Puppet Class: cis_security_hardening::rules::sudo_timeout

Defined in:
manifests/rules/sudo_timeout.pp

Summary

Ensure sudo authentication timeout is configured correctly

Overview

sudo caches credentials after use, by default for 5 minutes. This makes it easier to perform several administrative tasks in a row. The timeout can be changed to suit local security policies.

Rationale: Setting a timeout value reduces the window of opportunity for another user to gain unauthorized privileged access.

Examples:

class { 'cis_security_hardening::rules::sudo_timeout':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.

  • timeout (Integer) (defaults to: 5)

    sudo timeout in minutes.



# File 'manifests/rules/sudo_timeout.pp', line 21

class cis_security_hardening::rules::sudo_timeout (
  Boolean $enforce = false,
  Integer $timeout = 5,
) {
  if $enforce {
    file_line { 'set sudo timeout':
      path               => '/etc/sudoers',
      match              => '^Defaults\s+timestamp_timeout=',
      line               => "Defaults timestamp_timeout=${timeout}",
      append_on_no_match => true,
    }
  }
}
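
The class manages a single `timestamp_timeout` line in `/etc/sudoers`, and its `match` regex only recognizes a `Defaults` line that sets this one option, so a check of the effective value should also read combined `Defaults` lines and any included files. The shell functions below are an added example, not part of the cis_security_hardening module. They assume the files are passed in the order sudo parses them and that the last global `Defaults` entry wins; the function names, the 15 minute limit and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not module code): report the effective sudo timestamp_timeout.

# effective_sudo_timeout FILE...
# FILEs must be given in the order sudo parses them (assumption). Prints the
# value from the last global "Defaults" line that sets timestamp_timeout, or
# 5 (sudo's built-in default) when none does. Handles combined lines such as
# "Defaults env_reset,timestamp_timeout=15". Scoped forms such as
# "Defaults:user" are not evaluated here.
effective_sudo_timeout() {
  awk '
    /^[ \t]*Defaults[ \t]/ {
      line = $0
      sub(/#.*/, "", line)                       # drop trailing comments
      if (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
        val = substr(line, RSTART, RLENGTH)
        sub(/^[^=]*=[ \t]*/, "", val)            # keep only the number
      }
    }
    END { print (val == "" ? "5" : val) }
  ' "$@"
}

# check_sudo_timeout MAX FILE...
# Returns 0 when the effective timeout lies in 0..MAX minutes. A negative
# value means the time stamp does not expire until reboot, so it fails.
check_sudo_timeout() {
  max=$1
  shift
  value=$(effective_sudo_timeout "$@")
  awk -v v="$value" -v m="$max" 'BEGIN { exit !(v >= 0 && v <= m) }'
}

# Demo on constructed files: the line this class writes, then a file parsed
# afterwards that disables expiry with a negative value.
demo=$(mktemp -d)
printf 'Defaults env_reset\nDefaults timestamp_timeout=5\n' > "$demo/sudoers"
printf 'Defaults env_reset,timestamp_timeout=-1 # legacy\n' > "$demo/90-legacy"
echo "main file only: $(effective_sudo_timeout "$demo/sudoers")"
echo "with drop-in:   $(effective_sudo_timeout "$demo/sudoers" "$demo/90-legacy")"
check_sudo_timeout 15 "$demo/sudoers" "$demo/90-legacy" \
  || echo "FAIL: effective timeout outside 0..15 minutes"
rm -rf "$demo"
```

On a real host, pass `/etc/sudoers` and the included files in the order the include directive places them.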