On Fri, 15 Oct 2010 16:28:51 +0200
"Benny Löfgren" <[email protected]> wrote:
> On 2010-10-15 00.59, Brad Tilley wrote:
> > On 10/14/2010 06:45 PM, Ben Niccum wrote:
> >>> I thought about doing that too. I need to test it more to see what
> >>> happens when ksh is the shell and the user executes csh manually.
> >>> I suppose ksh will still honor TMOUT in that case.
> >>> Brad
> >> Don't mean to complicate things for you, but just thought I should
> >> mention that if the user does:
> >> # exec /bin/csh
> >> Then csh takes over ksh's active process, and even though the TMOUT
> >> variable is still there, csh doesn't honor it, and ksh is no longer
> >> around to object.
> >> -Ben
> > Great point. That's precisely the sort of thing I'd like to have
> > thought about. Much of the compliance efforts may look good on
> > paper, but have no impact on actual usage or may be trivially
> > circumvented as you point out. So while disabling a shell may get a
> > check mark during PCI compliance efforts, that may be all you end
> > up with.
>
> You mentioned not wanting to use anything not in base.
>
> How about a simple shell script, using nothing but standard
> utilities, to regularly monitor logged-in users and kick idle ones
> out?
>
> I whipped something together as an example, see below. (Very slightly
> tested, use at your own risk :-) ) As an added bonus you can't as a
> regular user circumvent its watchful eye by exec'ing a different
> shell or simply by changing the idle timeout value in the current
> login shell.
>
>
> Regards,
> /Benny
>
> ----8<--------8<--------8<--------8<--------8<---- (cut)
> #!/bin/ksh
>
> #
> # idlehup -- hang up idle tty connections
> # -------
> #
> # Written on a whim in 2010-10-15 by Benny Lofgren
> #
> # benny -at- internetlabbet.se / +46 70 718 11 90
> #
> # Use at your own risk :-)
> #
> # Run with nohup (or remove infinite loop at the end
> # and run with cron)
> #
>
> PROG="$0"
>
> if [ $# -ne 1 ]
> then
>         echo "${PROG}: usage: ${PROG} <max_idle_time_in_minutes>"
>         exit 1
> else
>         # Accept only a non-empty string of digits. Testing the exit
>         # status of `expr $1 + 0` alone is not enough: expr exits 1
>         # whenever the result is zero, so an argument of 0 would be
>         # rejected as non-numeric.
>         case "$1" in
>         *[!0-9]*|"")
>                 echo "${PROG}: ERROR: idle time argument must be numeric"
>                 exit 2
>                 ;;
>         esac
>         IDLETIME=`expr "$1" + 0`
>
>         if [ ${IDLETIME} -gt 1440 ]
>         then
>                 echo "${PROG}: ERROR: idle time must be <= 1440 minutes (24 h)"
>                 exit 3
>         fi
> fi
>
> # Print the pid of the session leader on every tty that has been idle
> # longer than $1 minutes. The idle column of who -u is "." for an
> # active tty, "old" for more than 24 hours, otherwise HH:MM.
> getidle()
> {
>         idletime="$1"
>
>         who -u |
>         while read user tty mon day time idle rest
>         do
>                 # Check each logged-in user for excessive idle times
>                 isidle=false
>                 case "${idle}" in
>                 ".")    ;;              # Active tty, do nothing
>                 old)    isidle=true;;   # Very old, kick them out
>                 ??:??)  H=`echo $idle | cut -d: -f1`
>                         M=`echo $idle | cut -d: -f2`
>                         M=`expr "$H" \* 60 + "$M"`
>                         if [ "$M" -gt "$idletime" ]
>                         then
>                                 isidle=true
>                         fi
>                         ;;
>                 esac
>
>                 # Find and eliminate session leader and the rest will follow.
>                 # ps -t wants the tty name without the "tty" prefix; a
>                 # lowercase "s" in STAT marks the session leader.
>                 if [ "${isidle}" = "true" ]
>                 then
>                         ps -t`echo $tty | sed "s/^tty//"` -opid,stat |
>                         while read pid stat
>                         do
>                                 case "$stat" in
>                                 *s*) echo $pid;;        # He's the leader, stone him!
>                                 esac
>                         done
>                 fi
>         done
> }
>
> while true
> do
>         PIDS=`getidle ${IDLETIME}`
>         if [ X"${PIDS}" != X"" ]
>         then
>                 kill -HUP ${PIDS}
>         fi
>
>         sleep 60
> done
> ----8<--------8<--------8<--------8<--------8<---- (cut)
>
>
As already said in this thread, there is no way to handle everything.
For example, this script does not work when a user connects with ssh
without allocating a pseudo-tty.
Still, it does not seem to be a problem for the PCI DSS ...
--
Stephane Sezer
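The quoted idlehup script makes two decisions: which ttys are idle past the limit (from the idle column of who -u) and which process on such a tty is the session leader (from the STAT column of ps). The following is an added example, not Benny's script and not part of this thread, that pulls those two decisions out into functions so the arithmetic and the "exec /bin/csh" case can be checked against constructed input rather than a live tty. It assumes the BSD column layouts the quoted script relies on (who -u printing "user tty mon day time idle [(host)]" and ps -o pid,stat marking a session leader with a lowercase "s"); the sample who -u rows and the ps_for_tty function are constructed stand-ins, not captured output.

```shell
#!/bin/sh
# Added example (not the idlehup script from the thread, not OpenBSD code).
# Assumed layouts: BSD who -u ("user tty mon day time idle [(host)]") and
# BSD ps -o pid,stat, where a lowercase "s" in STAT marks a session leader.

# Idle column of who -u -> whole minutes.  "." = active (0), "old" = more
# than a day (treated as 1440), "HH:MM" = H*60+M.  Anything else: return 1.
idle_minutes() {
    case "$1" in
        .)   echo 0 ;;
        old) echo 1440 ;;
        [0-9][0-9]:[0-9][0-9])
            h=${1%%:*}; m=${1##*:}
            # drop a leading zero so "08" is not read as octal by $(( ))
            h=${h#0}; m=${m#0}
            echo $(( ${h:-0} * 60 + ${m:-0} )) ;;
        *)   return 1 ;;
    esac
}

# stdin: who -u lines.  stdout: "user tty" for each session idle > $1 minutes.
idle_ttys() {
    limit=$1
    while read -r user tty mon day time idle rest; do
        mins=$(idle_minutes "$idle") || continue    # skip unparsable rows
        if [ "$mins" -gt "$limit" ]; then
            echo "$user $tty"
        fi
    done
    return 0
}

# stdin: ps -o pid,stat output, header included.  stdout: the pid of every
# process whose STAT carries a lowercase "s" (the session leader on that tty).
# The header "PID STAT" has no lowercase s, so it is skipped naturally.
session_leaders() {
    while read -r pid stat; do
        case $stat in
            *s*) echo "$pid" ;;
        esac
    done
    return 0
}

# --- constructed sample data (not captured from a real host) -----------------
# alice: active; bob: 1h35m idle; carol: more than a day; dave: 7 minutes.
WHO_SAMPLE='alice  ttyp0  Oct 15 16:20   .    (192.0.2.10)
bob    ttyp1  Oct 15 14:02  01:35  (192.0.2.11)
carol  ttyp2  Oct 13 22:14   old   (192.0.2.12)
dave   ttyp3  Oct 15 16:13  00:07  (192.0.2.13)'

# Stand-in for `ps -t "$1" -o pid,stat` (hypothetical helper, constructed
# rows).  On ttyp1 bob has done "exec /bin/csh": the csh took over the
# session-leader slot (STAT "Ss+"), so it is what gets hung up even though
# csh never looked at TMOUT.
ps_for_tty() {
    case $1 in
        ttyp1) printf '%s\n' '  PID STAT' '12045 Ss+' '12051 S+' ;;  # csh (was ksh), vi
        ttyp2) printf '%s\n' '  PID STAT' '11890 Ss'  '11902 T'  ;;  # ksh, stopped job
        *)     printf '%s\n' '  PID STAT' ;;
    esac
}

# Combine both steps: "user tty pid" for every session leader on a tty idle
# longer than $1 minutes.  A real run would feed `who -u` to idle_ttys and
# `ps -t $tty -o pid,stat` to session_leaders, then kill -HUP the pids.
hup_candidates() {
    printf '%s\n' "$WHO_SAMPLE" | idle_ttys "$1" | while read -r user tty; do
        for pid in $(ps_for_tty "$tty" | session_leaders); do
            echo "$user $tty $pid"
        done
    done
    return 0
}

hup_candidates 15   # prints "bob ttyp1 12045" and "carol ttyp2 11890"
```

Two caveats carry over from the thread. Sessions without a tty (an ssh connection that never allocated a pty) never appear in who -u, so neither this nor idlehup can see them. And the column list in idle_ttys is the BSD one; GNU who -u prints the date as a single field and appends the pid, so the read line would need different field names there.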