rhel7/fixes/bash/accounts_tmout.sh incomplete?

[WorkingDaddy]

(Github noob here.)

accounts_tmout.sh seems incomplete (or out of date?). See Vuln ID V-72223 (STIG ID RHEL-07-040160) where we read that the fix is to have these lines in /etc/profile (or in a file in /etc/profile.d):

TMOUT=600 readonly TMOUT export TMOUT

accounts.tmout.sh only provides the first line - which satisfies the STIG's test, but not its fix. Shouldn't we apply the fix in its entirety - or just satisfy the STIG test?

[redhatrises]

@WorkingDaddy welcome and thanks for your query.

This is a typical misunderstanding where multiple configuration or remediation changes happen in a single file/check. In reality to meet NIST Common Configuration Enumeration (CCE) and National Checklist configurations, there should be a single configuration or remediation change in a single file/check. So, rhel7/fixes/bash/accounts_tmout.sh is correct in the fact that it only sets TMOUT=600. The other settings need to be added to their own Rules, OVAL checks, and scripts. Which if you are interested in helping to provide, pull requests are welcome.

[weavage]

Why not use the following? Would that meet the single change you speak of? typeset -xr TMOUT=600

It's also more concise than 3 separate statements :-)

[WorkingDaddy]

Thanks, @redhatrises. I didn't know. Because I'm just trying to remediate STIG findings with bash, though, I myself don't have the one-change-per-file restriction that you do. So I think I'll make my own locally modified copy of accounts_tmout.sh and go from there.

Interesting, @weavage. Though fwiw, `help typeset' sayeth:

Obsolete. See `help declare'.

[weavage]

Ah, good catch. Bash man page says they're synonymous, so should be able to use 'declare' with the same options. That's assuming bash is your shell of choice.

[WorkingDaddy]

@weavage, @redhatrises : just fwiw, I suggested to DISA that "declare -xr TMOUT=600" be presented in the STIG as an equivalent alternative to the 3 lines shown above (as currently seen in the "fix text" of the STIG). The main DISA STIG support guy responded with, "Sounds reasonable to me." ;)

[matejak]

@redhatrises Could you please clarify why those three lines in the first issue comment can't be considered one setting with one CCE? Defining a variable without exporting it in a sourced file doesn't make sense, and the equivalent can be achieved by less-known one-liner using the declare -xr call.

[redhatrises]

@matejak there is no technical reason. I like the one-liner call. It just needs to be changed with DISA first.

[matejak]

I have checked the actual behavior on RHEL7 and Fedora, and the TMOUT variable doesn't have to be exported in order to be effective. Although having readonly TMOUT would be nice, it could be factored out to another rule. Therefore, I am closing this issue, please reopen if you disagree.