id: insecure-sudo-timestamp

info:
  name: macOS Excessive Sudo Timestamp Timeout
  author: geeknik
  severity: medium
  description: |
    Checks if the sudo timestamp timeout is configured to an excessively long duration (100+ minutes).
  impact: |
    A long sudo timestamp can allow a user to execute commands with root privileges for an extended period of time without re-entering their password.
  remediation: |
    Set the sudo timestamp to a reasonable value to reduce the risk of unauthorized access.
  tags: macos,audit,local,security,sudo

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      grep -E "^Defaults.*timestamp_timeout=" /etc/sudoers

    matchers:
      - type: regex
        regex:
          # matches a value of 100 or more (three or more digits, no leading zero);
          # the special value -1 (timestamp never expires) is not matched by this pattern
          - "timestamp_timeout=([1-9][0-9]{2,})"
# digest: 4a0a00473045022056c70c9e83ca5b06dfd2d6f37d3fac472448c1684e5513de20f012e1c6d79207022100fa6c9d279661d23106d9c0c878ae249adb35cd312d45c18c3f9a6f098d8bf186:922c64590222798bb761d5b6d8e72950
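The template's grep/regex pair covers the common case; the POSIX sh audit below is an added example (not part of the template or the nuclei-templates project) that makes the same check more thorough: it skips commented-out lines, accepts `Defaults:user` forms and spaces around `=`, compares the value numerically against a threshold (assumed 100 minutes, as in the template), and also flags `-1`, which makes the sudo timestamp never expire. The function names and the sample sudoers fragment are constructed for this example.

```shell
# Added audit helper, not part of the nuclei template: flags sudoers timestamp_timeout
# values at or above THRESHOLD_MINUTES (assumed 100) and -1, which disables expiry.
THRESHOLD_MINUTES=100
# find_timeouts FILE...: print FILE:VALUE for every uncommented Defaults line
# that sets timestamp_timeout; tolerates "Defaults:user" and spaces around "=".
find_timeouts() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*Defaults/ && /timestamp_timeout[ \t]*=/ {
                line = $0
                sub(/#.*/, "", line)                 # strip trailing comment
                if (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+(\.[0-9]+)?/)) {
                    v = substr(line, RSTART, RLENGTH)
                    sub(/.*=[ \t]*/, "", v)          # keep only the number
                    print file ":" v
                }
            }' "$f"
    done
}
# is_insecure VALUE: exit 0 when VALUE is negative (never expires) or >= threshold
is_insecure() {
    awk -v v="$1" -v t="$THRESHOLD_MINUTES" 'BEGIN { exit !(v < 0 || v >= t) }'
}
# audit_sudoers FILE...: print each offending setting; exit 0 if any was found
audit_sudoers() {
    found=1
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        val=${entry##*:}
        if is_insecure "$val"; then
            echo "INSECURE: $entry (timestamp_timeout in minutes; -1 never expires)"
            found=0
        fi
    done <<EOF
$(find_timeouts "$@")
EOF
    return $found
}
# Demo on a constructed sudoers fragment; on a real host pass /etc/sudoers /etc/sudoers.d/*
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Defaults timestamp_timeout=999   (commented out, must be ignored)
Defaults    timestamp_timeout = 120    # two hours
Defaults:admin timestamp_timeout=-1
Defaults timestamp_timeout=5
EOF
audit_sudoers "$SAMPLE" || echo "no excessive sudo timestamp_timeout found"
rm -f "$SAMPLE"
```

The demo reports the 120-minute and -1 settings and ignores the commented-out and 5-minute lines; a non-zero exit from `audit_sudoers` means nothing was flagged.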