← Rules Catalog
mediumaccess-controlverified rollback-safe

Set sudo authentication timeout

sudo-timeout · RHEL ≥ 8 · 1 impl

Description

The timestamp_timeout option in sudoers configuration sets the number of minutes that can pass before sudo will ask for a password again. A value of 0 means always prompt for password.

Rationale

A short timeout reduces the window of opportunity for an attacker to use an already authenticated sudo session. A timeout of 5 minutes or less is recommended.

Check → Remediate

Checkcommand
grep -rPh '^\s*Defaults\s+.*timestamp_timeout=' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -E 'timestamp_timeout=([0-5]|0)([^0-9]|$)'
expected_exit:
0
Remediatefile_content
path:
/etc/sudoers.d/00-kensa-timeout
content:
Defaults timestamp_timeout=5
mode:
0440

Framework references

CIS

rhel8 5.2.6rhel9 5.2.6rhel10 5.2.6

STIG

V-281209 / RHEL-10-600540V-258084 / RHEL-09-432015V-237643

NIST 800-53

IA-11

Live verification

rhel8:checkrhel9:check
#sudo#privilege-escalation#authentication