The macOS system must configure sudoers timestamp type.

STIG ID: APPL-14-004060  |  SRG: SRG-OS-000373-GPOS-00156 |  Severity: medium |  CCI: CCI-002038 |  Vulnerability Id: V-259559

Vulnerability Discussion

The file /etc/sudoers must not set a timestamp_type of global or ppid; the effective timestamp record type must be tty. Removing the directive is sufficient, because sudo's built-in default for timestamp_type is tty. The legacy "!tty_tickets" flag, which turns off per-tty timestamp records, must likewise be absent.

This rule ensures that the "sudo" command will prompt for the administrator's password at least once in
each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked
computer or an abandoned logon session by bypassing the normal password prompt requirement.

Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157

Check

Verify the sudoers timestamp type on the macOS system with the following command. "sudo -V" prints the effective Defaults settings only when run as root, which is why sudo is invoked twice:

/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/awk -F": " '/Type of authentication timestamp record/{print $2}'

If the result is not "tty", this is a finding.

Fix

Configure the sudoers timestamp type on the macOS system by removing every timestamp_type and "!tty_tickets" directive from /etc/sudoers and from any file matched under /etc/sudoers*, which leaves sudo's built-in default of tty in effect:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d; /!tty_tickets/d' '{}' \;

The command edits the files in place without visudo's syntax checking. After running it, confirm the files still parse with "/usr/sbin/visudo -c" and re-run the check above to confirm the reported type is "tty".
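The following script is an added example and is not part of the STIG text. It applies the same logic as the check and fix above to captured "sudo -V" output and to a copy of a sudoers file, so an auditor can exercise it without root and without editing /etc/sudoers in place. It assumes a POSIX sh with awk and sed in PATH (the STIG uses absolute /usr/bin paths on macOS); the sample "sudo -V" output and sudoers fragment are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example for APPL-14-004060 (not the STIG's own text).
# Assumptions: POSIX sh, awk and sed in PATH; sample data below is constructed.

# Print the timestamp record type from "sudo -V" output read on stdin.
# This is the STIG check's awk expression, reading stdin instead of a live sudo.
timestamp_type_from_sudo_v() {
    awk -F": " '/Type of authentication timestamp record/{print $2}'
}

# Exit 0 if the type read on stdin is "tty", 1 otherwise (a finding).
timestamp_type_compliant() {
    t=$(timestamp_type_from_sudo_v)
    [ "$t" = "tty" ]
}

# List the non-comment lines in a sudoers file ($1) that the STIG fix would
# delete: any timestamp_type directive (the fix removes all of them, even
# timestamp_type=tty, and relies on sudo's default of tty) and any
# !tty_tickets flag. Exit 1 if at least one such line exists.
sudoers_findings() {
    awk '!/^[[:space:]]*#/ && /timestamp_type|!tty_tickets/ {
             print FILENAME ":" NR ": " $0; n++
         }
         END { if (n) exit 1; exit 0 }' "$1"
}

# Apply the STIG's sed deletions to a copy: read $1, write the result to $2.
# Writing to a new path sidesteps the BSD "sed -i ''" vs GNU "sed -i" difference
# and keeps the original for diffing and for visudo -c before it is installed.
fix_sudoers_copy() {
    sed '/timestamp_type/d; /!tty_tickets/d' "$1" > "$2"
}

# Constructed sample "sudo -V" output showing a non-compliant host.
SAMPLE_SUDO_V='Sudo version 1.9.13p2
Sudoers policy plugin version 1.9.13p2
Type of authentication timestamp record: ppid
Authentication timestamp timeout: 5.0 minutes'

# Constructed sudoers fragment containing both directives the fix removes.
SAMPLE_SUDOERS='# constructed sudoers fragment
Defaults env_reset
Defaults timestamp_type=ppid
Defaults !tty_tickets
%admin ALL=(ALL) ALL'

# Run with "demo" as the first argument to walk through check, audit and fix.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SUDO_V" | timestamp_type_compliant \
        || echo "finding: timestamp type is not tty"
    orig=$(mktemp); fixed=$(mktemp)
    printf '%s\n' "$SAMPLE_SUDOERS" > "$orig"
    sudoers_findings "$orig" || echo "offending directives listed above"
    fix_sudoers_copy "$orig" "$fixed"
    sudoers_findings "$fixed" && echo "fixed copy contains no findings"
    rm -f "$orig" "$fixed"
fi
```

To audit a real host, replace the sample with `sudo sudo -V | timestamp_type_compliant` and point sudoers_findings at /etc/sudoers and each file under /etc/sudoers.d; install a fixed copy only after "visudo -c -f" on that copy succeeds.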