1.3.2 Ensure sudo commands use pty

Information

sudo can be configured to run only from a psuedo-pty

Rationale:

Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing.

Solution

edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line:

Defaults use_pty

References:

SUDO(8)

Notes:

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks or parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

See Also

https://workbench.cisecurity.org/files/2658

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: Unix

Control ID: a6c78b1cb096be3adc264345a7052aa01b56276f2339ed72f0cac349b0a30f94