Check: APPL-15-004060
Apple macOS 15 (Sequoia) STIG:
APPL-15-004060
(in version v1 r4)
Title
The macOS system must configure sudoers timestamp type. (Cat II impact)
Discussion
The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for a timestamp record type of tty. This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157
Check Content
Verify the macOS system is configured with the sudoers timestamp type with the following command:

/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/awk -F": " '/Type of authentication timestamp record/{print $2}'

If the result is not "tty", this is a finding.
Fix Text
Configure the macOS system with the sudoers timestamp type with the following command:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d; /!tty_tickets/d' '{}' \;
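The check and fix above are the STIG's own commands. The following is an added example, not part of the STIG text, that wraps the same awk filter and the same sed deletion into shell functions so the logic can be exercised against constructed sample input without root: it parses "sudo -V" output for the timestamp record type, reports pass/finding, and shows what the fix's sed expression removes from a sudoers fragment (the fix works by deleting any "timestamp_type" or "!tty_tickets" override so sudo's default of "tty" applies). The sample "sudo -V" lines and sudoers fragment are constructed for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example for APPL-15-004060; not the STIG's own script.

# Extract the timestamp record type from verbose `sudo -V` output on stdin,
# using the same awk filter as the STIG check.
timestamp_type_of() {
  awk -F": " '/Type of authentication timestamp record/{print $2}'
}

# Exit 0 (compliant) when the type is exactly "tty"; exit 1 (finding) otherwise.
# Reads `sudo -V` output on stdin.
stig_004060_status() {
  t=$(timestamp_type_of)
  [ "$t" = "tty" ]
}

# Apply the fix's sed deletions to sudoers text on stdin and emit the result.
# Same expression as the Fix Text, without -i so it also runs under GNU sed
# and does not modify any file; the real fix edits /etc/sudoers* in place.
strip_timestamp_overrides() {
  sed '/timestamp_type/d; /!tty_tickets/d'
}

# Run the actual check on this host (requires an admin account; not used below).
live_check() {
  /usr/bin/sudo /usr/bin/sudo -V | stig_004060_status
}

# Constructed sample of the relevant `sudo -V` lines (real output is much longer).
SAMPLE_GLOBAL='Sudoers policy plugin version 1.9.13p2
Type of authentication timestamp record: global
Authentication timestamp timeout: 5.0 minutes'
SAMPLE_TTY='Type of authentication timestamp record: tty'

# Constructed sudoers fragment carrying both overrides the fix removes.
SAMPLE_SUDOERS='Defaults timestamp_type=global
Defaults !tty_tickets
root ALL=(ALL) ALL'

# Demonstration when run directly.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_GLOBAL" | stig_004060_status && echo "pass" || echo "finding"
  printf '%s\n' "$SAMPLE_TTY"    | stig_004060_status && echo "pass" || echo "finding"
  printf '%s\n' "$SAMPLE_SUDOERS" | strip_timestamp_overrides
fi
```

Running the script with the "demo" argument prints "finding" for the global sample, "pass" for the tty sample, and a sudoers fragment reduced to its single rule line. After applying the real fix, rerun the STIG check command (or live_check) rather than trusting the sed output, since drop-in files under /etc/sudoers.d can also set timestamp_type.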
Additional Identifiers
Rule ID: SV-274880r1099901_rule
Vulnerability ID: V-274880
Group Title: SRG-OS-000373-GPOS-00156
Expert Comments
CCIs
Number | Definition
---|---
CCI-002038 | The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
CCI-004895 | Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication.
Controls
Number | Title
---|---
IA-11 | Re-authentication