
5.3.6 Ensure sudo authentication timeout is configured correctly

Audit

Ensure that the caching timeout is no more than 15 minutes.

Example:

# grep -roP "timestamp_timeout=\K[0-9]*" /etc/sudoers*

If there is no timestamp_timeout configured in /etc/sudoers*, then the default is 15 minutes. This default can be checked with:

# sudo -V | grep "Authentication timestamp timeout:"

NOTE: A value of -1 means that the timeout is disabled. Depending on the configuration of the timestamp_type, this could mean for all terminals / processes of that user and not just that one single terminal session.
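As an added example that is not part of the benchmark text, the following POSIX shell script performs the audit above offline: it runs the same search over a sudoers file or directory, then classifies every timestamp_timeout value found as PASS (15 minutes or less), FAIL (larger), or DISABLED (-1). The function names and the constructed sample files are this example's own; the 15-minute limit is the benchmark's.

```shell
#!/bin/sh
# Added audit helper, not part of the benchmark text. It runs the same search as the
# Audit section over a sudoers file or directory, then classifies every value found:
# PASS (<= 15 minutes), FAIL (larger), or DISABLED (-1, cached credentials never expire).
MAX_MINUTES=15

# Classify a single timestamp_timeout value. sudo accepts fractional minutes,
# so the comparison is done in awk rather than with integer test(1).
classify_timeout() {
  case "$1" in
    -1) echo DISABLED ;;
    *)  if awk -v v="$1" -v m="$MAX_MINUTES" 'BEGIN { exit !(v + 0 <= m) }'; then
          echo PASS
        else
          echo FAIL
        fi ;;
  esac
}

# Scan a file or directory (e.g. /etc/sudoers or /etc/sudoers.d) recursively.
# Prints "file:value:verdict" per entry and returns 1 if any entry is not PASS.
# Prints NONE when no entry exists: the compiled-in default from `sudo -V` then applies.
audit_sudoers() {
  status=0
  entries=$(grep -rHoE 'timestamp_timeout=-?[0-9.]+' "$1" 2>/dev/null) || { echo NONE; return 0; }
  while IFS= read -r entry; do
    file=${entry%%:*}          # grep -H prefixes each match with its file name
    val=${entry##*=}           # everything after '=' is the configured value
    verdict=$(classify_timeout "$val")
    printf '%s:%s:%s\n' "$file" "$val" "$verdict"
    [ "$verdict" = PASS ] || status=1
  done <<EOF
$entries
EOF
  return $status
}

# Constructed sample configuration so the script runs offline; real systems use /etc/sudoers*.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/sudoers.d"
printf 'Defaults env_reset, timestamp_timeout=15\n' > "$SAMPLE_DIR/sudoers"
printf 'Defaults timestamp_timeout=60\n'           > "$SAMPLE_DIR/sudoers.d/ops"
printf 'Defaults timestamp_timeout=-1\n'           > "$SAMPLE_DIR/sudoers.d/admins"

audit_sudoers "$SAMPLE_DIR" || echo "At least one entry exceeds ${MAX_MINUTES} minutes or disables the timeout"
rm -rf "$SAMPLE_DIR"
```

Point audit_sudoers at /etc/sudoers and /etc/sudoers.d on a real host; a NONE result means the value printed by `sudo -V` is the one in effect.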

Remediation

If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples:

Defaults env_reset, timestamp_timeout=15
Defaults timestamp_timeout=15
Defaults env_reset