Support session locking with tmux

An XCCDF Rule

Description

The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc or drop-in files within /etc/profile.d/.

Rationale

Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

ID: xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
Severity: Medium
References: CCI-000056 CCI-000058

FMT_MOF_EXT.1 FMT_SMF_EXT.1 FTA_SSL.1

SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012

CCE-82266-8
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then

if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then
    cat >> /etc/profile.d/tmux.sh <<'EOF'
if [ "$PS1" ]; then  parent=$(ps -o ppid= -p $$)
  name=$(ps -o comm= -p $parent)
  case "$name" in sshd|login) tmux ;; esac
fi
EOF
    chmod 0644 /etc/profile.d/tmux.sh
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82266-8
  - configure_bashrc_exec_tmux  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Support session locking with tmux: Determine If the Tmux Launch Script Is
    Present in /etc/bashrc'
  ansible.builtin.find:
    paths: /etc
    patterns: bashrc
    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
  register: tmux_in_bashrc
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"tmux" in ansible_facts.packages'
  tags:
  - CCE-82266-8
  - configure_bashrc_exec_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Support session locking with tmux: Determine If the Tmux Launch Script Is
    Present in /etc/profile.d/*.sh'
  ansible.builtin.find:
    paths: /etc/profile.d
    patterns: '*.sh'
    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
  register: tmux_in_profile_d
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"tmux" in ansible_facts.packages'
  tags:
  - CCE-82266-8
  - configure_bashrc_exec_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Support session locking with tmux: Insert the Correct Script into /etc/profile.d/tmux.sh'
  ansible.builtin.blockinfile:
    path: /etc/profile.d/tmux.sh
    block: |
      if [ "$PS1" ]; then
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent)
        case "$name" in sshd|login) tmux ;; esac
      fi
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"tmux" in ansible_facts.packages'
  - tmux_in_bashrc is defined and tmux_in_bashrc.matched == 0
  - tmux_in_profile_d is defined and tmux_in_profile_d.matched == 0
  tags:
  - CCE-82266-8
  - configure_bashrc_exec_tmux
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Support session locking with tmux

Description

Rationale

Remediation - Shell Script

Remediation - Ansible