5.3 Ensure the Sudo Timeout Period Is Set to Zero

Information

The sudo command allows a user to run programs as the root user, which grants an extremely high level of control over the system. This control, together with the control requiring a separate timestamp for each tty, limits the window in which an unauthorized user, process or attacker could reuse legitimate, already-authenticated credentials that remain valid for longer than required.

Rationale:

After a successful authentication, sudo caches the credential for five minutes before it times out and requests the password again. This five-minute window should be eliminated because it leaves the system extremely vulnerable: an exploit that gains access to the system during that window could make changes as the root user without supplying a password.

Impact:

This control has a serious impact where users often have to use sudo, and an even greater one where users must run sudo several times in quick succession as part of their normal work. Organizations with that common use case will likely find this control too onerous and may do better to accept the risk of not requiring a grace period of 0.

In some ways the use of sudo -s, which is undesirable, is better than a long grace period, since a root shell changes the prompt to the hash (#) to show that it is a root shell, rather than a normal shell in which sudo commands will run without a password.

Solution

Run the following command to edit the sudo settings:

$ sudo /usr/sbin/visudo

Add the line Defaults timestamp_timeout=0 in the 'Override built-in defaults' section.

Additional Information:

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.

##
# Override built-in defaults
##
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"

Defaults lecture_file = "/etc/sudo_lecture"
Defaults timestamp_timeout=0

##
# User alias specification
##
# User_Alias FULLTIMERS = millert, mikef, dowdy

##
# Runas alias specification
##
# Runas_Alias OP = root, operator

##
# Host alias specification
##
# Host_Alias CUNETS = 128.138.0.0/255.255.0.0
# Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
# Host_Alias SERVERS = master, mail, www, ns
# Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
# Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
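As an added audit check (not part of the benchmark text or of sudo itself), the following POSIX shell script reads the sudoers files given on its command line in the order sudo reads them and reports the effective timestamp_timeout, applying the rules that the built-in default is 5 minutes and that the last global Defaults setting wins. The file paths in the usage line and the decision to skip scoped Defaults entries (Defaults:user and similar) are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper for CIS 5.3: report the effective sudo timestamp_timeout
# from the given sudoers files (main file first, then drop-ins in lexical
# order). Only global "Defaults" entries are evaluated; scoped ones are
# reported on stderr and skipped. Reading the real files requires root.

DEFAULT_TIMEOUT=5   # sudo's built-in default, in minutes

# effective_timeout FILE... -> prints the last timestamp_timeout set, or 5
effective_timeout() {
    cat "$@" 2>/dev/null | awk -v def="$DEFAULT_TIMEOUT" '
        { sub(/#.*/, "") }                             # drop comments
        /^[ \t]*Defaults[:@>!]/ {                      # scoped Defaults
            print "WARN: scoped Defaults not evaluated: " $0 > "/dev/stderr"
        }
        /^[ \t]*Defaults[ \t]/ {                       # global Defaults
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, /,[ \t]*/)           # "Defaults a, b=c"
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/) {
                    val = opts[i]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", val)
                    sub(/[ \t].*$/, "", val)
                    timeout = val                      # last one wins
                }
            }
        }
        END { print (timeout == "" ? def : timeout) }'
}

# check_timeout FILE... -> returns 0 only when the effective timeout is 0
check_timeout() {
    t=$(effective_timeout "$@")
    if awk -v t="$t" 'BEGIN { exit !(t + 0 == 0) }'; then
        echo "PASS: timestamp_timeout is 0; a password is required for every sudo"
        return 0
    fi
    case $t in
        -*) echo "FAIL: timestamp_timeout=$t means the cached credential never expires" ;;
        *)  echo "FAIL: effective timestamp_timeout is $t minutes (expected 0)" ;;
    esac
    return 1
}

# Example usage on macOS (paths assumed): sudo sh audit.sh /etc/sudoers /etc/sudoers.d/*
if [ $# -gt 0 ]; then
    check_timeout "$@"
fi
```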

See Also

https://workbench.cisecurity.org/files/3569