{"description": "The <tt>tmux</tt> terminal multiplexer is used to implement\nautomatic session locking. It should be started from\n<tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.", "rationale": "Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer\nprovides a mechanism to lock sessions after a period of inactivity.\nA session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to\nlog out because of the temporary nature of the absence.", "severity": "medium", "references": {"ospp": ["FMT_SMF_EXT.1", "FMT_MOF_EXT.1", "FTA_SSL.1"], "srg": ["SRG-OS-000031-GPOS-00012", "SRG-OS-000028-GPOS-00009", "SRG-OS-000030-GPOS-00011"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not produce output", "ocil": "Verify Ubuntu 22.04 shell initialization file is configured to start each shell with the tmux terminal multiplexer.\n\nDetermine the location of the tmux script with the following command:\n\n<pre>$ sudo grep tmux /etc/bashrc /etc/profile.d/*\n\n/etc/profile.d/tmux.sh:  case \"$name\" in (sshd|login) exec tmux ;; esac</pre>\n\nReview the tmux script by using the following example:\n\n<pre>$ cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) exec tmux ;; esac\nfi</pre>\n\nIf the shell file is not configured as the example above, is commented out, or is missing, this is a finding.\n\nDetermine if tmux is currently running with the following command:\n\n<pre>$ sudo ps all | grep tmux | grep -v grep</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to initialize the tmux terminal multiplexer as each shell is called by adding the following to file \"/etc/profile.d/tmux.sh\":\n\nif [ \"$PS1\" ]; then\n    parent=$(ps -o ppid= -p $$)\n    name=$(ps -o comm= -p $parent)\n    case 
\"$name\" in (sshd|login) exec tmux ;; esac\nfi\n\nThen, ensure a correct mode of /etc/profile.d/tmux.sh using this command:\n\n$ sudo chmod 0644 /etc/profile.d/tmux.sh", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must ensure session control is automatically started at shell initialization.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure session control is automatically started at shell initialization.", "vuldiscussion": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Ubuntu 22.04 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nThe \"tmux\" package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. 
The \"tmux\" default configuration does not contain an effective session lock.", "checktext": "Verify Ubuntu 22.04 shell initialization file is configured to start each shell with the tmux terminal multiplexer.\n\nDetermine the location of the tmux script with the following command:\n\n$ sudo grep tmux /etc/bashrc /etc/profile.d/*\n\n/etc/profile.d/tmux.sh:  case \"$name\" in (sshd|login) exec tmux ;; esac\n\nReview the tmux script by using the following example:\n\n$ cat /etc/profile.d/tmux.sh\n\nif [ \"$PS1\" ]; then\nparent=$(ps -o ppid= -p $$)\nname=$(ps -o comm= -p $parent)\ncase \"$name\" in (sshd|login) exec tmux ;; esac\nfi\n\nIf the shell file is not configured as the example above, is commented out, or is missing, this is a finding.\n\nDetermine if tmux is currently running with the following command:\n\n$ sudo ps all | grep tmux | grep -v grep\n\nIf the command does not produce output, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to initialize the tmux terminal multiplexer as each shell is called by adding the following to file \"/etc/profile.d/tmux.sh\":\n\nif [ \"$PS1\" ]; then\n    parent=$(ps -o ppid= -p $$)\n    name=$(ps -o comm= -p $parent)\n    case \"$name\" in sshd|login) exec tmux ;; esac\nfi"}}, "platform": "package[tmux]", "platforms": ["package[tmux]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_tmux"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Support session locking with tmux", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml", "template": null}