If users or administrators are not actively working on the command line or WebUI, the user is automatically logged out after a defined period of time.
This time can be configured.


Inactivity Timeout for CLI

An individual timeout can be configured for the console as well as for users connecting via SSH. To configure it for all users the file /etc/profile.d/autologout.sh needs to be adjusted. To set it to five minutes of inactivity, the file should look like this:

# set timeout for CLI
readonly TMOUT
export TMOUT

This file needs to be executable. To do so, the command

[tufin]# chmod +x /etc/profile.d/autologout.sh

is used. Checking the status is done by calling the variable

[tufin]# echo $TMOUT

Since in TufinOS all users of the CLI are administrators, generally changing it is possible. This is documented in central logging that needs to be monitored.
For sure, setting the timeout individually per user is possible via the file .bash_profile, but not really useful in TufinOS.

If a connection to the command line is established with an SSH client, a separate time period applies here until the automatic inactivity logout. This needs to be adjusted in the /etc/ssh/sshd_config file.

ClientAliveInterval 300
ClientAliveCountMax 0

This configuration enforces a logout after 5 minutes of inactivity. To get it active, the sshd needs to be restarted

[tufin]# systemctl restart sshd


Inactivity Timeout for WebUI

The timeout for users of the WebUI needs to be configured also. It's done for SecureTrack by changing the configured parameter. It should first be checked using the CLI of the server.

[tufin]# tos config get -f | grep web.session.inactivityTimeout
  Global                          web.session.inactivityTimeout                   60m  

It's also possible to use another flag

[tufin]# tos config get -p web.session.inactivityTimeout
  Global   web.session.inactivityTimeout  60m

In the case shown above, the timeout is 60 minutes. To change it to e.g. 120 minutes, this command shoult be used:

[tufin]# tos config set -p web.session.inactivityTimeout=120m

Besides the digit, the time period can be chosen - m for minutes, h for hours and d for days.


Please consider that this way to change the inactivity timeout works for SecureTrack only!
For SecureChange there is a hardcoded timeout of 30 minutes. Therefore, a changed configuration is disregarded
(Tufin SR[00134598])