22 Jun 2010. Regulatory compliances require systems to implement automatic logoff of sessions to enable a secure environment. UNIX based solutions tend to make extensive use of utilities like FTP, TELNET and SSH, whose sessions are required to be configured for automatic timeout. This article explains the relationship between automatic logoff and various regulatory compliances. Subsequently, it steps through the administrative procedure required to configure it for FTP, TELNET and SSH over AIX V6.1.
Introduction
AIX V6.1 is provisioned with various security features which aid adherence to the regulatory compliances applicable to different industry sectors such as federal, finance and health care. The functionalities range from securing data at rest, to securing data in transit, to login and password management. These features make AIX V6.1 an attractive UNIX based system to host solutions and applications for regulatory compliance driven industries. UNIX based systems and solutions tend to make extensive use of remote login and file transfer technologies like FTP, TELNET and SSH, not only for administrative tasks but also for various other aspects of the overall solution. Rightful use of such remote login sessions comes under the auditing umbrella of various compliances. From a compliance perspective, the two prime factors to be considered for remote login sessions of these utilities are authentication with secure transmission and automatic logoff of remote sessions. While the former can be accomplished via use of Kerberos (see Resources) and similar network security protocols, the latter requires special administrative tuning. In this article, we map the need for automatic logoff of remote sessions to various compliances and subsequently explain the administrative procedures required to enable it over AIX V6.1 systems. The article will aid administrators in tuning the remote utility sessions on their AIX systems, both to adhere to compliances and to address the risk associated with remote sessions.
AIX V6.1 Remote Login Session Management Copyright IBM Corporation 2010. All rights reserved.
Trademarks Page 1 of 10
developerWorks
ibm.com/developerWorks
Title 21, Part 11 of the U.S. Food and Drug Administration's (FDA) Code of Federal Regulations requires drug makers, medical device manufacturers, biotechnology companies, biologics developers and other FDA-regulated industries (except food manufacturers) to implement controls, including audits, validation systems and documentation, for software and systems involved in processing many forms of data as part of business operations and product development. Section 300(d) indicates "Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management." (see Resources).
The other compliance regulations stating the need for similar functionality are:
- FERPA: 34 CFR Part 99 [Family Educational Rights and Privacy Act]
- GLB: 16 CFR Part 314 Standards for Safeguarding Customer Information [section 501(b) of the Gramm-Leach-Bliley Act ("GLB Act")]
- USA Patriot Act
For more details, see the "Information Technology Security Policy" laid down by the University of Oklahoma (see Resources), which states the importance of automatic logoff provisioning for various regulatory compliances. In the next section, we explain the procedures to enable automatic logoff for the most popular remote login utilities over AIX V6.1.
set the time interval for FTP session inactivity to be 60 seconds. Typically, this value will depend upon the business policy as well as the regulatory compliance guidelines.
Code 1: Configure the inetd configuration file for FTP with automatic logoff.
(0) root @ motu: 61H (0934A_61H) : / # hostname
motu.in.ibm.com
(0) root @ motu: 61H (0934A_61H) : / # vi /etc/inetd.conf
..........................
..........................
ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -t 60
Note that the "ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd" entry is usually already present in the /etc/inetd.conf file. You only have to add the timeout value by appending "-t 60" to it. The FTP service then needs to be restarted for the change to take effect. The following commands stop and start the FTP subserver.
Code 2: Restart the FTP subserver.
61H (0934A_61H) : / # stopsrc -t ftp
subserver was stopped successfully.
61H (0934A_61H) : / # startsrc -t ftp
subserver has been started.
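The edit in Code 1 is easy to get subtly wrong by hand (a second "-t" left on the line, or a value above what the policy allows), so it is worth scripting and auditing. The following POSIX shell script is an added example, not code from the article or from IBM: it reports the ftpd "-t" value currently on the ftp line of an inetd.conf-style file, sets or replaces it, and checks the result against a policy maximum. It operates on whatever file path it is given, so it can be exercised on a constructed copy before being pointed at /etc/inetd.conf; the function names (ftp_timeout_of, ensure_ftp_timeout, check_ftp_timeout) are the example's own. Restarting the subserver afterwards, as in Code 2, is still a separate step.

```shell
#!/bin/sh
# Added example, not from the article: audit and set the ftpd inactivity
# timeout on the "ftp" line of an inetd.conf-style file. Function names
# are this example's own. Run it against a copy first; on a live AIX host
# the target is /etc/inetd.conf, followed by: stopsrc -t ftp; startsrc -t ftp

# Print the seconds following "-t" on the ftp line, or nothing if unset.
ftp_timeout_of() {
    awk '$1 == "ftp" && $2 == "stream" {
        for (i = 1; i < NF; i++) if ($i == "-t") { print $(i + 1); exit }
    }' "$1"
}

# Rewrite the ftp line so it ends with "-t <seconds>", dropping any old -t value.
# Other service lines and comments pass through unchanged.
ensure_ftp_timeout() {
    file=$1
    secs=$2
    tmp="$file.tmp.$$"
    awk -v secs="$secs" '
        $1 == "ftp" && $2 == "stream" {
            out = ""; skip = 0
            for (i = 1; i <= NF; i++) {
                if (skip) { skip = 0; continue }       # drop the old timeout value
                if ($i == "-t") { skip = 1; continue } # drop the old -t flag
                out = out (out == "" ? "" : " ") $i
            }
            print out " -t " secs
            next
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Policy check: succeed (exit 0) only when a timeout is set and is no larger
# than the maximum inactivity period allowed, in seconds.
check_ftp_timeout() {
    t=$(ftp_timeout_of "$1")
    [ -n "$t" ] && [ "$t" -le "$2" ]
}

# Constructed sample in the /etc/inetd.conf format (not copied from a system).
make_sample_inetd() {
    cat > "$1" <<'EOF'
## service socket protocol wait/nowait user server args
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd -a
EOF
}

# Walk-through on a temporary copy: before, after, and the policy verdict.
demo() {
    f=$(mktemp)
    make_sample_inetd "$f"
    echo "before: timeout='$(ftp_timeout_of "$f")'"
    ensure_ftp_timeout "$f" 60
    echo "after:  timeout='$(ftp_timeout_of "$f")'"
    if check_ftp_timeout "$f" 60; then echo "policy: compliant"; else echo "policy: NOT compliant"; fi
    grep '^ftp' "$f"
    rm -f "$f"
}
```

Running demo shows the ftp line gaining a single "-t 60" while the telnet line and the comment are untouched; running ensure_ftp_timeout a second time with a different value replaces the old flag rather than appending another. The check deliberately fails when no timeout is present at all, which is the state of a stock inetd.conf.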
Let's verify the automatic logoff configuration set above. Once we are successfully connected to the FTP server (verified via basic commands), we deliberately keep the session dormant for 60 seconds. On execution of any command thereafter, we should get the message "421 Timeout (60 seconds): closing connection." from the server, which indicates that auto logoff for FTP is successfully configured.
Code 3: Verify the FTP automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # ftp motu.in.ibm.com
Connected to motu.in.ibm.com.
220 motu.in.ibm.com FTP server (Version 4.2 Wed Jun 3 15:43:49 CDT 2009) ready.
Name (motu.in.ibm.com:root): root
331 Password required for root.
Password:
230-Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from ssingh11.in.ibm.com
230-Last login: Tue Nov 24 15:36:56 IST 2009 on ftp
230 User root logged in.
ftp> cd
(remote-directory) /
250 CWD command successful.
ftp> lcd
Local directory now /
ftp> cd
(remote-directory) /
421 Timeout (60 seconds): closing connection.
ftp> quit
Note that even though the FTP server has automatically closed the connection after 60 seconds of inactivity, the client is only informed when it tries to execute a command after the timeout.
Secure TELNET with automatic logoff feature
The auto logoff provision for TELNET on AIX V6.1 is controlled via parameters listed in /etc/profile. The /etc/profile file is an administrator governed system configuration file which controls system-wide default variables for all users. To prevent the potential security hazard of users leaving their accounts unattended, the administrator can set an environment variable named "TMOUT" in /etc/profile, which also governs auto logout for TELNET (as shown below). In the example below, the first command, TMOUT=<time interval in seconds>, sets the inactivity interval that leads to an automatic logoff from the session. Here, we have set the value to 60 seconds. This value will depend upon the business policy as well as the regulatory compliance guidelines. The next command declares this environment variable read-only so that no user (other than the administrator) can override this default value to keep the session open for longer than the inactivity interval set. On subsequent remote logins to the system, the environment variable "TMOUT" will be set read-only with an inactivity value of 60 seconds.
Code 4: Configure the profile configuration file for automatic logoff.
(0) root @ motu: 61H (0934A_61H) : / # vi /etc/profile
..........................
..........................
TMOUT=60
readonly TMOUT
..........................
..........................
:wq!
Let us verify the previous settings. As shown below, when we TELNET to the machine, the command "echo $TMOUT" gives an output of 60, indicating that the new value is set appropriately. Also, it can be seen that the value of the variable cannot be changed, as we set it to read-only. Subsequently, if we keep the TELNET session inactive for 60 seconds, the session is automatically logged off (as seen below), thus successfully enabling automatic session logoff for TELNET over AIX V6.1. Note that in the listing below we are using a bash shell.
Code 5: Verify the TELNET automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # telnet motu.in.ibm.com
Trying...
Connected to motu.in.ibm.com.
Escape character is '^]'.
telnet (motu.in.ibm.com)
AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: root
root's Password:
*****************************************************************************
*                                                                           *
*                                                                           *
*  Welcome to AIX Version 6.1!                                              *
*                                                                           *
*                                                                           *
*  Please see the README file in /usr/lpp/bos for information pertinent to  *
*  this release of the AIX Operating System.                                *
*                                                                           *
*                                                                           *
*****************************************************************************
Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from ssingh11.in.ibm.com
Last login: Tue Nov 24 15:40:50 IST 2009 on /dev/pts/1
(0) root @ motu: 61H (0934A_61H) : / # echo $TMOUT
60
(0) root @ motu: 61H (0934A_61H) : / # echo $SHELL
/usr/bin/bash
(0) root @ motu: 61H (0934A_61H) : / # export TMOUT=200
-bash: TMOUT: readonly variable
(1) root @ motu: 61H (0934A_61H) : / #
Connection closed.
(0) root @ motu: 61H (0934A_61H) : / #
Note that if the system is restarted after committing the changes to /etc/profile, the timeout value will be set not only for remote login but also for physical login.
Secure SSH with automatic logoff feature
Many solutions prefer SSH over TELNET for its secure default behavior. Conveniently, the configuration done for auto logoff of TELNET in the /etc/profile file (explained previously) is also applicable to SSH.
So, instead of TELNET, let us SSH into the machine and test the behavior. We SSH into the machine as a user other than root, whose default shell is set to ksh (Korn shell). Once logged in, we execute a series of commands similar to the ones previously executed to confirm that the value of the environment variable "TMOUT" is actually set to 60, and that the variable is indeed read-only and its value cannot be changed. After 60 seconds of inactivity, we get a connection closed message from the remote machine, which indicates that auto logoff is successfully set for SSH.
Code 6: Verify the SSH automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # ssh bhushan@motu.in.ibm.com
bhushan's Password:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Tue Nov 24 18:35:22 IST 2009 on ssh
Last login: Tue Nov 24 18:27:43 IST 2009 on /dev/pts/2
*****************************************************************************
*                                                                           *
*                                                                           *
*  Welcome to AIX Version 6.1!                                              *
*                                                                           *
*                                                                           *
*  Please see the README file in /usr/lpp/bos for information pertinent to  *
*  this release of the AIX Operating System.                                *
*                                                                           *
*                                                                           *
*****************************************************************************
Could not chdir to home directory /home/bhushan: A file or directory in the path name does not exist.
$ echo $TMOUT
60
$ echo $SHELL
/usr/bin/ksh
$ export TMOUT=200
ksh: TMOUT: This variable is read only.
$ pwd
/
Shell will time out in 60 seconds.
ksh: Timed out waiting for input.
Connection to motu.in.ibm.com closed.
(1) root @ motu: 61H (0934A_61H) : / #
Note that for AIX V6.1, the type of shell and the user account type have no effect on the behavior of the auto timeout feature enabled by setting the TMOUT environment variable in the /etc/profile file. Moreover, this environment variable ensures auto timeout after the configured interval of inactivity for any login mechanism used to log into the system.
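The two /etc/profile lines from Code 4 are a natural target for a periodic compliance check, since a later edit could raise TMOUT or drop the readonly line without anyone noticing until an audit. The following POSIX shell script is an added example, not code from the article or from IBM: it reports whether a profile-style file sets TMOUT and whether it marks it read-only, applies a given value idempotently, and checks the result against a policy maximum. It takes any file path, so it can be tried on a constructed copy before being pointed at /etc/profile; the function names (profile_tmout_status, ensure_tmout_profile, check_tmout_profile) are the example's own. It inspects the file only; whether a session actually honours the value is still confirmed by logging in, as in Code 5 and Code 6.

```shell
#!/bin/sh
# Added example, not from the article: audit and set the TMOUT inactivity
# timeout in an /etc/profile-style file. Function names are this example's
# own. The script reads and rewrites the file it is given; the target on a
# live AIX host is /etc/profile, which applies to all users' login shells
# (TELNET, SSH and physical logins alike).

# Print "<value> <readonly>" where value is the last TMOUT assignment found
# (or "unset") and readonly is 1 if a "readonly TMOUT" line is present.
profile_tmout_status() {
    awk '
        /^[ \t]*(export[ \t]+)?TMOUT=[0-9]+[ \t]*$/ {
            sub(/.*TMOUT=/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        /^[ \t]*readonly[ \t]+TMOUT[ \t]*$/ { ro = 1 }
        END { printf "%s %d\n", (v == "" ? "unset" : v), ro }
    ' "$1"
}

# Remove any existing TMOUT assignment and readonly line, then append the
# two lines the article uses (TMOUT=<secs> and readonly TMOUT). Running it
# twice leaves exactly one copy of each, so it is safe to re-apply.
ensure_tmout_profile() {
    file=$1
    secs=$2
    tmp="$file.tmp.$$"
    grep -v -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=|^[[:space:]]*readonly[[:space:]]+TMOUT[[:space:]]*$' \
        "$file" > "$tmp" || :   # grep exits 1 when nothing is left, which is fine
    printf 'TMOUT=%s\nreadonly TMOUT\n' "$secs" >> "$tmp"
    mv "$tmp" "$file"
}

# Policy check: succeed only when TMOUT is set, is read-only (so users cannot
# raise it, as Code 5 and Code 6 show), and does not exceed the maximum given.
check_tmout_profile() {
    status=$(profile_tmout_status "$1")
    val=${status% *}
    ro=${status#* }
    [ "$val" != "unset" ] && [ "$ro" -eq 1 ] && [ "$val" -le "$2" ]
}

# Constructed sample in /etc/profile style (not copied from a system): TMOUT
# is present but generous and not read-only, so a user could override it.
make_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample profile
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin
export PATH
TMOUT=600
EOF
}

# Walk-through on a temporary copy: before, after, and the policy verdict.
demo() {
    f=$(mktemp)
    make_sample_profile "$f"
    echo "before: $(profile_tmout_status "$f")"
    ensure_tmout_profile "$f" 60
    echo "after:  $(profile_tmout_status "$f")"
    if check_tmout_profile "$f" 60; then echo "policy: compliant"; else echo "policy: NOT compliant"; fi
    rm -f "$f"
}
```

The status function reports "600 0" for the constructed sample (set, but overridable) and "60 1" after ensure_tmout_profile has run, and the check treats a missing readonly line as a failure even when the value itself is within policy, because without it the read-only errors seen in Code 5 and Code 6 would not occur.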
Conclusion
In this article, we have described the importance of automatic logoff and its relation to regulatory compliances. We have learned the administrative procedures required to set automatic logoff for FTP, TELNET and SSH sessions on AIX V6.1, which helps with regulatory compliance and enables a secure environment.
Acknowledgement
The author sincerely acknowledges Sandeep R Patil (rsandeep@in.ibm.com) from IBM Corporation for his valued insights, exposure and motivation to write this article and help convey the subject to the community, customers and practitioners.
Resources
Learn
- AIX 6.1 security features: Mapping with HIPAA compliance (developerWorks, April 2010): Get an overview of AIX security features with HIPAA compliances.
- AIX V6.1 security and regulatory compliance (developerWorks, Jan 2010): This article discusses the importance of regulatory compliances and how security is a key aspect for meeting these compliances.
- Configure and enable the Kerberos authentication in telnet, FTP, and r-commands on AIX V6 (developerWorks, May 2008): This article provides guidelines for authentication with secure transmission for regulatory compliance.
- Refer to Understanding HIPAA Privacy for a detailed understanding of the HIPAA Privacy Rule.
- Learn more about HIPAA Technical Safeguards from the HIPAA Security Series #4 website.
- State of Oklahoma Information Security Policy, Procedures, Guidelines
- University of Oklahoma Information Technology Security Policy
- Food and Drug Administration Regulations
Get products and technologies
- AIX 5L Expansion Pack and Web Download Pack: Start downloading now.
- AIX Toolbox for Linux Applications.
Discuss
- Follow developerWorks on Twitter.
- Get involved in the My developerWorks community.
- Participate in the AIX and UNIX forums: AIX Forum, AIX Forum for developers, Cluster Systems Management, IBM Support Assistant Forum, Performance Tools Forum, Virtualization Forum.