{"description": "The <tt>tmux</tt> terminal multiplexer is used to implement\nautomatic session locking. It should be started from\n<tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.", "rationale": "Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer\nprovides a mechanism to lock sessions after a period of inactivity.\nA session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to\nlog out because of the temporary nature of the absence.", "severity": "medium", "references": {"srg": ["SRG-OS-000031-GPOS-00012", "SRG-OS-000028-GPOS-00009", "SRG-OS-000030-GPOS-00011"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not produce output", "ocil": "Verify Ubuntu 22.04 shell initialization file is configured to start each shell with the tmux terminal multiplexer.\n\nDetermine the location of the tmux script with the following command:\n\n<pre>$ sudo grep tmux /etc/bashrc /etc/profile.d/*\n\n/etc/profile.d/tmux.sh:  case \"$name\" in (sshd|login) tmux ;; esac</pre>\n\nReview the tmux script by using the following example:\n\n<pre>$ cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi</pre>\n\nIf the shell file is not configured as the example above, is commented out, or is missing, this is a finding.\n\nDetermine if tmux is currently running with the following command:\n\n<pre>$ sudo ps all | grep tmux | grep -v grep</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to initialize the tmux terminal multiplexer as each shell is called by adding the following to file \"/etc/profile.d/tmux.sh\":\n\nif [ \"$PS1\" ]; then\n    parent=$(ps -o ppid= -p $$)\n    name=$(ps -o comm= -p $parent)\n    case \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nThen, ensure a 
correct mode of /etc/profile.d/tmux.sh using this command:\n\n$ sudo chmod 0644 /etc/profile.d/tmux.sh", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must ensure session control is automatically started at shell initialization.", "warnings": [{"general": "This rule configures Tmux to be executed in a way that exiting Tmux\ndrops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure session control is automatically started at shell initialization.", "fixtext": "Configure Ubuntu 22.04 to initialize the tmux terminal multiplexer as each shell is called by adding the following to file \"/etc/profile.d/tmux.sh\":\n\nif [ \"$PS1\" ]; then\n    parent=$(ps -o ppid= -p $$)\n    name=$(ps -o comm= -p $parent)\n    case \"$name\" in sshd|login) tmux ;; esac\nfi", "checktext": "Verify Ubuntu 22.04 shell initialization file is configured to start each shell with the tmux terminal multiplexer.\n\nDetermine the location of the tmux script with the following command:\n\n$ sudo grep tmux /etc/bashrc /etc/profile.d/*\n\n/etc/profile.d/tmux.sh:  case \"$name\" in (sshd|login) tmux ;; esac\n\nReview the tmux script by using the following example:\n\n$ cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) tmux ;; esac\nfi\n\nIf the shell file is not configured as the example above, is commented out, or is missing, this is a finding.\n\nDetermine if tmux is currently running with the following command:\n\n$ sudo ps all | grep tmux | grep -v grep\n\nIf the command does not produce output, this is a finding.", "vuldiscussion": "Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. 
Red Hat endorses tmux as the recommended session controlling package."}}, "platform": "package[tmux]", "platforms": ["package[tmux]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_tmux"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Support session locking with tmux (not enforcing)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml", "template": null}