5.2.2 Ensure sudo commands use pty

Information

sudo can be configured to run only from a pseudo-pty

Rationale:

Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing.

This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not.

Solution

Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line:

Defaults use_pty

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Unix

Control ID: 2090a903ecb8da2d69ac7ed46962e62346cbc96066402e80230fc14a473b1d7b