Profile Applicability:
• Level 1
Description:
The sudo authentication timeout controls the duration a user can execute sudo commands without re-entering their password. Configuring this timeout correctly balances usability with security by limiting the window for unauthorized privileged access.
Rationale:
A properly configured timeout reduces the risk of unauthorized use of sudo privileges while minimizing frequent password prompts for legitimate users.
Impact:
Pros:
Enhances security by requiring timely re-authentication.
Supports user convenience by allowing brief password caching.
Cons:
Setting too short a timeout may inconvenience users.
Setting too long a timeout may increase security risks.
Default Value:
Defaults vary; often the timeout is set to 5 minutes.
Pre-requisites:
Root or sudo privileges to modify sudoers configuration.
Remediation:
Test Plan:
Using Linux command line:
- Check the sudoers configuration for timestamp_timeout (recursing into /etc/sudoers.d so the files are read with root privileges instead of being expanded by the unprivileged shell's glob):
sudo grep -r timestamp_timeout /etc/sudoers /etc/sudoers.d/
Verify the timeout value is appropriate (e.g., between 0 and 15 minutes).
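As an added example (not part of the benchmark), a POSIX shell audit that parses sudoers text for every active timestamp_timeout directive and checks it against the 0 to 15 minute range used in the test plan; the sample sudoers text is constructed, and the 15-minute ceiling and the PASS/FAIL wording are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the CIS benchmark. Checks every uncommented
# timestamp_timeout directive in sudoers text against a 0..15 minute range.
MAX_TIMEOUT_MIN=15   # upper bound taken from the test plan (assumption)

# Print the value of every active timestamp_timeout directive found on stdin,
# one per line. Matches "Defaults", "Defaults:user" and "Defaults@host" lines
# and comma-separated option lists; commented-out lines are skipped.
timestamp_timeout_values() {
    sed -n 's/^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9.]*\).*/\1/p'
}

# Return 0 when the value is a number within 0..MAX_TIMEOUT_MIN, else 1.
# A negative value tells sudo never to expire the cached credential and 0
# forces a password on every sudo call, so both ends of the range matter.
check_timeout_value() {
    awk -v v="$1" -v max="$MAX_TIMEOUT_MIN" \
        'BEGIN { ok = (v+0 == v && v >= 0 && v <= max); exit ok ? 0 : 1 }'
}

# Audit sudoers text on stdin: report each directive, return 1 if any fails.
audit_sudoers() {
    status=0
    found=0
    for v in $(timestamp_timeout_values); do
        found=1
        if check_timeout_value "$v"; then
            echo "PASS: timestamp_timeout=$v is within 0..$MAX_TIMEOUT_MIN minutes"
        else
            echo "FAIL: timestamp_timeout=$v is outside 0..$MAX_TIMEOUT_MIN minutes"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || echo "INFO: no timestamp_timeout directive; sudo's compiled-in default applies"
    return "$status"
}

# Constructed sample sudoers text (not a real configuration).
SAMPLE_SUDOERS='Defaults env_reset,timestamp_timeout=30
# Defaults timestamp_timeout=-1
Defaults:deploy timestamp_timeout = 10
'

# Demo on the sample: the 30-minute entry is reported as FAIL.
printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers || true
# On a live system (as root): cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers
```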
Implementation Plan:
Using Linux command line:
- Edit sudoers file safely using visudo:
visudo
- Set or update the timestamp_timeout directive, for example:
Defaults timestamp_timeout=5
Save changes.
Backout Plan:
Using Linux command line:
Using visudo, set timestamp_timeout back to its previous value (or another appropriate value).
Verify sudo authentication behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
sudoers Manual