RHEL-1804: There is no applicable rule to disconnect idle sessions after a certain time

Known Issue (release note):

`scap-security-guide` cannot configure termination of idle sessions

      Even though the `sshd_set_idle_timeout` rule still exists in the data stream, the former method of configuring `sshd` to time out idle sessions is no longer available. Therefore, the rule is marked as `not applicable` and cannot harden anything. Other methods for configuring idle session termination, such as `systemd` (Logind), are also not available. As a consequence, `scap-security-guide` cannot configure the system to reliably disconnect idle sessions after a certain amount of time.

      You can work around this problem in one of the following ways, which might fulfill the security requirement:

      * Configuring the `accounts_tmout` rule. However, this variable could be overridden by using the `exec` command.
      * Configuring the `configure_tmux_lock_after_time` and `configure_bashrc_exec_tmux` rules. This requires installing the `tmux` package.
      * Upgrading to RHEL 8.7 or later where the `systemd` feature is already implemented together with the proper SCAP rule.
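
Added here as an illustration (not code from scap-security-guide or from this issue): a POSIX sh audit helper that reports which of the three mechanisms above is actually configured on a system or in a copied /etc tree. The file locations and line patterns it matches (`StopIdleSessionSec` in /etc/systemd/logind.conf, a read-only exported `TMOUT` under /etc/profile or /etc/profile.d, `lock-after-time` in /etc/tmux.conf) are assumptions about what those rules write, not taken from the issue.

```shell
#!/bin/sh
# Constructed audit helper for the three idle-session mechanisms named in this
# issue. Not part of scap-security-guide. Every function takes a root prefix
# ("" for the live system) so a copied /etc tree can be audited offline.

# Numeric part of a time span such as "600" or "10min"; empty for "infinity".
_num() { printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)[a-z]*$/\1/p'; }

# logind method (RHEL 8.7+): StopIdleSessionSec set to a positive span.
logind_idle_timeout() {
  conf="$1/etc/systemd/logind.conf"
  [ -r "$conf" ] || return 1
  # Commented-out lines are skipped; the last uncommented assignment wins.
  val=$(sed -n 's/^[[:space:]]*StopIdleSessionSec[[:space:]]*=[[:space:]]*//p' "$conf" \
        | tail -n 1 | sed 's/[[:space:]]*$//')
  n=$(_num "$val")
  [ -n "$n" ] && [ "$n" -gt 0 ]
}

# accounts_tmout method: an exported, read-only TMOUT in the login profile.
# A plain TMOUT= without read-only is not counted, since the user can unset it;
# even the read-only form can be escaped with `exec`, as the issue notes.
tmout_set() {
  for f in "$1"/etc/profile "$1"/etc/profile.d/*.sh "$1"/etc/bashrc; do
    [ -r "$f" ] || continue
    if grep -Eq '^[[:space:]]*(typeset|declare)[[:space:]]+-[a-z]*r[a-z]*[[:space:]]+TMOUT=[1-9][0-9]*' "$f" \
       || grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT=[1-9][0-9]*' "$f"; then
      return 0
    fi
  done
  return 1
}

# tmux method: lock-after-time in the system tmux.conf. Only effective when
# logins are also forced into tmux (configure_bashrc_exec_tmux) and tmux exists.
tmux_lock_after_time() {
  conf="$1/etc/tmux.conf"
  [ -r "$conf" ] || return 1
  grep -Eq '^[[:space:]]*set(-option)?[[:space:]]+-g[[:space:]]+lock-after-time[[:space:]]+[1-9][0-9]*' "$conf"
}

# Verdict: 0 if at least one mechanism is configured, 1 if none is.
idle_session_enforced() {
  found=1
  logind_idle_timeout "$1" && { echo "logind: StopIdleSessionSec set"; found=0; }
  tmout_set "$1" && { echo "shell: read-only TMOUT set (bypassable via exec)"; found=0; }
  tmux_lock_after_time "$1" && { echo "tmux: lock-after-time set"; found=0; }
  return $found
}
```

Run `idle_session_enforced ""` on a live host, or point it at an extracted /etc tree; a non-zero exit means none of the three mechanisms is in place.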

      Description of problem:
      There are two SCAP rules in the datastream shipped in RHEL 8.6 which can configure the system to terminate idle sessions after a certain time has passed.
      The rules are logind_session_timeout and sshd_set_idle_timeout.
      Unfortunately, neither of those rules works properly in RHEL 8.6, and therefore they are restricted by CPE platforms. Both rules will result in "not applicable". The reason is that the SSH feature used by sshd_set_idle_timeout was never meant to be used in this way and it does not produce the desired behavior in 8.6. The patch which enables the use of Logind to terminate idle sessions is not backported into 8.6 as of the time of this comment.

      Version-Release number of selected component (if applicable):
      scap-security-guide-0.1.66 in RHEL 8.6 (the package has not been built yet)

      How reproducible:
      always

      Steps to Reproduce:
      1. oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_logind_session_timeout /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
      2. oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

      Actual results:
      Both rules report "not applicable"

      Expected results:
      Ideally the rule logind_session_timeout should be applicable as soon as the correct functionality gets backported into 8.6.

      Additional info:

              vpolasek@redhat.com Vojtech Polasek
              vpolasek@redhat.com Vojtech Polasek
              Vojtech Polasek Vojtech Polasek
              SSG Security QE SSG Security QE
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: