Closed jamescassell closed 4 years ago
@tbrunell same as the others. Not sure DISA understands this means all non-SSH logins will no longer have session timeouts.
@shawndwells account_tmout does not appear in the RHEL 6 STIG table or the CCI table for RHEL 6. It does appear in the RHEL 6 STIG TestInfo table but has no check or fix content associated with it. Do we need the test? There are settings in published DoD content and SSG content for GNOME inactivity as well as SSH activity timeouts.
On 4/19/18 12:21 PM, tedbrunell wrote:
@shawndwells https://github.com/shawndwells account_tmout does not appear in the RHEL 6 STIG table or the CCI table for RHEL 6. It does appear in the RHEL 6 STIG TestInfo table but has no check or fix content associated with it. Do we need the test? There are settings in published DoD content and SSG content for GNOME inactivity as well as SSH activity timeouts.
This will allow for users to login, e.g. over terminal or console, and remain logged in indefinitely.
As long as DISA knows this is what they're enabling, and accepts that, so be it.
@shawndwells There is rule V-38590 in the SSG RHEL 6 STIG profile that installs screen to timeout sessions after a period of idle time. The rule is also present in the DoD STIG content (v1R16 and v1R18 were checked). However, there is no content for account_tmout (as in the string TMOUT does not appear anywhere) in any content (SSG or DoD), unless I am missing something?
I agree that this is a good idea since we don't want people logged into consoles (physical or otherwise) all day. Easy to configure too, just set TMOUT=[value in seconds] in /etc/bashrc to change the default setting for all users.
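The comment above shows the one-line setting; what it does not cover is that a plain `TMOUT=900` in /etc/bashrc can be unset or raised by any user from their own ~/.bashrc, and that auditing the value is what a STIG check would actually do. The script below is an added example (not code from the SSG project or from anyone in this thread): it installs TMOUT as a read-only, exported variable and audits a file for it. The drop-in path /etc/profile.d/tmout.sh, the 900-second value and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not SSG content. Installs a system-wide bash TMOUT and
# audits it. Path and ceiling are assumptions, not values from the STIG.

TMOUT_FILE="${TMOUT_FILE:-/etc/profile.d/tmout.sh}"   # assumed drop-in path
TMOUT_MAX=900                                          # assumed ceiling, seconds

# Write the drop-in. "readonly" is the important part: with a bare
# TMOUT=... in /etc/bashrc a user can run "unset TMOUT" or "TMOUT=0"
# in ~/.bashrc and the idle logout silently disappears.
install_tmout() {
    file="$1"
    secs="$2"
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$secs" > "$file"
    chmod 0644 "$file"
}

# Audit a file the way a check would: TMOUT must be set, must be
# read-only, and must be between 1 and TMOUT_MAX seconds.
# Prints the configured value on success, returns 1 on any failure.
check_tmout() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # last uncommented TMOUT=<digits> line wins, as it would in the shell
    secs=$(sed -n 's/^[[:space:]]*TMOUT=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$file" | tail -n 1)
    [ -n "$secs" ] || { echo "TMOUT not set in $file" >&2; return 1; }
    grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$file" \
        || { echo "TMOUT is set but not readonly in $file" >&2; return 1; }
    [ "$secs" -gt 0 ] && [ "$secs" -le "$TMOUT_MAX" ] \
        || { echo "TMOUT=$secs outside 1..$TMOUT_MAX" >&2; return 1; }
    echo "$secs"
}
```

As root, `install_tmout "$TMOUT_FILE" 900 && check_tmout "$TMOUT_FILE"` installs and verifies the setting for new login shells. Two caveats a practitioner should know: bash only honours TMOUT while it is waiting at the prompt, so a user sitting in an editor or a long-running foreground command is not logged out, and the variable does nothing for non-bash sessions, which is why the GNOME and sshd ClientAlive settings mentioned earlier in the thread remain separate controls.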
This rule exists in the RHEL 7 STIG. (And users hate it...)
What was the resolution?
Unfortunately, this isn't going away, and we won't be able to influence changing this requirement.
We are also re-reviewing all of the rhel7 disa content from DISA itself... since we haven't done an update in an acceptable time frame.
Description of problem:
There is no mention of TMOUT in the RHEL 6 STIG V1R18
SCAP Security Guide Version:
0.1.38
Operating System Version:
RHEL 6.9
Steps to Reproduce:
Actual Results:
failed
Expected Results:
rule not present
Additional Information/Debugging Steps:
The only mention of a session timeout is wrt sshd:
ClientAliveInterval
and ClientAliveCountMax