3.4.6 Unattended terminal session timeout is 900 seconds (or less) - TMOUT

Information

TMOUT and TIMEOUT are environmental setting that activate the timeout of a shell. The value is in seconds.

TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0, or unset TMOUT disables the automatic session timeout.

readonly TMOUT- Both export and lock TMOUT environmental variable to it's present value, preventing unwanted modification during run-time.

Rationale:

All systems are vulnerable if terminals are left logged in and unattended. The most serious problem occurs when a system manager leaves a terminal unattended that has been enabled with root authority. In general, users should log out anytime they leave their terminals.

You can force a terminal to log out after a period of inactivity by setting the TMOUT and TIMEOUT parameters in the /etc/profile file. The TMOUT parameter works in the ksh (Korn) shell, and the TIMEOUT parameter works in the bsh (Bourne) shell.

Impact:

This recommendation is set at Level 2 (using readonly).

The recommendation - at Level 1, would use export instead.

Solution

Review /etc/profile to verify that TMOUT is configured to:

include a timeout of no more than 900 seconds

to be readonly

verify readonly statement is the last statement

/usr/bin/egrep -n -e 'TMOUT|TIMEOUT' /etc/profile

This should return something similar to:

40:# TMOUT=120
41:TMOUT=900
42:TIMEOUT=900
43:readonly TMOUT TIMEOUT

If either setting is missing, and/or the readonly statement, add these to /etc/profile.

Default Value:

TMOUT=0

See Also

https://workbench.cisecurity.org/files/4119