On 5/14/14, 4:37 PM, Trevor Vaughan wrote:
> Ok, I realize that this went through a while ago but has anyone actually lived with this setting enabled?
>
> I've got a LOT of unhappy users that start to VI a file, walk away for a while (with their local screen locked) and come back to find their sessions dumped all over the floor.
>
> The default appears to be 5 minutes across the board which I find WAY too short since I might be looking at a man page in two windows for that amount of time or more.
>
> I would like to propose that the defaults be changed to something more sensible like 2, 4, or 8 hours. (Heck, meetings can go on for more than 2 hours sometimes)
>
> Thanks,

The default value is 5 minutes:
<Value id="sshd_idle_timeout_value" type="number"
       operator="equals" interactive="0">
  <title>SSH session Idle time</title>
  <description>Specify duration of allowed idle time.</description>
  <value selector="">300</value>
  <value selector="5_minutes">300</value>
  <value selector="10_minutes">600</value>
  <value selector="15_minutes">900</value>
</Value>


STIG value is 15 minutes:
$ grep -rin sshd_idle_timeout_value profiles/
profiles/stig-rhel6-server-upstream.xml:114:<refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/>
profiles/rht-ccp.xml:9:<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
profiles/common.xml:299:<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>

Interestingly, the CS2 profile doesn't refine the sshd_idle_timeout_value, thus inheriting the 5 minute constraint....

/me eyeballs dave smith to see if this was an oversight in the CS2 profile
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
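
Added example (not from the original thread or the scap-security-guide project): the Python below resolves, per profile, which sshd_idle_timeout_value applies, including the case raised above where a profile has no refine-value and falls back to the empty-selector default. The XML is a constructed sample based on the Value and grep output quoted in the message; the profiles "unrefined-example" and "longer-timeout-example" are hypothetical, and inheritance between profiles is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Value quoted in the message plus profile fragments.
# "unrefined-example" and "longer-timeout-example" are hypothetical profiles.
BENCHMARK = """
<Benchmark>
  <Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
    <title>SSH session Idle time</title>
    <value selector="">300</value>
    <value selector="5_minutes">300</value>
    <value selector="10_minutes">600</value>
    <value selector="15_minutes">900</value>
  </Value>
  <Profile id="common">
    <refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
  </Profile>
  <Profile id="stig-rhel6-server-upstream">
    <refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/>
  </Profile>
  <Profile id="unrefined-example"/>
  <Profile id="longer-timeout-example">
    <refine-value idref="sshd_idle_timeout_value" selector="8_hours"/>
  </Profile>
</Benchmark>
"""

def effective_values(xml_text, value_id):
    """Return {profile_id: (selector, seconds or None)} for one Value."""
    root = ET.fromstring(xml_text)
    value = root.find(f"./Value[@id='{value_id}']")
    # Map each selector name to its number; "" is the default choice.
    choices = {v.get("selector", ""): int(v.text) for v in value.findall("value")}
    result = {}
    for profile in root.findall("Profile"):
        refine = profile.find(f"./refine-value[@idref='{value_id}']")
        # No refine-value in the profile: the empty-selector default applies.
        selector = refine.get("selector", "") if refine is not None else ""
        # None marks a selector that has no matching <value> element, so a
        # longer timeout needs a new selector added to the Value first.
        result[profile.get("id")] = (selector, choices.get(selector))
    return result

if __name__ == "__main__":
    for pid, (sel, secs) in effective_values(BENCHMARK, "sshd_idle_timeout_value").items():
        print(f"{pid}: selector={sel!r} seconds={secs}")
```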
