AIX V6.1 ships with a range of security features that help organizations meet the regulatory requirements applicable to sectors such as government, finance and health care. These features cover securing data at rest, securing data in transit, and login and password management, and they make AIX V6.1 an attractive UNIX-based platform for hosting solutions and applications in compliance-driven industries.
UNIX-based systems and solutions make extensive use of remote login and file transfer technologies such as FTP, TELNET and SSH, not only for administrative tasks but also for other parts of the overall solution. Proper use of such remote login sessions falls under the auditing requirements of various compliance regimes. From a compliance perspective, the two prime factors to consider for remote sessions of these utilities are authentication with secure transmission and automatic logoff of remote sessions. The former can be achieved with Kerberos (see Resources) or a similar network security protocol; the latter requires specific administrative tuning. In this article we map the need for automatic logoff of remote sessions to various compliance regulations and then explain the administrative procedures required to enable it on AIX V6.1 systems. The article will help administrators tune remote utility sessions on their AIX systems to adhere to these regulations and to address the risk associated with dormant remote sessions.
What is automatic logoff?
Automatic logoff protects dormant sessions to a system (usually remote, but not necessarily) from malevolent use and so helps mitigate the risk of malicious attack. Authorized users often log into systems through mechanisms such as SSH, TELNET or FTP and then either forget to log off or leave the session idle. If a malicious user gains access to such a session, they can potentially disrupt the system. The automatic logoff feature alleviates this risk by automatically terminating the session after a recommended period of inactivity.
Regulatory compliance and automatic logoff
Governments mandate different regulatory compliance regimes for different industrial sectors. Most of these directly influence the design, development and deployment of IT solutions for businesses, to ensure a safe and audited environment, and most of them require automatic logoff for IT systems to help secure them from malicious influence. For example:
- The Health Insurance Portability and Accountability Act (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The HIPAA Security Rule Section 164.312(a)(2)(iii), titled "Automatic logoff", states the requirement as "Implement procedures to terminate an electronic session after a predetermined time of inactivity" (see Resources).
- The State of Oklahoma in the United States has a State of Oklahoma Information Security Policy, Procedures and Guidelines, applied to protect the information assets of the state. The State of Oklahoma Information Security Policies require automatic logoff: "Section 7.4: Access Control indicates to timeout a session after 15 minutes of inactivity" (see Resources).
- Title 21, Part 11 of the U.S. Food and Drug Administration's (FDA) Code of Federal Regulations requires drug makers, medical device manufacturers, biotechnology companies, biologics developers and other FDA-regulated industries (except food manufacturers) to implement controls—including audits, validation systems and documentation—for software and systems involved in processing many forms of data as part of business operations and product development. Section 300(d) indicates "Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management." (see Resources).
The other compliance regulations stating the need for similar functionality are:
- FERPA: 34 CFR Part 99 [Family Educational Rights and Privacy Act]
- GLB: 16 CFR Part 314 Standards for Safeguarding Customer Information [section 501(b) of the Gramm-Leach-Bliley Act ("GLB Act")]
- USA Patriot Act
For more details, see "Information Technology Security Policy" laid down by University of Oklahoma (see Resources).
This shows the importance of automatic logoff provisioning for various regulatory compliance regimes. In the next section, we explain the procedures to enable automatic logoff for the most popular remote login utilities on AIX V6.1.
Auto logoff procedures for AIX V6.1 (FTP, TELNET, SSH)
File Transfer Protocol (FTP), TELNET and Secure Shell (SSH) are popular AIX V6.1 remote login mechanisms, used in various ways and for various purposes within a given solution. AIX V6.1 provides administrative procedures to configure the auto logoff feature for these utilities. The following sections explain these procedures with examples:
FTP with automatic logoff feature
In AIX, the inetd daemon provides Internet service management for the network and starts by default every time you start the system. The FTP server (ftpd) has a built-in session timeout feature, but it needs to be enabled: inetd must be told that the connection is to be timed out when it is inactive for a given period. The /etc/inetd.conf file (the configuration file for inetd) describes how the FTP service should behave. As shown below, we edit /etc/inetd.conf to set the FTP session inactivity interval to 60 seconds. In practice, this value will depend on business policy as well as on the regulatory compliance guidelines.
Code 1: Configure inetd configuration file for FTP with Automatic Logoff.
(0) root @ motu: 61H (0934A_61H) : / # hostname
motu.in.ibm.com
(0) root @ motu: 61H (0934A_61H) : / # vi /etc/inetd.conf
..........................
..........................
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd -t 60
..........................
..........................
:wq
Note that the "ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd" entry is usually already present in the /etc/inetd.conf file. You only need to append the timeout option "-t 60" to it.
Now the FTP service needs to be restarted for the changes to take effect. The following commands stop and start the FTP subserver.
Code 2: Restart FTP subserver.
(0) root @ motu: 61H (0934A_61H) : / # stopsrc -t ftp
0513-127 The ftp subserver was stopped successfully.
(0) root @ motu: 61H (0934A_61H) : / # startsrc -t ftp
0513-124 The ftp subserver has been started.
Let's verify the automatic logoff configuration set above. Once we are successfully connected to the FTP server (verified with a few basic commands), we deliberately leave the session idle for 60 seconds. On executing any command thereafter we should get the message "421 Timeout (60 seconds): closing connection." from the server, which indicates that auto logoff for FTP is successfully configured.
Code 3: Verify the FTP automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # ftp motu.in.ibm.com
Connected to motu.in.ibm.com.
220 motu.in.ibm.com FTP server (Version 4.2 Wed Jun 3 15:43:49 CDT 2009) ready.
Name (motu.in.ibm.com:root): root
331 Password required for root.
Password:
230-Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from ssingh11.in.ibm.com
230-Last login: Tue Nov 24 15:36:56 IST 2009 on ftp
230 User root logged in.
ftp> cd
(remote-directory) /
250 CWD command successful.
ftp> lcd
Local directory now /
ftp> cd
(remote-directory) /
421 Timeout (60 seconds): closing connection.
ftp> quit
Note that even though the FTP server has already closed the connection after 60 seconds of inactivity, the client is only informed when it tries to execute a command after the timeout.
Secure TELNET with automatic logoff feature
The auto logoff provision for TELNET on AIX V6.1 is controlled through /etc/profile, an administrator-governed system configuration file that sets system-wide default variables for all users. To prevent the security hazard of users leaving their accounts unattended, the administrator can set the environment variable "TMOUT" in /etc/profile, which also governs auto logout for TELNET (as shown below). In the example, the first line, TMOUT=<time interval in seconds>, sets the inactivity interval after which the session is automatically logged off; here we set it to 60 seconds. This value will depend on business policy as well as on the regulatory compliance guidelines. The next line declares the variable read-only so that no user (other than the administrator) can override the default to keep a session open longer than the configured inactivity interval. On subsequent remote logins to the system, the environment variable "TMOUT" will be read-only with an inactivity value of 60 seconds.
Code 4: Configure profile configuration file for automatic logoff.
(0) root @ motu: 61H (0934A_61H) : / # vi /etc/profile
..........................
..........................
TMOUT=60
readonly TMOUT
..........................
..........................
:wq!
Let us verify the settings above. As shown below, when we TELNET to the machine, the command "echo $TMOUT" prints 60, indicating that the new value is set correctly. It can also be seen that the value cannot be changed, because we set it read-only. If we then leave the TELNET session inactive for 60 seconds, the session is automatically logged off (as seen below), thus successfully enabling automatic session logoff for TELNET on AIX V6.1. Note that the listing below uses a bash shell:
Code 5: Verify the TELNET automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # telnet motu.in.ibm.com
Trying...
Connected to motu.in.ibm.com.
Escape character is '^]'.

 telnet (motu.in.ibm.com)

AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: root
root's Password:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from ssingh11.in.ibm.com
Last login: Tue Nov 24 15:40:50 IST 2009 on /dev/pts/1
(0) root @ motu: 61H (0934A_61H) : / # echo $TMOUT
60
(0) root @ motu: 61H (0934A_61H) : / # echo $SHELL
/usr/bin/bash
(0) root @ motu: 61H (0934A_61H) : / # export TMOUT=200
-bash: TMOUT: readonly variable
(1) root @ motu: 61H (0934A_61H) : / # timed out waiting for input: auto-logout
Connection closed.
(0) root @ motu: 61H (0934A_61H) : / #
Note that if the system is restarted after the changes to /etc/profile are committed, the timeout value applies not only to remote logins but also to physical (console) logins.
Secure SSH with automatic logoff feature
Many solutions prefer SSH over TELNET for its secure-by-default behavior. Conveniently, the /etc/profile configuration for auto logoff of TELNET (explained above) also applies to SSH.
So, instead of TELNET, let us SSH into the machine and test the behavior. We SSH in as a user other than root, whose default shell is ksh (Korn shell). Once logged in, we execute a series of commands similar to those used previously to confirm that the environment variable "TMOUT" is set to 60, that the variable is indeed read-only, and that its value cannot be changed. After 60 seconds of inactivity we get a connection closed message from the remote machine, which indicates that auto logoff is successfully set for SSH.
Code 6: Verify the SSH automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # ssh email@example.com
bhushan's Password:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Tue Nov 24 18:35:22 IST 2009 on ssh
Last login: Tue Nov 24 18:27:43 IST 2009 on /dev/pts/2
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Could not chdir to home directory /home/bhushan: A file or directory in the path name does not exist.
$ echo $TMOUT
60
$ echo $SHELL
/usr/bin/ksh
$ export TMOUT=200
ksh: TMOUT: This variable is read only.
$ pwd
/
Shell will time out in 60 seconds.
ksh: Timed out waiting for input.
Connection to motu.in.ibm.com closed.
(1) root @ motu: 61H (0934A_61H) : / #
Note that on AIX V6.1, neither the type of shell nor the user account type affects the behavior of the auto timeout feature enabled by setting the TMOUT environment variable in /etc/profile. Moreover, this environment variable enforces auto timeout after the configured interval of inactivity for any login mechanism used to log into the system.
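As an added compliance check (not from the article), the following POSIX shell script verifies both controls described above, the ftpd "-t" timeout in /etc/inetd.conf and the read-only TMOUT in /etc/profile, against a policy maximum. It runs against constructed sample files; the file paths and the 900-second limit (the 15-minute figure quoted from the Oklahoma policy earlier) are assumptions.

```shell
#!/bin/sh
# Added audit helper: confirms an inetd.conf carries the ftpd "-t" inactivity
# timeout and a profile sets a read-only TMOUT, both within a policy maximum.
# Paths and the 900 s limit used in the demo below are assumptions.

# Print the ftpd -t value from a line such as
# "ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -t 60"; empty if unset.
ftpd_timeout() {
    awk '$1 == "ftp" && $6 ~ /ftpd$/ {
        for (i = 8; i < NF; i++) if ($i == "-t") { print $(i + 1); exit }
    }' "$1"
}

# Print the TMOUT value set in a profile (TMOUT=60 or export TMOUT=60).
tmout_value() {
    awk '/^[ \t]*(export[ \t]+)?TMOUT=/ {
        sub(/.*TMOUT=/, ""); v = $1 } END { print v }' "$1"
}

# Succeed only if the profile also marks TMOUT read-only.
tmout_readonly() {
    grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT([[:space:]]|$)' "$1"
}

# check_autologoff INETD_CONF PROFILE MAX_SECONDS: prints one finding per
# control and returns 0 only when both are set and within MAX_SECONDS.
check_autologoff() {
    conf=$1; prof=$2; max=$3; rc=0
    ft=$(ftpd_timeout "$conf")
    if [ -z "$ft" ]; then echo "FAIL ftpd: no -t timeout in $conf"; rc=1
    elif [ "$ft" -gt "$max" ]; then echo "FAIL ftpd: -t $ft exceeds $max s"; rc=1
    else echo "PASS ftpd: inactivity timeout $ft s"; fi
    tm=$(tmout_value "$prof")
    if [ -z "$tm" ]; then echo "FAIL TMOUT: not set in $prof"; rc=1
    elif [ "$tm" -gt "$max" ]; then echo "FAIL TMOUT: $tm exceeds $max s"; rc=1
    elif ! tmout_readonly "$prof"; then echo "FAIL TMOUT: not readonly, users can override"; rc=1
    else echo "PASS TMOUT: $tm s, readonly"; fi
    return $rc
}

# Constructed sample files for an offline demo (not real system files).
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' 'telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a' \
    'ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -t 60' > "$DEMO/inetd.conf"
printf '%s\n' 'PATH=/usr/bin:/etc' 'TMOUT=60' 'readonly TMOUT' > "$DEMO/profile"
printf '%s\n' 'ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd' > "$DEMO/inetd.bad"
printf '%s\n' 'TMOUT=1800' > "$DEMO/profile.bad"
check_autologoff "$DEMO/inetd.conf" "$DEMO/profile" 900
check_autologoff "$DEMO/inetd.bad" "$DEMO/profile.bad" 900 || echo "non-compliant"
```

Point the three arguments at the real /etc/inetd.conf, /etc/profile and your policy limit to audit a live system.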
In this article, we have described the importance of automatic logoff and its relation to regulatory compliance. We have learned the administrative procedures required to set automatic logoff for FTP, TELNET and SSH sessions on AIX V6.1, which helps meet regulatory compliance and enables a secure environment.
The author sincerely acknowledges Sandeep R Patil (firstname.lastname@example.org) from IBM Corporation for his valued insights, exposure and motivation to write this article and help convey the subject to the community, customers and practitioners.
- AIX 6.1 security features: Mapping with HIPAA compliance (developerWorks, April 2010): Get an overview of AIX security features with HIPAA compliances.
- AIX V6.1 security and regulatory compliance (developerWorks, Jan 2010): This article discusses the importance of regulatory compliances and how security is a key aspect for meeting these compliances.
- Configure and enable the Kerberos authentication in telnet, FTP, and r-commands on AIX V6 (developerWorks, May 2008): This article provides guidelines for authentication with secure transmission for regulatory compliance.
- Refer to Understanding HIPAA Privacy for a detailed understanding of the HIPAA Privacy Rule.
- Learn more about HIPAA Technical Safeguards from the HIPAA Security Series #4 website.
- State of Oklahoma Information Security Policy, Procedures, Guidelines
- University of Oklahoma Information Technology Security Policy
- Food and Drug Administration Regulations
Get products and technologies
- AIX 5L Expansion Pack and Web Download Pack: Start downloading now.
- AIX Toolbox for Linux Applications.