ComplianceAsCode · ggbecker · Feb 3, 2021 · Jan 21, 2021
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -521,10 +521,22 @@ controls:
     description: >-
       Remote user sessions (shell access, graphical clients) must be closed
       after a certain period of inactivity.
+    notes: >-
+      There is no specific capability to check remote user inactivity, but some shells allow the
+      session inactivity time out to be configured via TMOUT variable.
+      In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
+      The server is configured to disconnect sessions if no data has been received within the idle timeout,
+      regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
+      In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
+      The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
+      "don't disconnect network inactive sessions". The server either probes for the client liveness
+      or keeps inactive sessions connected.
+    automated: yes
     rules:
     - accounts_tmout
+    - var_accounts_tmout=10_min
     - sshd_set_idle_timeout
-    - sshd_idle_timeout_value=5_minutes
+    - sshd_idle_timeout_value=10_minutes
     - sshd_set_keepalive
 
   - id: R30