Hello community, here is the log from the commit of package seccheck for openSUSE:Factory checked in at 2014-02-19 07:25:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/seccheck (Old) and /work/SRC/openSUSE:Factory/.seccheck.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "seccheck" Changes: -------- --- /work/SRC/openSUSE:Factory/seccheck/seccheck.changes 2012-07-06 09:52:58.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.seccheck.new/seccheck.changes 2014-02-19 07:25:08.000000000 +0100 @@ -1,0 +2,13 @@ +Fri Feb 14 13:20:19 UTC 2014 - [email protected] + +- Extended autologout functionality in seccheck-2.0-autologout.patch + with SSH. See autologout.conf file for configuration details. +- Fixed issue if no user is logged on in seccheck-2.0-autologout.patch. + +------------------------------------------------------------------- +Thu Feb 13 08:29:15 UTC 2014 - [email protected] + +- Added new autologout functionality. (FATE#312303) + (added seccheck-2.0-autologout.patch) + +------------------------------------------------------------------- New: ---- seccheck-2.0-autologout.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ seccheck.spec ++++++ --- /var/tmp/diff_new_pack.1A9SNd/_old 2014-02-19 07:25:09.000000000 +0100 +++ /var/tmp/diff_new_pack.1A9SNd/_new 2014-02-19 07:25:09.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package seccheck # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -48,6 +48,7 @@ Patch15: %{name}-%{version}-website.patch Patch16: %{name}-%{version}_new_rpm_output_handle_more_filesystems_bnc746042.diff Patch17: %{name}-%{version}_daily_uid_bnc769770.diff +Patch18: %{name}-%{version}-autologout.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -76,6 +77,7 @@ %patch15 %patch16 %patch17 -p1 +%patch18 -p1 %install install -d -m 700 $RPM_BUILD_ROOT/var/lib/secchk 
@@ -84,6 +86,7 @@ install -d -m 755 $RPM_BUILD_ROOT/usr/doc/packages/secchk install -d -m 755 $RPM_BUILD_ROOT/etc/cron.d install -m 600 crontab.security $RPM_BUILD_ROOT/etc/cron.d/seccheck +install -m 600 crontab.autologout $RPM_BUILD_ROOT/etc/cron.d/autologout install -m 740 *.sh $RPM_BUILD_ROOT/usr/lib/secchk/ install -m 740 checkneverlogin $RPM_BUILD_ROOT/usr/lib/secchk/ install -d $RPM_BUILD_ROOT/var/adm/fillup-templates @@ -96,18 +99,22 @@ # chown 0.0 $RPM_BUILD_ROOT/etc/cron.$freq/seccheck # chmod 700 $RPM_BUILD_ROOT/etc/cron.$freq/seccheck #done +install -d -m 755 $RPM_BUILD_ROOT/etc/security +install -m 644 autologout.conf $RPM_BUILD_ROOT/etc/security/ %files %defattr(-,root,root) %doc TODO CHANGES README LICENCE /usr/lib/secchk %config /etc/cron.d/seccheck +%config /etc/cron.d/autologout #%config /etc/cron.daily/seccheck #%config /etc/cron.weekly/seccheck #%config /etc/cron.monthly/seccheck %dir /var/lib/secchk %dir /var/lib/secchk/data /var/adm/fillup-templates/sysconfig.seccheck +%config /etc/security/autologout.conf %clean rm -rf $RPM_BUILD_ROOT ++++++ seccheck-2.0-autologout.patch ++++++ diff -Nur seccheck-2.0-orig/autologout.conf seccheck-2.0/autologout.conf --- seccheck-2.0-orig/autologout.conf 1970-01-01 01:00:00.000000000 +0100 +++ seccheck-2.0/autologout.conf 2014-02-13 23:09:32.480000000 +0100 
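Review bot: The `%files` entry `%config /etc/security/autologout.conf` marks the policy file as plain `%config`, so on an update that ships a changed default, a locally edited copy is moved aside to `.rpmsave` and the packaged file takes over. That would silently replace a site's stricter idle limits with the shipped 60-minute default. Consider `%config(noreplace) /etc/security/autologout.conf`, which keeps the local policy and installs the new default as `.rpmnew`. The existing `/etc/cron.d/seccheck` entry also uses plain `%config`, so this may be a deliberate package convention.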
@@ -0,0 +1,27 @@
+# Set tty default timeout in minutes
+TTY_TIMEOUT=60
+# Set default delay till timeout in seconds
+DEFAULT_DELAY=60
+# Wait time between SIGHUP(1) and SIGKILL(9)
+KILL_WAIT=20
+
+# Timeout configuration based on user, group or tty
+# Main Parameters:
+# - group:<unix group>
+# - user:<unix username>
+# - tty:<tty device>
+# - ssh
+# Sub-Parameters:
+# - idle:<idle time in minutes>
+# - delay:<delay till logout in seconds>
+#
+# !! The last rule in LOGOUTCONF that matches is active !!
+# Example: If root is connected over ssh its idle timeout is 5 min - not 22.
+
+LOGOUTCONF=(
+#"group:users idle:30"
+#"tty:/dev/ttyS0 idle:10"
+#"ssh idle:22 delay:22"
+#"user:root idle:5 delay:15"
+)
+
diff -Nur seccheck-2.0-orig/autologout.sh seccheck-2.0/autologout.sh
--- seccheck-2.0-orig/autologout.sh 1970-01-01 01:00:00.000000000 +0100
+++ seccheck-2.0/autologout.sh 2014-02-14 10:13:09.349000000 +0100
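Review bot: The header comments in autologout.conf do not say that the file is sourced as shell code (`. /etc/security/autologout.conf` in autologout.sh, which the packaged crontab runs as root), so any edit to it executes with root privileges on the next cron run. I would add a first line such as `# This file is sourced by autologout.sh as root: shell syntax only, keep it root-owned and not group- or world-writable.` Separately, the KILL_WAIT comment names SIGHUP and SIGKILL, while killit() sends SIGTERM after KILL_WAIT and SIGKILL two seconds later. `# Wait time in seconds between SIGHUP and the SIGTERM/SIGKILL follow-up` would match the script.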
@@ -0,0 +1,273 @@
+#!/bin/sh
+#
+# Small shellscript by Alexander Bergmann <[email protected]> which checks
+# for idle user terminals and kills them where applicable. Parameters can be
+# found in the configuration file autologout.conf.
+#
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+
+. /etc/security/autologout.conf
+
+# Default Values
+DRY_RUN=0
+SHOW_CONF=0
+
+# Our datasets
+declare -a USER
+declare -a GROUP
+declare -a TTY
+declare -a IDLE
+declare -i SESSIONS
+
+# Return tty idle time in seconds
+function tty_idle() {
+ EPOCH=`date +%s`
+ ACCESS=`stat --format=%X ${1}`
+ echo $(($EPOCH-$ACCESS))
+}
+
+# Format input seconds into minutes/hours/days
+function format_time() {
+ SEC=$(($1%60))
+ SEC=`printf "%02d" $SEC`
+ MIN=$(($1/60))
+ if [ $MIN -gt 59 ]; then
+ HOUR=$(($MIN/60))
+ MIN=$(($MIN%60))
+ MIN=`printf "%02d" $MIN`
+ if [ $HOUR -gt 24 ]; then
+ DAY=$(($HOUR/24))
+ HOUR=$(($HOUR%24))
+ echo "${DAY}d ${HOUR}:${MIN}:${SEC}"
+ else
+ echo "${HOUR}:${MIN}:${SEC}"
+ fi
+ else
+ echo "${MIN}:${SEC}"
+ fi
+}
+
+# Initialize datasets for active terminals
+function init_db() {
+ local i=0
+ for j in `w -hn | awk '{print $1";"$2}'`; do
+ if [ -c /dev/${j#*;} ]; then
+ USER[$i]="${j%;*}"
+ TTY[$i]="/dev/${j#*;}"
+ IDLE[$i]=`tty_idle ${TTY[$i]}`
+ GROUP[$i]=`id ${USER[$i]} | awk -F '[()]' '{print $(4)}'`
+ let i++
+ fi
+ done
+ # Exit if no user is logged in.
+ if [ $i -eq 0 ]; then
+ exit
+ fi
+}
+
+# Send message to terminal
+function send_msg() {
+ MIN=`format_time ${IDLE[$1]}`
+ MESSAGE=""
+ if [ $DRY_RUN -eq 1 ]; then
+ MESSAGE="\nDry Run: This terminal will not be terminated.\n"
+ fi
+ MESSAGE="${MESSAGE}\n${USER[$1]}: You've been idle for ${MIN} min (allowed ${TTY_TIMEOUT_TMP} min)."
+ MESSAGE="${MESSAGE}\nYou'll be logged off in ${DELAY_TIMEOUT_TMP} sec unless you hit a key.\n"
+ echo -e "${MESSAGE}" | write ${USER[$1]} ${TTY[$1]}
+}
+
+# Kill terminal
+function killit() {
+ sleep ${DELAY_TIMEOUT_TMP}
+ NEW_IDLE=`tty_idle ${TTY[$1]}`
+ if [ $((${NEW_IDLE}/60)) -ge ${TTY_TIMEOUT_TMP} ]; then
+ PIDS=`ps -eo pid,tty | grep ${TTY[$1]#/dev/} | awk '{print $1}' | tr '\n' ' '`
+ kill -HUP $PIDS &> /dev/null
+ MIN=`format_time ${NEW_IDLE}`
+ logger "autologout: Terminated ${USER[$1]}:${GROUP[$1]} on ${TTY[$1]} after being idle for ${MIN} (allowed ${TTY_TIMEOUT_TMP} min)."
+ sleep $KILL_WAIT
+ for pid in $PIDS; do
+ if kill -0 $pid &> /dev/null; then
+ kill -TERM $pid &> /dev/null
+ sleep 2
+ if kill -0 $pid &> /dev/null; then
+ kill -KILL $pid &> /dev/null
+ fi
+ fi
+ done
+ fi
+}
+
+# Check for SSH session
+function check_ssh() {
+ USERID=`id -u ${USER[$1]}`
+ SSH_PS=`ps -eo uid,tty,cmd | grep -E 'sshd:.*@' | grep "${TTY[$1]#/dev/}" | grep -v grep | awk -v uid="${USERID}" '$1 == uid {print $4}'`
+ SSH_TTY=${SSH_PS##${USER[$1]}@}
+ echo "/dev/${SSH_TTY}"
+}
+
+# Check rule configuration
+function check_rule() {
+ local i=0
+ # Load Defaults
+ CHECK_TIMEOUT=$TTY_TIMEOUT
+ CHECK_DELAY=$DEFAULT_DELAY
+ TMP_TIMEOUT=""
+ TMP_DELAY=""
+ for ((i = 0; i < ${#LOGOUTCONF[@]}; i++)); do
+ conf=${LOGOUTCONF[i]%% *}
+ case ${conf%:*} in
+ group)
+ if [ "${conf#*:}" = "${GROUP[$1]}" ]; then
+ TMP_TIMEOUT=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$3 == "idle" {print $4}; $5 == "idle" {print $6}'`
+ TMP_DELAY=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$3 == "delay" {print $4}; $5 == "delay" {print $6}'`
+ fi
+ ;;
+ user)
+ if [ "${conf#*:}" = "${USER[$1]}" ]; then
+ TMP_TIMEOUT=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$3 == "idle" {print $4}; $5 == "idle" {print $6}'`
+ TMP_DELAY=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$3 == "delay" {print $4}; $5 == "delay" {print $6}'`
+ fi
+ ;;
+ tty)
+ if [ "${conf#*:}" = "${TTY[$1]}" ]; then
+ TMP_TIMEOUT=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$3 == "idle" {print $4}; $5 == "idle" {print $6}'`
+ TMP_DELAY=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$3 == "delay" {print $4}; $5 == "delay" {print $6}'`
+ fi
+ ;;
+ ssh)
+ if [ "`check_ssh $1`" = "${TTY[$1]}" ]; then
+ TMP_TIMEOUT=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$2 == "idle" {print $3}; $4 == "idle" {print $5}'`
+ TMP_DELAY=`echo ${LOGOUTCONF[i]} | awk -F '[: ]' '$2 == "delay" {print $3}; $4 == "delay" {print $5}'`
+ fi
+ ;;
+ esac
+ done
+ if [ "x$TMP_TIMEOUT" != "x" ]; then
+ CHECK_TIMEOUT=$TMP_TIMEOUT
+ fi
+ if [ "x$TMP_DELAY" != "x" ]; then
+ CHECK_DELAY=$TMP_DELAY
+ fi
+ echo "$CHECK_TIMEOUT:$CHECK_DELAY"
+}
+
+# Check terminal idle time and compare with timeout configuration
+function check_idle() {
+ local i=0
+ if [ $DRY_RUN -eq 1 ]; then
+ echo "Autologout: Dry Run"
+ fi
+ for ((i = 0 ; i < ${#USER[@]}; i++)); do
+ #TIMEOUT=`check_rule $i`
+ LOGOUT=""
+ CONF_TIMEOUT=`check_rule $i`
+ TTY_TIMEOUT_TMP=${CONF_TIMEOUT%:*}
+ DELAY_TIMEOUT_TMP=${CONF_TIMEOUT#*:}
+ MIN=`format_time ${IDLE[$i]}`
+ if [ $((${IDLE[$i]}/60)) -ge ${TTY_TIMEOUT_TMP} ]; then
+ if [ $DRY_RUN -eq 1 ]; then
+ LOGOUT="(Subject to logout)"
+ send_msg $i
+ else
+ send_msg $i
+ killit $i &
+ fi
+ fi
+ if [ $DRY_RUN -eq 1 ]; then
+ echo -e "Checking: ${USER[$i]}:${GROUP[$i]} on ${TTY[$i]} Idle time: ${MIN} Max: ${TTY_TIMEOUT_TMP} min ${LOGOUT}"
+ fi
+ done
+}
+
+# Show configuration details
+function show_config_details() {
+ for rule in $@; do
+ case ${rule%:*} in
+ idle)
+ echo -n " Maximum idle time: ${rule#*:} min ";;
+ delay)
+ echo -n " Delay till logout: ${rule#*:} sec ";;
+ esac
+ done
+ echo
+}
+
+# Show configuration rules
+function show_config() {
+ echo "Defaults:"
+ echo "* maximum idle time: ${TTY_TIMEOUT} min"
+ echo "* logout delay: ${DEFAULT_DELAY} sec"
+ echo "Rules:"
+ local i=0
+ for ((i = 0; i < ${#LOGOUTCONF[@]}; i++)); do
+ conf=${LOGOUTCONF[i]%% *}
+ case ${conf%:*} in
+ group)
+ echo -n "* GROUP Rule: ${conf#*:} "
+ show_config_details ${LOGOUTCONF[i]#* }
+ ;;
+ user)
+ echo -n "* USER Rule: ${conf#*:} "
+ show_config_details ${LOGOUTCONF[i]#* }
+ ;;
+ tty)
+ echo -n "* TTY Rule: ${conf#*:} "
+ show_config_details ${LOGOUTCONF[i]#* }
+ ;;
+ ssh)
+ echo -n "* SSH Rule:"
+ show_config_details ${LOGOUTCONF[i]#* }
+ ;;
+ esac
+ done
+ if [ $i -eq 0 ]; then
+ echo "* No rules defined."
+ fi
+}
+
+# Initialize Datasets
+init_db
+
+# Help output
+USAGE="Usage: $0 [OPTION]...\n"\
+" -s Show configuration.\n"\
+" -d Configuration dry run.\n"\
+" -c config Use configuration file.\n"\
+" (default: /etc/security/autologout.conf)"
+
+# Parse command line options
+while getopts ":sdc:" opt; do
+ case "${opt}" in
+ s ) SHOW_CONF=1;;
+ d ) DRY_RUN=1;;
+ c ) CONF=`readlink -f $OPTARG`
+ if [ "x$CONF" = "x" ]; then
+ echo "Error: Please provide a configuration file."
+ echo -e "$USAGE"
+ exit
+ fi
+ if [ -f $CONF ]; then
+ source $CONF
+ else
+ echo "Error: Couldn't find configuration file: '$CONF'"
+ echo -e "$USAGE"
+ exit
+ fi
+ ;;
+ \?) echo -e "$USAGE"
+ exit;;
+ esac
+done
+
+# Print parsed configuration
+if [ $SHOW_CONF -eq 1 ]; then
+ show_config
+ exit
+fi
+
+# Start checking terminal idle times
+check_idle
+exit
+
diff -Nur seccheck-2.0-orig/crontab.autologout seccheck-2.0/crontab.autologout
--- seccheck-2.0-orig/crontab.autologout 1970-01-01 01:00:00.000000000 +0100
+++ seccheck-2.0/crontab.autologout 2014-02-13 23:04:33.560000000 +0100
@@ -0,0 +1,6 @@
+RUN_FROM_CRON=yes
+#
+# SUSE Security Autologout
+#
+-*/10 * * * * root test -x /usr/lib/secchk/autologout.sh && /usr/lib/secchk/autologout.sh
+
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
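Review bot: In killit() of autologout.sh, `ps -eo pid,tty | grep ${TTY[$1]#/dev/}` is an unanchored substring match, so a timeout on `pts/1` also collects the PIDs of `pts/10` through `pts/19` (and `tty1` matches `tty10`). Those unrelated, possibly active sessions then receive HUP/TERM/KILL from a root cron job. Select by exact tty instead, e.g. `PIDS=$(ps -eo pid=,tty= | awk -v t="${TTY[$1]#/dev/}" '$2 == t {print $1}' | tr '\n' ' ')`. The same substring `grep "${TTY[$1]#/dev/}"` is used in check_ssh(), where a second matching line would presumably make the comparison in check_rule fail and the ssh rule be skipped. Quoting the remaining `${TTY[$1]}`/`${USER[$1]}` expansions and skipping `kill` when PIDS is empty would close the neighbouring gaps.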
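Review bot: The crontab.autologout comment `# SUSE Security Autologout` does not tell an administrator what installing this file switches on. With the shipped empty LOGOUTCONF, check_rule falls back to TTY_TIMEOUT for every terminal that `w` reports, so the job enforces the 60-minute default for all logged-in users as soon as the package is installed. I would document that and the schedule, e.g. `# Runs autologout.sh as root every 10 minutes; idle limits are therefore enforced with up to 10 minutes of slack.` `RUN_FROM_CRON=yes` is set here, but autologout.sh as shown never reads it; if nothing else uses it, drop it or say why it is needed.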
