Profile Applicability:
• Level 1
Description:
Configuring sudo to use a pseudo-terminal (pty) ensures that all commands executed via sudo are run in a controlled terminal environment. This improves logging fidelity and prevents certain security issues related to input/output redirection.
Rationale:
Requiring pty usage for sudo commands enhances audit trails and mitigates risks associated with non-interactive command execution or session hijacking.
Impact:
Pros:
• Improves logging and auditing of sudo command executions.
• Enhances security by controlling the command execution environment.
Cons:
• May cause compatibility issues with some automated scripts or applications.
Default Value:
Depending on the sudo version and configuration, pty may or may not be required by default.
Pre-requisites:
Root or sudo privileges to modify sudoers configuration.
Remediation:
Test Plan:
Using Linux command line:
Check sudoers configuration for requiretty or equivalent:
sudo grep -r requiretty /etc/sudoers /etc/sudoers.d/
Verify that requiretty is set or that pty is enforced.
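A plain grep also matches commented-out lines, negated entries (!requiretty) and Defaults scoped to a single user or host, so a hit does not prove the setting is in effect. The following is an added example, not part of the original benchmark text: a hypothetical helper, sudoers_flag_state, that reports the effective state of a boolean flag across global Defaults lines, run here on constructed sample files. It works for any boolean sudoers flag, including use_pty, the sudoers flag that runs the command in a pseudo-terminal.

```bash
#!/usr/bin/env bash
# Added example (not from the benchmark): effective state of a boolean
# sudoers flag across global "Defaults" lines. sudoers_flag_state is a
# hypothetical helper name. Pass files in the order sudo reads them;
# include directives and backslash line continuations are not followed.

sudoers_flag_state() {
    local flag=$1; shift
    awk -v flag="$flag" '
        /^[ \t]*#/ { next }                  # skip whole-line comments
        /^[ \t]*Defaults[ \t]/ {             # global Defaults only, not Defaults:user etc.
            sub(/#.*/, "")                   # drop a trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o == flag)         state = "enabled"
                if (o == ("!" flag))   state = "disabled"   # later entries override earlier ones
            }
        }
        END { print (state == "" ? "unset" : state) }
    ' "$@"
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d)
printf '%s\n' '#Defaults requiretty' 'Defaults env_reset, requiretty' > "$demo/sudoers"
printf '%s\n' 'Defaults:deploy !requiretty' 'Defaults !requiretty'   > "$demo/90-override"

sudoers_flag_state requiretty "$demo/sudoers"                       # enabled
sudoers_flag_state requiretty "$demo/sudoers" "$demo/90-override"   # disabled
rm -rf "$demo"
```

On a real host, run it as root against /etc/sudoers followed by the files in /etc/sudoers.d in lexical order.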
Implementation Plan:
Using Linux command line:
Edit the sudoers file safely using visudo:
visudo
Add or ensure the following line is present to require pty:
Defaults requiretty
Save and exit visudo.
Backout Plan:
Using Linux command line:
Remove or comment out the Defaults requiretty line if necessary.
Save changes using visudo and test sudo functionality.
References: