mediumaccess-controlverified ✓rollback-safe
Set default shell timeout
shell-timeout · RHEL ≥ 8 · 1 impl
Description
Idle sessions must be terminated after a period of inactivity. The TMOUT shell variable (CIS approach) or StopIdleSessionSec in logind.conf (STIG approach) must be configured to 900 seconds or less.
Rationale
Automatic session timeout prevents unauthorized access to unattended terminals. A timeout of 900 seconds (15 minutes) provides a balance between security and usability.
Check → Remediate
Checkcommand
pass=0
# Check systemd-logind idle session timeout (STIG approach)
idle_sec=$(systemd-analyze cat-config systemd/logind.conf 2>/dev/null |
grep -E '^\s*StopIdleSessionSec\s*=' | tail -1 |
sed 's/^[^=]*=\s*//')
if [ -n "$idle_sec" ] && [ "$idle_sec" != "infinity" ] && [ "$idle_sec" -gt 0 ] 2>/dev/null && [ "$idle_sec" -le 900 ] 2>/dev/null; then
pass=1
fi
# Check TMOUT shell variable (CIS approach)
tmout_val=$(grep -rhE '^(export\s+)?TMOUT=' /etc/profile /etc/profile.d/*.sh /etc/bashrc 2>/dev/null | tail -1 | grep -oE '[0-9]+')
if [ -n "$tmout_val" ] && [ "$tmout_val" -gt 0 ] 2>/dev/null && [ "$tmout_val" -le 900 ] 2>/dev/null; then
pass=1
fi
if [ "$pass" -eq 1 ]; then
echo "OK: idle timeout configured (logind=${idle_sec:-unset}, TMOUT=${tmout_val:-unset})"
exit 0
fi
echo "FAIL: no idle session timeout configured"
exit 1
- expected_exit:
- 0
Remediatefile_content
- path:
- /etc/profile.d/kensa-tmout.sh
- content:
- TMOUT=900 readonly TMOUT export TMOUT
- mode:
- 0644
Framework references
CIS
rhel8 5.4.3.2rhel9 5.4.3.2rhel10 5.4.3.2
STIG
V-258068 / RHEL-09-412035V-257258
NIST 800-53
AC-11AC-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#shell#session#timeout#security