This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.

STIG ID: APPL-14-004022  |  SRG: SRG-OS-000373-GPOS-00156  |  Severity: medium (CAT II)  |  CCI: CCI-004895, CCI-002038  |  Vulnerability Id: V-259555

Vulnerability Discussion

The file /etc/sudoers must include a timestamp_timeout of 0.

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability or change user authenticators, it is critical the user reauthenticate.

Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Check

Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command:

/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes"

If the result is not "1", this is a finding.

Fix

Configure the macOS system to require reauthentication when using "sudo" with the following command:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
/bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp
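As an added example that is not part of the STIG text, the following POSIX shell audit computes the effective timestamp_timeout from the sudoers files themselves, in the order sudo reads them, so it also catches a later /etc/sudoers.d entry overriding the line the fix appends to /etc/sudoers.d/mscp. It assumes only global Defaults lines set the option and that file paths contain no spaces.

```shell
# Added example (not from the STIG): derive the effective sudo timestamp_timeout
# from sudoers text instead of "sudo -V", so a backed-up or staged configuration
# can be audited too. "Defaults:user" and "Defaults@host" lines are skipped.

# List sudoers files in the order sudo reads them: the main file first, then the
# include directory in lexical order, skipping names sudo ignores (containing "."
# or ending in "~", such as editor backups). Paths are assumed to have no spaces.
sudoers_files() {
  main="$1"; dir="$2"
  [ -f "$main" ] && printf '%s\n' "$main"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "${f##*/}" in *.*|*~) continue ;; esac
    printf '%s\n' "$f"
  done | LC_ALL=C sort
}

# Print the last timestamp_timeout value set by a global Defaults line across the
# given files (later entries override earlier ones), or "unset" when none sets it,
# in which case sudo's compiled-in default applies (normally 5 minutes).
effective_timestamp_timeout() {
  [ "$#" -gt 0 ] || { echo unset; return 0; }
  awk '
    /^[ \t]*#/ { next }                 # comments, including #include directives
    /^Defaults[ \t]/ {                  # global Defaults only
      if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/.*=[ \t]*/, "", s)
        value = s
      }
    }
    END { print (value == "" ? "unset" : value) }
  ' "$@"
}

# Exit 0 only when the effective value is exactly 0; "unset" (5 minutes) and a
# negative value (the cached credential never expires) are both findings.
sudo_timeout_compliant() {
  case "$(effective_timestamp_timeout "$@")" in
    0|0.0) return 0 ;;
    *)     return 1 ;;
  esac
}

# Live audit; /etc/sudoers is root-readable only, so run this part as root.
if [ -r /etc/sudoers ]; then
  files=$(sudoers_files /etc/sudoers /etc/sudoers.d)
  sudo_timeout_compliant $files && echo "compliant" || echo "finding: timestamp_timeout=$(effective_timestamp_timeout $files)"
fi
```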