1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
documentation_complete: true
title: 'Set Interactive Session Timeout'
description: |-
Setting the <tt>TMOUT</tt> option in <tt>/etc/profile</tt> ensures that
all user sessions will terminate based on inactivity. A value of <tt>0</tt> (zero)
disables the automatic logout feature and is therefore not a compliant setting.
The value of TMOUT should be a positive integer, exported, and read only.
The <tt>TMOUT</tt>
{{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
setting in <tt>/etc/profile.d/autologout.sh</tt> should read as follows:
<pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
readonly TMOUT
export TMOUT
{{% elif "ubuntu" in product %}}
setting in a file loaded by <tt>/etc/profile</tt>, e.g.
<tt>/etc/profile.d/tmout.sh</tt> should read as follows:
<pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
readonly TMOUT
export TMOUT
{{% else %}}
setting in a file loaded by <tt>/etc/profile</tt>
{{{- "or <tt>/etc/bashrc</tt>" if product in ["ol7"] }}}, e.g.
<tt>/etc/profile.d/tmout.sh</tt> should read as follows:
<pre>typeset -xr TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
or
<pre>declare -xr TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
Using the <code>typeset</code> keyword is preferred for wider compatibility with ksh and other shells.
{{% endif %}}
rationale: |-
Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended.
severity: medium
identifiers:
cce@rhel8: CCE-80673-7
cce@rhel9: CCE-83633-8
cce@rhel10: CCE-88163-1
cce@sle12: CCE-83011-7
cce@sle15: CCE-83269-1
cce@slmicro5: CCE-93805-0
cce@slmicro6: CCE-94645-9
references:
cis-csc: 1,12,15,16
cis@sle12: 5.4.4
cis@sle15: 5.4.4
cobit5: DSS05.04,DSS05.10,DSS06.10
cui: 3.1.11
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
nist: AC-12,SC-10,AC-2(5),CM-6(a)
nist-csf: PR.AC-7
nist@sle12: AC-11(a)
srg: SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010
stigid@ol7: OL07-00-040160
stigid@sle12: SLES-12-010090
stigid@sle15: SLES-15-010130
ocil_clause: 'the TMOUT value is not configured, is set to 0, or is not less than or equal to the expected setting'
ocil: |-
Run the following command to ensure the <tt>TMOUT</tt> value is configured for all users
on the system:
{{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
<pre>$ sudo grep TMOUT /etc/profile.d/autologout.sh</pre>
{{% elif "ubuntu" in product %}}
<pre>$ sudo grep TMOUT /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh</pre>
{{% else %}}
<pre>$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh</pre>
{{% endif %}}
The output should return the following:
<pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
{{% if product in ["sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
readonly TMOUT
export TMOUT
{{% endif %}}
platform: system_with_kernel
fixtext: |-
Configure {{{ full_name }}} to terminate user sessions after {{{ xccdf_value("var_accounts_tmout") }}} seconds of inactivity.
Add or edit the following line in "/etc/profile.d/tmout.sh":
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
|
