5.4.4 Ensure default user shell timeout is configured

Information

TMOUT is an environment variable that determines the timeout of a shell in seconds.

- TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0 disables the timeout.
- readonly TMOUT - Sets the TMOUT environment variable as readonly, preventing unwanted modification at run-time.
- export TMOUT - Exports the TMOUT variable.

System Wide Shell Configuration Files:

- /etc/profile - used to set system wide environment variables in users' shells. The variables are sometimes the same ones that are in the .bash_profile, however this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.
- /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environment variables.
- /etc/bash.bashrc - System wide version of .bashrc. It also invokes /etc/profile.d/*.sh for non-login shells, but redirects output to /dev/null if the shell is non-interactive. It is only executed for interactive shells or if BASH_ENV is set to /etc/bash.bashrc.

Setting a timeout value reduces the window of opportunity for unauthorized user access to another user's shell session that has been left unattended. It also ends the inactive session and releases the resources associated with that session.

Notes:

- The audit and remediation in this recommendation apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files are also checked. Other methods of setting a timeout exist for other shells not covered here.
- The TMOUT option applies to the active shell only. In case a user switches from one shell to another, it needs another full cycle to close the remaining shell.
- /etc/profile may get updated by YaST2 Online Update.
- Ensure that the timeout conforms to your local policy.

Solution

Review /etc/bash.bashrc, /etc/profile and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all TMOUT=n entries to follow local site policy. TMOUT should not exceed 900 or be equal to 0.

Configure TMOUT in a file ending in .sh in the /etc/profile.d/ directory.

TMOUT configuration examples:

- As multiple lines:

TMOUT=900
readonly TMOUT
export TMOUT

- As a single line:

readonly TMOUT=900 ; export TMOUT
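As an added audit example (not part of the CIS recommendation text), the following POSIX shell script checks a configuration file for a TMOUT setting that satisfies the policy stated above: a value from 1 to 900, declared readonly, and exported. Both the multi-line and the single-line forms shown above are recognised, and commented-out lines are ignored. The function names (active_lines, tmout_value, check_tmout_file) and the sample files written to a temporary directory are constructed for this example; a real audit would point check_tmout_file at /etc/profile, /etc/bash.bashrc and /etc/profile.d/*.sh instead.

```shell
#!/bin/sh
# Added audit example (not CIS benchmark text): check shell configuration files for a
# TMOUT setting that follows this recommendation (1-900 seconds, readonly, exported).

# Print a file with shell comments removed, so a commented-out TMOUT line is not counted.
active_lines() {
    sed 's/#.*//' "$1"
}

# Print the last numeric value assigned to TMOUT in a file ("TMOUT=900" or
# "readonly TMOUT=900"); print nothing if TMOUT is never assigned.
tmout_value() {
    active_lines "$1" \
        | grep -Eo '(^|[[:space:];])(readonly[[:space:]]+)?TMOUT=[0-9]+' \
        | sed -E 's/.*TMOUT=//' \
        | tail -n 1
}

# Return 0 when the file sets TMOUT to 1-900 seconds, marks it readonly and exports it;
# otherwise print the first failing condition and return 1.
check_tmout_file() {
    file=$1
    value=$(tmout_value "$file")
    if [ -z "$value" ]; then
        echo "$file: TMOUT is not set"; return 1
    fi
    if [ "$value" -eq 0 ] || [ "$value" -gt 900 ]; then
        echo "$file: TMOUT=$value is outside policy (must be 1-900)"; return 1
    fi
    # readonly may stand alone ("readonly TMOUT") or carry the assignment ("readonly TMOUT=900")
    if ! active_lines "$file" | grep -Eq '(^|[[:space:];])readonly[[:space:]]+TMOUT(=|[[:space:]]|$)'; then
        echo "$file: TMOUT is not readonly"; return 1
    fi
    if ! active_lines "$file" | grep -Eq '(^|[[:space:];])export[[:space:]]+TMOUT(=|[[:space:]]|$)'; then
        echo "$file: TMOUT is not exported"; return 1
    fi
    echo "$file: TMOUT=$value, readonly, exported (compliant)"
}

# Constructed sample files standing in for /etc/profile.d/*.sh (not taken from any system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n'   > "$SAMPLE_DIR/good-multi-line.sh"
printf 'readonly TMOUT=900 ; export TMOUT\n'         > "$SAMPLE_DIR/good-single-line.sh"
printf 'TMOUT=0\nreadonly TMOUT\nexport TMOUT\n'     > "$SAMPLE_DIR/disabled.sh"
printf 'TMOUT=1800\nreadonly TMOUT\nexport TMOUT\n'  > "$SAMPLE_DIR/too-long.sh"
printf 'TMOUT=600\nexport TMOUT\n'                   > "$SAMPLE_DIR/not-readonly.sh"
printf '# TMOUT=900\nexport PS1="\\u@\\h> "\n'       > "$SAMPLE_DIR/commented-out.sh"

# Report every sample file; keep going after a non-compliant one.
for f in "$SAMPLE_DIR"/*.sh; do
    check_tmout_file "$f" || true
done
```

Only the two files matching the examples above are reported as compliant; TMOUT=0 (timeout disabled), TMOUT=1800 (over 900), a value that is not readonly, and a commented-out setting are each reported with the condition they fail.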

See Also

https://workbench.cisecurity.org/benchmarks/8498