Jurjen Oskam wrote:
> On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
> 
>> I thought about doing that too. I need to test it more to see what
>> happens when ksh is the shell and the user executes csh manually. I
>> suppose ksh will still honor TMOUT in that case.
> 
> TMOUT is at most a convenience, not a security measure:
> 
> $ TMOUT=600
> $ readonly TMOUT
> $ exec perl -e 'delete $ENV{TMOUT} ; exec "/bin/ksh";'
> $ echo $TMOUT
> 0
> $ 
> 

Understood. If an employee did that, there should be measures in place
at the policy level to deal with that behavior (if it is discovered).
70% of the PCI DSS controls are policy and procedure, not technical.

Thanks to all for feedback, I appreciate it.

Brad
