[Question] tmux detached session quits after ssh user disconnects

[jdaln]

Since this is probably not a bug but more of a feature, havec skipped the template description.

My question would be: which part of the hardening could cause a tmux detached session to be killed after a ssh user disconnects?

I noticed this behavior on a server patched with the role.

[cleberb]

You need to review the /etc/systemd/logind.conf file. I recently updated this in my cloned repository, but I didn't have time to send a pull request.

[konstruktoid]

https://github.com/konstruktoid/ansible-role-hardening/blob/master/templates/etc/systemd/logind.conf.j2 needs to be turned into variables :)

I can do that @cleberb, no stress.

[konstruktoid]

Sorry for the delay, I'm currently working on this

[konstruktoid]

#723 has been merged

[jdaln]

Thank you! :)

Just came back from holiday. I will comment here in a week or so, once tested but feel free to close if it is already tested.

[jdaln]

@konstruktoid
The changes have not worked for me.
Here is the current status:

$ systemctl show systemd-logind | grep -E 'KillUserProcesses|IdleAction|IdleActionSec|RemoveIPC'
RemoveIPC=no

Any idea what could be wrong with the current master @cleberb ?

I have /etc/systemd/logind.conf.d/zz-logind-hardening.conf

# Ansible managed
# Generated by Ansible role konstruktoid.hardening

[Login]
KillUserProcesses=false
KillExcludeUsers=root vagrant
IdleAction=lock
IdleActionSec=15min
RemoveIPC=true

and /etc/systemd/logind.conf

# Ansible managed
# Generated by Ansible role konstruktoid.hardening

[Login]
KillUserProcesses=1
KillExcludeUsers=root
IdleAction=lock
IdleActionSec=15min
RemoveIPC=yes

Update: Even deleting /etc/systemd/logind.conf does not change anything.
Full output of systemctl show systemd-logind:

