Skip to content

Support session locking with tmux (not enforcing)

An XCCDF Rule

Description

The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc or drop-in files within /etc/profile.d/.

warning alert: Warning

This rule configures Tmux to be executed in a way that exiting Tmux drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user.

Rationale

Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

ID
xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90782-4
  - DISA-STIG-RHEL-08-020041

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then

if ! grep -x '  case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
    cat >> /etc/profile.d/tmux.sh <<'EOF'
if [ "$PS1" ]; then