5.3 Reduce the sudo timeout period

Information

The sudo command allows an authorized user to run programs as the root user (or as another user). Commands that run as root have unrestricted control over the system, so the conditions under which sudo grants that access should be kept as tight as possible.

Rationale:

By default sudo caches a successful authentication for five minutes (timestamp_timeout=5), so further sudo commands issued in that window run without the password being asked for again. This grace period should be removed: if malicious code runs in the user's session during the window (for example through a compromised shell or script), it can invoke sudo and make changes as root without knowing the user's password.

Impact:

Users with sudo rights will have to enter their password for every sudo command; no grace period is allowed.

Solution

Perform the following to implement the prescribed state:

Run the following command in Terminal:

sudo visudo

In the '# Override built-in defaults' section, add the line:

Defaults timestamp_timeout=0

visudo checks the syntax before saving, so a mistyped line is refused rather than written. To verify the change took effect, run:

sudo visudo -c
sudo sudo -V | grep -i 'timestamp timeout'

The second command prints the effective authentication timestamp timeout, which should now read 0.0 minutes.
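The following shell script is an added example and is not part of the CIS item or of Tenable's own check; it shows how the compliance audit for this item can be expressed in code. It reads sudoers text and reports the effective timestamp_timeout, applying the same rules sudo does: comment lines are ignored, a Defaults line may carry several comma-separated options, the last occurrence wins, and an absent option means the compiled-in default of 5 minutes. The two sudoers snippets embedded in it are constructed samples, not copies of any system's file.

```sh
#!/bin/sh
# Added example, not part of the CIS/Tenable item: audit sudoers text for the
# effective timestamp_timeout (in minutes). When the option is absent sudo's
# compiled-in default of 5 applies; 0 prompts on every command; a negative
# value means the cached authentication never expires.

# Read sudoers text on stdin and print the effective timestamp_timeout.
# Comment lines are ignored; a Defaults line may carry several comma-separated
# options; when the option appears more than once the last one wins.
effective_timeout() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*Defaults/ {
            line = $0
            # strip "Defaults" plus any :user / @host / !cmnd qualifier
            sub(/^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+/, "", line)
            n = split(line, opts, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                if (match(opts[i], /^timestamp_timeout[[:space:]]*=[[:space:]]*-?[0-9.]+/)) {
                    v = substr(opts[i], RSTART, RLENGTH)
                    sub(/^timestamp_timeout[[:space:]]*=[[:space:]]*/, "", v)
                    val = v
                }
            }
        }
        END { print (val == "" ? "5" : val) }
    '
}

# Return 0 when the sudoers text on stdin is compliant with this item
# (effective timeout is exactly 0), 1 otherwise.
check_compliant() {
    [ "$(effective_timeout)" = "0" ]
}

# Constructed sample: a macOS-style file that relies on the built-in 5 minutes.
SAMPLE_DEFAULT='Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
# Defaults timestamp_timeout=0
%admin ALL=(ALL) ALL'

# Constructed sample: the same file after applying this item.
SAMPLE_HARDENED='Defaults env_reset
Defaults timestamp_timeout=0
%admin ALL=(ALL) ALL'

printf '%s\n' "$SAMPLE_DEFAULT"  | effective_timeout   # prints 5
printf '%s\n' "$SAMPLE_HARDENED" | effective_timeout   # prints 0

# Live check of the real file (reading /etc/sudoers requires root):
#   sudo cat /etc/sudoers | check_compliant && echo compliant || echo NOT compliant
```

Note that the commented-out `# Defaults timestamp_timeout=0` in the first sample is correctly ignored, so a setting that was added but left behind a `#` still reports 5. Files pulled in through an includedir directive are not followed by this script; on systems that use one, run it over each fragment as well.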
Additional Information:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults env_reset
Defaults timestamp_timeout=0
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(7)

Plugin: Unix

Control ID: d6499d5db741d62b91a8a810442d5fac2948e5fad0eb90118f96ed45124232dd