Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259555 | APPL-14-004022 | SV-259555r987879_rule | Medium |
| Description |
|---|
| The file /etc/sudoers must include a timestamp_timout of 0. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability or change user authenticators, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158 |
| STIG | Date |
|---|---|
| Apple macOS 14 (Sonoma) Security Technical Implementation Guide | 2024-05-30 |
Details
| Check Text ( C-63294r941285_chk ) |
|---|
| Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command: /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes" If the result is not "1", this is a finding. |
| Fix Text (F-63202r941286_fix) |
|---|
| Configure the macOS system to require reauthentication when using "sudo" with the following command: /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \; /bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp |