Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
An XCCDF Rule
Description
The sudo requiretty
tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the requiretty
tag exists in
/etc/sudoers
configuration file or any sudo configuration snippets
in /etc/sudoers.d/
.
Rationale
Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.
- ID
- xccdf_org.ssgproject.content_rule_sudo_add_requiretty
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Ensure requiretty is enabled in /etc/sudoers
lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\brequiretty\b.*$
line: Defaults requiretty
validate: /usr/sbin/visudo -cf %s
Remediation - Shell Script
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults[\s]*\brequiretty\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option requiretty
echo "Defaults requiretty" >> /etc/sudoers