5.5.4 Ensure default user shell timeout is configured

Information

TMOUT is an environment variable that determines the idle timeout of a shell in seconds.

TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0 disables timeout.

readonly TMOUT - Sets the TMOUT environment variable as read-only, preventing unwanted modification at run time.

export TMOUT - exports the TMOUT variable

System Wide Shell Configuration Files:

/etc/profile - used to set system-wide environment variables in users' shells. The variables are sometimes the same ones that are in .bash_profile; however, this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.

/etc/profile.d - /etc/profile executes the scripts matching /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system-wide environment variables.

/etc/bashrc - System-wide version of .bashrc. In Fedora-derived distributions, /etc/bashrc also invokes /etc/profile.d/*.sh for non-login shells, but redirects output to /dev/null if the shell is non-interactive. It is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc.

Rationale:

Setting a timeout value reduces the window of opportunity for unauthorized user access to another user's shell session that has been left unattended. It also ends the inactive session and releases the resources associated with that session.

Solution

Review /etc/bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all TMOUT=n entries to follow local site policy. TMOUT should not exceed 900 and should not be equal to 0.
Configure TMOUT in one of the following files:

A file in the /etc/profile.d/ directory ending in .sh

/etc/profile

/etc/bashrc

TMOUT configuration examples:

As multiple lines:

TMOUT=900
readonly TMOUT
export TMOUT

As a single line:

readonly TMOUT=900 ; export TMOUT
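
The following script, added here as a worked example and not part of the CIS recommendation or Tenable's own audit logic, implements the review described above: it lists every TMOUT assignment in /etc/profile, /etc/bashrc and /etc/profile.d/*.sh, flags values of 0 or above 900, checks that TMOUT is made read-only and exported (both the multi-line and the single-line form are accepted), and offers a remediation that writes the multi-line form into a drop-in file. Everything takes a root directory argument so the demonstration runs against a scratch copy of /etc built from constructed content; pass / to inspect a live system. Assumptions: the drop-in file name tmout.sh is the author's choice (the recommendation only requires a .sh file in /etc/profile.d), and configuration file paths contain no whitespace.

```shell
#!/bin/sh
# Added example: audit and remediate the TMOUT setting in the system-wide
# shell startup files. Not the CIS/Tenable audit script.

TMOUT_MAX=900   # upper bound stated in the recommendation
# Matches an assignment at line start, optionally prefixed by readonly/export.
# Commented-out lines such as "# TMOUT=0" are deliberately not matched.
TMOUT_ASSIGN_RE='^[[:space:]]*(readonly[[:space:]]+|export[[:space:]]+)?TMOUT='

# Print the files the recommendation says to review, under the given root.
tmout_files() {
    base="${1%/}"
    for f in "$base/etc/profile" "$base/etc/bashrc" "$base"/etc/profile.d/*.sh; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print "file:line:value" for every TMOUT assignment found.
tmout_assignments() {
    tmout_files "$1" | while IFS= read -r f; do
        grep -En "$TMOUT_ASSIGN_RE" "$f" |
            sed -E "s|^([0-9]+):.*TMOUT=([^[:space:];#]*).*|$f:\1:\2|"
    done
    return 0
}

# Return 0 if compliant, 1 otherwise; print one finding per assignment.
audit_tmout() {
    root="$1"
    status=0
    assignments=$(tmout_assignments "$root")
    [ -n "$assignments" ] || { echo "FAIL: no TMOUT assignment found"; return 1; }
    while IFS= read -r entry; do
        value="${entry##*:}"
        case "$value" in
            ''|*[!0-9]*) echo "FAIL: $entry (TMOUT is not a number)"; status=1 ;;
            *) if [ "$value" -eq 0 ]; then
                   echo "FAIL: $entry (TMOUT=0 disables the timeout)"; status=1
               elif [ "$value" -gt "$TMOUT_MAX" ]; then
                   echo "FAIL: $entry (exceeds $TMOUT_MAX seconds)"; status=1
               else
                   echo "OK:   $entry"
               fi ;;
        esac
    done <<EOF
$assignments
EOF
    files=$(tmout_files "$root")
    # "readonly TMOUT", "readonly TMOUT=900" and the single-line form all count.
    if ! grep -Eq '(^|[;[:space:]])readonly[[:space:]]+TMOUT(=|[;[:space:]]|$)' $files; then
        echo "FAIL: TMOUT is not set readonly"; status=1
    fi
    if ! grep -Eq '(^|[;[:space:]])export[[:space:]]+TMOUT(=|[;[:space:]]|$)' $files; then
        echo "FAIL: TMOUT is not exported"; status=1
    fi
    return $status
}

# Remove every TMOUT assignment line from one file (site policy decides what
# replaces it; here the drop-in written by remediate_tmout does).
remove_tmout_entries() {
    f="$1"
    grep -Ev "$TMOUT_ASSIGN_RE" "$f" > "$f.tmp" || :   # grep exits 1 when nothing remains
    mv "$f.tmp" "$f"
}

# Write the multi-line form into a drop-in file. The name tmout.sh is an
# assumption; the recommendation only requires a .sh file in /etc/profile.d.
remediate_tmout() {
    base="${1%/}"
    seconds="${2:-$TMOUT_MAX}"
    mkdir -p "$base/etc/profile.d"
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$seconds" > "$base/etc/profile.d/tmout.sh"
}

# Stand-alone demonstration on a scratch copy of /etc with constructed content,
# so nothing on the real system is touched.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc/profile.d"
    printf 'export PATH\nTMOUT=0\n' > "$scratch/etc/profile"   # constructed: timeout disabled
    echo "--- audit before remediation"
    audit_tmout "$scratch" || true
    remove_tmout_entries "$scratch/etc/profile"
    remediate_tmout "$scratch" 600
    echo "--- audit after remediation"
    audit_tmout "$scratch"
    rm -rf "$scratch"
}

demo
```

To check a live system, call audit_tmout / against the real files and treat a non-zero exit as a finding; the remediation function only adds the drop-in file, so conflicting entries in /etc/profile or /etc/bashrc still have to be removed or edited per local policy, which is exactly what the audit will keep reporting until they are.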
Additional Information:

The audit and remediation in this recommendation apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files are also checked. Other methods of setting a timeout exist for other shells not covered here.

Ensure that the timeout conforms to your local policy.

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11, CSCv7|16.11

Plugin: Unix

Control ID: 1566094f2d3b33e746c5c32a779fe9cfb523fcfc6b2a25c5b2ad3ae921947314