← Rules Catalog
mediumaccess-controlverified rollback-safe

Set default shell timeout

shell-timeout · RHEL ≥ 8 · 1 impl

Description

Idle sessions must be terminated after a period of inactivity. The TMOUT shell variable (CIS approach) or StopIdleSessionSec in logind.conf (STIG approach) must be configured to 900 seconds or less.

Rationale

Automatic session timeout prevents unauthorized access to unattended terminals. A timeout of 900 seconds (15 minutes) provides a balance between security and usability.

Check → Remediate

Checkcommand
pass=0
# Check systemd-logind idle session timeout (STIG approach)
idle_sec=$(systemd-analyze cat-config systemd/logind.conf 2>/dev/null |
  grep -E '^\s*StopIdleSessionSec\s*=' | tail -1 |
  sed 's/^[^=]*=\s*//')
if [ -n "$idle_sec" ] && [ "$idle_sec" != "infinity" ] && [ "$idle_sec" -gt 0 ] 2>/dev/null && [ "$idle_sec" -le 900 ] 2>/dev/null; then
  pass=1
fi
# Check TMOUT shell variable (CIS approach)
tmout_val=$(grep -rhE '^(export\s+)?TMOUT=' /etc/profile /etc/profile.d/*.sh /etc/bashrc 2>/dev/null | tail -1 | grep -oE '[0-9]+')
if [ -n "$tmout_val" ] && [ "$tmout_val" -gt 0 ] 2>/dev/null && [ "$tmout_val" -le 900 ] 2>/dev/null; then
  pass=1
fi
if [ "$pass" -eq 1 ]; then
  echo "OK: idle timeout configured (logind=${idle_sec:-unset}, TMOUT=${tmout_val:-unset})"
  exit 0
fi
echo "FAIL: no idle session timeout configured"
exit 1
expected_exit:
0
Remediatefile_content
path:
/etc/profile.d/kensa-tmout.sh
content:
TMOUT=900 readonly TMOUT export TMOUT
mode:
0644

Framework references

CIS

rhel8 5.4.3.2rhel9 5.4.3.2rhel10 5.4.3.2

STIG

V-258068 / RHEL-09-412035V-257258

NIST 800-53

AC-11AC-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#shell#session#timeout#security