Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-225218 | AOSX-15-004021 | SV-225218r610901_rule | High |
Description |
---|
The "sudo" command must be configured to prompt for the administrator's password at least once in each newly opened Terminal window or remote logon session, as this prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session to bypass the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. |
STIG | Date |
---|---|
Apple OS X 10.15 (Catalina) Security Technical Implementation Guide | 2022-06-06 |
Check Text ( C-26917r467822_chk ) |
---|
To check if the "tty_tickets" option is set for "/usr/bin/sudo", run the following command: /usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers If there is no result, this is a finding. |
Fix Text (F-26905r467823_fix) |
---|
Edit the "/etc/sudoers" file to contain the line: Defaults tty_tickets This line can be placed in the defaults section or at the end of the file. |