mediumaccess-controlverified ✓rollback-safe
Set sudo authentication timeout
sudo-timeout · RHEL ≥ 8 · 1 impl
Description
The timestamp_timeout option in sudoers configuration sets the number of minutes that can pass before sudo will ask for a password again. A value of 0 means always prompt for password.
Rationale
A short timeout reduces the window of opportunity for an attacker to use an already authenticated sudo session. A timeout of 5 minutes or less is recommended.
Check → Remediate
Checkcommand
grep -rPh '^\s*Defaults\s+.*timestamp_timeout=' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -E 'timestamp_timeout=([0-5]|0)([^0-9]|$)'
- expected_exit:
- 0
Remediatefile_content
- path:
- /etc/sudoers.d/00-kensa-timeout
- content:
- Defaults timestamp_timeout=5
- mode:
- 0440
Framework references
CIS
rhel8 5.2.6rhel9 5.2.6rhel10 5.2.6
STIG
V-281209 / RHEL-10-600540V-258084 / RHEL-09-432015V-237643
NIST 800-53
IA-11
Live verification
rhel8:checkrhel9:check
#sudo#privilege-escalation#authentication