Blame SOURCES/scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch

618a7c
From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
618a7c
From: Watson Sato <wsato@redhat.com>
618a7c
Date: Thu, 21 Jan 2021 11:04:05 +0100
618a7c
Subject: [PATCH] Add variable selector and notes for R29
618a7c
618a7c
---
618a7c
 controls/anssi.yml | 14 +++++++++++++-
618a7c
 1 file changed, 13 insertions(+), 1 deletion(-)
618a7c
618a7c
diff --git a/controls/anssi.yml b/controls/anssi.yml
618a7c
index dec9d68c99..3303d70295 100644
618a7c
--- a/controls/anssi.yml
618a7c
+++ b/controls/anssi.yml
618a7c
@@ -521,10 +521,22 @@ controls:
618a7c
     description: >-
618a7c
       Remote user sessions (shell access, graphical clients) must be closed
618a7c
       after a certain period of inactivity.
618a7c
+    notes: >-
618a7c
+      There is no specific capability to check remote user inactivity, but some shells allow the
618a7c
+      session inactivity time out to be configured via TMOUT variable.
618a7c
+      In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
618a7c
+      The server is configured to disconnect sessions if no data has been received within the idle timeout,
618a7c
+      regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
618a7c
+      In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
618a7c
+      The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
618a7c
+      "don't disconnect network inactive sessions". The server either probes for the client liveness
618a7c
+      or keeps inactive sessions connected.
618a7c
+    automated: yes
618a7c
     rules:
618a7c
     - accounts_tmout
618a7c
+    - var_accounts_tmout=10_min
618a7c
     - sshd_set_idle_timeout
618a7c
-    - sshd_idle_timeout_value=5_minutes
618a7c
+    - sshd_idle_timeout_value=10_minutes
618a7c
     - sshd_set_keepalive
618a7c
 
618a7c
   - id: R30