Catalina - Configure Sudoers to Authenticate Users on a Per -tty Basis

Information

The file /etc/sudoers _MUST_ be configured to include tty_tickets.

This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window.

Solution

[source,bash]
----
/bin/cp /etc/sudoers /etc/sudoers.bk; /bin/echo "Defaults tty_tickets" >> /etc/sudoers
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-5(1), 800-53|CM-6b., 800-53|IA-11, CCE|CCE-84799-6, CCI|CCI-000366, STIG-ID|AOSX-15-004021

Plugin: Unix

Control ID: e15ab9f9d031fa5eb395158eb5d7d7ae6ecc1df34c129cb4d4208ea41f91d5cc