
Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout

An XCCDF Rule

Description

The sudo passwd_timeout option sets how long the sudo password prompt waits for input before giving up. On Red Hat Enterprise Linux 8, the default passwd_timeout value is 5 minutes. Configure passwd_timeout by making sure that a passwd_timeout= setting exists in the /etc/sudoers configuration file or in a sudo configuration snippet in /etc/sudoers.d/.

Rationale

Reducing the time sudo waits for a password reduces the time the password prompt, and the elevated process behind it, is exposed.
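The following audit helper is an added example, not ComplianceAsCode's own check or remediation: it reports the effective passwd_timeout across /etc/sudoers and the snippets in /etc/sudoers.d/ and compares it with an expected value. It goes a little beyond the rule's own pattern by also matching passwd_timeout inside a comma-separated Defaults line, and it assumes the usual RHEL layout in which the @includedir line is the last line of /etc/sudoers, so a snippet's definition overrides the main file's. File paths are parameters so it can run against constructed sample files.

```sh
#!/bin/sh
# Added audit example (not ComplianceAsCode's own code). Paths are passed in so
# the functions can be exercised on constructed sample files, not the live config.

# Print the effective passwd_timeout value, or nothing if it is never set.
# sudo applies Defaults in parse order, so the last definition wins; with
# "@includedir /etc/sudoers.d" as the final line of /etc/sudoers (assumed
# here, as on RHEL), snippets are parsed after the main file.
# Only global "Defaults" lines are considered, like the rule's own check.
effective_passwd_timeout() {
    sudoers="$1"; snipdir="$2"
    {
        cat "$sudoers"
        # sudo ignores snippet names that contain '.' or end in '~'
        for f in "$snipdir"/*; do
            [ -f "$f" ] || continue
            case "${f##*/}" in *.*|*~) continue ;; *) cat "$f" ;; esac
        done
    } 2>/dev/null \
    | grep -E '^[[:space:]]*Defaults[[:space:]].*passwd_timeout=[0-9.]+' \
    | sed -E 's/.*passwd_timeout=([0-9.]+).*/\1/' \
    | tail -n 1
}

# Exit status 0 when the effective value equals the expected one, 1 otherwise.
check_passwd_timeout() {
    expected="$1"; actual="$(effective_passwd_timeout "$2" "$3")"
    if [ -z "$actual" ]; then
        echo "FAIL: passwd_timeout not set (sudo default applies)"; return 1
    elif [ "$actual" != "$expected" ]; then
        echo "FAIL: passwd_timeout=$actual, expected $expected"; return 1
    fi
    echo "PASS: passwd_timeout=$actual"; return 0
}

# Constructed sample: the main file sets 5 minutes, a snippet overrides it to 1.
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
printf 'Defaults env_reset, passwd_timeout=5\n@includedir %s/sudoers.d\n' "$demo" > "$demo/sudoers"
printf 'Defaults passwd_timeout=1\n' > "$demo/sudoers.d/10-timeout"
check_passwd_timeout 1 "$demo/sudoers" "$demo/sudoers.d"   # PASS: passwd_timeout=1
rm -rf "$demo"
```

Run it against the real files with `check_passwd_timeout 1 /etc/sudoers /etc/sudoers.d` (as root, since /etc/sudoers is mode 0440) to get a pass/fail verdict for the value your policy expects.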

ID
xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout
Severity
Medium
Updated

Remediation Templates

A Shell Script

var_sudo_passwd_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>'


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then

An Ansible Snippet

- name: XCCDF Value var_sudo_passwd_timeout # promote to variable
  set_fact:
    var_sudo_passwd_timeout: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" use="legacy"/>
  tags:
    - always
- name: Ensure passwd_timeout is enabled with the appropriate value in /etc/sudoers