1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
documentation_complete: true
title: 'Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty'
description: |-
The sudo <tt>use_pty</tt> tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the <tt>use_pty</tt> tag exists in
<tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
in <tt>/etc/sudoers.d/</tt>.
rationale: |-
Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing.
severity: medium
identifiers:
cce@rhel8: CCE-83798-9
cce@rhel9: CCE-83538-9
cce@rhel10: CCE-89073-1
cce@sle12: CCE-91499-4
cce@sle15: CCE-91190-9
cce@slmicro5: CCE-94074-2
references:
cis@sle12: 1.3.2
cis@sle15: 1.3.2
cis@slmicro5: 1.3.2
cis@ubuntu2004: 1.3.2
cis@ubuntu2204: 5.3.2
pcidss: Req-10.2.5
ocil_clause: 'use_pty is not enabled in sudo'
ocil: |-
To determine if <tt>use_pty</tt> has been configured for sudo, run the following command:
<pre>$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
name: sudo_defaults_option
vars:
option: use_pty
platform: package[sudo]
|
