5.3 Ensure the Sudo Timeout Period Is Set to Zero

Information

The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process, or attacker could utilize legitimate credentials that are valid for longer than required.

The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user.

Solution

Run the following command to edit the sudo settings:

% /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>

example:

$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration

Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a so do not add a file extension to the configuration file.

Add the line Defaults timestamp_timeout=0 to the configuration file.

If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change ownership and group:

% /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/

Impact:

This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period.

In some ways the use of sudo -s, which is undesirable, is better than a long grace period since that use does change the hash to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password.

See Also

https://workbench.cisecurity.org/benchmarks/17465