mediumaccess-controlverified ✓
Ensure re-authentication for privilege escalation is not disabled globally
sudo-reauth-not-disabled · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The sudo timestamp_timeout should not be set to a negative value, which would disable re-authentication requirements entirely.
Rationale
Disabling sudo re-authentication by setting a negative timeout means users only need to authenticate once per session, reducing security.
Check → Remediate
Checkcommand
fail=0 # Check for negative timestamp_timeout (disables re-auth) timeout=$(sudo -V 2>/dev/null | grep -i 'timestamp timeout' | grep -oE '[-]?[0-9]+\.?[0-9]*' || echo "5") timeout_int=$(echo "$timeout" | cut -d. -f1) if [ "$timeout_int" -lt 0 ] 2>/dev/null; then echo "FAIL: timestamp_timeout is negative ($timeout), re-auth disabled" fail=1 fi # Check for !authenticate in sudoers if grep -rE '^\s*[^#].*!authenticate' /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then echo "FAIL: !authenticate found in sudoers" fail=1 fi # PAM sudo configuration is verified by sudoers-reauth-required; # standard RHEL uses "auth include system-auth" in /etc/pam.d/sudo, # so grepping for direct module lines here false-fails compliant hosts. [ "$fail" -eq 0 ] && echo "OK: re-authentication not disabled" exit $fail
- expected_exit:
- 0
Remediatemanual
- note:
- Remove negative timestamp_timeout values and !authenticate from sudoers. PAM configuration for sudo is covered separately by sudoers-reauth-required.
Framework references
CIS
rhel8 5.2.5rhel9 5.2.5
STIG
V-251712V-270707 / UBTU-24-300021
NIST 800-53
IA-11AC-6
Live verification
rhel8:checkrhel9:checkubuntu24:check
#sudo#authentication#timeout#privilege-escalation