Detections
Analytics

5.3 Ensure the Sudo Timeout Period Is Set to Zero - timestamp timeout

Information

The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process, or attacker could utilize legitimate credentials that are valid for longer than required.

Rationale:

The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user.

Impact:

This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period.

In some ways the use of sudo -s, which is undesirable, is better than a long grace period since that use does change the hash to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password.

Solution

Terminal Method:
Run the following command to edit the sudo settings:

$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>

example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration
Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a . so do not add a file extension to the configuration file.
Add the line Defaults timestamp_timeout=0 to the configuration file.
If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change ownership and group:

$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/

Additional Information:

In previous iterations and OS versions of the macOS Benchmark, the guidance was to edit the sudoers file directly. While this would properly configure the OS, any update would change the settings back to the default configuration. Creating a configuration file in the /etc/sudoers.d/ folder will not be modified on an OS update and will keep the proper configuration.

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(5), 800-53|AC-11, 800-53|AC-11(1), 800-53|AC-12, CSCv7|16.11

Plugin: Unix

Control ID: 566d68797abd6bb6e48a8f4174f65182bb2b32a1ceaa8a059e3d821963d31847