mediumaccess-controlunverifiedrollback-safe
Configure sudo authentication reauthentication timeout
sudo-timestamp-timeout · RHEL ≥ 8 · 1 impl
Description
The sudo timestamp_timeout must be set to 0 to require reauthentication for every sudo command. This prevents privilege escalation by ensuring each sudo invocation requires explicit authentication.
Rationale
The default sudo caching period allows subsequent sudo commands to execute without reauthentication. Setting timestamp_timeout=0 eliminates this window, requiring users to authenticate for every elevated command.
Check → Remediate
Checkcommand
grep -rE '^\s*Defaults.*timestamp_timeout\s*=' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -q 'timestamp_timeout\s*=\s*0'
- expected_exit:
- 0
Remediatefile_content
- path:
- /etc/sudoers.d/00-kensa-timestamp
- content:
- Defaults timestamp_timeout=0
- owner:
- root
- group:
- root
- mode:
- 0440
Framework references
NIST 800-53
IA-11AC-6
#sudo#authentication#timestamp#timeout