Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

An XCCDF Rule

Description

The sudo requiretty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the requiretty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.

ID: xccdf_org.ssgproject.content_rule_sudo_add_requiretty
Severity: Medium
References: BP28(R58)
Updated: about 1 year ago


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\brequiretty\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option requiretty
        echo "Defaults requiretty" >> /etc/sudoers    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

- name: Ensure requiretty is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
    line: Defaults requiretty
    validate: /usr/sbin/visudo -cf %s  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_requiretty

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

Description

Rationale

Remediation - Shell Script

Remediation - Ansible