rule.yml
documentation_complete: true

prodtype: ol8,rhel8

title: 'Support session locking with tmux (not enforcing)'

description: |-
    The <tt>tmux</tt> terminal multiplexer is used to implement
    automatic session locking. It should be started from
    <tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.

rationale: |-
    Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
    provides a mechanism to lock sessions after a period of inactivity.
    A session lock is a temporary action taken when a user stops work and moves away from the
    immediate physical vicinity of the information system but does not want to
    log out because of the temporary nature of the absence.

severity: medium

identifiers:
    cce@rhel8: CCE-90782-4

references:
    disa: CCI-000056,CCI-000058
    srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
    stigid@ol8: OL08-00-020041
    stigid@rhel8: RHEL-08-020041

platform: package[tmux]

ocil_clause: 'the command does not produce output'

ocil: |-
    Verify the {{{ full_name }}} shell initialization file is configured to start each shell with the tmux terminal multiplexer.
    Determine the location of the tmux script with the following command:
    <pre>$ sudo grep tmux /etc/bashrc /etc/profile.d/*
    /etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac</pre>
    Review the tmux script by using the following example:
    <pre>$ cat /etc/profile.d/tmux.sh
    if [ "$PS1" ]; then
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent)
        case "$name" in (sshd|login) tmux ;; esac
    fi</pre>
    If the shell file is not configured as in the example above, is commented out, or is missing, this is a finding.
    Determine if tmux is currently running with the following command:
    <pre>$ sudo ps all | grep tmux | grep -v grep</pre>

fixtext: |-
    Configure {{{ full_name }}} to initialize the tmux terminal multiplexer as each shell is called by adding the following to the file "/etc/profile.d/tmux.sh":
    if [ "$PS1" ]; then
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent)
        case "$name" in sshd|login) tmux ;; esac
    fi
    Then, ensure a correct mode of /etc/profile.d/tmux.sh using this command:
    $ sudo chmod 0644 /etc/profile.d/tmux.sh

srg_requirement: '{{{ full_name }}} must ensure session control is automatically started at shell initialization.'

warnings:
    - general: |-
        This rule configures tmux so that exiting tmux drops the user into a regular shell
        instead of logging them out; therefore the session locking mechanism is not enforced on the user.
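The OCIL check and the warning above can be exercised offline. The script below is an added example, not part of the ComplianceAsCode rule file: it classifies a constructed copy of /etc/profile.d/tmux.sh the way an auditor would, reporting the plain `tmux` form this rule installs as not-enforcing, and treating `exec tmux` as the enforcing variant (an assumption about the stricter configuration, not text from this rule).

```shell
#!/bin/sh
# Added example (not part of the ComplianceAsCode rule): an offline version of the
# OCIL check. Result is one of: missing, commented, misconfigured,
# not-enforcing (plain "tmux", as this rule installs) or enforcing ("exec tmux",
# assumed here to be the variant that logs the user out when tmux exits).
check_tmux_init() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 1; }
    active=$(sed 's/#.*//' "$f")                      # drop comments before matching
    if ! printf '%s\n' "$active" | grep -q 'tmux'; then
        grep -q 'tmux' "$f" && echo commented || echo missing
        return 1
    fi
    # the rule expects tmux to be started only when the parent is sshd or login
    if ! printf '%s\n' "$active" | grep -q 'case "\$name" in.*sshd|login).*tmux'; then
        echo misconfigured
        return 1
    fi
    if printf '%s\n' "$active" | grep -q 'exec tmux'; then echo enforcing; else echo not-enforcing; fi
}

# Constructed sample files in a temporary directory standing in for /etc/profile.d/
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/tmux.sh" <<'EOF'
if [ "$PS1" ]; then
    parent=$(ps -o ppid= -p $$)
    name=$(ps -o comm= -p $parent)
    case "$name" in (sshd|login) tmux ;; esac
fi
EOF
sed 's/^/# /' "$tmp/tmux.sh" > "$tmp/commented.sh"                 # whole script commented out
sed 's/ tmux ;;/ exec tmux ;;/' "$tmp/tmux.sh" > "$tmp/exec.sh"    # assumed enforcing variant
printf 'if [ "$PS1" ]; then tmux; fi\n' > "$tmp/unguarded.sh"      # tmux without the parent check

for s in tmux.sh commented.sh exec.sh unguarded.sh none.sh; do
    printf '%-14s %s\n' "$s" "$(check_tmux_init "$tmp/$s")"
done
```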