CCE-99122-4
Platform: cpe:/o:apple:mac_os_12 | Date: created 2022-05-31, modified 2023-07-04
Using tty tickets (timestamp_type=tty) ensures that a user must re-enter the sudo password in each Terminal session: the cached sudo authentication is tied to the tty on which it was entered rather than shared by every process running as that user.
In combination with removing the sudo timeout grace period (timestamp_timeout=0), this reduces the possibility of a background process reusing elevated rights that the user obtained by running sudo in a separate, explicit tty. Additional mitigation should still be in place to reduce the risk of privilege escalation by background processes, since tty tickets only narrow which processes can reuse a cached authentication.
This control should have no user impact. Developers or installers may have issues if background processes are spawned on a different tty or interface than the one where sudo was executed, because those processes will no longer inherit the cached authentication.
Fix:
Edit /etc/sudoers with visudo and remove !tty_tickets from any Defaults line. If there is a Defaults line that sets timestamp_type= to a value other than tty, change the value to tty. If a file in /etc/sudoers.d/ contains Defaults !tty_tickets, edit that file (visudo -f FILE) and remove !tty_tickets from any Defaults line. If a file in /etc/sudoers.d/ contains a Defaults line that sets timestamp_type= to a value other than tty, change the value to tty.
Parameter:
[tty]
Technical Mechanism:
Edit /etc/sudoers with visudo and remove !tty_tickets from any Defaults line. If there is a Defaults line that sets timestamp_type= to a value other than tty, change the value to tty. If a file in /etc/sudoers.d/ contains Defaults !tty_tickets, edit that file (visudo -f FILE) and remove !tty_tickets from any Defaults line. If a file in /etc/sudoers.d/ contains a Defaults line that sets timestamp_type= to a value other than tty, change the value to tty.
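The following shell script is an added example, not part of this CCE entry or of any Apple or sudo tooling. It implements the check and fix described above as two functions: audit_sudoers_file prints every Defaults line that disables tty tickets (a !tty_tickets option, or a timestamp_type other than tty) in a sudoers-format file, and fix_sudoers_file writes a corrected copy for review. The sample files are constructed here and are not taken from any real host; the function names, the temporary directory, and the choice to turn !tty_tickets into an explicit tty_tickets (rather than deleting the option, which would mean splicing comma-separated option lists) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the CCE entry or of sudo/Apple tooling).
# Audits sudoers-format files for the two settings this control forbids and
# writes a corrected copy. Sample files are constructed below; on a real host
# point the functions at /etc/sudoers and /etc/sudoers.d/*.

# Print every offending Defaults line as "file: line"; exit 1 if any is found.
audit_sudoers_file() {
  awk '
    /^[ \t]*#/ { next }                       # whole-line comment
    /^[ \t]*Defaults/ {                       # Defaults, Defaults:user, Defaults@host ...
      line = $0
      sub(/#.*/, "", line)                    # ignore a trailing comment
      if (line ~ /(^|[ \t,])!tty_tickets([ \t,]|$)/) {
        bad = 1; print FILENAME ": " $0
      }
      if (match(line, /timestamp_type[ \t]*=[ \t]*[A-Za-z_]+/)) {
        v = substr(line, RSTART, RLENGTH)
        sub(/.*=[ \t]*/, "", v)               # keep only the value
        if (v != "tty") { bad = 1; print FILENAME ": " $0 }
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Write a corrected copy of $1 to $2. Never edit /etc/sudoers in place: apply
# the result through visudo so the syntax is checked before it takes effect.
# "!tty_tickets" becomes an explicit "tty_tickets" (assumption of this example)
# so comma-separated option lists stay intact.
fix_sudoers_file() {
  awk '
    /^[ \t]*#/ { print; next }
    /^[ \t]*Defaults/ {
      gsub(/!tty_tickets/, "tty_tickets")
      gsub(/timestamp_type[ \t]*=[ \t]*[A-Za-z_]+/, "timestamp_type=tty")
    }
    { print }
  ' "$1" > "$2"
}

# Constructed sample files (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak" <<'EOF'
# constructed sample: the weak configuration this control fixes
Defaults env_reset
Defaults !tty_tickets, timestamp_timeout=0
Defaults:admin timestamp_type = global   # one timestamp shared by every tty
%admin ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/good" <<'EOF'
# constructed sample: compliant configuration
Defaults env_reset
Defaults tty_tickets, timestamp_timeout=0
Defaults timestamp_type=tty
%admin ALL=(ALL) ALL
EOF

echo "== weak sample =="
audit_sudoers_file "$SAMPLE_DIR/weak" || echo "(non-compliant)"
fix_sudoers_file "$SAMPLE_DIR/weak" "$SAMPLE_DIR/weak.fixed"
echo "== fixed copy =="
audit_sudoers_file "$SAMPLE_DIR/weak.fixed" && echo "(compliant)"
```

On a live macOS host, run audit_sudoers_file over /etc/sudoers and every file in /etc/sudoers.d/, apply any corrected copy through visudo (check a drop-in with visudo -c -f FILE before relying on it), and confirm the effective setting with sudo sudo -V | grep "Type of authentication timestamp record", which should report tty.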
CCSS Severity: HIGH
CCSS Score: 7.4
Exploit Score: 1.4
Impact Score: 5.9
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
SCAP Repo OVAL Definition: oval:org.secpod.oval:def:80556