Apple macOS 15 (Sequoia) STIG Version Comparison
Apple macOS 15 (Sequoia) Security Technical Implementation Guide
Comparison
There are 12 differences between versions v1 r3 (April 2, 2025) (the "left" version) and v1 r5 (Oct. 1, 2025) (the "right" version).
Check APPL-15-004022 was added to the benchmark in the "right" version.
Text Differences
Title
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
Check Content
Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command:
/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes"
If the result is not "1", this is a finding.
Discussion
The file /etc/sudoers must include a timestamp_timeout of 0. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability or change user authenticators, it is critical that the user reauthenticate.
Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157
Fix
Configure the macOS system to require reauthentication when using "sudo" with the following command:
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
/bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp
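Added example (not part of the STIG text): a static pre-check that scans sudoers-style files for any timestamp_timeout setting other than 0, including per-user entries and negative values, which the sudoers manual defines as no expiry until reboot. The function name audit_timestamp_timeout and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG content): static audit of sudoers-style files.
# Prints one line per timestamp_timeout setting that is not 0 and returns 1
# on any finding, or when no unscoped "Defaults timestamp_timeout=0" exists.
# Only the name=value form is parsed.
audit_timestamp_timeout() {
    awk '
        /^[ \t]*#/ { next }    # comment lines, including #include directives
        /^[ \t]*Defaults/ && /timestamp_timeout[ \t]*=/ {
            val = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", val)  # keep text after "="
            sub(/[, \t].*/, "", val)     # cut at the next list item or space
            gsub(/"/, "", val)
            if (val !~ /^-?[0-9.]+$/ || val + 0 != 0) {
                # non-zero, negative (no expiry until reboot) or unparsable value
                printf "%s:%d: timestamp_timeout=%s is not 0\n", FILENAME, FNR, val
                bad = 1
            } else if ($1 == "Defaults") {
                global_zero = 1          # unscoped entry, applies to everyone
            }
        }
        END {
            if (!global_zero) {
                print "no unscoped Defaults timestamp_timeout=0 found"
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

# Constructed sample files standing in for /etc/sudoers and /etc/sudoers.d/*.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# Defaults timestamp_timeout=30' \
    'Defaults env_reset,timestamp_timeout=0' > "$demo/sudoers"
printf '%s\n' 'Defaults:alice timestamp_timeout=15' \
    'Defaults timestamp_timeout=-1' > "$demo/legacy"
audit_timestamp_timeout "$demo/sudoers" "$demo/legacy" || echo "finding"
```

This scan does not follow include directives or compute the effective value, so the "sudo -V" check above remains the pass/fail criterion.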