Configuring inactivity timeout for Users and Administrators
If users or administrators are not actively working on the command line or WebUI, the user is automatically logged out after a defined period of time.
This time can be configured.
Inactivity Timeout for CLI
An individual timeout can be configured for the console as well as for users connecting via SSH. To configure it for all users the file /etc/profile.d/autologout.sh needs to be adjusted. To set it to five minutes of inactivity, the file should look like this:
# set timeout for CLI
TMOUT=300
readonly TMOUT
export TMOUT
This file needs to be executable. To do so, the command
[tufin]# chmod +x /etc/profile.d/autologout.sh
is used. Checking the status is done by calling the variable
[tufin]# echo $TMOUT
300
[tufin]#
Since in TufinOS all users of the CLI are administrators, generally changing it is possible. This is documented in central logging that needs to be monitored.
For sure, setting the timeout individually per user is possible via the file .bash_profile, but not really useful in TufinOS.
If a connection to the command line is established with an SSH client, a separate time period applies here until the automatic inactivity logout. This needs to be adjusted in the /etc/ssh/sshd_config file.
ClientAliveInterval 300
ClientAliveCountMax 0
This configuration enforces a logout after 5 minutes of inactivity. To get it active, the sshd needs to be restarted
[tufin]# systemctl restart sshd
Inactivity Timeout for WebUI
The timeout for users of the WebUI needs to be configured also. It's done for SecureTrack by changing the configured parameter. It should first be checked using the CLI of the server.
[tufin]# tos config get -f | grep web.session.inactivityTimeout
Global web.session.inactivityTimeout 60m
[tufin]#
It's also possible to use another flag
[tufin]# tos config get -p web.session.inactivityTimeout
SERVICE PROPERTY VALUE DEFAULT MESSAGE
Global web.session.inactivityTimeout 60m
[tufin]#
In the case shown above, the timeout is 60 minutes. To change it to e.g. 120 minutes, this command shoult be used:
[tufin]# tos config set -p web.session.inactivityTimeout=120m
Besides the digit, the time period can be chosen - m for minutes, h for hours and d for days.
Please consider that this way to change the inactivity timeout works for SecureTrack only!
For SecureChange there is a hardcoded timeout of 30 minutes. Therefore, a changed configuration is disregarded
(Tufin SR[00134598])