Configure the tmux Lock Command

An XCCDF Rule

Description

To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf:

set -g lock-command vlock

. The console can now be locked with the following key combination:

ctrl+b :lock-session

Rationale

The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.

ID: xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
Severity: Medium
References: CCI-000056 CCI-000058

AC-11(a) AC-11(b) CM-6(a)

FMT_MOF_EXT.1 FMT_SMF_EXT.1 FTA_SSL.1

SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then

tmux_conf="/etc/tmux.conf"

if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then    sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf"
else
    echo "set -g lock-command vlock" >> "$tmux_conf"
fi
chmod 0644 "$tmux_conf"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-11(a)
  - NIST-800-53-AC-11(b)  - NIST-800-53-CM-6(a)
  - configure_tmux_lock_command
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the tmux Lock Command
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/tmux.conf
      create: true
      regexp: ^\s*set -g lock-command\s+
      mode: '0644'
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/tmux.conf
    lineinfile:
      path: /etc/tmux.conf
      create: true
      regexp: ^\s*set -g lock-command\s+
      mode: '0644'
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/tmux.conf
    lineinfile:
      path: /etc/tmux.conf
      create: true
      regexp: ^\s*set -g lock-command\s+
      mode: '0644'
      line: set -g lock-command vlock
      state: present
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"tmux" in ansible_facts.packages'
  tags:
  - NIST-800-53-AC-11(a)
  - NIST-800-53-AC-11(b)
  - NIST-800-53-CM-6(a)
  - configure_tmux_lock_command
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure the tmux Lock Command

Description

Rationale

Remediation - Shell Script

Remediation - Ansible