Type=dbus
Restart=always
NotifyAccess=main
RestartUSec=0
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
TimeoutAbortUSec=1min 30s
TimeoutStartFailureMode=terminate
TimeoutStopFailureMode=terminate
RuntimeMaxUSec=infinity
WatchdogUSec=3min
WatchdogTimestamp=Wed 2024-10-16 11:18:05 UTC
WatchdogTimestampMonotonic=244781580
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=679
ControlPID=0
BusName=org.freedesktop.login1
FileDescriptorStoreMax=512
NFileDescriptorStore=0
StatusText=Processing requests...
StatusErrno=0
Result=success
ReloadResult=success
CleanResult=success
UID=[not set]
GID=[not set]
NRestarts=0
OOMPolicy=stop
ExecMainStartTimestamp=Wed 2024-10-16 11:14:15 UTC
ExecMainStartTimestampMonotonic=15430557
ExecMainExitTimestamp=n/a
ExecMainExitTimestampMonotonic=0
ExecMainPID=679
ExecMainCode=0
ExecMainStatus=0
ExecStart={ path=/lib/systemd/systemd-logind ; argv[]=/lib/systemd/systemd-logind ; ignore_errors=no ; start_time=[Wed 2024-10-16 11:14:15 UTC] ; stop_time=[n/a] ; pid=679 ; code=(null)rors=no ; start_time=[Wed 2024-10-16 11:14:15 UTC] ; stop_time=[n/a] ; pid=679 ; code=(null) ; status=0/0 }
ExecStartEx={ path=/lib/systemd/systemd-logind ; argv[]=/lib/systemd/systemd-logind ; flags= ; start_time=[Wed 2024-10-16 11:14:15 UTC] ; stop_time=[n/a] ; pid=679 ; code=(null) ; statu; start_time=[Wed 2024-10-16 11:14:15 UTC] ; stop_time=[n/a] ; pid=679 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/systemd-logind.service
MemoryCurrent=1605632
MemoryAvailable=infinity
CPUUsageNSec=65876000
TasksCurrent=1
IPIngressBytes=[no data]
IPIngressPackets=[no data]
IPEgressBytes=[no data]
IPEgressPackets=[no data]
IOReadBytes=18446744073709551615
IOReadOperations=18446744073709551615
IOWriteBytes=18446744073709551615
IOWriteOperations=18446744073709551615
Delegate=no
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
CPUQuotaPeriodUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
DefaultMemoryLow=0
DefaultMemoryMin=0
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
DeviceAllow=char-rtc r
DeviceAllow=char-vcs rw
DeviceAllow=char-tty rw
DeviceAllow=char-input rw
DeviceAllow=char-drm rw
DeviceAllow=char-/dev/console rw
DeviceAllow=block-* r
TasksAccounting=yes
TasksMax=2310
IPAccounting=no
IPAddressDeny=0.0.0.0/0 ::/0
ManagedOOMSwap=auto
ManagedOOMMemoryPressure=auto
ManagedOOMMemoryPressureLimit=0
ManagedOOMPreference=none
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=0
LimitCORESoft=0
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=524288
LimitNOFILESoft=524288
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=1024
LimitNPROCSoft=1024
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=7702
LimitSIGPENDINGSoft=7702
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=0
CoredumpFilter=0x33
Nice=0
IOSchedulingClass=2
IOSchedulingPriority=4
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
CPUAffinityFromNUMA=no
NUMAPolicy=n/a
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_linux_immutable cap_sys_admin cap_sys_tty_config cap_audit_control cap_mac_admin
DynamicUser=no
RemoveIPC=no
ReadWritePaths=/etc /run
PrivateTmp=yes
PrivateDevices=no
ProtectClock=yes
ProtectKernelTunables=no
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
PrivateIPC=no
ProtectHome=yes
ProtectSystem=strict
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=yes
SystemCallFilter=_llseek _newselect accept accept4 access add_key alarm arch_prctl bind brk cacheflush capget capset chdir chmod chown chown32 clock_getres clock_getres_time64 clock_get>
SystemCallArchitectures=native
SystemCallErrorNumber=1
LockPersonality=yes
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RuntimeDirectoryPreserve=yes
RuntimeDirectoryMode=0755
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
StateDirectoryMode=0755
StateDirectory=systemd/linger
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
TimeoutCleanUSec=infinity
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
MountAPIVFS=no
KeyringMode=private
ProtectProc=default
ProcSubset=all
ProtectHostname=yes
KillMode=control-group
KillSignal=15
RestartKillSignal=15
FinalKillSignal=9
SendSIGKILL=yes
SendSIGHUP=no
WatchdogSignal=6
Id=systemd-logind.service
Names=systemd-logind.service dbus-org.freedesktop.login1.service
Requires=sysinit.target -.mount dbus.socket system.slice
Wants=modprobe@drm.service user.slice tmp.mount dbus.socket
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=session-2.scope shutdown.target session-5.scope multi-user.target unattended-upgrades.service
After=dbus.socket modprobe@drm.service user.slice -.mount system.slice systemd-remount-fs.service nss-user-lookup.target systemd-journald.socket systemd-tmpfiles-setup.service tmp.mount>
RequiresMountsFor=/run/systemd/inhibit /var/lib/systemd/linger /run/systemd/seats /run/systemd/shutdown /run/systemd/users /var/tmp /run/systemd/sessions
Documentation="man:sd-login(3)" "man:systemd-logind.service(8)" "man:logind.conf(5)" "man:org.freedesktop.login1(5)"
Description=User Login Management
LoadState=loaded
ActiveState=active
FreezerState=running
SubState=running
FragmentPath=/lib/systemd/system/systemd-logind.service
UnitFileState=static
UnitFilePreset=enabled
StateChangeTimestamp=Wed 2024-10-16 11:14:16 UTC
StateChangeTimestampMonotonic=15844638
InactiveExitTimestamp=Wed 2024-10-16 11:14:15 UTC
InactiveExitTimestampMonotonic=15430640
ActiveEnterTimestamp=Wed 2024-10-16 11:14:16 UTC
ActiveEnterTimestampMonotonic=15844638
ActiveExitTimestamp=n/a
ActiveExitTimestampMonotonic=0
InactiveEnterTimestamp=n/a
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
CanClean=runtime state
CanFreeze=yes
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnSuccessJobMode=fail
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Wed 2024-10-16 11:14:15 UTC
ConditionTimestampMonotonic=15411520
AssertTimestamp=Wed 2024-10-16 11:14:15 UTC
AssertTimestampMonotonic=15411568
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=e3860d62c8874009bc25a76c19ffca25
CollectMode=inactive

