← Rules Catalog
mediumaccess-controlunverifiedrollback-safe

Configure sudo authentication reauthentication timeout

sudo-timestamp-timeout · RHEL ≥ 8 · 1 impl

Description

The sudo timestamp_timeout must be set to 0 to require reauthentication for every sudo command. This prevents privilege escalation by ensuring each sudo invocation requires explicit authentication.

Rationale

The default sudo caching period allows subsequent sudo commands to execute without reauthentication. Setting timestamp_timeout=0 eliminates this window, requiring users to authenticate for every elevated command.

Check → Remediate

Checkcommand
grep -rE '^\s*Defaults.*timestamp_timeout\s*=' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -q 'timestamp_timeout\s*=\s*0'
expected_exit:
0
Remediatefile_content
path:
/etc/sudoers.d/00-kensa-timestamp
content:
Defaults timestamp_timeout=0
owner:
root
group:
root
mode:
0440

Framework references

NIST 800-53

IA-11AC-6
#sudo#authentication#timestamp#timeout