5.4.3.2 Ensure default user shell timeout is configured

Information

TMOUT is a shell variable that sets the idle timeout of an interactive shell in seconds: bash terminates after waiting that long at the prompt without receiving a complete line of input.

- TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0 disables the timeout.
- readonly TMOUT - Sets the TMOUT variable as read-only, preventing unwanted modification during run-time.
- export TMOUT - Exports the TMOUT variable to the environment of child processes.

System Wide Shell Configuration Files:

- /etc/profile - used to set system wide environment variables in users' shells. The variables are sometimes the same ones that are in bash_profile; however, this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.
- /etc/profile.d - /etc/profile executes the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environment variables.
- /etc/bashrc - System wide version of bashrc. In Fedora derived distributions, /etc/bashrc also invokes /etc/profile.d/*.sh in a non-login shell, but redirects output to /dev/null if the shell is non-interactive. It is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc.

Setting a timeout value reduces the window of opportunity for unauthorized user access to another user's shell session that has been left unattended. It also ends the inactive session and releases the resources associated with that session.

Solution

Review /etc/bashrc, /etc/profile and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all TMOUT=n entries to follow local site policy. TMOUT should not exceed 900 or be equal to 0. Because the variable is made read-only, a later assignment in another startup file fails with a "readonly variable" error rather than overriding it, so conflicting entries must be removed instead of relying on one file to win.

Configure TMOUT in one of the following files:

- A file in the /etc/profile.d/ directory ending in .sh
- /etc/profile
- /etc/bashrc

Example command to set TMOUT to 900 seconds in a file in /etc/profile.d/ :

# printf '%s\n' "# Set TMOUT to 900 seconds" "typeset -xr TMOUT=900" > /etc/profile.d/50-tmout.sh

TMOUT configuration examples:

typeset -xr TMOUT=900

Deprecated methods:

- As multiple lines:

TMOUT=900
readonly TMOUT
export TMOUT
- As a single line:

readonly TMOUT=900 ; export TMOUT
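The following audit helper is an added example for the review step above; it is not part of the CIS benchmark text or its audit scripts. It scans the three locations named in this recommendation for uncommented TMOUT assignments and reports whether the result meets the policy: every value an integer from 1 to 900, and the variable both read-only and exported, in either the typeset -xr form or the deprecated multi-statement form. The tmout_* function names, the ROOT argument and the constructed sample trees built by stage_sample are assumptions introduced here so the check can be run against a staged copy of /etc rather than the live system.

```shell
#!/bin/sh
# Added audit helper for the TMOUT recommendation; not part of the CIS
# benchmark. All function names, the ROOT argument and the sample trees
# built by stage_sample are assumptions made for this example.

# Run grep with the given options and pattern over the startup files the
# benchmark names, relative to ROOT (default "/"). Missing files and an
# unmatched profile.d glob are silently skipped.
tmout_grep() {
    opts="$1"; pattern="$2"; root="${3:-/}"
    grep $opts -E "$pattern" "$root/etc/profile" "$root/etc/bashrc" \
        "$root"/etc/profile.d/*.sh 2>/dev/null
}

# List every uncommented TMOUT assignment as file:line:text.
tmout_entries() {
    tmout_grep -Hn \
        '^[[:space:]]*((typeset|declare)[[:space:]]+-[a-z]+[[:space:]]+|readonly[[:space:]]+|export[[:space:]]+)?TMOUT=' \
        "${1:-/}"
}

# Succeed only if at least one assignment exists and every assigned value is
# a plain integer from 1 to 900, so a TMOUT=0 or an oversize value in any of
# the files fails the check ("remove or edit all TMOUT=n entries").
tmout_values_ok() {
    values=$(tmout_entries "${1:-/}" |
        sed -E 's/^[^:]*:[0-9]+:.*TMOUT=([^[:space:];]*).*/\1/; s/"//g; s/^$/<none>/')
    [ -n "$values" ] || return 1
    for v in $values; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
        [ "$v" -ge 1 ] && [ "$v" -le 900 ] || return 1
    done
}

# Succeed only if some file marks TMOUT read-only and some file exports it,
# in either the "typeset -xr" form or the deprecated multi-statement form.
tmout_protected() {
    root="${1:-/}"
    tmout_grep -q '(^|;)[[:space:]]*(readonly[[:space:]]+TMOUT|(typeset|declare)[[:space:]]+-[a-z]*r[a-z]*[[:space:]]+TMOUT)' "$root" &&
    tmout_grep -q '(^|;)[[:space:]]*(export[[:space:]]+TMOUT|(typeset|declare)[[:space:]]+-[a-z]*x[a-z]*[[:space:]]+TMOUT)' "$root"
}

# Print the entries found and exit 0 only when the configuration is compliant.
tmout_audit() {
    root="${1:-/}"
    tmout_entries "$root"
    tmout_values_ok "$root" && tmout_protected "$root"
}

# Constructed sample trees (not real system files) for trying the checks:
# "good" holds only the benchmark's 50-tmout.sh; "bad" adds a TMOUT=0 line
# in /etc/bashrc, exactly the kind of entry the review step says to remove.
stage_sample() {
    root="$1"; kind="$2"
    mkdir -p "$root/etc/profile.d"
    : > "$root/etc/profile"
    : > "$root/etc/bashrc"
    printf '%s\n' "# Set TMOUT to 900 seconds" "typeset -xr TMOUT=900" \
        > "$root/etc/profile.d/50-tmout.sh"
    [ "$kind" = bad ] && printf '%s\n' "TMOUT=0" >> "$root/etc/bashrc"
    return 0
}

# Usage: sh tmout-audit.sh /           (audit the live system)
#        sh tmout-audit.sh /mnt/image  (audit a mounted or staged tree)
if [ $# -gt 0 ]; then
    tmout_audit "$1" && echo "TMOUT: compliant" || echo "TMOUT: NOT compliant"
fi
```

The value check deliberately fails on any non-numeric assignment (for example TMOUT="$SITE_TIMEOUT"), because a value that cannot be read statically cannot be shown to meet the 900-second ceiling; such entries should be reviewed by hand.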

See Also

https://workbench.cisecurity.org/benchmarks/18208