5.2.2 Ensure sudo commands use pty

Audit

Verify that sudo can only run other commands from a pseudo terminal. Run the following command to verify Defaults use_pty is set:

# grep -rPi -- '^\h*Defaults\h+([^#\n\r]+,\h*)?use_pty\b' /etc/sudoers*

Verify the output matches:

/etc/sudoers:Defaults use_pty

Run the following command to verify Defaults !use_pty is not set:

# grep -rPi -- '^\h*Defaults\h+([^#\n\r]+,\h*)?!use_pty\b' /etc/sudoers*

Nothing should be returned.

Remediation

Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f and add the following line:

Defaults use_pty

Edit the file /etc/sudoers with visudo and any files in /etc/sudoers.d/ with visudo -f and remove any occurrence of !use_pty.

Note:

- sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character, to avoid causing problems with package manager or editor temporary/backup files.
- Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
- Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
- Using a consistent number of leading zeroes in the file names avoids such problems.
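The following script is an added example, not part of the benchmark text or of sudo itself. It ties the Audit section and the note above together: effective_sudoers_files lists the files sudo actually parses (sudoers first, then sudoers.d entries in lexical order, skipping names that end in ~ or contain a dot), and audit_use_pty applies the page's two checks to exactly those files, using POSIX ERE equivalents of the page's PCRE patterns (\h becomes [[:blank:]] and \b becomes "followed by a non-word character or end of line"). The functions take a directory standing in for /etc so they can be tried against a constructed tree; make_tree builds such a tree with constructed, hypothetical file contents, including a 1_whoops file that lands after 10_second.

```shell
#!/bin/sh
# Added example (not from the CIS page or sudo): audit a sudoers tree for
# "Defaults use_pty" and show the order sudo reads /etc/sudoers.d entries.
# $1 is a directory standing in for /etc (for example a temp dir).

# Files sudo reads, in parse order: the main sudoers file, then sudoers.d
# entries in lexical (byte) order. Names ending in '~' or containing a '.'
# are skipped, as the benchmark note states.
effective_sudoers_files() {
    etc="$1"
    [ -f "$etc/sudoers" ] && printf '%s\n' "$etc/sudoers"
    [ -d "$etc/sudoers.d" ] || return 0
    for f in "$etc"/sudoers.d/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *~|*.*) continue ;;
        esac
        printf '%s\n' "$f"
    done | LC_ALL=C sort
}

# POSIX ERE equivalents of the page's PCRE patterns.
USE_PTY_RE='^[[:blank:]]*Defaults[[:blank:]]+([^#]+,[[:blank:]]*)?use_pty([^[:alnum:]_]|$)'
NO_PTY_RE='^[[:blank:]]*Defaults[[:blank:]]+([^#]+,[[:blank:]]*)?!use_pty([^[:alnum:]_]|$)'

# Returns 0 when use_pty is set in at least one file sudo reads and !use_pty
# appears in none of them; otherwise 1. Findings are printed one per line.
# Paths under /etc carry no whitespace, so plain word splitting is fine here.
audit_use_pty() {
    etc="$1"
    set_count=0 neg_count=0
    for f in $(effective_sudoers_files "$etc"); do
        if grep -Eiq -- "$USE_PTY_RE" "$f"; then
            echo "use_pty set in $f"; set_count=$((set_count + 1))
        fi
        if grep -Eiq -- "$NO_PTY_RE" "$f"; then
            echo "!use_pty found in $f"; neg_count=$((neg_count + 1))
        fi
    done
    if [ "$set_count" -gt 0 ] && [ "$neg_count" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed sudoers tree for trying the functions above (hypothetical
# contents). $2 = "yes" builds a compliant tree; anything else adds a file
# sudo reads that switches use_pty back off with "!use_pty".
make_tree() {
    etc="$1"
    mkdir -p "$etc/sudoers.d"
    printf 'Defaults env_reset\nDefaults use_pty\n#includedir /etc/sudoers.d\n' > "$etc/sudoers"
    printf 'Defaults env_keep += "EDITOR"\n' > "$etc/sudoers.d/01_first"
    printf 'Defaults use_pty\n' > "$etc/sudoers.d/10_second"
    printf '# parsed after 10_second: the order is lexical, not numeric\n' > "$etc/sudoers.d/1_whoops"
    # Ignored by sudo (name contains '.' / ends in '~'), so not audited here.
    printf 'Defaults !use_pty\n' > "$etc/sudoers.d/10_second.bak"
    printf 'Defaults !use_pty\n' > "$etc/sudoers.d/10_second~"
    if [ "$2" != yes ]; then
        printf 'Defaults env_reset, !use_pty\n' > "$etc/sudoers.d/20_override"
    fi
}

# Stand-alone run against a compliant constructed tree, then a failing one.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_tree "$d" yes; effective_sudoers_files "$d"; audit_use_pty "$d" && echo PASS
    rm -rf "$d"
    d=$(mktemp -d)
    make_tree "$d" no; audit_use_pty "$d" || echo FAIL
    rm -rf "$d"
fi
```

Run it as `sh script.sh demo` against the constructed trees, or call `audit_use_pty /etc` on a real host. One deliberate difference from the page: the benchmark's grep -r over /etc/sudoers* also reports editor and package-manager leftovers such as 10_second.bak, which sudo itself never reads; this audit filters those out, so a clean result here still leaves such stale files to delete before the benchmark check comes back empty.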