5.2.2 Ensure sudo commands use pty

Information

sudo can be configured to run only from a pseudo-pty

Rationale:

Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing.

This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not.

Solution

Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line:

Defaults use_pty

See Also

https://workbench.cisecurity.org/files/3152

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Unix

Control ID: 3e99b1cb77903f23967f566c4d219266657db2bf22106dcbd023f0576f83c39f