Warn on sudoers configuration that doesn’t require a password

(Intro to Search Expressions here)

It’s possible to tell the sudo program that you want to give root privileges to a user to run certain programs, but don’t want to require that user to enter even their own password to do it.  While there may be circumstances where that’s appropriate, or even needed, it’s a very insecure way to set up a system.  We can put together a system check that will warn us if any of our servers have that setup:

/etc/sudoers Does not contain “\sNOPASSWD:”

The “\s” is a new one here.  “\s” matches any whitespace: space or tab (or linefeed technically, although that wouldn’t apply in this example).  That lets us say that we need a space or tab in front of NOPASSWD, but we don’t care which.
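The same check as a standalone script, added here as an illustration and not taken from the product this post describes. It goes a little beyond the expression above: it skips comments, joins backslash-continued lines, and compares the page's `\sNOPASSWD:` with a broader word-boundary pattern (an assumption of this example) that also catches the tag written directly after `=` or `)`. The sudoers text is constructed sample input.

```python
import re

PAGE_RE = re.compile(r"\sNOPASSWD:")        # the expression from this post
BROAD_RE = re.compile(r"\bNOPASSWD\s*:")    # assumption: tag as a whole word
# '#' starts a comment unless it begins #include/#includedir or a numeric uid/gid.
# Simplification: '#' inside quoted strings is not handled.
COMMENT_RE = re.compile(r"#(?!include|\d).*")

# Constructed sample, not from a real host.
SAMPLE = """\
# Allow NOPASSWD: for nobody (comment only)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin\tALL=(ALL)\tNOPASSWD: ALL
backup  ALL=NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) \\
        NOPASSWD: /usr/bin/systemctl
#includedir /etc/sudoers.d
"""

def logical_lines(text):
    """Yield (first_line_number, rule) with comments removed and
    backslash continuations joined into one logical line."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        line = COMMENT_RE.sub("", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf
        buf, start = "", None
    if buf.strip():
        yield start, buf

def find_nopasswd(text, pattern=BROAD_RE):
    """Return [(line_number, rule)] for rules carrying the NOPASSWD tag."""
    return [(n, rule.strip()) for n, rule in logical_lines(text)
            if pattern.search(rule)]

if __name__ == "__main__":
    for n, rule in find_nopasswd(SAMPLE):
        print(f"WARN line {n}: {rule}")
```

Files pulled in through `#includedir` (typically `/etc/sudoers.d`) are separate files and need the same check.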
