5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo

Information

Using tty tickets ensures that a user must enter the sudo password in each Terminal session.

sudo 1.8 and later, which macOS has shipped since 10.12, default to per-tty timestamps, so a cached sudo authentication is only valid on the terminal where it was entered rather than for every process the user owns. On earlier macOS versions, or wherever /etc/sudoers has been edited by hand, that default may have been overridden (for example with Defaults !tty_tickets) or never configured correctly.

Rationale:

In combination with removing the sudo timeout grace period, a further mitigation should be in place so that a background process cannot reuse elevated rights when a user explicitly elevates to root in a specific context or tty. Without tty tickets, any process running as the same user, not just the one on the terminal where the password was typed, can run sudo without authenticating for as long as the timestamp is valid.

Impact:

This control should have no user impact. Developers or installers may have issues if a tool spawns background processes on a different tty (or with no tty) from the one where sudo was executed, because those processes will be prompted for a password again.

Solution

Terminal Method:
Run the following command to edit the sudo settings:

$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>

example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration
Note: sudo skips files in the sudoers.d folder whose names contain a . (or end in ~), so do not add a file extension to the configuration file; a file named 10_cissudoconfiguration.conf would be silently ignored and the setting would not take effect.
Add the line Defaults timestamp_type=tty to the configuration file.
Note: The Defaults timestamp_type=tty line can be added to an existing configuration file or a new one, depending on your organization's preference; either works. Using visudo rather than a plain editor checks the syntax before the file is saved, which matters because a malformed sudoers fragment can lock all users out of sudo.
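The staging and audit steps above, as an added shell example that is not part of the CIS benchmark or macOS itself. It writes the drop-in into a directory you choose (so it can be rehearsed outside /etc/sudoers.d without root), refuses file names sudo would ignore, optionally syntax-checks the fragment with visudo -c -f, and reads the effective setting back the way sudo reports it. The directory and the function names are assumptions; the file name and Defaults line are the ones used on this page.

```sh
#!/bin/sh
# Added example, not from the CIS benchmark: stage and audit the
# Defaults timestamp_type=tty drop-in. SUDOERS_D defaults to the real
# directory but can be overridden to rehearse in a scratch directory.
set -u
SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# sudo's includedir skips names containing '.' or ending in '~'; refuse those
# so a typo such as 10_cissudoconfiguration.conf does not silently do nothing.
valid_dropin_name() {
    case "$1" in
        ""|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Write "Defaults timestamp_type=tty" as $2 inside directory $1 with the
# 0440 mode sudo expects. Returns 1 if the name would be ignored by sudo.
write_tty_ticket_dropin() {
    dir=$1; name=$2
    valid_dropin_name "$name" || return 1
    mkdir -p "$dir" || return 1
    printf 'Defaults timestamp_type=tty\n' > "$dir/$name" || return 1
    chmod 0440 "$dir/$name"
    return 0
}

# Syntax-check a staged fragment without installing it. visudo -c -f parses
# only the named file; it is skipped (returns 0) where visudo is not installed.
visudo_check_dropin() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -q -f "$1"
}

# File-level audit: does this fragment set per-tty timestamps?
dropin_sets_tty_tickets() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+timestamp_type[[:space:]]*=[[:space:]]*tty[[:space:]]*$' "$1"
}

# Live audit: the effective value as sudo reports it. Only root sees the full
# "sudo -V" listing, hence the nested sudo; -n avoids hanging on a password prompt.
effective_timestamp_type() {
    sudo -n sudo -V 2>/dev/null \
        | awk -F': ' '/Type of authentication timestamp record/ { print $2 }'
}

# Interactive use: stage, verify, then check the live value.
if [ "${1:-}" = "apply" ]; then
    write_tty_ticket_dropin "$SUDOERS_D" 10_cissudoconfiguration || { echo "bad drop-in name"; exit 1; }
    visudo_check_dropin "$SUDOERS_D/10_cissudoconfiguration" || { echo "syntax check failed"; exit 1; }
    dropin_sets_tty_tickets "$SUDOERS_D/10_cissudoconfiguration" && echo "drop-in written"
    echo "effective timestamp_type: $(effective_timestamp_type)"
fi
```

Run it as `SUDOERS_D=/tmp/sudoers.d sh script.sh apply` to rehearse, then with the default directory as root to install. The live audit is the check that matters: the expected output line from sudo is "Type of authentication timestamp record: tty"; anything else means a later Defaults entry or an ignored file name.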

Default Value:

If timestamp_type is not set, sudo's built-in default of per-tty timestamps (tty_tickets enabled, equivalent to timestamp_type=tty) is used.

Additional Information:

In previous iterations and OS versions of the macOS Benchmark, the guidance was to edit the sudoers file directly. While this did configure the OS properly, an OS update replaces /etc/sudoers and reverts the setting to the default. A configuration file in the /etc/sudoers.d/ folder is not modified by an OS update, so the setting persists.

With the configuration file, there is no need to remove a Defaults !tty_tickets line from the main sudoers file. The configuration file takes precedence because sudo applies Defaults entries in parse order and the included file is read after the main file's own Defaults lines.

See Also

https://workbench.cisecurity.org/files/4176