4.3.6 Ensure sudo authentication timeout is configured correctly

Information

sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies.

This default is distribution specific. See audit section for further information.

Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user.

Solution

If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on it's own, or on the same line as env_reset See the following two examples:

Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15
Defaults env_reset

See Also

https://workbench.cisecurity.org/benchmarks/13775