Set Interactive Session Timeout

Classification:

compliance

Framework:

Control:

Description

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in a file loaded by /etc/profile, e.g. /etc/profile.d/tmout.sh, should read as follows:

TMOUT=900
readonly TMOUT
export TMOUT

Rationale

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    var_accounts_tmout='900'

    # if 0, no occurrence of TMOUT found; if 1, an occurrence was found
    tmout_found=0

    # Rewrite any existing TMOUT assignment in the login shell startup files,
    # and make sure the variable is also marked readonly and exported there.
    for f in /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh; do
        if grep --silent '^\s*TMOUT' "$f"; then
            sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" "$f"
            tmout_found=1
            if ! grep --silent '^\s*readonly TMOUT' "$f" ; then
                echo "readonly TMOUT" >> "$f"
            fi
            if ! grep --silent '^\s*export TMOUT' "$f" ; then
                echo "export TMOUT" >> "$f"
            fi
        fi
    done

    # No existing setting: create a dedicated drop-in file loaded by /etc/profile
    if [ $tmout_found -eq 0 ]; then
        echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh
        echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh
        echo "readonly TMOUT" >> /etc/profile.d/tmout.sh
        echo "export TMOUT" >> /etc/profile.d/tmout.sh
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi