Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout
An XCCDF Rule
Description
The sudo passwd_timeout tag sets the amount of time sudo password prompt waits.
On Red Hat Enterprise Linux 7, the default passwd_timeout value is 5 minutes.
The passwd_timeout should be configured by making sure that the
passwd_timeout= tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
Rationale
Reducing the time sudo waits for a a password reduces the time the process is exposed.
- ID
- xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
- Severity
- Medium
- Updated
Remediation - Shell Script
var_sudo_passwd_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>'
if /usr/sbin/visudo -qcf /etc/sudoers; then
Remediation - Ansible
- name: XCCDF Value var_sudo_passwd_timeout # promote to variable
set_fact:
var_sudo_passwd_timeout: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>
tags:
- always