Jamf Nation Community

Hey @jimw you might want to review what the Jamf Professional Services team has already put together for implementing the CIS standard on macOS: https://github.com/jamfprofessionalservices/2016_JNUC_Security_Reporting_Compliance

If you feel like you need help with implementing this, contact your Jamf SE.

@jaharmi Thanks for the suggestion. Initial testing seems positive. Obviously, I would love to be able to append this line to the existing file, rather than replace the whole thing, but it looks promising. More testing will be conducted next week.

@mwoodruff Thank you very much for the link. I didn't realize this resource existed. This will definitely save some time with other parts of the project. However, the snippet of code I extracted regarding modifying the sudoers file doesn't seem to work.

# 5.3 Reduce the sudo timeout period
# Verify organizational score
Audit5_3="`defaults read "$plistlocation" OrgScore5_3`"
# If organizational score is 1 or true, check status of client
# If client fails, then remediate
if [ "$Audit5_3" = "1" ]; then
sudoTimeout=`cat /etc/sudoers | grep timestamp`
if [ "$sudoTimeout" = "" ]; then
    echo "Defaults timestamp_timeout=0" >> /etc/sudoers; else
    echo "5.3 passed"
fi
fi

I just passed the part of the script that was relevant and I'm getting a permissions denied error.

@LSinNY I just tried the /etc/sudoers.d/ drop in file and it seems to work. I'm going to package it all up and test it out further in our lab.

I'm assuming this is probably better practice than capturing and replacing the entire sudoers file, correct?

Yes @jimw that is correct.

Thanks everyone for the help! I think we got it all figured out.

Never liked the idea of sudo timeout. It only annoys administrators, and encourages them to sudo -s and stay elevated. ¯_(ツ)_/¯

@rtrouton posted a behavior change that's worth noting in macOS Sierra, even if not relevant on this thread. Blog link.

Thank you for the link. That is an interesting read. rtrouton's blog is always full of useful information!

I'm trying to work through this post as I have exactly the same need and found the solution posted but have created the file and dropped it to the sudoers.d folder but when I try and run sudo visudo to check the results, i get the following error:

>>> /private/etc/sudoers.d/defaults_timestamp_timeout: syntax error near line 1 <<<
sudo: parse error in ZTUM near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

The file only contained one line: Defaults timestamp_timeout=0 and I have the permission set to 644 root:wheel as suggested...

Can anyone share what is in the file they used or point out my mistake?

@Porkpie2310 I'm sorry about the delay. I meant to reply sooner, but I wasn't able to reproduce the error you received. Were you able to figure this one out? I tested out my package on both 10.12.6 and 10.13.3 and it appears to be working on both.

/private/etc/sudoers.d/defaults_timestamp_timeout

Defaults timestamp_timeout=0

Weirdly enough, my permissions are not set to the above suggested. I'm not sure what happened, but I'll have to double check my package when I get a moment. However, still appears to function correctly with the 600 root:wheel at the moment.

we're just getting around to trying to get this done and I'm getting all kinds of errors when using this method.
I'm wondering how the file "defaults_timestamp_timeout" was created. I did it with text editor and removed the file extension. I followed the rest of the steps successfully, deploying the file wasn't the problem.

EDIT: Never mind - I inadvertently created it as a .RTF file instead of a .TXT

Went the simple route for this with a script with the following command:

/bin/echo 'Defaults timestamp_timeout=0' | /usr/bin/sudo EDITOR='tee -a' visudo