5.2.6 Ensure sudo timestamp_timeout is configured

Information

sudo timestamp_timeout controls how long a user's sudo privileges remain active after the initial password entry.

A timeout value reduces the window of opportunity for unauthorized privileged sudo access.

Solution

Edit the file listed in the audit section with visudo -f <PATH TO FILE> and set the timestamp_timeout= entry to 15 minutes or less, as per your site policy. The value is in minutes. The entry may appear on its own line or on the same line as env_reset. See the following two examples:

Example 1:

Defaults env_reset, timestamp_timeout=15

Example 2:

Defaults timestamp_timeout=15
Defaults env_reset
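
The following check is an added example, not part of the benchmark text: it scans sudoers-style files for timestamp_timeout on Defaults lines and fails any value above 15 or below 0. The function name, exit codes and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit timestamp_timeout in sudoers-style files.
MAX_MINUTES=15   # limit stated in the Solution text; lower it per site policy

# check_timestamp_timeout FILE...   (hypothetical helper name)
# Returns 0 if every value found is within 0..MAX_MINUTES, 1 if any value is
# negative or above the limit, 2 if no Defaults line sets the option.
check_timestamp_timeout() {
    awk -v max="$MAX_MINUTES" '
        /^[ \t]*Defaults/ {
            line = $0
            # A Defaults line can carry several comma-separated settings.
            while (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
                val = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                sub(/^[^=]*=[ \t]*/, "", val)
                found = 1
                # A negative value keeps the timestamp valid until reboot.
                ok = (val + 0 >= 0 && val + 0 <= max)
                if (!ok) bad = 1
                printf "%s %s: timestamp_timeout=%s\n", (ok ? "PASS" : "FAIL"), FILENAME, val
            }
        }
        END { if (bad) exit 1; if (!found) exit 2 }
    ' "$@"
}

# Constructed sample files (not taken from a real system).
SAMPLES=$(mktemp -d)
printf 'Defaults env_reset, timestamp_timeout=15\n' > "$SAMPLES/ok_same_line"
printf 'Defaults timestamp_timeout=30\nDefaults env_reset\n' > "$SAMPLES/too_long"
printf 'Defaults env_reset\nDefaults timestamp_timeout=-1\n' > "$SAMPLES/never_expires"
printf '# Defaults timestamp_timeout=5\nDefaults env_reset\n' > "$SAMPLES/unset"

for f in ok_same_line too_long never_expires unset; do
    rc=0
    check_timestamp_timeout "$SAMPLES/$f" || rc=$?
    echo "$f -> exit $rc"
done
```

An exit status of 2 means no file sets the option, so sudo falls back to its compiled-in default, which has to be verified separately.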

See Also

https://workbench.cisecurity.org/benchmarks/24330