5.2.12 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax

Information

Having no timeout value associated with a connection could allow an unauthorized user access to another user's SSH session (e.g. a user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.

Solution

Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300
ClientAliveCountMax 0
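
One way to verify the two settings after editing the file, as an added example that is not part of the benchmark or the plugin. The function names and the MAX_INTERVAL variable are hypothetical; the script assumes only the global section (before the first Match block) matters and does not follow Include'd files.

```shell
#!/bin/sh
# Added example. Assumptions: only the global section (before the first
# Match block) is read, Include'd files are not followed, and an interval
# of 1..MAX_INTERVAL seconds is accepted (300 here; set per site policy).
MAX_INTERVAL=${MAX_INTERVAL:-300}

# effective_value KEYWORD FILE: print the first value set for KEYWORD.
# Keywords are case-insensitive and sshd uses the first value it obtains.
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            n = split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want && n >= 2) { print f[2]; exit }
        }' "$2"
}

# check_idle_timeout FILE: return 0 only if both settings are compliant.
check_idle_timeout() {
    interval=$(effective_value ClientAliveInterval "$1")
    countmax=$(effective_value ClientAliveCountMax "$1")
    rc=0
    case "$interval" in
        ''|*[!0-9]*) echo "FAIL: ClientAliveInterval is not set to a number"; rc=1 ;;
        *) if [ "$interval" -lt 1 ] || [ "$interval" -gt "$MAX_INTERVAL" ]; then
               echo "FAIL: ClientAliveInterval is $interval"; rc=1
           fi ;;
    esac
    if [ "$countmax" != "0" ]; then
        echo "FAIL: ClientAliveCountMax is '${countmax:-unset}', expected 0"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: idle timeout settings are compliant"
    return "$rc"
}

# Constructed sample: the commented-out line is ignored, so the effective
# ClientAliveCountMax is 3 and the check reports a failure.
sample=$(mktemp)
printf '%s\n' 'ClientAliveInterval 300' '#ClientAliveCountMax 0' \
    'clientalivecountmax 3' > "$sample"
check_idle_timeout "$sample" || true
rm -f "$sample"
```

On a live host, run `check_idle_timeout /etc/ssh/sshd_config` after sourcing the functions.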

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CSCv6|16.4

Plugin: Unix

Control ID: dd5ed1afeca0de76235d48d64e0cde9395f52e262f401b41c157270f9d88b9ed