Logging out idle users after a certain timeframe

We recently underwent a security audit and have a new requirement to not allow users to stay logged on overnight. In order to place this policy into effect I need a way to check for idle users and log them off. Is there any good way to enforce this policy in Solaris 10 and make it work in such a way that only users are logged out and other accounts are not affected?

TMOUT

There is a TMOUT variable you can define readonly in /etc/profile -

ksh example:

typeset -r TMOUT=14400

bash:

readonly TMOUT=14400

This sets the idle timeout to 3 hours. Any idle process will simply logout after three hours of idle time.

Thanks for the replies, I'm looking for something more along the lines of a cron job that will run at 6, 9, and 12 and log off any idle users found during that timeframe.

Well, the nuclear option that you're suggesting for yourself would be for a root or superuser to kill any jobs associated with non-Admin and higher GIDs...every 3 hours. For this to work, you'd need to identify the PIDs associated with these GIDs and work backwards from there. Gritty...and dangerous.

For example, what if little Cindy Lou Who signs on and is working on a time-critical item...only to be killed based on your cron job? The loss in her time alone might be sufficient to raise alarms, if it doesn't corrupt data as a result as well. Tack on the likelihood that it happens after-hours, after she's just signed in at 1135pm, on New Year's Eve while she's been ordered to do so from the corner office...and it spirals from there.

TMOUT, on the other hand, will serve to neutralize lingering sessions where the User has been idle (ie, not actually working) for a specified amount of time. Their own passivity serves the purpose to allow the system to sign them off; sort of like banking websites. It's a rolling window that resets according to their login time and their activity. Imagine if banks took the aggressive approach and nixed your session while you were still setting up a transfer to your offshore account? (All those fractions of cents add up, you know...)

I'd strongly suggest that you at least apply the TMOUT option first and see if would suit the audit requirement. Something that works, as opposed to a whiz-bang script written from the ground up, might just suit the requirement perfectly...with zero effort.


Given your argument and other considerations I'll go ahead and try the bash option first and if that doesn't work then I'll try something else.

---------- Post updated at 10:26 AM ---------- Previous update was at 08:26 AM ----------

Setting the TMOUT variable works but does not really accomplish what I want to accomplish. It closes the active terminal windows but does not accomplish a logout of the user. Is there no way to log out the user after a certain timeframe?

It would help, then, if you told us how the users log in and what these non-terminal windows you are referring to are.

We have a script that runs 24/7 in cron to log off idle users that have been idle for over 1 hour.

The majority of our users use Sun Ray Terminals to log into a server. I've tested the TMOUT variable by setting it on the server and it does kill their inactive windows but does not log them out of the system. I have also tested the variable on a Sun Ultra 20 and my inactive windows close out after the specified time period but the session is still established. Is there some way to force a complete logout of the system after a specified time period?

---------- Post updated at 10:48 AM ---------- Previous update was at 10:41 AM ----------

mikep9

We have a script that runs 24/7 in cron to log off idle users that have been idle for over 1 hour.
Could you possibly post that script?

The proper way to programmatically end Sun Ray sessions is to use

utsession -k ...

#!/bin/bash
# Collect sessions whose `who -u` idle column shows an hour count (h:mm) or "old"
# (idle for more than a day). The cut offsets are tied to this system's `who -u` layout.
who -u | cut -c 1-10,38-50 | egrep "[1-9]:|old" > /tmp/idle$$

# Third field of each trimmed line is the PID of the idle login shell.
for idleSession in $(awk '{print $3}' /tmp/idle$$)
do
    if [ -t 0 ]; then            # report only when run interactively, not from cron
        echo "killing session $idleSession"
    fi
    kill -9 "$idleSession"
done
rm -f /tmp/idle$$                # do not leave the temp file behind

This script seems to do the trick but I'm not sure that it's really using idle time in order to kill the sessions.

You'll probably want to get familiar with the tools before relying on this forum alone, but it would seem: yes, it is using idle time.

However, since it's grepping the entire line for either a number between 1 and 9 followed by a colon or the string 'old', it could be improved some by focusing on the Idle Time column. For example,

# Test the idle column ($6 in `who -u` output) directly; "old" marks sessions idle for over a day.
who -u | nawk '$6 ~ /^([3-9]|[1-9][0-9]):/ || $6 == "old" { print $0 }'
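As an added example (not code from this thread), the column-based approach taken further: the idle field is converted to minutes so values of 10:00 and above and "old" are handled correctly, an exclusion regex keeps root and service accounts out of scope as the original question requires, and every action is logged with a dry-run mode for checking the selection from cron first. The `who -u` field positions, the sample lines and the account names are assumptions.

```shell
#!/bin/sh
# Select sessions from `who -u` output whose idle column meets a threshold in
# minutes, skipping accounts that must never be touched. Field positions assume
# Solaris-style `who -u` lines: NAME LINE MON DAY HH:MM IDLE PID [COMMENT].
# Usage: idle_sessions MIN_IDLE_MINUTES EXCLUDE_REGEX < who-u-output
# Prints "user pid idle" for each qualifying session.
idle_sessions() {
    awk -v min="$1" -v skip="$2" '
        function idle_minutes(s,   parts) {
            if (s == ".")   return 0            # active within the last minute
            if (s == "old") return 24 * 60      # who(1) prints "old" past 24 hours
            if (split(s, parts, ":") != 2) return -1   # unexpected token: never kill
            return parts[1] * 60 + parts[2]     # handles 10:xx and above too
        }
        $1 ~ skip { next }                      # excluded accounts (root, service users)
        { m = idle_minutes($6); if (m >= min) print $1, $7, $6 }'
}

# Log and end each qualifying session. DRY_RUN=1 only logs, which is the mode to
# run from cron until the selection has been checked against real output.
# (On Sun Ray hosts the session should be ended with utsession instead, as noted above.)
reap_idle() {
    who -u | idle_sessions "$1" "$2" | while read -r user pid idle; do
        logger -t idlekill "user=$user pid=$pid idle=$idle dry_run=${DRY_RUN:-0}"
        [ "${DRY_RUN:-0}" = 1 ] && continue
        kill -HUP "$pid" 2>/dev/null || kill -KILL "$pid" 2>/dev/null
    done
}

# Constructed sample output (not from a real host) for a dry check of the selection.
SAMPLE='root     console   Mar  3 08:00   .     1201
alice    pts/1     Mar  3 07:15  3:42   1342  (sunray-12)
bob      pts/2     Mar  3 01:05   old   1410  (sunray-04)
carol    pts/3     Mar  3 09:10  0:20   1555  (sunray-07)
oracle   pts/4     Mar  2 22:00  12:30  1601
dave     pts/5     Mar  2 20:00  11:05  1622  (sunray-09)'

# Three-hour threshold, never touching root or the oracle service account.
demo() {
    printf '%s\n' "$SAMPLE" | idle_sessions 180 '^(root|oracle)$'
}

demo
```

Run `reap_idle 180 '^(root|oracle)$'` with `DRY_RUN=1` from cron for a few days and compare the syslog entries against what people actually had open before enabling the kill.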