← Rules Catalog
mediumaccess-controlverified

Ensure re-authentication for privilege escalation is not disabled globally

sudo-reauth-not-disabled · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The sudo timestamp_timeout should not be set to a negative value, which would disable re-authentication requirements entirely.

Rationale

Disabling sudo re-authentication by setting a negative timeout means users only need to authenticate once per session, reducing security.

Check → Remediate

Checkcommand
fail=0
# Check for negative timestamp_timeout (disables re-auth)
timeout=$(sudo -V 2>/dev/null | grep -i 'timestamp timeout' | grep -oE '[-]?[0-9]+\.?[0-9]*' || echo "5")
timeout_int=$(echo "$timeout" | cut -d. -f1)
if [ "$timeout_int" -lt 0 ] 2>/dev/null; then
  echo "FAIL: timestamp_timeout is negative ($timeout), re-auth disabled"
  fail=1
fi
# Check for !authenticate in sudoers
if grep -rE '^\s*[^#].*!authenticate' /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
  echo "FAIL: !authenticate found in sudoers"
  fail=1
fi
# PAM sudo configuration is verified by sudoers-reauth-required;
# standard RHEL uses "auth include system-auth" in /etc/pam.d/sudo,
# so grepping for direct module lines here false-fails compliant hosts.
[ "$fail" -eq 0 ] && echo "OK: re-authentication not disabled"
exit $fail
expected_exit:
0
Remediatemanual
note:
Remove negative timestamp_timeout values and !authenticate from sudoers. PAM configuration for sudo is covered separately by sudoers-reauth-required.

Framework references

CIS

rhel8 5.2.5rhel9 5.2.5

STIG

V-251712V-270707 / UBTU-24-300021

NIST 800-53

IA-11AC-6

Live verification

rhel8:checkrhel9:checkubuntu24:check
#sudo#authentication#timeout#privilege-escalation