Require Re-Authentication When Using the sudo Command

Classification:

compliance

Description

The sudo timestamp_timeout option sets how long, in minutes, sudo keeps a successful authentication cached before it prompts for the password again. The built-in default is 5 minutes. Configure it by making sure a Defaults timestamp_timeout entry exists in /etc/sudoers or in a configuration snippet under /etc/sudoers.d/. Note that sudo applies the last matching Defaults entry it reads, and drop-in files are read after the main file at the include directive, so a snippet in /etc/sudoers.d/ silently overrides the value in /etc/sudoers. If the value is set to an integer less than 0, the user's time stamp never expires and the user is not asked to re-authenticate for privileged actions until the session is terminated; a value of 0 makes sudo prompt on every invocation.
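Because sudo honours the last Defaults entry it reads, a compliant /etc/sudoers can be undone by a single file under /etc/sudoers.d/. The POSIX shell audit below is an added example and not part of this rule's remediation content: it resolves the timestamp_timeout sudo will actually apply, in sudo's read order (main file first, then drop-ins in lexical order, skipping the names sudo ignores), and judges it against a ceiling. The function names, the 15-minute ceiling and the fixture files in the demo are this example's own choices, and only plain Defaults lines are considered, not the Defaults:user, Defaults@host or Defaults!command variants.

```shell
#!/bin/sh
# Added audit example: resolve the timestamp_timeout sudo will actually apply.
# sudo reads /etc/sudoers top to bottom and pulls in /etc/sudoers.d/* at the
# include directive, in lexical order; the LAST matching "Defaults" wins.
# Only plain "Defaults" lines are considered (not Defaults:user, Defaults@host
# or Defaults!cmd). Paths are parameters so copies and fixtures can be audited.

# Print the last timestamp_timeout value in read order; print nothing if the
# option is never set (sudo then uses its built-in default of 5 minutes).
sudo_timeout_effective() {
    main=$1
    dropin_dir=$2
    {
        [ -f "$main" ] && cat "$main"
        if [ -d "$dropin_dir" ]; then
            for f in "$dropin_dir"/*; do
                [ -f "$f" ] || continue
                # sudoers(5): names ending in ~ or containing a dot are ignored
                case "${f##*/}" in *~|*.*) continue ;; esac
                cat "$f"
            done
        fi
    } | sed -n -E \
        's/^[[:blank:]]*Defaults[[:blank:]]+([^#]*[[:blank:],])?timestamp_timeout[[:blank:]]*=[[:blank:]]*(-?[0-9]+(\.[0-9]+)?).*$/\2/p' \
      | tail -n 1
}

# Return 0 when the effective value is explicitly set, not negative and at most
# MAX minutes; otherwise print why it fails and return 1.
sudo_timeout_check() {
    main=$1
    dropin_dir=$2
    max=$3
    val=$(sudo_timeout_effective "$main" "$dropin_dir")
    if [ -z "$val" ]; then
        echo "FAIL: timestamp_timeout is not set explicitly (built-in default of 5 applies)"
        return 1
    fi
    # awk copes with the fractional values sudo accepts (e.g. 2.5) and with negatives
    if awk -v v="$val" -v m="$max" 'BEGIN { exit (v >= 0 && v <= m) ? 0 : 1 }'; then
        echo "PASS: timestamp_timeout=$val (ceiling $max)"
        return 0
    fi
    case "$val" in
        -*) echo "FAIL: timestamp_timeout=$val never expires the cached credential" ;;
        *)  echo "FAIL: timestamp_timeout=$val exceeds the ceiling of $max" ;;
    esac
    return 1
}

# With three arguments, audit the given paths; with none, run a constructed
# demo (not a real host's sudoers) of a hardened main file undone by a drop-in.
if [ "$#" -eq 3 ]; then
    sudo_timeout_check "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir "$demo/sudoers.d"
    printf 'Defaults env_reset\nDefaults timestamp_timeout=15\n' > "$demo/sudoers"
    printf 'Defaults timestamp_timeout=-1\n' > "$demo/sudoers.d/99-ops"
    sudo_timeout_check "$demo/sudoers" "$demo/sudoers.d" 15 || :   # FAIL: -1 never expires
    rm -rf "$demo"
fi
```

Run it without arguments for the built-in fixture, or as `sh audit.sh /etc/sudoers /etc/sudoers.d 15` on a host (reading /etc/sudoers requires root). The audit is deliberately stricter than the remediation's grep, which only looks at /etc/sudoers: the value that matters is the last one sudo sees.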

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

    var_sudo_timestamp_timeout='15'

    # Drop-ins are read after /etc/sudoers and the last Defaults wins, so remove
    # any timestamp_timeout set under /etc/sudoers.d/ before enforcing it in /etc/sudoers
    if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
        find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
    fi

    # Only touch /etc/sudoers if it parses cleanly to begin with
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        cp /etc/sudoers /etc/sudoers.bak
        if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
            # sudoers file doesn't define Option timestamp_timeout
            echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
        else
            # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
            if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
                sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
            fi
        fi

        # Check validity of sudoers and clean up the backup; a syntax error here
        # would lock everyone out of sudo, so revert rather than leave it broken
        if /usr/sbin/visudo -qcf /etc/sudoers; then
            rm -f /etc/sudoers.bak
        else
            echo "Failed to validate remediated /etc/sudoers, reverting to original file."
            mv /etc/sudoers.bak /etc/sudoers
            false
        fi
    else
        echo "Skipping remediation, /etc/sudoers failed to validate"
        false
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: XCCDF Value var_sudo_timestamp_timeout # promote to variable
  set_fact:
    var_sudo_timestamp_timeout: !!str 15
  tags:
    - always

- name: Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated
  find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
  register: sudoers_d_defaults_timestamp_timeout
  when: '"sudo" in ansible_facts.packages'
  tags:
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files
  lineinfile:
    path: '{{ item.path }}'
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
    state: absent
  with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
  when: '"sudo" in ansible_facts.packages'
  tags:
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
    line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option
  when: '"sudo" in ansible_facts.packages'
  tags:
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when:
    - '"sudo" in ansible_facts.packages'
    - edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
  tags:
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication