It seems to have been missed on the CS2 side.  It's likely that it was refined internally at some point, but a subsequent version of the SSG content overwrote it.  I'll make a note to get the fix handled this week - thanks for letting us know!


On Wed, May 14, 2014 at 5:06 PM, Shawn Wells <shawn@redhat.com> wrote:

On 5/14/14, 4:37 PM, Trevor Vaughan wrote:
Ok, I realize that this went through a while ago but has anyone actually lived with this setting enabled?

I've got a LOT of unhappy users that start to VI a file, walk away for a while (with their local screen locked) and come back to find their sessions dumped all over the floor.

The default appears to be 5 minutes across the board which I find WAY too short since I might be looking at a man page in two windows for that amount of time or more.

I would like to propose that the defaults be changed to something more sensible like 2, 4, or 8 hours. (Heck, meetings can go on for more than 2 hours sometimes)

Thanks,

The default value is 5 minutes:
    <Value id="sshd_idle_timeout_value" type="number"
           operator="equals" interactive="0">
      <title>SSH session Idle time</title>
      <description>Specify duration of allowed idle time.</description>
      <value selector="">300</value>
      <value selector="5_minutes">300</value>
      <value selector="10_minutes">600</value>
      <value selector="15_minutes">900</value>
    </Value>


STIG value is 15 minutes:
$ grep -rin sshd_idle_timeout_value profiles/
profiles/stig-rhel6-server-upstream.xml:114:<refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/>
profiles/rht-ccp.xml:9:<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
profiles/common.xml:299:<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>

Interestingly, the CS2 profile doesn't refine the sshd_idle_timeout_value, thus inheriting the 5 minute constraint....

/me eyeballs dave smith to see if this was an oversight in the CS2 profile

_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
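
The selector inheritance discussed in this thread, as an added example that is not part of the original messages or of the SSG code base: it resolves the effective sshd_idle_timeout_value for each profile and lists the profiles that never refine it. The un-namespaced <Benchmark> wrapper, the profile ids and the function names are constructed for illustration; profile `extends` chains are not followed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Value definition quoted in the thread plus minimal
# profiles. The <Benchmark> wrapper and the profile ids are assumptions.
BENCHMARK = """
<Benchmark>
  <Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
    <title>SSH session Idle time</title>
    <value selector="">300</value>
    <value selector="5_minutes">300</value>
    <value selector="10_minutes">600</value>
    <value selector="15_minutes">900</value>
  </Value>
  <Profile id="stig-rhel6-server-upstream">
    <refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/>
  </Profile>
  <Profile id="common">
    <refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
  </Profile>
  <Profile id="CS2"/>
</Benchmark>
"""

def effective_values(benchmark_xml, value_id):
    """Return {profile_id: (seconds, refined)} for one XCCDF Value."""
    root = ET.fromstring(benchmark_xml)
    value = next(v for v in root.iter("Value") if v.get("id") == value_id)
    # Map selector -> value text; the empty selector is the default.
    by_selector = {v.get("selector", ""): v.text for v in value.findall("value")}
    result = {}
    for profile in root.iter("Profile"):
        selector = None
        for rv in profile.findall("refine-value"):
            if rv.get("idref") == value_id:
                selector = rv.get("selector", "")
        refined = selector is not None
        # An unknown selector raises KeyError, which exposes a broken profile.
        result[profile.get("id")] = (int(by_selector[selector or ""]), refined)
    return result

def unrefined_profiles(benchmark_xml, value_id):
    """Profiles that silently inherit the default for value_id."""
    values = effective_values(benchmark_xml, value_id)
    return sorted(p for p, (_, refined) in values.items() if not refined)

if __name__ == "__main__":
    for pid, (secs, refined) in effective_values(BENCHMARK, "sshd_idle_timeout_value").items():
        print(f"{pid}: {secs}s ({'refined' if refined else 'inherits default'})")
```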