diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index 73564c03cd..05c48f0d9b 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -389,6 +389,13 @@ echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
 # Copy DNS templates
 sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
 
+# Copy cli-sessions config files
+sudo cp $IMAGE_CONFIGS/cli_sessions/tmout-env.sh.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/cli_sessions/sysrq-sysctl.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/bin/
+sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
+echo "serial-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
+
 # Copy warmboot-finalizer files
 sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh
 sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
diff --git a/files/image_config/cli_sessions/serial-config.service b/files/image_config/cli_sessions/serial-config.service
new file mode 100644
index 0000000000..6211ecaaae
--- /dev/null
+++ b/files/image_config/cli_sessions/serial-config.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Update serial console config
+Requires=sonic.target
+After=sonic.target
+Before=getty-pre.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/serial-config.sh
+
+[Install]
+WantedBy=sonic.target
diff --git a/files/image_config/cli_sessions/serial-config.sh b/files/image_config/cli_sessions/serial-config.sh
new file mode 100755
index 0000000000..b02d65ffae
--- /dev/null
+++ b/files/image_config/cli_sessions/serial-config.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# generate conf file for sysrq capabilities.
+sonic-cfggen -d -t /usr/share/sonic/templates/sysrq-sysctl.conf.j2 > /etc/sysctl.d/95-sysrq-sysctl.conf
+
+SYSRQ_CONF=0
+# update sysrq for current boot.
+sysrq_conf=`sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities`
+if [ ${sysrq_conf} = "enabled" ]; then
+        SYSRQ_CONF=1
+fi
+sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq
+
+# generate env file for profile.d to set auto-logout timeout for serial consoles.
+sonic-cfggen -d -t /usr/share/sonic/templates/tmout-env.sh.j2 > /etc/profile.d/tmout-env.sh
diff --git a/files/image_config/cli_sessions/sysrq-sysctl.conf.j2 b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2
new file mode 100644
index 0000000000..49d9a62bc8
--- /dev/null
+++ b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2
@@ -0,0 +1,10 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by cli-sesisons.sh
+###############################################################################
+{% set sysrq = 0 %}
+{% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_policies.sysrq_capabilities == 'enabled' %}
+{% set sysrq = 1 %}
+{% endif %}
+kernel.sysrq={{ sysrq }}
\ No newline at end of file
diff --git a/files/image_config/cli_sessions/tmout-env.sh.j2 b/files/image_config/cli_sessions/tmout-env.sh.j2
new file mode 100644
index 0000000000..528504ee72
--- /dev/null
+++ b/files/image_config/cli_sessions/tmout-env.sh.j2
@@ -0,0 +1,11 @@
+{# Default timeout (15 min) #}
+{% set inactivity_timeout_sec = 900 %}
+
+{% set serial_pol = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_pol and serial_pol.inactivity_timeout and serial_pol.inactivity_timeout | int >= 0 %}
+{% set inactivity_timeout_sec = serial_pol.inactivity_timeout | int * 60 %}
+{% endif %}
+
+{# apply only for serial tty #}
+tty | grep -q tty &&  \
+export TMOUT={{ inactivity_timeout_sec }}