Profile Applicability:
• Level 1
Description:
Ensuring that re-authentication for privilege escalation is not disabled globally enforces that users must authenticate each time they attempt to escalate privileges, enhancing security by preventing unauthorized persistent access.
Rationale:
Requiring repeated authentication reduces risks from unattended sessions or compromised credentials by limiting the duration privileged access is granted without user verification.
Impact:
Pros:
Enhances security by enforcing strict privilege escalation controls.
Limits potential misuse of elevated privileges.
Cons:
May increase user prompts for password entry, potentially impacting convenience.
Default Value:
Systems may be configured to cache authentication for a period, but global disabling of re-authentication weakens security.
Pre-requisites:
Root or sudo privileges to modify PAM and sudoers configuration.
Remediation:
Test Plan:
Using Linux command line:
- Check the sudoers files (including drop-ins under /etc/sudoers.d) and the PAM configuration for authentication caching or disabled re-authentication:
sudo grep -rE 'timestamp_timeout|authenticate' /etc/sudoers /etc/sudoers.d /etc/pam.d
Verify that timestamp_timeout is not set to 0 or a negative value that disables re-authentication, and that no uncommented "!authenticate" entry is present.
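An added audit helper for the test plan above (example code, not from the benchmark or the sudo project): it scans sudoers-style files for active Defaults lines that switch off re-authentication and runs against constructed sample files in a scratch directory rather than the real /etc/sudoers.

```shell
#!/bin/sh
# Added example, not part of the benchmark or of sudo itself.
# Reports active (uncommented) Defaults lines that turn off re-authentication:
#   - "!authenticate"              : no password is ever requested
#   - a negative timestamp_timeout : sudoers(5) never expires the cached credential
# A timestamp_timeout of 0 makes sudo prompt on every use, so it is not reported.

# audit_sudoers FILE...  -> prints "file: offending line" per finding,
#                           returns 1 if anything was found, 0 otherwise
audit_sudoers() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Strip comments, keep Defaults lines only, then match the weak settings
        hits=$(sed 's/#.*$//' "$f" \
            | grep -E '^[[:space:]]*Defaults' \
            | grep -E '!authenticate|timestamp_timeout[[:space:]]*=[[:space:]]*-[0-9]' || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|$f: |"
        fi
    done
    return $found
}

# Number of findings for a set of files
count_findings() {
    audit_sudoers "$@" | wc -l | tr -d ' '
}

# Constructed sample files standing in for /etc/sudoers and /etc/sudoers.d/*
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudoers" <<'EOF'
# Defaults !authenticate        <- commented out, must not be reported
Defaults env_reset
Defaults timestamp_timeout=5
EOF
cat > "$demo_dir/weak" <<'EOF'
Defaults timestamp_timeout=-1
Defaults:deploy !authenticate
EOF

audit_sudoers "$demo_dir/sudoers" "$demo_dir/weak" \
    || echo "re-authentication is disabled in at least one file"
```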
Implementation Plan:
Using Linux command line:
1. Edit sudoers file safely using visudo:
visudo
2. Set timestamp_timeout to a positive value, for example:
Defaults timestamp_timeout=5
3. Verify PAM configuration does not disable authentication prompts.
4. Save changes.
Backout Plan:
Using Linux command line:
Modify timestamp_timeout or PAM settings to previous values if needed.
Verify sudo and authentication behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
sudoers Manual