On 2010-10-15 17.13, Stephane Sezer wrote:
On Fri, 15 Oct 2010 16:28:51 +0200
"Benny Löfgren" <bl-li...@lofgren.biz> wrote:

On 2010-10-15 00.59, Brad Tilley wrote:
On 10/14/2010 06:45 PM, Ben Niccum wrote:
I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually.
I suppose ksh will still honor TMOUT in that case.
Brad
Don't mean to complicate things for you, but just thought I should
mention that if the user does:
# exec /bin/csh
Then csh takes over ksh's active process, and even though the TMOUT
variable is still there, csh doesn't honor it, and ksh is no longer
around to object.
-Ben
Great point. That's precisely the sort of thing I'd like to have
thought about. Much of the compliance efforts may look good on
paper, but have no impact on actual usage or may be trivially
circumvented as you point out. So while disabling a shell may get a
check mark during PCI compliance efforts, that may be all you end
up with.

You mentioned not wanting to use anything not in base.

How about a simple shell script, using nothing but standard
utilities, to regularly monitor logged-in users and kick idle ones
out?

I whipped something together as an example, see below. (Very slightly
tested, use at your own risk :-) ) As an added bonus you can't as a
regular user circumvent its watchful eye by exec'ing a different
shell or simply by changing the idle timeout value in the current
login shell.
>> [boring script snipped out]

As already said in this thread, there is no way to handle everything.
For example, this script does not work when a user connects with ssh
without allocating a pseudo-tty.
Still, it does not seem to be a problem for the PCI DSS ...

Indeed, this was never meant to be a catch-all, just an example of what can be done with standard tools that are all in base. (Also, I find perverse happiness in writing an 80+ line script that works on the first try. :-) )

Then again, how does the PCI DSS standard define a "user"? If there is no pseudo-tty (or for that matter, a "real" tty) allocated, that normally means it isn't an interactive session but rather something like a connection established to transfer a file, communicate with a server resource or similar. Something that probably wouldn't even be a good idea to "idle-kill" anyway.


Regards,
/Benny

--
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Löfgren        /  mobile: +46 70 718 11 90     /   be weighed,
                    /   fax:    +46 8 551 124 89    /    not counted."
                   /    email:  benny -at- internetlabbet.se

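An added example of the approach Benny describes (a monitor built only from base utilities that finds idle interactive sessions and kicks them out regardless of which shell the user exec'd into). This is not the script that was snipped from the thread. It assumes BSD-style w(1) output (IDLE column printed as minutes, H:MM or Ndays, and "-" in the FROM column when there is no host) and a pkill(1) that accepts a short tty name with -t; both are assumptions, not something the thread confirms. The sample w(1) lines are constructed for the dry run.

```sh
#!/bin/sh
# idlekill.sh: find idle interactive sessions with w(1) and kill every
# process on their tty, so "exec /bin/csh" or changing TMOUT in the login
# shell does not help the user.  Added example, not the thread's script.
#
# Assumptions (not from the thread): BSD-style w(1) whose IDLE column reads
# "0", "45", "2:05" or "3days" and whose FROM column is "-" when empty;
# pkill(1) accepting short tty names such as "-t p0".
#
# Caveat raised in the thread: a session without a pty (ssh -T, scp, sftp)
# never shows up in w(1), so it is out of scope here by design.

LIMIT_MIN=${LIMIT_MIN:-15}      # 15 minutes is the PCI DSS idle limit

# idle_minutes TOKEN: convert one w(1) IDLE value to whole minutes.
idle_minutes() {
    case "$1" in
        *day*)  echo $(( ${1%day*} * 1440 )) ;;
        *:*)    h=${1%%:*}; m=${1#*:}; m=${m#0}     # strip %02d zero: "05" -> "5"
                echo $(( h * 60 + m )) ;;
        *)      echo $(( $1 + 0 )) ;;
    esac
}

# select_idle_sessions LIMIT: read headerless w(1) output ("w -h") on stdin,
# print "user tty idle_minutes" for every session idle at least LIMIT minutes.
select_idle_sessions() {
    limit=$1
    while read -r user tty from login idle rest; do
        case "$user" in USER|"") continue ;; esac            # column header / blank
        case "$rest" in *"load average"*) continue ;; esac   # uptime line, if no -h
        mins=$(idle_minutes "$idle")
        if [ "$mins" -ge "$limit" ]; then
            printf '%s %s %s\n' "$user" "$tty" "$mins"
        fi
    done
}

# kill_session TTY: HUP everything on the tty, then KILL whatever ignored it.
# Matching on the tty rather than on a process name is what defeats
# "exec /bin/csh": csh, ksh or anything else on that tty goes away.
kill_session() {
    logger -t idlekill "killing idle session on tty $1"
    pkill -HUP -t "$1"
    sleep 5
    pkill -KILL -t "$1" 2>/dev/null || true
}

# Constructed sample in the layout of "w -h" on OpenBSD (not real output).
sample_w_output() {
    cat <<'EOF'
benny    p0  192.168.1.5       4:55PM     0 -ksh (ksh)
brad     p1  10.0.0.2          2:10PM    45 -csh (csh)
root     p2  -                 Thu03PM  2:05 vi /etc/pf.conf
stephane p3  10.0.0.9          5:01PM    14 sleep 300
EOF
}

main() {
    w -h | select_idle_sessions "$LIMIT_MIN" | while read -r user tty mins; do
        kill_session "$tty"
    done
}

# Only act when told to, e.g. from root's crontab once a minute:
#   * * * * * /usr/local/sbin/idlekill.sh run
# "dry-run" lists what the sample data would select without touching any tty.
case "${1:-}" in
    run)     main ;;
    dry-run) sample_w_output | select_idle_sessions "$LIMIT_MIN" ;;
esac
```

With the sample data and the default 15-minute limit, `sh idlekill.sh dry-run` selects brad's csh on p1 (45 minutes) and root's vi on p2 (125 minutes) and leaves the sessions idle for 0 and 14 minutes alone. Because the selection is driven by the tty's idle time reported by w(1) and the kill is by tty, neither exec'ing another shell nor unsetting TMOUT in the login shell changes the outcome; what the script cannot see is a session that never allocated a pty.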