Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
An XCCDF Rule
Description
The sudo use_pty
tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the use_pty
tag exists in
/etc/sudoers
configuration file or any sudo configuration snippets
in /etc/sudoers.d/
.
Rationale
Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.
- ID
- xccdf_org.ssgproject.content_rule_sudo_add_use_pty
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-2.2.6
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q sudo; then
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then