PCI DSS requirement for session idle timeout: implementation and bypass

PCI DSS 3.2 requirement 8.1.8 states “If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session”.

For bash this may be achieved with this config:

/etc/profile.d/set_tmout.sh:

# Exit bash after 15 minutes of inactivity
TMOUT=900
export TMOUT
readonly TMOUT

For ssh sessions you should use this settings in sshd_config:

ClientAliveInterval 300
ClientAliveCountMax 3

Your auditor will be quite happy with this.


Problem is, if you like to open a lot of sessions in tmux/screen - with appropriate directory and commands history for particular task - this thing fucks up all your well-suited workflow.

You can not just unset TMOUT variable, because it is read-only. But happily, you can replace shell with another program by exec command. Pure sh respects the TMOUT setting, but it’s simple and doesn’t know a thing about read-only variables. So here is what you do:

alias fuckoff='exec sh -c "unset TMOUT; exec bash"'

Or even insert this in .bashrc_local(included from .bashrc and removed before audit):

test -n "$TMOUT" && exec sh -c "unset TMOUT; exec bash"

Voila! You have usable working environment again.

Of course, all this is purely theoretical. Nobody should ever bypass PCI DSS requirements with sneaky tricks. That’s the law -_-



License: Creative Commons Attribution-ShareAlike License Share: share on reddit share on facebook share on twitter