The macOS system must be configured with the sudoers file configured to authenticate users on a per-tty basis.
An XCCDF Rule
Description
<VulnDiscussion>The "sudo" command must be configured to prompt for the administrator's password at least once in each newly opened Terminal window or remote logon session, as this prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session to bypass the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-252533r816413_rule
- Severity: High
- References
- Updated
Remediation - Manual Procedure
Edit the "/etc/sudoers" file to contain the line:
Defaults tty_tickets
This line can be placed in the defaults section or at the end of the file.
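The following check script is an added example, not part of the STIG or of the sudo project, showing how an auditor can verify the remediation above rather than just grep for the string. It parses only global "Defaults" lines, applies them in file order (sudo lets a later "Defaults !tty_tickets" override an earlier "Defaults tty_tickets"), skips commented lines, and ignores per-user, per-host and per-command Defaults. The function names, the audit logic and the sample sudoers fragments written under a temporary directory are assumptions constructed for this example; on a real system you would pass /etc/sudoers together with any fragments pulled in by its includedir directive.

```shell
#!/bin/sh
# Added example (not from the STIG or sudo): report whether a sudoers file
# leaves the global tty_tickets default enabled.

# tty_tickets_state FILE  -> prints "on", "off" or "unset"
# Global "Defaults" lines are processed in order, so the last mention wins.
# Defaults:user, Defaults@host and Defaults!command lines are not global
# and are deliberately ignored.
tty_tickets_state() {
    awk '
        BEGIN { state = "unset" }
        /^[ \t]*#/ { next }                        # full-line comment
        /^[ \t]*Defaults[ \t]/ {                   # global Defaults only
            sub(/#.*/, "")                         # strip trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "")       # keep the option list
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] == "tty_tickets") state = "on"; else if (opts[i] == "!tty_tickets") state = "off"
            }
        }
        END { print state }
    ' "$1"
}

# audit_sudoers FILE...  -> prints "state<TAB>file" per file; returns 0 only
# if at least one file turns tty_tickets on and no file turns it off.
audit_sudoers() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        s=$(tty_tickets_state "$f")
        printf '%s\t%s\n' "$s" "$f"
        case $s in
            on)  found=0 ;;
            off) return 1 ;;
        esac
    done
    return $found
}

# Constructed sample fragments for the demo (not real system files).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# comment' 'Defaults env_reset' 'Defaults tty_tickets' \
    > "$SAMPLE_DIR/compliant"
printf '%s\n' 'Defaults tty_tickets, env_reset' \
    'Defaults !tty_tickets # later line wins' > "$SAMPLE_DIR/overridden"
printf '%s\n' '#Defaults tty_tickets' 'root ALL=(ALL) ALL' \
    > "$SAMPLE_DIR/unset"

# Demo run; on a real system pass /etc/sudoers and its included fragments.
audit_sudoers "$SAMPLE_DIR/compliant" "$SAMPLE_DIR/unset" \
    && echo "tty_tickets enforced" || echo "tty_tickets NOT enforced"
```

After editing the file, run "visudo -c" to confirm the syntax still parses; a sudoers file with a syntax error can lock administrators out of sudo entirely.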