
Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout

An XCCDF Rule

Description

The sudo passwd_timeout option sets the amount of time the sudo password prompt waits before timing out. On Red Hat Enterprise Linux 7, the default passwd_timeout value is 5 minutes. The passwd_timeout should be configured by making sure that the passwd_timeout= tag exists in the /etc/sudoers configuration file or in any sudo configuration snippet in /etc/sudoers.d/.
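The check the description calls for, as an added shell example rather than this rule's own OVAL or remediation content: it reports the effective Defaults passwd_timeout across a sudoers file and a drop-in directory, run here against a constructed sample tree. The function name, the sample paths and their contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the rule's own check: report the effective
# "Defaults passwd_timeout=" value across a sudoers file and its drop-in
# directory. Paths are parameters so it runs against constructed samples.

# Print the passwd_timeout value (minutes, decimals allowed) that sudo would
# use, or return 1 if no Defaults line sets it. Assumes the main file's
# @includedir sits at its end (the RHEL 7 default), so the last matching
# line in the drop-ins wins over the main file.
sudo_passwd_timeout_value() {
    main="$1"; dropin="$2"; found=""
    for f in "$main" "$dropin"/*; do
        [ -f "$f" ] || continue
        if [ "$f" != "$main" ]; then
            # sudoers(5): drop-ins ending in "~" or containing "." are ignored,
            # so a stray backup copy must not satisfy the check.
            case "${f##*/}" in *~|*.*) continue ;; esac
        fi
        # Only uncommented Defaults lines count; "# Defaults ..." is skipped.
        v=$(grep -E '^[[:space:]]*Defaults[^#]*[[:space:],]passwd_timeout=[0-9]+(\.[0-9]+)?' "$f" \
            | sed -E 's/.*passwd_timeout=([0-9]+(\.[0-9]+)?).*/\1/' | tail -n 1)
        [ -n "$v" ] && found="$v"
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Constructed sample tree (not a real system's configuration).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/sudoers.d"
printf '%s\n' 'Defaults env_reset' \
              '# Defaults passwd_timeout=5' \
              'root ALL=(ALL) ALL' > "$SAMPLE_DIR/sudoers"
printf '%s\n' 'Defaults passwd_timeout=1' > "$SAMPLE_DIR/sudoers.d/10-timeout"
printf '%s\n' 'Defaults passwd_timeout=30' > "$SAMPLE_DIR/sudoers.d/10-timeout.bak"

if v=$(sudo_passwd_timeout_value "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/sudoers.d"); then
    echo "passwd_timeout is set to $v minute(s)"
else
    echo "passwd_timeout is not set; sudo falls back to its built-in default"
fi
```

Against a live host, call the function with /etc/sudoers and /etc/sudoers.d (root is needed to read them). sudo treats passwd_timeout=0 as no timeout at all, so a reported 0 fails the intent of this rule rather than satisfying it.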

Rationale

Reducing the time sudo waits for a password reduces the time the process is exposed.

ID
xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
Severity
Medium
Updated



Remediation - Ansible

- name: XCCDF Value var_sudo_passwd_timeout # promote to variable
  set_fact:
    var_sudo_passwd_timeout: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>
  tags:
    - always


Remediation - Shell Script



var_sudo_passwd_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>'


if /usr/sbin/visudo -qcf /etc/sudoers; then