On 2010-10-15 00.59, Brad Tilley wrote:
On 10/14/2010 06:45 PM, Ben Niccum wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.
Brad
Don't mean to complicate things for you, but just thought I should
mention that if the user does:
# exec /bin/csh
Then csh takes over ksh's active process, and even though the TMOUT
variable is still there, csh doesn't honor it, and ksh is no longer
around to object.
-Ben
Great point. That's precisely the sort of thing I'd like to have thought
about. Much of the compliance efforts may look good on paper, but have
no impact on actual usage or may be trivially circumvented as you point
out. So while disabling a shell may get a check mark during PCI
compliance efforts, that may be all you end up with.
You mentioned not wanting to use anything not in base.
How about a simple shell script, using nothing but standard utilities,
to regularly monitor logged-in users and kick idle ones out?
I whipped something together as an example, see below. (Very slightly
tested, use at your own risk :-) ) As an added bonus you can't as a
regular user circumvent its watchful eye by exec'ing a different shell
or simply by changing the idle timeout value in the current login shell.
Regards,
/Benny
----8<--------8<--------8<--------8<--------8<---- (cut)
#!/bin/ksh
#
# idlehup -- hang up idle tty connections
# -------
#
# Written on a whim in 2010-10-15 by Benny Lofgren
#
# benny -at- internetlabbet.se / +46 70 718 11 90
#
# Use at your own risk :-)
#
# Run with nohup (or remove infinite loop at the end
# and run with cron)
#
# Assumes the BSD who(1) -u output layout:
#   user tty Mon DD HH:MM idle pid [host]
# where idle is "." (active within the last minute),
# "old" (idle 24 h or more) or HH:MM.
#
PROG="$0"
if [ $# -ne 1 ]
then
	echo "${PROG}: usage: ${PROG} <max_idle_time_in_minutes>"
	exit 1
fi
# Accept only a plain non-negative integer. (expr exits 1 when its
# result is 0, so "expr $1 + 0" cannot serve as a numeric test.)
case "$1" in
	''|*[!0-9]*)
		echo "${PROG}: ERROR: idle time argument must be numeric"
		exit 2
		;;
esac
IDLETIME="$1"
if [ "${IDLETIME}" -gt 1440 ]
then
	echo "${PROG}: ERROR: idle time must be <= 1440 minutes (24 h)"
	exit 3
fi
getidle()
{
	idletime="$1"
	who -u |
	while read user tty mon day time idle rest
	do
		# Check each logged-in user for excessive idle times
		isidle=false
		case "${idle}" in
		".")	;;			# Active tty, do nothing
		old)	isidle=true;;		# Idle a day or more, kick them out
		[0-9][0-9]:[0-9][0-9])
			H="${idle%%:*}"
			M="${idle##*:}"
			# expr reads "08" as decimal, so leading zeros are harmless
			M=$(expr "$H" \* 60 + "$M")
			if [ "$M" -gt "$idletime" ]
			then
				isidle=true
			fi
			;;
		esac
		# Find and eliminate session leader and the rest will follow
		if [ "${isidle}" = "true" ]
		then
			# ps -t takes the tty name without its "tty" prefix
			# (ttyp0 -> p0); "pid=,stat=" suppresses the header
			# line so it is never mistaken for a process.
			ps -t "${tty#tty}" -o pid=,stat= |
			while read pid stat
			do
				case "$stat" in
				*s*) echo "$pid";;	# He's the leader, stone him!
				esac
			done
		fi
	done
}
# Note: a session leader that ignores SIGHUP (trap '' HUP, nohup)
# will survive this; escalate to TERM/KILL if that matters to you.
while true
do
	PIDS=$(getidle "${IDLETIME}")
	if [ -n "${PIDS}" ]
	then
		kill -HUP ${PIDS}
	fi
	sleep 60
done
----8<--------8<--------8<--------8<--------8<---- (cut)
--
Benny Löfgren / internetlabbet.se
work: +46 8 551 124 80 / mobile: +46 70 718 11 90 / fax: +46 8 551 124 89
email: benny -at- internetlabbet.se
"Words must be weighed, not counted."
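The classification of the who(1) idle column is the part of idlehup that is hardest to test without idle users on a live box. The following is an added example, not part of Benny's post or of the thread, that re-derives that classification as small functions and exercises them against constructed who -u lines (no real system output). It goes one step beyond the script by handling both the BSD layout the script targets ("Mon DD HH:MM idle pid [host]") and, as an assumption about GNU coreutils, the layout where the date is a single YYYY-MM-DD field and the idle column therefore sits one position earlier; the usernames, ttys, hosts and times are all made up.

```shell
#!/bin/sh
# Added example, not from the thread: exercise the idle-field logic idlehup
# relies on, against constructed who(1) -u output (nothing captured from a
# real host). Two layouts are covered: BSD ("Mon DD HH:MM idle pid [host]",
# which idlehup targets) and, assumed here, GNU coreutils
# ("YYYY-MM-DD HH:MM idle pid [host]"), where idle is one field earlier.
SAMPLE_WHO='alice    ttyp0    Oct 15 00:59   .      12345
bob      ttyp1    Oct 14 22:10   02:30  12346 (example.net)
carol    ttyp2    Oct 13 09:00   old    12347
dave     pts/0    2010-10-15 00:59 .     4242 (10.0.0.5)
erin     pts/1    2010-10-14 23:05 01:05 4243'

# idle_minutes FIELD: print the idle time in minutes.
# "." means active within the last minute, "old" means 24 h or more,
# anything else must be HH:MM.
idle_minutes() {
	case "$1" in
	.)   echo 0 ;;
	old) echo 1440 ;;
	[0-9][0-9]:[0-9][0-9])
		h=${1%%:*}
		m=${1##*:}
		# drop one leading zero so "08" is not taken for a bad octal literal
		echo $(( ${h#0} * 60 + ${m#0} ))
		;;
	*)
		echo "idle_minutes: unrecognized idle field '$1'" >&2
		return 1
		;;
	esac
}

# idle_field LINE: print the idle column whichever date layout who(1) used.
idle_field() {
	set -- $1
	case "$3" in
	[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$5" ;;   # GNU: date is one field
	*)                                          echo "$6" ;;   # BSD: "Mon DD" is two
	esac
}

# idle_users MAXMIN: print "user tty" for every sample session idle
# longer than MAXMIN minutes, in input order.
idle_users() {
	max=$1
	printf '%s\n' "$SAMPLE_WHO" | while read -r line
	do
		set -- $line
		mins=$(idle_minutes "$(idle_field "$line")") || continue
		if [ "$mins" -gt "$max" ]
		then
			echo "$1 $2"
		fi
	done
}

echo "Sessions idle longer than 60 minutes:"
idle_users 60
```

Run it with any POSIX sh; swap `printf '%s\n' "$SAMPLE_WHO"` for `who -u` to try the same classification on a live system.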