Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout
An XCCDF Rule
Description
The sudo passwd_timeout
tag sets the amount of time sudo password prompt waits.
On Red Hat Enterprise Linux 7, the default passwd_timeout
value is 5 minutes.
The passwd_timeout should be configured by making sure that the
passwd_timeout=
tag exists in
/etc/sudoers
configuration file or any sudo configuration snippets
in /etc/sudoers.d/
.
Rationale
Reducing the time sudo
waits for a a password reduces the time the process is exposed.
- ID
- xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
- Severity
- Medium
- Updated
Remediation - Ansible
- name: XCCDF Value var_sudo_passwd_timeout # promote to variable
set_fact:
var_sudo_passwd_timeout: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>
tags:
- always
Remediation - Shell Script
var_sudo_passwd_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>'
if /usr/sbin/visudo -qcf /etc/sudoers; then