Configure tmux to lock session after inactivity

An XCCDF Rule

Description

To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to a value greater than 0 and less than or equal to 900 in /etc/tmux.conf.

Rationale

Locking the session after a period of inactivity limits the potential exposure if the session is left unattended.

ID: xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
Severity: Medium
References: CCI-000057 CCI-000060

FMT_MOF_EXT.1 FMT_SMF_EXT.1 FTA_SSL.1

SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012

OL08-00-020070

SV-248681r779609_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL08-00-020070
  - configure_tmux_lock_after_time  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure tmux to lock session after inactivity
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/tmux.conf
      create: true
      regexp: ^\s*set -g lock-after-time\s+
      mode: '0644'
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/tmux.conf
    lineinfile:
      path: /etc/tmux.conf
      create: true
      regexp: ^\s*set -g lock-after-time\s+
      mode: '0644'
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/tmux.conf
    lineinfile:
      path: /etc/tmux.conf
      create: true
      regexp: ^\s*set -g lock-after-time\s+
      mode: '0644'
      line: set -g lock-after-time 900
      state: present
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"tmux" in ansible_facts.packages'
  tags:
  - DISA-STIG-OL08-00-020070
  - configure_tmux_lock_after_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then

tmux_conf="/etc/tmux.conf"

if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then    sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf"
else
    echo "set -g lock-after-time 900" >> "$tmux_conf"
fi
chmod 0644 "$tmux_conf"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure tmux to lock session after inactivity

Description

Rationale

Remediation - Ansible

Remediation - Shell Script