Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Classification: compliance


Description

The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user’s terminal after the main program has finished executing.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

    if /usr/sbin/visudo -qcf /etc/sudoers; then
        cp /etc/sudoers /etc/sudoers.bak
        # Only /etc/sudoers is inspected here; a use_pty setting that lives in a
        # snippet under /etc/sudoers.d/ is not detected by this check.
        if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then
            # sudoers file doesn't define Option use_pty
            echo "Defaults use_pty" >> /etc/sudoers
        fi

        # Check validity of sudoers and cleanup bak
        if /usr/sbin/visudo -qcf /etc/sudoers; then
            rm -f /etc/sudoers.bak
        else
            echo "Fail to validate remediated /etc/sudoers, reverting to original file."
            mv /etc/sudoers.bak /etc/sudoers
            false
        fi
    else
        echo "Skipping remediation, /etc/sudoers failed to validate"
        false
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
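The remediation script only looks at /etc/sudoers, while the description notes that the tag may equally live in a snippet under /etc/sudoers.d/. The following POSIX shell audit is an added example, not part of this page or of the remediation content it reproduces: it checks both locations, does not count commented-out lines, trailing comments or the negated form `Defaults !use_pty` as a pass, and skips drop-in file names that sudo itself ignores (names containing a dot or ending in `~`, per sudoers(5)). The function names, the RUN_AUDIT guard and the sample files used below are my own assumptions.

```shell
#!/bin/sh
# Added audit for the sudo use_pty Defaults option (example code, not from
# the original page). Checks /etc/sudoers and every active snippet in
# /etc/sudoers.d/; paths are parameters so it can be run against test files.

# has_use_pty FILE...
# Returns 0 if any given file has an active, uncommented "Defaults" line
# that enables use_pty; returns 1 otherwise.
has_use_pty() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Matches "Defaults use_pty" and list forms such as
        # "Defaults env_reset, use_pty, mail_badpass". It does not match a
        # leading "#", a trailing "# use_pty" comment (the optional group may
        # not contain "#"), or the negation "Defaults !use_pty" (the option
        # must be preceded by whitespace or a comma, never by "!").
        if grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*[,[:space:]])?use_pty([[:space:]]|,|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# audit_sudoers [SUDOERS_FILE] [DROPIN_DIR]
# Prints PASS/FAIL and returns 0 when use_pty is configured in the main
# file or in any snippet sudo would actually read from the drop-in directory.
audit_sudoers() {
    sudoers="${1:-/etc/sudoers}"
    dropin="${2:-/etc/sudoers.d}"
    set -- "$sudoers"
    if [ -d "$dropin" ]; then
        for f in "$dropin"/*; do
            # sudo's includedir skips names containing "." or ending in "~"
            # (editor backups, package leftovers such as "*.bak", "*.dpkg-new").
            case "${f##*/}" in
                *.*|*~) continue ;;
            esac
            if [ -f "$f" ]; then
                set -- "$@" "$f"
            fi
        done
    fi
    if has_use_pty "$@"; then
        echo "PASS: use_pty is enabled in sudoers configuration"
        return 0
    fi
    echo "FAIL: use_pty is not set in $sudoers or in $dropin"
    return 1
}

# Stand-alone use (my own convention for this example):
#   RUN_AUDIT=1 sh audit_use_pty.sh [/etc/sudoers] [/etc/sudoers.d]
if [ -n "${RUN_AUDIT:-}" ]; then
    audit_sudoers "$@"
fi
```

Reading /etc/sudoers normally requires root, so run the audit with the same privileges the remediation needs; a permission-denied grep is reported as FAIL rather than PASS, which is the safe direction for a compliance check.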

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2.1.5
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_use_pty

- name: Ensure use_pty is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\buse_pty\b.*$
    line: Defaults use_pty
    # visudo validates the candidate file before it replaces /etc/sudoers
    validate: /usr/sbin/visudo -cf %s
  when: '"sudo" in ansible_facts.packages'
  tags:
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2.1.5
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_use_pty