AlmaLinux OS 9 must terminate idle user sessions.

STIG ID: ALMA-09-040500  |  SRG: SRG-OS-000163-GPOS-00072 |  Severity: medium |  CCI: CCI-001133 |  Vulnerability Id: V-269421

Vulnerability Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Check

Verify that AlmaLinux OS 9 logs out sessions that are idle for 15 minutes with the following command:

$ systemd-analyze cat-config systemd/logind.conf | grep StopIdleSessionSec

#StopIdleSessionSec=infinity
StopIdleSessionSec=900

If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding.

Fix

Configure AlmaLinux OS 9 to log out idle sessions.

Create the directory if necessary:

$ mkdir -p /etc/systemd/logind.conf.d/

Create a *.conf file in /etc/systemd/logind.conf.d/ with the following content:

[Login]
StopIdleSessionSec=900
KillUserProcesses=no

Restart systemd-logind:

$ systemctl restart systemd-logind
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.