It seems to have been missed on the CS2 side. It's likely that it was
refined internally at some point, but a subsequent version of the SSG
content overwrote it. I'll make a note to get the fix handled this week -
thanks for letting us know!
On Wed, May 14, 2014 at 5:06 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 5/14/14, 4:37 PM, Trevor Vaughan wrote:
> Ok, I realize that this went through a while ago but has anyone actually
> lived with this setting enabled?
>
> I've got a LOT of unhappy users that start to VI a file, walk away for a
> while (with their local screen locked) and come back to find their sessions
> dumped all over the floor.
>
> The default appears to be 5 minutes across the board which I find WAY too
> short since I might be looking at a man page in two windows for that amount
> of time or more.
>
> I would like to propose that the defaults be changed to something more
> sensible like 2, 4, or 8 hours. (Heck, meetings can go on for more than 2
> hours sometimes)
>
> Thanks,
>
The default value is 5 minutes:
> <Value id="sshd_idle_timeout_value" type="number"
> operator="equals" interactive="0">
> <title>SSH session Idle time</title>
> <description>Specify duration of allowed idle time.</description>
> <value selector="">300</value>
> <value selector="5_minutes">300</value>
> <value selector="10_minutes">600</value>
> <value selector="15_minutes">900</value>
> </Value>
>
STIG value is 15 minutes:
> $ grep -rin sshd_idle_timeout_value profiles/
> profiles/stig-rhel6-server-upstream.xml:114:<refine-value
> idref="sshd_idle_timeout_value" selector="15_minutes"/>
> profiles/rht-ccp.xml:9:<refine-value idref="sshd_idle_timeout_value"
> selector="5_minutes"/>
> profiles/common.xml:299:<refine-value idref="sshd_idle_timeout_value"
> selector="5_minutes"/>
>
Interestingly, the CS2 profile doesn't refine the sshd_idle_timeout_value,
thus inheriting the 5 minute constraint....
/me eyeballs dave smith to see if this was an oversight in the CS2 profile
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
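An added example, not part of the original thread or of the SSG project's own code: it resolves which `sshd_idle_timeout_value` each profile ends up with, and flags profiles that carry no `refine-value` and therefore inherit the default selector. The `Value` block is the one quoted above; the profile fragments are constructed from the grep output, `cs2-example` is a hypothetical stand-in for a profile without a refinement, and the XML is assumed to be unnamespaced as in the quoted fragments.

```python
import xml.etree.ElementTree as ET

# Value definition as quoted in the thread (unnamespaced source fragment).
VALUE_XML = """\
<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
  <title>SSH session Idle time</title>
  <description>Specify duration of allowed idle time.</description>
  <value selector="">300</value>
  <value selector="5_minutes">300</value>
  <value selector="10_minutes">600</value>
  <value selector="15_minutes">900</value>
</Value>"""

# Constructed profile fragments, cut down to the refine-value lines from the grep
# output. "cs2-example" is a hypothetical stand-in for a profile with no refine-value.
PROFILES = {
    "stig-rhel6-server-upstream": '<Profile><refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/></Profile>',
    "rht-ccp": '<Profile><refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/></Profile>',
    "cs2-example": "<Profile><title>constructed profile without a refine-value</title></Profile>",
}

def selector_table(value_xml):
    """Return (value id, {selector: value}); a missing selector attribute means default."""
    value = ET.fromstring(value_xml)
    return value.get("id"), {v.get("selector", ""): v.text.strip() for v in value.findall("value")}

def effective_value(profile_xml, value_id, table):
    """Return (value, refined?) that a profile ends up with for value_id."""
    for refine in ET.fromstring(profile_xml).iter("refine-value"):
        if refine.get("idref") == value_id:
            selector = refine.get("selector", "")
            if selector not in table:
                raise KeyError(f"selector {selector!r} not defined for {value_id}")
            return table[selector], True
    return table[""], False  # nothing refined: the default (empty) selector applies

def audit(profiles, value_xml):
    """Map each profile name to its (effective value, refined?) pair."""
    value_id, table = selector_table(value_xml)
    return {name: effective_value(xml, value_id, table) for name, xml in profiles.items()}

if __name__ == "__main__":
    for name, (seconds, refined) in audit(PROFILES, VALUE_XML).items():
        note = "refined" if refined else "NOT refined, inherits default"
        print(f"{name}: {seconds}s ({note})")
```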