Informationsudo can be configured to run only from a pseudo-pty
Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later. The -f option allows you to tell visudo which file to edit.
Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing.
This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not.
SolutionEdit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line:
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|4
Control ID: 27893f6416b4c37913346182c37219cf430c201692741d548d04166e6eb2b520