File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (63 lines) | stat: -rw-r--r-- 2,432 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
 
documentation_complete: true


title: 'Require Re-Authentication When Using the sudo Command'

description: |-
    The sudo <tt>timestamp_timeout</tt> tag sets the amount of time sudo password prompt waits.
    The default <tt>timestamp_timeout</tt> value is 5 minutes.
    The timestamp_timeout should be configured by making sure that the
    <tt>timestamp_timeout</tt> tag exists in
    <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
    in <tt>/etc/sudoers.d/</tt>.
    If the value is set to an integer less than 0, the user's time stamp will not expire
    and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

rationale: |-
    Without re-authentication, users may access resources or perform tasks for which they
    do not have authorization.
    <br /><br />
    When operating systems provide the capability to escalate a functional capability, it
    is critical that the user re-authenticate.

severity: medium

identifiers:
    cce@rhel8: CCE-87838-9
    cce@rhel9: CCE-90029-0
    cce@rhel10: CCE-88136-7
    cce@sle12: CCE-83231-1
    cce@sle15: CCE-85764-9
    cce@slmicro5: CCE-93716-9
    cce@slmicro6: CCE-94719-2

references:
    nist: IA-11
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
    stigid@ol7: OL07-00-010343
    stigid@ol8: OL08-00-010384
    stigid@sle12: SLES-12-010113
    stigid@sle15: SLES-15-020102

ocil_clause: 'timestamp_timeout is not set with the appropriate value for sudo'

ocil: |-
    Verify the operating system requires re-authentication
    when using the "sudo" command to elevate privileges, run the following command:
    <pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
    The output should be:
    <pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
    If conflicting results are returned, this is a finding.

fixtext: |-
    Configure {{{ full_name }}} to re-authenticate "sudo" commands after the specified timeout:

    Add the following line to "/etc/sudoers":

    Defaults timestamp_timeout={{{ xccdf_value("var_sudo_timestamp_timeout") }}}

    Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.

srg_requirement: '{{{ full_name }}} must require re-authentication when using the "sudo" command.'

platform: package[sudo]