[jdaln]

Just checked again after deleting the old /etc/systemd/logind.conf and rebooting and, after disconnecting from ssh + 15mn, tmux gets killed.

[konstruktoid]

i'll check the configuration, but have you enabled lingering (https://www.freedesktop.org/software/systemd/man/latest/loginctl.html#enable-linger%20USER%E2%80%A6) for the user as well?

[jdaln]

i'll check the configuration, but have you enabled lingering (https://www.freedesktop.org/software/systemd/man/latest/loginctl.html#enable-linger%20USER%E2%80%A6) for the user as well?

I have not. This is a default Ubuntu 22.04. The only difference with the other servers I have is that I ran ansible-role-hardening in the past. Will check this further.

[jdaln]

Considering that I now have /etc/systemd/logind.conf.d/zz-logind-hardening.conf:

# Ansible managed
# Generated by Ansible role konstruktoid.hardening

[Login]
KillUserProcesses=false
KillExcludeUsers=root vagrant
IdleAction=lock
IdleActionSec=15min
RemoveIPC=true

Shouldn't my process not be killed?

[konstruktoid]

the process should not be killed, especially since you've set KillUserProcesses=false.
I'm not going to pretend I understand systemd user management, but if lingering is "enabled for a specific user, a user manager is spawned for the user at boot and kept around after logouts."

[konstruktoid]

i'll check the configuration, but have you enabled lingering (https://www.freedesktop.org/software/systemd/man/latest/loginctl.html#enable-linger%20USER%E2%80%A6) for the user as well?

I have not. This is a default Ubuntu 22.04. The only difference with the other servers I have is that I ran ansible-role-hardening in the past. Will check this further.

what does loginctl show-user "$(id -un)" return?

~$ lsb_release -d
Description:    Ubuntu 22.04.5 LT
~$ loginctl show-user "$(id -un)" | grep -i linger
Linger=no

[jdaln]

Exactly the same values.

$ lsb_release -d
Description:	Ubuntu 22.04.5 LTS
$ loginctl show-user "$(id -un)" | grep -i linger
Linger=no

Could it be that previous runs affect?
If you spawn a tmux via tmux, do ctrl+b+d and exit ssh, will it be killed after 15mn?

[konstruktoid]

using KillUserProcesses=no my tmux is still alive after 30min.

vagrant@jammy:~$ tmux
vagrant@jammy:~$ sudo loginctl show-user vagrant | grep -i linger  && sudo loginctl show-user | grep -i kill
Linger=no
KillUserProcesses=no
vagrant@jammy:~$ date
Wed Oct 16 01:03:40 PM UTC 2024
vagrant@jammy:~
[ctrl+b+d]
vagrant@jammy:~$ tmux list-session
0: 1 windows (created Wed Oct 16 13:05:15 2024)
vagrant@jammy:~$ exit
logout

vagrant@jammy:~$ date
Wed Oct 16 01:34:48 PM UTC 2024
vagrant@jammy:~$ tmux list-sessions
0: 1 windows (created Wed Oct 16 13:05:15 2024)
vagrant@jammy:~$ date
Wed Oct 16 01:34:48 PM UTC 2024
vagrant@jammy:~$ sudo journalctl -r | grep -Ei 'New session'
Oct 16 13:34:46 jammy systemd-logind[675]: New session 7 of user vagrant.
Oct 16 13:04:54 jammy systemd-logind[675]: New session 5 of user vagrant.
Oct 16 12:58:29 jammy systemd-logind[675]: New session 3 of user vagrant.
Oct 16 12:56:01 vagrant systemd-logind[675]: New session 1 of user vagrant.

