4

I am working on a Red Hat Enterprise Linux (RHEL) 8 machine with the DISA STIG applied via OpenSCAP. The STIG requires that users be automatically dropped into a tmux session, that tmux session locks the screen after a set idle time, and SSH disconnects after another amount of idle time.

The problem I'm having is that we have long running commands that we start and then walk away from. First tmux locks the screen, and eventually SSH kills the connection. The expected behavior is that when we reconnect via SSH either the old tmux session is reconnected or a new tmux session is created while the old one is still running in the background. Either way we don't want the tmux session to die when SSH disconnects.

The relevant STIGs and our configurations are as follows:

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230349

$ cat /etc/profile.d/tmux.sh
if [ "$PS1" ]; then
  parent=$(ps -o ppid= -p $$)
  name=$(ps -o comm= -p $parent)
  case "$name" in (sshd|login) tmux ;; esac
fi
if [ -n "$TMUX" ]; then
  # render /etc/issue or else fall back to kernel/system info
  agetty --show-issue 2>/dev/null || uname -a

  # message of the day
  for motd in /run/motd.dynamic /etc/motd; do
    if [ -s "$motd" ]; then cat "$motd"; break; fi
  done

  # last login
  last $USER | awk 'NR==2 { if (NF==10) { i=1; if ($3!~/^:/) from = " from " $3 } printf("Last login: %s %s %s %s%s on %s\n", $(3+i), $(4+i), $(5+i), $(6+i), from, $2); exit }'

  # mail check
  if [ -s "/var/mail/$USER" ]; then   # may need to change to /var/spool/mail/$USER
    echo "You have mails."
  else
    echo "You have no mail."
  fi
fi

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230353

$ cat /etc/tmux.conf
set -g lock-after-time 300
set -g lock-command vlock
bind X lock-session

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-244525

$ cat /etc/ssh/sshd_config
...
Compression no
ClientAliveInterval 600
ClientAliveCountMax 1
#UseDNS no
...

I also suspect systemd-logind has something to do with it due to this argument on the Debian mailing list.

$ cat /etc/systemd/logind.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See logind.conf(5) for details.

[Login]
StopIdleSessionSec=900
#NAutoVTs=6
#ReserveVT=6
KillUserProcesses=no
#KillOnlyUsers=
#KillExcludeUsers=root
#InhibitDelayMaxSec=5
#HandlePowerKey=poweroff
#HandleSuspendKey=suspend
#HandleHibernateKey=hibernate
#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
#HandleLidSwitchDocked=ignore
#PowerKeyIgnoreInhibited=no
#SuspendKeyIgnoreInhibited=no
#HibernateKeyIgnoreInhibited=no
#LidSwitchIgnoreInhibited=yes
#HoldoffTimeoutSec=30s
#IdleAction=ignore
#IdleActionSec=30min
#RuntimeDirectorySize=10%
#RemoveIPC=no
#InhibitorsMax=8192
#SessionsMax=8192
#StopIdleSessionSec=infinity

I edited longer files to give the relevant sections.

I have tried editing the profile.d startup to match this StackOverflow suggestion, I have tried changing the SSH ClientAlive to 60 and 10 (plus systemd restart), I've tried changing logind.conf to KillUserProcesses=no (uncommenting that line with systemd restart and OS restart), and I've tried starting a separate tmux session (session 1) from the session that we get when we login (session 0) and both sessions are terminated upon SSH disconnect. None of those changes have produced desirable behavior.

Has anyone else encountered this issue and found a workaround?
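As an added example (not part of the question), the script below takes the three config fragments posted above, constructed here as inline strings, and prints the idle timers in the order they fire, then classifies a `/proc/PID/cgroup` line so you can see whether a process sits inside the login session's `session-N.scope` (the unit a stopped session takes with it) or under `user@UID.service`, the user's own systemd instance where `systemd-run --user` places its units. One caveat it encodes: `ClientAliveInterval * ClientAliveCountMax` is the time sshd tolerates a client that stops answering keepalives; a connected client answers them even while the user is idle, so that setting drops dead links, not idle users.

```shell
#!/bin/bash
# Added example, not part of the question: work out from the posted config
# fragments the order in which the idle timers fire, and classify from a
# /proc/PID/cgroup line whether a process lives in the login session scope
# that StopIdleSessionSec stops. The three config strings are constructed
# copies of the question's excerpts.

SSHD_CONF='Compression no
ClientAliveInterval 600
ClientAliveCountMax 1
#UseDNS no'

TMUX_CONF='set -g lock-after-time 300
set -g lock-command vlock
bind X lock-session'

LOGIND_CONF='[Login]
StopIdleSessionSec=900
KillUserProcesses=no
#StopIdleSessionSec=infinity'

NEVER=999999999   # sort key for "does not fire"

# sshd_config keyword lookup: case-insensitive, first occurrence wins (as
# sshd does); comment lines never match because "#Key" != "Key". 0 if unset.
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" \
    'tolower($1)==tolower(k) && !s {v=$2; s=1} END {print v+0}'
}

# Seconds with no reply from the client before sshd drops the connection.
# A live client answers keepalives while the user is idle, so this catches a
# dead link, not an idle user. 0 = disabled.
sshd_dead_after() {
  echo $(( $(sshd_value "$1" ClientAliveInterval) * $(sshd_value "$1" ClientAliveCountMax) ))
}

# tmux lock-after-time in seconds (0 = never); "set" or "set-option" form.
tmux_lock_after() {
  printf '%s\n' "$1" | awk '$1 ~ /^set(-option)?$/ {
    for (i = 2; i < NF; i++) if ($i == "lock-after-time") v = $(i + 1)
  } END {print v+0}'
}

# logind StopIdleSessionSec as written; "infinity" (the compiled-in default)
# when absent or commented out.
logind_stop_after() {
  printf '%s\n' "$1" | awk -F= '/^[[:space:]]*#/ {next}
    $1=="StopIdleSessionSec" {v=$2} END {print (v=="" ? "infinity" : v)}'
}

# Seconds for a plain number or a single-unit systemd span (900, 90s, 15min,
# 1h). 0, "infinity" and anything unrecognised map to NEVER.
to_secs() {
  case "$1" in
    ''|0|infinity|*[!0-9a-z]*) echo "$NEVER" ;;
    *min) echo $(( ${1%min} * 60 )) ;;
    *h)   echo $(( ${1%h} * 3600 )) ;;
    *s)   to_secs "${1%s}" ;;
    *[!0-9]*) echo "$NEVER" ;;
    *)    echo "$1" ;;
  esac
}

# Where a process lives, from one /proc/PID/cgroup line:
#   session      inside session-N.scope, stopped together with the login session
#   user-manager under user@UID.service, the user's own systemd instance,
#                which is where systemd-run --user places its units
cgroup_class() {
  case "$1" in
    */session-*.scope*) echo session ;;
    */user@*.service/*) echo user-manager ;;
    *)                  echo other ;;
  esac
}

# Timers in firing order: "<seconds or never><TAB><effect>".
timeline() {
  stop=$(logind_stop_after "$LOGIND_CONF")
  {
    printf '%s\t%s\n' "$(to_secs "$(tmux_lock_after "$TMUX_CONF")")" \
      "tmux runs lock-command; the tmux server and its jobs keep running"
    printf '%s\t%s\n' "$(to_secs "$(sshd_dead_after "$SSHD_CONF")")" \
      "sshd drops the link, but only once the client stops answering keepalives"
    printf '%s\t%s\n' "$(to_secs "$stop")" \
      "logind StopIdleSessionSec=$stop stops the login session (session-N.scope)"
    printf '%s\t%s\n' "$(to_secs "${TMOUT:-0}")" \
      "bash TMOUT=${TMOUT:-0} exits the interactive shell"
  } | sort -n | awk -F'\t' -v n="$NEVER" 'BEGIN {OFS="\t"} $1==n {$1="never"} {print}'
}

# Live check of the shell running this script ("unknown" without /proc).
current_shell_class() {
  line=$(grep -m1 -E '^(0::|[0-9]+:name=systemd:)' "/proc/$$/cgroup" 2>/dev/null) || line=""
  if [ -n "$line" ]; then cgroup_class "$line"; else echo unknown; fi
}

timeline
echo "this shell runs in: $(current_shell_class)"
```

Run it on the affected host as the user who loses sessions; with the values from the question it prints 300 (tmux lock), 600 (sshd, dead links only), 900 (logind stops the session) and `never` for TMOUT unless something has exported it. To check a running tmux server rather than the shell, feed `cgroup_class` the `0::` or `name=systemd` line from `/proc/$(pgrep -u "$USER" -x tmux)/cgroup`.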

3 Answers

2

For anyone finding this question and looking for a solution, we started using systemd-run. That seems to make the long running processes immune to logind killing the session after a timeout, although it does make things slightly less convenient than screen or tmux.

2

When using systemd's StopIdleSessionSec a user process such as tmux should not be killed if using systemd's KillUserProcesses=no. Unfortunately, this is not working.

Tried the below method, which did not work since users would need access to systemd-run and specifically the --scope option, which I don't want. I will provide it here nonetheless for others to review, use, change:

UPDATE [2024/07/23]: Thanks "@This isn't my real name" for your correction. To avoid security issues by scripting this it makes sense for admins to just run the systemd-run --scope command when wanting a long running tmux session. I will instead set StopIdleSessionSec to 1hr as tmux sessions already lock at the 15min mark. If a background job is needing to run more than 1hr, then the systemd-run command would be used. Any thoughts on this are appreciated.

sudo -i

#!/bin/bash

# Backup current tmux.sh script in /etc/profile.d
mv /etc/profile.d/tmux.sh /etc/profile.d/tmux.sh.bk

# Create the tmux.sh script in /etc/profile.d
tee /etc/profile.d/tmux.sh > /dev/null <<'EOF'
if [ "$PS1" ]; then
  parent=$(ps -o ppid= -p $$)
  name=$(ps -o comm= -p $parent)
  case "$name" in
    sshd|login)
      # Check if tmux is already running to avoid nested tmux sessions
      if [ -z "$TMUX" ]; then
        systemd-run --scope --user --slice=tmux.slice tmux
      fi
      ;;
  esac
fi
EOF

# Make the tmux.sh script readable by all
chmod a+r /etc/profile.d/tmux.sh

# Create the tmux.slice configuration file
tee /etc/systemd/system/tmux.slice > /dev/null <<'EOF'
[Slice]
# Ensure that idle action is ignored for tmux slice
IdleAction=ignore
IdleActionSec=infinity
EOF

# Reload systemd configuration
systemctl daemon-reload

# Restart the systemd-logind service:
systemctl restart systemd-logind

For now I have StopIdleSessionSec disabled and STIG kept open, but if I end up having to keep it enabled will use systemd-run as Andrew mentioned. Thanks for providing that info Andrew.
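As an added example (not the STIG's, the question's or this answer's code), here is a login hook that gives the reconnect behaviour the question asks for: it re-attaches to an existing tmux session instead of starting a second server, never nests when already inside tmux, and, when it does have to start a new server and `systemd-run` is present, launches it the way this answer does, in a transient scope under the user's own systemd instance rather than inside the SSH login session's scope. The session name `main` and the `launch_cmd` helper are this example's choices; the decision logic is kept side-effect free so it can be tested without tmux installed.

```shell
#!/bin/bash
# Added example, not code from the question, the STIG or the answer above.
# Drop-in candidate for /etc/profile.d/tmux.sh: attach to an existing tmux
# session, never nest, and start a new server (if one is needed) under the
# user's systemd instance via systemd-run --scope --user, as the answer does.

SESSION=main   # this example's choice of session name

# Decide what to run. Pure function of its inputs so it can be tested:
#   $1 parent process comm (sshd/login = real login, anything else = skip)
#   $2 current $TMUX (non-empty = already inside tmux, skip)
#   $3 yes/no: does a session named $SESSION already exist?
#   $4 yes/no: is systemd-run available?
# Prints nothing when the shell should just continue to its prompt.
launch_cmd() {
  case "$1" in sshd|login) ;; *) return 0 ;; esac
  [ -n "$2" ] && return 0
  if [ "$3" = yes ]; then
    # The server already exists (it survived the last disconnect): reattach.
    echo "tmux attach-session -t $SESSION"
  elif [ "$4" = yes ]; then
    # New server: place it in a transient scope under user@UID.service,
    # not in this login's session-N.scope.
    echo "systemd-run --scope --user tmux new-session -s $SESSION"
  else
    echo "tmux new-session -s $SESSION"
  fi
}

# Only act for an interactive shell on a terminal that is not already in tmux.
if [ -n "$PS1" ] && [ -t 0 ] && [ -z "$TMUX" ]; then
  parent_name=$(ps -o comm= -p "$PPID" 2>/dev/null)
  exists=no;  tmux has-session -t "$SESSION" 2>/dev/null && exists=yes
  have_sr=no; command -v systemd-run >/dev/null 2>&1 && have_sr=yes
  cmd=$(launch_cmd "$parent_name" "$TMUX" "$exists" "$have_sr")
  [ -n "$cmd" ] && eval "$cmd"
fi
```

On the next SSH login after a disconnect, `tmux has-session` succeeds and the hook attaches instead of starting session 1 beside session 0. Whether the server outlives `StopIdleSessionSec` still depends on it running outside `session-N.scope`; this hook arranges that only for servers it starts itself, and you can confirm placement with the `0::` or `name=systemd` line of `/proc/<tmux server pid>/cgroup`.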

0

Our system is running RHEL 8.10. I tried everything I could find, including this post, and it ended up being that the $TMOUT variable was being set at the system level to 900 seconds. It may have been something specific our security team had put in place, but I was able to override it in my .bashrc with "export TMOUT=0 &>/dev/null". It is keeping my screen and tmux sessions alive properly now.

Matt