Skip to content

Require Re-Authentication When Using the sudo Command

An XCCDF Rule

Description

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

ID
xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-85764-9
  - DISA-STIG-SLES-15-020102

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q sudo; then

var_sudo_timestamp_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_timestamp_timeout" use="legacy"/>'