[jdaln]

Nice! Thank you for checking.

I guess it's just a problem with my server then.

Although, the notebook sets it to "false" but that should work too.

[konstruktoid]

KillUserProcesses=no will ignore KillExcludeUsers

[jdaln]

@konstruktoid I tried on a fresh server, and unfortunately, I kills tmux after 15mn with the config below.

    - name: Include the hardening role
      ansible.builtin.include_role:
        name: konstruktoid.hardening
      vars:
        automatic_updates:
          enabled: true
          only_security: true
          reboot: true
          reboot_from_time: "2:00"
          reboot_time_margin_mins: "20"
        logind:
          killuserprocesses: false
          killexcludeusers:
            - root
            - vagrant
          idleaction: lock
          idleactionsec: 15min
          removeipc: true
        auditd_action_mail_acct: "root"
        manage_ufw: true
        ufw_outgoing_traffic:
          - 22
          - 53
          - 80
          - 123
          - 443
          - 853
          - 6443
          - 465
        disable_wireless: true
        reboot_ubuntu: true
        sshd_admin_net:
          - 0.0.0.0/0
        sshd_allow_users: user1 user2 user3
        sshd_allow_groups: user1 user2 user3
        sshd_login_grace_time: 60
        sshd_max_auth_tries: 5
        suid_sgid_permissions: true
        sshd_allow_tcp_forwarding: true
        sshd_client_alive_interval: 600

[konstruktoid]

That's odd, I'll do some more testing. What distro and release are you using? Ubuntu 22.04.5 LTS?

[jdaln]

Thank you! Yes Ubuntu 22.04.5 LTS

[konstruktoid]

can't really figure why this is happening, but i'll continue looking

[jdaln]

Thank you for checking.
If you remove vagrant from the killexcludeusers during the test runs, does it kill it after 15mn?

[konstruktoid]

yeah, I cant keep a tmux session running for 15 min even if all the logind settings are in place

[konstruktoid]

sorry for not getting back to you earlier, could you check if the TMOUT variable is set? It's most likely in /etc/profile

https://github.com/konstruktoid/ansible-role-hardening?tab=readme-ov-file#defaultsmainumaskyml

[jdaln]

Not at all! Thank you for checking.

In both cases, it looks like this:

$ more /etc/profile
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "${PS1-}" ]; then
  if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "$(id -u)" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi
umask 077
declare -irx TMOUT=900

So I guess, this is the culprit in this case, correct?

I wonder how this behavior could be documented. It seems to me that it's not that obvious.

[konstruktoid]

could be most likely, does your sessions get killed if TMOUT is unset?
i'm thinking that the TMOUT line shouldn't be added if /etc/systemd/logind.conf.d/zz-logind-hardening.conf exists or something like that, so that logind is responsible for all things regarding timeouts and sessions.

[konstruktoid]

or just set session_timeout: 0

[jdaln]

I was able to test while having the line commented, and indeed, it now stays alive. Thank you!

[jdaln]

could be most likely, does your sessions get killed if TMOUT is unset? i'm thinking that the TMOUT line shouldn't be added if /etc/systemd/logind.conf.d/zz-logind-hardening.conf exists or something like that, so that logind is responsible for all things regarding timeouts and sessions.

If it has fully the same effect and still complies with CIS, it is indeed the way to go IMO.

[konstruktoid]

well, 5.4.3.2 Ensure default user shell timeout is configured only has a remediation procedure using TMOUT.

StopIdleSessionSec=900 will do the same thing as TMOUT=900 so I'll add that instead for consistency, and I've added a discussion to the Ubuntu CIS benchmark regarding this (https://workbench.cisecurity.org/community/4/discussions/11401)

[konstruktoid]

https://github.com/konstruktoid/ansible-role-hardening/releases/tag/v2.2.0 released with #763 included

[jdaln]

Should this be closed or are you waiting for answers from CIS before closing it?

[konstruktoid]

Getting an answer and a update benchmark can take forever :) so we'll close this for the time being.