Reduce the sudo timeout period

jimw
New Contributor III

Hi all!

We are looking for a way to reduce the sudo timeout period as recommended by the Center for Internet Security. The only solution we can find online is to manually edit with visudo and add:

Defaults timestamp_timeout=0

However, we were hoping to script this task and not disable SIP if possible. Has anyone accomplished something like this or am I asking the impossible?

Thanks,
Jim

1 ACCEPTED SOLUTION

Nix4Life
Valued Contributor

have you tried via /etc/sudoers.d?

Create a file "defaults_timestamp_timeout" with the contents:
Defaults timestamp_timeout = 0. then copy it to /etc/sudoers.d.
confirm permissions(644 root:wheel)

L

View solution in original post

13 REPLIES 13

jaharmi
Contributor

I used to override the entire /etc/sudoers file with Radmind. At the time, that worked perfectly fine, but YMMV. I used visudo to make the necessary edits one time only.

If you want to try this out, the rough test plan is:

  1. Set up a template system with Apple defaults.
  2. Edit /etc/sudoers with visudo.
  3. Capture, package, and deploy the modified /etc/sudoers.
  4. Test.

mwoodruff
New Contributor III
New Contributor III

Hey @jimw you might want to review what the Jamf Professional Services team has already put together for implementing the CIS standard on macOS: https://github.com/jamfprofessionalservices/2016_JNUC_Security_Reporting_Compliance

If you feel like you need help with implementing this, contact your Jamf SE.

jimw
New Contributor III

@jaharmi Thanks for the suggestion. Initial testing seems positive. Obviously, I would love to be able to append this line to the existing file, rather than replace the whole thing, but it looks promising. More testing will be conducted next week.

@mwoodruff Thank you very much for the link. I didn't realize this resource existed. This will definitely save some time with other parts of the project. However, the snippet of code I extracted regarding modifying the sudoers file doesn't seem to work.

# 5.3 Reduce the sudo timeout period
# Verify organizational score
Audit5_3="`defaults read "$plistlocation" OrgScore5_3`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_3" = "1" ]; then
sudoTimeout=`cat /etc/sudoers | grep timestamp`
if [ "$sudoTimeout" = "" ]; then
    echo "Defaults timestamp_timeout=0" >> /etc/sudoers; else
    echo "5.3 passed"
fi
fi

I just passed the part of the script that was relevant and I'm getting a permissions denied error.

Nix4Life
Valued Contributor

have you tried via /etc/sudoers.d?

Create a file "defaults_timestamp_timeout" with the contents:
Defaults timestamp_timeout = 0. then copy it to /etc/sudoers.d.
confirm permissions(644 root:wheel)

L

jimw
New Contributor III

@LSinNY I just tried the /etc/sudoers.d/ drop in file and it seems to work. I'm going to package it all up and test it out further in our lab.

I'm assuming this is probably better practice than capturing and replacing the entire sudoers file, correct?

Nix4Life
Valued Contributor

Yes @jimw that is correct.

jimw
New Contributor III

Thanks everyone for the help! I think we got it all figured out.

donmontalvo
Esteemed Contributor III

Never liked the idea of sudo timeout. It only annoys administrators, and encourages them to sudo -s and stay elevated. ¯_(ツ)_/¯

@rtrouton posted a behavior change that's worth noting in macOS Sierra, even if not relevant on this thread. Blog link.

--
https://donmontalvo.com

jimw
New Contributor III

Thank you for the link. That is an interesting read. rtrouton's blog is always full of useful information!

Porkpie2310
New Contributor

I'm trying to work through this post as I have exactly the same need and found the solution posted but have created the file and dropped it to the sudoers.d folder but when I try and run sudo visudo to check the results, i get the following error:

>>> /private/etc/sudoers.d/defaults_timestamp_timeout: syntax error near line 1 <<<
sudo: parse error in ZTUM near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

The file only contained one line: Defaults timestamp_timeout=0 and I have the permission set to 644 root:wheel as suggested...

Can anyone share what is in the file they used or point out my mistake?

jimw
New Contributor III

@Porkpie2310 I'm sorry about the delay. I meant to reply sooner, but I wasn't able to reproduce the error you received. Were you able to figure this one out? I tested out my package on both 10.12.6 and 10.13.3 and it appears to be working on both.

/private/etc/sudoers.d/defaults_timestamp_timeout

Defaults timestamp_timeout=0

Weirdly enough, my permissions are not set to the above suggested. I'm not sure what happened, but I'll have to double check my package when I get a moment. However, still appears to function correctly with the 600 root:wheel at the moment.

pinsent
New Contributor III

we're just getting around to trying to get this done and I'm getting all kinds of errors when using this method.
I'm wondering how the file "defaults_timestamp_timeout" was created. I did it with text editor and removed the file extension. I followed the rest of the steps successfully, deploying the file wasn't the problem.

EDIT: Never mind - I inadvertently created it as a .RTF file instead of a .TXT

jbutler47
Contributor II

Went the simple route for this with a script with the following command:

 

/bin/echo 'Defaults timestamp_timeout=0' | /usr/bin/sudo EDITOR='tee -a' visudo