Bug 2122322

Summary: Add new rule to enforce idle session timeout (StopIdleSessionSec)
Product: Red Hat Enterprise Linux 8 Reporter: Marek Haicman <mhaicman>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: NEW --- QA Contact: Jiri Jaburek <jjaburek>
Severity: unspecified Docs Contact: Jan Fiala <jafiala>
Priority: unspecified    
Version: 8.8CC: ggasparb, jafiala, jjaburek, matyc, mhaicman, mlysonek, msekleta, peter.vreman, tscherf, vpolasek, wsato
Target Milestone: rcKeywords: AutoVerified, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el8 Doc Type: Enhancement
Doc Text:
.New SCAP rule for idle session termination New SCAP rule `logind_session_timeout` has been added to the `scap-security-guide` package in ANSSI-BP-028 profiles for Enhanced and High levels. This rule uses a new feature of the `systemd` service manager and terminates idle user sessions after a certain time. This rule provides automatic configuration of a robust idle session termination mechanism which is required by multiple security policies. As a result, OpenSCAP can automatically check the security requirement related to terminating idle user sessions and, if necessary, remediate it.
 Story Points: ---
Clone Of:
: 2168078 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2168078    

Description Marek Haicman 2022-08-29 18:59:24 UTC 
Description of problem:
New option is introduced in SystemD (See Bug 2122288). This option allows to set timeout for idle sessions globally, which can replace no longer available sshd session timeout mechanism using ClientAliveCountMax.

For the reason, we need the rule covering it.

Usage seems to be configuration of logind.conf in a form:
[Login]
StopIdleSessionSec=<time>

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-4.el8


How reproducible:
reliably

Steps to Reproduce:
1. look at the list of rules
2.
3.

Actual results:
rule does not exist

Expected results:
rule exists

Additional info:
Comment 11 Vojtech Polasek 2023-02-01 07:55:43 UTC 
Merged into upstream: https://github.com/ComplianceAsCode/content/pull/10149
Comment 12 Michal Sekletar 2023-02-01 14:54:03 UTC 
I am planning to backport the feature to RHEL-8.6 after resolving bug that was recently filed,
https://bugzilla.redhat.com/show_bug.cgi?id=2158355

Hence do not rebase scap-security-guide in RHEL-8.6 before I push the update.
Comment 16 Watson Yuuma Sato 2023-02-07 07:29:34 UTC 
The fix is available in Content release v0.1.66:
https://github.com/ComplianceAsCode/content/pull/10127