Require Re-Authentication When Using the sudo Command
An XCCDF Rule
Description
The sudo timestamp_timeout
tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout
value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout
tag exists in
/etc/sudoers
configuration file or any sudo configuration snippets
in /etc/sudoers.d/
.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
Rationale
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
- ID
- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-90029-0
- DISA-STIG-RHEL-09-432015
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q sudo; then
var_sudo_timestamp_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_timestamp_timeout" use="legacy"/>'