I was reading through Jim Perrin’s CentOS hardening article, and saw one super interesting use of read-only bourne shell variables. If you have users that are frequently logging in and staying idle for days and or weeks, you can add a readonly TMOUT variable to /etc/profile:
$ echo "readonly TMOUT=3600" >> /etc/profile /etc/profile.d
The TMOUT variable controls the amount of time a user can be idle before the system logs them out. Since the variables in /etc/profile will be applied to the environment before a users .bash* and .profile files, you can be sure that users can’t override (this doesn’t address users who use C shells, but that can be addresses similarly) the read-only TMOUT variable and stay idle for longer periods of time. This also works well for HISTFILE environment variable, which is mentioned in the article. Great article Jim!