CCE

CCE-99122-4

Platform: cpe:/o:apple:mac_os_12
Date: (C)2022-05-31   (M)2023-07-04



Using tty tickets ensures that a user must enter the sudo password separately in each Terminal session. Combined with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights while a user has elevated to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation by background processes. This control should have no user impact, although developers or installers may have issues if background processes are spawned with a different interface from the one where sudo was executed.


Parameter:

[tty]


Technical Mechanism:

Edit the /etc/sudoers file with visudo and remove !tty_tickets from any Defaults line. If there is a Defaults line with timestamp_type= set to a value other than tty, change the value to tty. If a file in the /etc/sudoers.d/ folder contains Defaults !tty_tickets, edit that file and remove !tty_tickets from any Defaults line. If a file in the /etc/sudoers.d/ folder contains a Defaults line with timestamp_type= set to a value other than tty, change the value to tty.
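The following audit helper is an added example, not SecPod's OVAL check and not part of this CCE record. It reads sudoers-format text (a main file plus a drop-in directory, paths passed as arguments) and reports the two non-compliant conditions the mechanism above describes: an uncommented Defaults line carrying !tty_tickets, and a Defaults line setting timestamp_type= to anything other than tty. It never modifies a file; the demonstration runs on constructed sample content in a temporary directory, first in the weak state and then in the corrected state.

```shell
#!/bin/sh
# Added audit helper (not SecPod's check): report sudoers settings that
# disable per-tty sudo tickets. Read-only; assumed layout is one main file
# plus a drop-in directory, both given on the command line.

# check_sudoers_file FILE
# Returns 0 when FILE has neither "Defaults ... !tty_tickets" nor a
# "Defaults ... timestamp_type=<value>" with a value other than tty.
# Only uncommented Defaults lines count: "[^#]*" cannot cross a "#", so a
# setting that appears after a trailing comment marker is ignored.
check_sudoers_file() {
    sf="$1"
    file_rc=0
    if grep -Eq '^[[:space:]]*Defaults[^#]*!tty_tickets' "$sf"; then
        echo "$sf: Defaults line contains !tty_tickets"
        file_rc=1
    fi
    # Extract every timestamp_type value on uncommented Defaults lines.
    for v in $(sed -nE 's/^[[:space:]]*Defaults[^#]*timestamp_type[[:space:]]*=[[:space:]]*([A-Za-z_]+).*/\1/p' "$sf"); do
        if [ "$v" != "tty" ]; then
            echo "$sf: timestamp_type=$v (expected tty)"
            file_rc=1
        fi
    done
    return $file_rc
}

# check_sudoers_tree MAIN_FILE DROPIN_DIR
# Applies check_sudoers_file to the main file and to every regular file in
# the drop-in directory; returns 0 only when all of them pass.
check_sudoers_tree() {
    tree_rc=0
    if [ -f "$1" ]; then
        check_sudoers_file "$1" || tree_rc=1
    fi
    if [ -d "$2" ]; then
        for path in "$2"/*; do
            [ -f "$path" ] || continue
            check_sudoers_file "$path" || tree_rc=1
        done
    fi
    return $tree_rc
}

# Demonstration on constructed sample files (not taken from any real host).
demo() {
    d=$(mktemp -d)
    mkdir "$d/sudoers.d"
    # Weak state: tty tickets disabled in the main file, global timestamps in a drop-in.
    printf 'Defaults env_reset\nDefaults !tty_tickets\n' > "$d/sudoers"
    printf 'Defaults timestamp_type=global\n' > "$d/sudoers.d/10-timestamps"
    echo "--- before fix ---"
    check_sudoers_tree "$d/sudoers" "$d/sudoers.d" || echo "NON-COMPLIANT"
    # Corrected state as the Technical Mechanism describes; a commented-out
    # line is left in place to show that it is ignored.
    printf 'Defaults env_reset\n' > "$d/sudoers"
    printf 'Defaults timestamp_type=tty\n# Defaults !tty_tickets (commented out)\n' > "$d/sudoers.d/10-timestamps"
    echo "--- after fix ---"
    check_sudoers_tree "$d/sudoers" "$d/sudoers.d" && echo "COMPLIANT"
    rm -rf "$d"
}
demo
```

On a real host the same functions can be pointed at /etc/sudoers and /etc/sudoers.d/ (reading them requires root); the exit status makes the check usable from a configuration-management or monitoring job, while the printed lines name the file that needs the visudo edit.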

CCSS Severity:
  CCSS Score: 7.4
  Exploit Score: 1.4
  Impact Score: 5.9
  Severity: HIGH
  Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality: HIGH
  Integrity: HIGH
  Availability: HIGH

References:
  Resource Id                  Reference
  SCAP Repo OVAL Definition    oval:org.secpod.oval:def:80556


OVAL (1): oval:org.secpod.oval:def:80556
XCCDF (1): xccdf_org.secpod_benchmark_general_Mac_OS_12

© SecPod Technologies