1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
documentation_complete: true
title: 'Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty'
description: |-
The sudo <tt>requiretty</tt> tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the <tt>requiretty</tt> tag exists in
<tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
in <tt>/etc/sudoers.d/</tt>.
rationale: |-
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
severity: medium
identifiers:
cce@rhel8: CCE-83790-6
cce@rhel9: CCE-83539-7
cce@rhel10: CCE-90076-1
cce@sle12: CCE-91496-0
cce@sle15: CCE-91188-3
ocil_clause: 'requiretty is not enabled in sudo'
ocil: |-
To determine if <tt>requiretty</tt> has been configured for sudo, run the following command:
<pre>$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
name: sudo_defaults_option
vars:
option: requiretty
|
