5.2.6 Ensure sudo timestamp_timeout is configured

Information

sudo timestamp_timeout controls how long a user's sudo privileges remain active after the initial password entry.

A timeout value reduces the window of opportunity for unauthorized privileged sudo access.

Solution

Create or modify the administrator customization file in the /etc/sudoers.d/ directory using visudo -f <PATH TO FILE>, and set the timestamp_timeout= entry to 15 minutes or less, as per your site policy:

Example

Defaults timestamp_timeout=5

Note:

- The timestamp_timeout value is in minutes.
- If the timestamp_timeout is set to zero, you are prompted for the root password for every execution of a sudo command.
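
One way to audit the setting described above, as an added example that is not part of the benchmark: a shell function that scans sudoers-style files for explicit timestamp_timeout values and flags any above the 15-minute limit, or negative (which sudo treats as never expiring). The function name, exit codes and sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the benchmark text).
# audit_timestamp_timeout MAX FILE...
#   Prints one line per explicit timestamp_timeout setting found on a
#   Defaults line. Returns 0 if all are within 0..MAX minutes, 1 if any
#   is negative or above MAX, 2 if no explicit setting exists (the
#   built-in sudo default then applies).
audit_timestamp_timeout() {
    max=$1; shift
    awk -v max="$max" '
        /^[ \t]*#/ { next }                      # comment lines
        /^[ \t]*Defaults/ {                      # also Defaults:user etc.
            line = $0
            while (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
                val = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                sub(/^[^=]*=[ \t]*/, "", val)    # keep only the number
                found = 1
                if (val + 0 < 0)        { bad = 1; verdict = "FAIL (never expires)" }
                else if (val + 0 > max) { bad = 1; verdict = "FAIL (above " max ")" }
                else                    { verdict = "PASS" }
                printf "%s:%d: timestamp_timeout=%s %s\n", FILENAME, FNR, val, verdict
            }
        }
        END { if (bad) exit 1; if (!found) exit 2 }
    ' "$@"
}

# Constructed sample drop-in files, not taken from a real host.
demo_dir=$(mktemp -d)
printf 'Defaults timestamp_timeout=5\n' > "$demo_dir/10-ok"
printf 'Defaults env_reset, timestamp_timeout=30\n' > "$demo_dir/20-high"
printf 'Defaults:backup timestamp_timeout=-1\n' > "$demo_dir/30-never"
audit_timestamp_timeout 15 "$demo_dir"/* || echo "non-compliant (exit $?)"
rm -rf "$demo_dir"
```

On a live host, run the function as root against /etc/sudoers and the files in /etc/sudoers.d/; it only reads them and does not replace the syntax check that visudo performs.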

See Also

https://workbench.cisecurity.org/benchmarks/26236