Do your users need console access to the system?
In my environment I usually control this via ssh and disable console access
to normal users.
A simple way to do it
in /etc/ssh/sshd_config
ClientAliveInterval 300
ClientAliveCountMax 0
Make all the users that require console access use ksh and
On Fri, 15 Oct 2010 01:12:03 +0200
Ingo Schwarze schwa...@usta.de wrote:
Much of the compliance efforts may look good on paper, but have
no impact on actual usage or may be trivially circumvented
or even worse, will likely end up compromising security
in case somebody aiming for hardening
On Oct 14 18:15:16, Brad Tilley wrote:
On 10/14/2010 05:13 PM, Jan Stary wrote:
On Oct 14 17:01:30, Brad Tilley wrote:
Jan Stary wrote:
Why do you want to logout idle users?
There is sysutils/idled if you need it.
I'm experimenting with getting an OpenBSD base system to meet the PCI
On Thu, Oct 14, 2010 at 03:28:20PM -0400, Brad Tilley wrote:
Brad Tilley wrote:
I created (...) /etc/profile to force sh and ksh to logout users
after a certain period of idleness:
$ cat /etc/profile
# Force sh and ksh to logout idle users after 15 minutes
# Prevent normal users
On Oct 14 18:17:23, Brad Tilley wrote:
On 10/14/2010 05:08 PM, Darrin Chandler wrote:
rm /bin/csh
cp /bin/ksh /bin/csh
You just forced your csh users to use ksh. Why do you want them to hate
you?
It's just a shell, they'll get over it.
Remove it from /etc/shells instead.
On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.
TMOUT is at most a convenience, not a security
Jurjen Oskam wrote:
On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.
TMOUT is at most a
On 2010-10-15 00.59, Brad Tilley wrote:
On 10/14/2010 06:45 PM, Ben Niccum wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.
Brad
Don't mean to
On Fri, 15 Oct 2010 16:28:51 +0200
Benny Löfgren bl-li...@lofgren.biz wrote:
On 2010-10-15 00.59, Brad Tilley wrote:
On 10/14/2010 06:45 PM, Ben Niccum wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh
On 2010-10-15 17.13, Stephane Sezer wrote:
On Fri, 15 Oct 2010 16:28:51 +0200
Benny Löfgren bl-li...@lofgren.biz wrote:
On 2010-10-15 00.59, Brad Tilley wrote:
On 10/14/2010 06:45 PM, Ben Niccum wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is
Brad Tilley wrote:
I created the file /etc/profile to force sh and ksh to logout users
after a certain period of idleness:
$ cat /etc/profile
# Force sh and ksh to logout idle users after 15 minutes
# Prevent normal users from disabling this setting
readonly TMOUT=900
export TMOUT
Any good reason to not do this?
They're not the same shell. I can't think of any security reasons because
I'm not familiar with the code but as far as logs and noise factor I imagine
it would go up or various things might start breaking that depend on csh.
Adam M. Dutko wrote:
Any good reason to not do this?
They're not the same shell.
Yes, I know that part :)
I can't think of any security reasons because
I'm not familiar with the code but as far as logs and noise factor I imagine
it would go up or various things might start breaking that
On Oct 14 15:28:20, Brad Tilley wrote:
Brad Tilley wrote:
I created the file /etc/profile to force sh and ksh to logout users
after a certain period of idleness:
Why do you want to logout idle users?
There is sysutils/idled if you need it.
$ cat /etc/profile
# Force sh and ksh to
Jan Stary wrote:
Why do you want to logout idle users?
There is sysutils/idled if you need it.
I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements. I'm trying to avoid using any software outside the
base system.
rm /bin/csh
cp /bin/ksh /bin/csh
You just
rm /bin/csh
cp /bin/ksh /bin/csh
You just forced your csh users to use ksh. Why do you want them to hate you?
It's just a shell, they'll get over it.
Remove it from /etc/shells instead. Replacing csh with ksh is evil, and
I don't mean that in a good way.
--
Darrin Chandler
On Oct 14 17:01:30, Brad Tilley wrote:
Jan Stary wrote:
Why do you want to logout idle users?
There is sysutils/idled if you need it.
I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements.
Does PCI DSS require you to log users out?
I'm trying to avoid
On Thu, Oct 14, 2010 at 4:01 PM, Brad Tilley b...@16systems.com wrote:
Jan Stary wrote:
Why do you want to logout idle users?
There is sysutils/idled if you need it.
I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements. I'm trying to avoid using any
On 10/14/2010 05:08 PM, Darrin Chandler wrote:
rm /bin/csh
cp /bin/ksh /bin/csh
You just forced your csh users to use ksh. Why do you want them to hate you?
It's just a shell, they'll get over it.
Remove it from /etc/shells instead. Replacing csh with ksh is evil, and
I don't mean that
On 10/14/2010 05:13 PM, Jan Stary wrote:
On Oct 14 17:01:30, Brad Tilley wrote:
Jan Stary wrote:
Why do you want to logout idle users?
There is sysutils/idled if you need it.
I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements.
Does PCI DSS require you
On Thu, 14 Oct 2010 18:17:23 -0400
Brad Tilley b...@16systems.com wrote:
On 10/14/2010 05:08 PM, Darrin Chandler wrote:
rm /bin/csh
cp /bin/ksh /bin/csh
You just forced your csh users to use ksh. Why do you want them
to hate you?
It's just a shell, they'll get over it.
Remove
On 10/14/2010 06:45 PM, Ben Niccum wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.
Brad
Don't mean to complicate things for you, but just thought
Much of the compliance efforts may look good on paper, but have
no impact on actual usage or may be trivially circumvented
or even worse, will likely end up compromising security
in case somebody aiming for hardening manipulates the
system without fully understanding the consequences.
2010/10/13 Brad Tilley b...@16systems.com:
That works great. I've tried to do the same to the other default shell
in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
/etc/csh.login as well (I'm turning knobs like a good clueless user).
I then read the csh man page, but
I created the file /etc/profile to force sh and ksh to logout users
after a certain period of idleness:
$ cat /etc/profile
# Force sh and ksh to logout idle users after 15 minutes
# Prevent normal users from disabling this setting
readonly TMOUT=900
export TMOUT
That works great. I've tried to