CME-708

Least Privilege sudo Configuration

Isolate OS/Kernel Medium Confidence

Description

Configures sudo to allow specific commands only, rather than unrestricted root access. Uses command allowlists, NOPASSWD only for specific safe commands, and requiretty.

CVSS Vector Impacts

Metric Transition Rationale
Privileges Required (PR) L H Compromised user account has limited elevation paths

CWE Relationships

CWE-269 CWE-250

Verification

Audit sudoers for overly permissive rules

$ grep -r 'ALL=(ALL)' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -v NOPASSWD
# Expected: Minimal matches
Platform: linux
← CME-707: NoNewPrivileges CME-709: systemd Service Sandboxing (PrivateDevices, PrivateTmp, ProtectSystem) →