Ben wrote:
We currently use ssh in our system and are investigating ways to fulfill an
Application STIG requirement. Here's the req
APP0530: Session limits do not exist for the application.
It's actually a checklist item to determine if you have a security finding. That's why it looks like a negative requirement. Supporting text for this requirement indicates that a limit on the number of sessions per user or process ID OR a maximum limit on the aggregate of all sessions needs to exist.
One possible way to implement this requirement for Solaris systems would
be to use the project(4) resource control system.
Put each user into their own project. For each of those projects set
the maximum number of tasks to be 1. If you also want to limit the
number of processes then you can do that in the project definition as well.
For my example user 'jru':
Add this to /etc/project (or the project(4) database in your
name service) to limit them to one login session and 10 processes.
user.jru:100::::project.max-tasks=(privileged,1,deny);project.max-lwps=(privileged,10,deny)
This uses the special user. syntax which also makes this the default
project for the user jru.
For this to work you also need to make sure that the user is NOT part of
the special 'default' project. To do that make the list of users in
project(4) for the default project '!*', e.g.:
default:3::!*::
This requires that ALL users on the system have some default project
otherwise they won't be able to log in at all. Note that the root user
already has a special 'user.root' project defined for them.
This is how it will look to users:
An attempt to login a second time (i.e. create a new task in the project)
will fail, e.g.:
$ ssh [EMAIL PROTECTED]
Resource control limit has been reached
$
An attempt to create more processes than are allowed will fail like this:
islay% sleep 500 &
zsh: fork failed: resource temporarily unavailable
--
Darren J Moffat
opensolaris-discuss mailing list
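As an added audit check (not code from the thread), the following Python parses a project(4) database and reports which users lack the deny-enforced project.max-tasks limit described above, and whether the default project has been closed with '!*'. The sample database, and the unlimited user 'bob', are constructed for the example.

```python
"""Audit a project(4) database for per-user session (task) limits."""
import re

# Constructed sample /etc/project: 'jru' limited as in the post, the default
# project closed with '!*', and a hypothetical user 'bob' left without a limit.
SAMPLE_PROJECT_DB = """\
system:0::::
user.root:1::::
noproject:2::::
default:3::!*::
group.staff:10::::
user.jru:100::::project.max-tasks=(privileged,1,deny);project.max-lwps=(privileged,10,deny)
user.bob:101::::
"""

# One resource control action value, e.g. (privileged,1,deny)
RCTL_VALUE = re.compile(r"\((?P<priv>[a-z]+),(?P<value>\d+),(?P<action>[a-z]+)\)")


def parse_project_db(text):
    """Parse project(4) lines: name:projid:comment:user-list:group-list:attributes."""
    projects = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 5)
        if len(fields) != 6:
            raise ValueError("malformed project(4) line: %r" % line)
        name, _projid, _comment, users, _groups, attrs = fields
        attr_map = {}
        for attr in filter(None, attrs.split(";")):
            key, _, value = attr.partition("=")
            attr_map[key] = [(m.group("priv"), int(m.group("value")), m.group("action"))
                             for m in RCTL_VALUE.finditer(value)]
        projects[name] = {"users": [u for u in users.split(",") if u], "attrs": attr_map}
    return projects


def session_limit(projects, user):
    """Smallest deny-enforced project.max-tasks in the user's user.<name> project, or None."""
    proj = projects.get("user." + user)
    if proj is None:
        return None
    denies = [v for _priv, v, action in proj["attrs"].get("project.max-tasks", []) if action == "deny"]
    return min(denies) if denies else None


def audit(projects, users):
    """Users that would be a finding: no enforced per-user session limit."""
    return [u for u in users if session_limit(projects, u) is None]


def default_project_closed(projects):
    """True when the default project's user list is exactly '!*'."""
    return projects.get("default", {}).get("users") == ["!*"]
```

Run it against the real /etc/project and the login users from passwd(4) to list who still needs a user.<name> project entry.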