5.3 Reduce the sudo timeout period

Information

The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. After a successful authentication, sudo keeps the user's root access active for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since it would be able to make changes as the root user.

Solution

Perform the following to implement the prescribed state:

Run the following command in Terminal:

sudo visudo

In the "# Defaults specification" section, add the line:

Defaults timestamp_timeout=0
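One way to verify the setting after the change is shown below. This is an added example, not part of the benchmark text. The function names and sample sudoers contents are constructed for illustration, and it assumes global Defaults entries on single lines, with the last entry taking effect.

```shell
#!/bin/sh
# Added example: report the effective global timestamp_timeout from sudoers
# text on stdin. Assumption: later Defaults entries override earlier ones.
# Limits: scoped entries (Defaults:user, Defaults@host), backslash line
# continuations and included files are not evaluated.
effective_timestamp_timeout() {
    awk '
        /^[ \t]*#/ { next }                  # skip comments (and #include lines)
        /^[ \t]*Defaults[ \t]/ {
            line = $0
            sub(/#.*/, "", line)             # drop a trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")       # one line may set several options
            for (i = 1; i <= n; i++) {
                opt = opts[i]
                gsub(/[ \t]/, "", opt)       # tolerate spaces around "="
                if (opt ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", opt)
                    value = opt
                }
            }
        }
        END { print (value == "" ? "unset" : value) }
    '
}

# Succeeds only when the prescribed state (timestamp_timeout=0) is in effect.
sudo_timeout_compliant() {
    [ "$(effective_timestamp_timeout)" = "0" ]
}

# Constructed sample sudoers contents (not taken from a real system).
SAMPLE_COMMENTED='# Defaults specification
Defaults env_reset
# Defaults timestamp_timeout=0'
SAMPLE_WEAK='Defaults env_reset, timestamp_timeout = 15   # too long'
SAMPLE_FIXED='Defaults env_reset
Defaults timestamp_timeout=15
Defaults timestamp_timeout=0'

for sample in "$SAMPLE_COMMENTED" "$SAMPLE_WEAK" "$SAMPLE_FIXED"; do
    if printf '%s\n' "$sample" | sudo_timeout_compliant; then
        echo "PASS"
    else
        echo "FAIL ($(printf '%s\n' "$sample" | effective_timestamp_timeout))"
    fi
done
```

The first sample fails because the setting is only present in a comment, which a plain text search for the string would wrongly report as a match.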

See Also

https://workbench.cisecurity.org/files/299

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(7)

Plugin: Unix

Control ID: 5ca7feaca0b053ccfca168707f8c1c5e0382e14463214fd21e7a704eefc4f667