The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257239	APPL-13-004022	SV-257239r922880_rule		Medium

Description
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

STIG	Date
Apple macOS 13 (Ventura) Security Technical Implementation Guide	2024-02-06

Details

Check Text ( C-60924r922878_chk )
Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command: /usr/bin/sudo /usr/bin/grep -r "timestamp_timeout" /etc/sudoers* /etc/sudoers.d/:Defaults timestamp_timeout=0 If conflicting results are returned, this is a finding. If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.

Check Text ( C-60924r922878_chk )

Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command:

/usr/bin/sudo /usr/bin/grep -r "timestamp_timeout" /etc/sudoers*

/etc/sudoers.d/:Defaults timestamp_timeout=0

If conflicting results are returned, this is a finding.

If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.

Fix Text (F-60865r922879_fix)
Configure the macOS system to require reauthentication when using the "sudo" command by creating a plain text file in the /private/etc/sudoers.d/ directory containing the following: Defaults timestamp_timeout=0