5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo

Information

Using tty tickets ensures that a user must enter the sudo password in each Terminal session.

With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS.

In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty.

Additional mitigation should be in place to reduce the risk of privilege escalation of background processes.

Solution

Run the following command to edit the sudo settings:

% /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>

example:

% /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration

Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a so do not add a file extension to the configuration file.

Add the line Defaults timestamp_type=tty to the configuration file.

Note: The Defaults timestamp_type=tty line can be added to an existing configuration file or a new one. That will depend on your organization's preference and works either way.

Impact:

This control should have no user impact. Developers or installers may have issues if background processes are spawned with different interfaces than where sudo was executed.

See Also

https://workbench.cisecurity.org/benchmarks/18639