5.2.2 Ensure sudo commands use pty

Information

sudo can be configured to run only from a pseudo-pty

Rationale:

Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing.

This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not.

Solution

Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line:

Defaults use_pty

See Also

https://workbench.cisecurity.org/files/3152

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Unix

Control ID: 11c13aa93a9320f9d96ae6c211ce903972fbb501e0affbd9d03af313d5cf6d80