PCI DSS compliance

8.1.8 Session idle time out

8.1.8 session time out

Depending on the application used, appropriate measures should be taken to avoid sessions being idle and unsupervised by the owner of the session. Regarding this control the PCI DSS states such sessions should be lower than 15 minutes. They may related to applications running on the system itself, but also those used for system management. In the case of Linux this would to the configuration of SSH.


Define the timeout value in your shell, with the TMOUT variable.


  • File: /etc/ssh/sshd_config
Depending on your version of SSH, the ClientAliveInterval defines how often a "ping" is sent to the client, to determine if it is still available. By defining an interval of 300, with a related count of 3, the maximum time of an idle session is 15 minutes. Another option is to set the interval higher and limit the ClientAliveCountMax to 0. Testing in your configuration is advised to determine what is working best.
  • Option: ClientAliveInterval 300
  • Option: ClientAliveCountMax 3