
AIX V6.1 Remote Login Session Management
Provisions for automatic session logoff for regulatory compliance

Skill Level: Intermediate

Bhushan Pradip Jain ([email protected]), Associate Software Engineer, IBM

22 Jun 2010

Regulatory compliance regimes require systems to implement automatic logoff of sessions to enable a secure environment. UNIX® based solutions tend to make extensive use of utilities like FTP, TELNET and SSH, whose sessions are required to be configured for automatic timeout. This article explains the relationship between automatic logoff and various regulatory compliances. Subsequently, it steps through the administrative procedure required to configure it for FTP, TELNET and SSH over AIX V6.1.

Introduction

AIX V6.1 is provisioned with various security features which aid adherence to the regulatory compliance regimes applicable to different industrial sectors such as federal government, finance and health care. The functionalities range from securing data at rest and data in transit to login and password management. These features make AIX V6.1 an attractive UNIX based system to host solutions and applications for regulatory compliance driven industries.

UNIX based systems and solutions tend to make extensive use of remote login and file transfer technologies like FTP, TELNET and SSH, not only for administrative tasks but also for various other aspects of the overall solution. Rightful use of such remote login sessions comes under the auditing umbrella of various compliances. From a compliance perspective, the two prime factors to be considered for remote login sessions of these utilities are authentication with secure transmission and automatic logoff of remote sessions. While the former can be accomplished via Kerberos (see Resources) and similar network security protocols, the latter requires special administrative tuning. In this article, we map the need for automatic logoff of remote sessions to various compliances and subsequently explain the administrative procedures required to enable it on AIX V6.1 systems. The article will help administrators tune the remote utility sessions on their AIX systems to adhere to compliances and also address the risk associated with remote sessions.

AIX V6.1 Remote Login Session Management. Trademarks. © Copyright IBM Corporation 2010. All rights reserved.

What is automatic logoff?

Automatic logoff protects dormant sessions to a given system (generally remote, but not necessarily) from malevolent usage, to help mitigate the risk of malicious attack. Many a time, authorized users log into systems using login mechanisms (like SSH, TELNET, FTP and others) and either, through negligence, forget to log off from the session or, through inactivity, leave the session dormant. In such cases, if a malicious user exploits these sessions, that user can potentially disrupt the system. The automatic logoff feature helps alleviate such risks by automatically disabling the session once a recommended dormancy time-out value is exceeded.

Regulatory compliance and automatic logoff

Different regulatory compliance regimes are mandated by governments for different industrial sectors. Most of them directly influence the design, development and deployment of IT solutions for businesses, to ensure a safe and audited environment. Most of these compliances require automatic logoff facilities for their IT systems to help secure them from malicious influence. For example:

• The Health Insurance Portability and Accountability Act (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The HIPAA Security Rule Section 164.312(a)(2)(iii), titled Automatic logoff, states the requirement as "Implement procedures to terminate an electronic session after a predetermined time of inactivity" (see Resources).

• The State of Oklahoma in the United States has a special State of Oklahoma Information Security Policy, Procedures and Guidelines which are applied for the protection of the information assets of the state. The State of Oklahoma Information Security Policies require automatic logoff, stating: "Section 7.4: Access Control indicates to timeout a session after 15 minutes of inactivity" (see Resources).


• Title 21, Part 11 of the U.S. Food and Drug Administration's (FDA) Code of Federal Regulations requires drug makers, medical device manufacturers, biotechnology companies, biologics developers and other FDA-regulated industries (except food manufacturers) to implement controls—including audits, validation systems and documentation—for software and systems involved in processing many forms of data as part of business operations and product development. Section 300(d) indicates "Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management." (see Resources).

The other compliance regulations stating the need for similar functionality are:

• FERPA: 34 CFR Part 99 [Family Educational Rights and Privacy Act]

• GLB: 16 CFR Part 314 Standards for Safeguarding Customer Information[section 501(b) of the Gramm-Leach-Bliley Act ("GLB Act")]

• USA Patriot Act

For more details, see the "Information Technology Security Policy" laid down by the University of Oklahoma (see Resources).

This establishes the importance of automatic logoff provisioning for various regulatory compliances. In the next section, we explain the procedures to enable automatic logoff for the most popular remote login utilities on AIX V6.1.

Auto logoff procedures for AIX V6.1 (FTP, TELNET, SSH)

File Transfer Protocol (FTP), TELNET and SSH (Secure Shell) are popular AIX V6.1 remote login mechanisms used in various ways to meet various purposes within a given solution. AIX V6.1 provides special administrative procedures to help configure the auto logoff feature with these utilities. The following explains and provides examples of these procedures:

FTP with automatic logoff feature

In AIX, the inetd daemon provides Internet service management for a network and starts by default every time you start your system. FTP has an idle session timeout feature, but this feature needs to be enabled and the inetd daemon needs to be informed that the connection is to be timed out in case of inactivity for a particular period. The /etc/inetd.conf file (the configuration file for inetd) contains details about how the FTP service should behave. As shown below, we edit the /etc/inetd.conf file to set the time interval for FTP session inactivity to 60 seconds. Typically, this value will depend upon the business policy as well as the regulatory compliance guidelines.

Code 1: Configure inetd configuration file for FTP with Automatic Logoff.

(0) root @ motu: 61H (0934A_61H) : / # hostname
motu.in.ibm.com
(0) root @ motu: 61H (0934A_61H) : / # vi /etc/inetd.conf
....................................................
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd    ftpd -t 60
..........................
..........................
:wq

Note that the "ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd" entry is usually already present in the /etc/inetd.conf file. You only have to add the timeout value by appending "-t 60" to it.

Now the FTP service needs to be restarted for the changes to take effect. The following commands stop and start the FTP service.

Code 2: Restart FTP subserver.

(0) root @ motu: 61H (0934A_61H) : / # stopsrc -t ftp
0513-127 The ftp subserver was stopped successfully.
(0) root @ motu: 61H (0934A_61H) : / # startsrc -t ftp
0513-124 The ftp subserver has been started.

Let's verify the automatic logoff configuration set above. Once we are successfully connected to the FTP server (verified via basic commands), we explicitly keep the session dormant for 60 seconds. On execution of any command thereafter, we should get the message from the server "421 Timeout (60 seconds): closing connection.", which indicates that the auto logoff for FTP is successfully configured.

Code 3: Verify the FTP automatic logoff functionality.

(0) root @ motu: 61H (0934A_61H) : / # ftp motu.in.ibm.com
Connected to motu.in.ibm.com.
220 motu.in.ibm.com FTP server (Version 4.2 Wed Jun 3 15:43:49 CDT 2009) ready.
Name (motu.in.ibm.com:root): root
331 Password required for root.
Password:
230-Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from ssingh11.in.ibm.com
230-Last login: Tue Nov 24 15:36:56 IST 2009 on ftp
230 User root logged in.
ftp> cd
(remote-directory) /
250 CWD command successful.
ftp> lcd
Local directory now /
ftp> cd
(remote-directory) /
421 Timeout (60 seconds): closing connection.
ftp> quit

Note that even though the FTP server has automatically closed the connection after 60 seconds of inactivity, the client will only be informed when it tries to execute a command after the timeout.
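The edit above is easy to get wrong (a commented-out service line, a missing -t, or a value looser than policy), so a defender usually wants a repeatable check rather than a manual login test. The following script is added here as an example and is not part of the original article: it audits an inetd.conf file by ignoring comment lines, locating the ftp service entry, extracting the -t value and comparing it with an assumed policy ceiling (POLICY_MAX, 900 seconds here). The inetd.conf fragments it writes are constructed samples, not files from an AIX system.

```shell
#!/bin/sh
# Added example (not from the article): audit an inetd.conf for an ftp
# entry that carries an explicit idle timeout (-t) within a policy ceiling.
# POLICY_MAX and the sample file contents below are assumptions.

POLICY_MAX=${POLICY_MAX:-900}    # assumed ceiling: 15 minutes of inactivity

# check_ftp_timeout FILE MAX
# Exit status: 0 = ftp entry has "-t N" with N <= MAX
#              1 = ftp entry present but no -t, or N > MAX
#              2 = no active (uncommented) ftp entry at all
check_ftp_timeout() {
    file=$1
    max=$2
    # Drop comment lines, then take the first line whose service field is "ftp".
    line=$(grep -v '^[[:space:]]*#' "$file" | awk '$1 == "ftp" { print; exit }')
    if [ -z "$line" ]; then
        echo "$file: no active ftp entry (service disabled or commented out)"
        return 2
    fi
    # Pull the numeric argument that follows -t in the server-args field.
    timeout=$(echo "$line" | sed -n 's/.*[[:space:]]-t[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -z "$timeout" ]; then
        echo "$file: ftp entry has no -t timeout; ftpd's built-in default applies"
        return 1
    fi
    if [ "$timeout" -gt "$max" ]; then
        echo "$file: ftp idle timeout is $timeout s, above the $max s policy ceiling"
        return 1
    fi
    echo "$file: ftp idle timeout is $timeout s (within policy)"
    return 0
}

SAMPLE_DIR=${TMPDIR:-/tmp}/inetd-audit.$$
SAMPLE_OK=$SAMPLE_DIR/inetd.conf.ok
SAMPLE_BAD=$SAMPLE_DIR/inetd.conf.bad
SAMPLE_OFF=$SAMPLE_DIR/inetd.conf.off

# Constructed sample files standing in for /etc/inetd.conf (not real AIX files).
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_OK" <<'EOF'
## service socket protocol wait/nowait user server server-args
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd   ftpd -t 3600
ftp      stream  tcp6    nowait  root    /usr/sbin/ftpd   ftpd -t 60
EOF
    cat > "$SAMPLE_BAD" <<'EOF'
ftp      stream  tcp6    nowait  root    /usr/sbin/ftpd   ftpd
EOF
    cat > "$SAMPLE_OFF" <<'EOF'
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd   ftpd -t 60
EOF
}

cleanup_samples() { rm -rf "$SAMPLE_DIR"; }

# Demonstration run: each call is wrapped in "if" so a failing check is reported, not fatal.
write_samples
for f in "$SAMPLE_OK" "$SAMPLE_BAD" "$SAMPLE_OFF"; do
    if check_ftp_timeout "$f" "$POLICY_MAX"; then :; fi
done
cleanup_samples
```

To audit a live system, call check_ftp_timeout /etc/inetd.conf 900 (or whatever ceiling the applicable policy sets) from a scheduled job and alert on a non-zero exit status; the commented 3600-second line in the first sample shows why comment lines must be skipped before the service field is matched.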

Secure TELNET with automatic logoff feature

The auto logoff provision for TELNET on AIX V6.1 is controlled via parameters listed in /etc/profile. The /etc/profile file is an administrator governed system configuration file which controls system-wide default variables for all users. To prevent the potential security hazard of users leaving their accounts unattended, the administrator can set an environment variable named "TMOUT" in /etc/profile, which also governs the auto logout for TELNET (as shown below). In the example below, the first command, TMOUT=<time interval in seconds>, sets the inactivity interval that will lead to an automatic logoff from the session. Here, we have set the value to 60 seconds. This value will depend upon the business policy as well as the regulatory compliance guidelines. The next command declares this environment variable as read-only so that no user (other than the administrator) can override this default value to keep the session open for longer than the inactivity interval set. On subsequent remote logins to the system, the environment variable "TMOUT" will be set as read-only with an inactivity value of 60 seconds.

Code 4: Configure profile configuration file for automatic logoff.

(0) root @ motu: 61H (0934A_61H) : / # vi /etc/profile
....................................................
TMOUT=60
readonly TMOUT
..........................
..........................
:wq!

Let us verify the previous settings. As shown below, when we TELNET to the machine, the command "echo $TMOUT" gives an output of 60, indicating that the new value is set appropriately. Also, it can be seen that the value of the variable cannot be changed, as we set it to read-only. Subsequently, if we keep the TELNET session inactive for 60 seconds, the session is automatically logged off (as seen below), thus successfully enabling automatic session logoff for TELNET over AIX V6.1. Note that in the listing below we are using a bash shell:

Code 5: Verify the TELNET automatic logoff functionality.

(0) root @ motu: 61H (0934A_61H) : / # telnet motu.in.ibm.com
Trying...
Connected to motu.in.ibm.com.
Escape character is '^]'.

telnet (motu.in.ibm.com)

AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: root
root's Password:
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from ssingh11.in.ibm.com
Last login: Tue Nov 24 15:40:50 IST 2009 on /dev/pts/1
(0) root @ motu: 61H (0934A_61H) : / # echo $TMOUT
60
(0) root @ motu: 61H (0934A_61H) : / # echo $SHELL
/usr/bin/bash
(0) root @ motu: 61H (0934A_61H) : / # export TMOUT=200
-bash: TMOUT: readonly variable
(1) root @ motu: 61H (0934A_61H) : / # timed out waiting for input: auto-logout
Connection closed.
(0) root @ motu: 61H (0934A_61H) : / #

Note that if the system is restarted after committing the changes to /etc/profile, the timeout value will not only be set for remote login but will also be set for physical login.

Secure SSH with automatic logoff feature

A lot of solutions prefer SSH over TELNET for its default secure behavior. Incidentally, the configuration done for auto logoff of TELNET in the /etc/profile file (explained previously) is also applicable to SSH.


So, instead of TELNET, let us SSH into the machine and test the behavior. We shall SSH into the machine as a user other than root whose default shell is set to ksh (Korn shell). Once we log in to the system, we execute a series of commands similar to the ones previously executed to confirm that the value of the environment variable "TMOUT" is actually set to 60, and that the variable is indeed read-only and the value cannot be changed. After 60 seconds of inactivity, we get a connection closed message from the remote machine, which indicates that the auto logoff is successfully set for SSH.

Code 6: Verify the SSH automatic logoff functionality.

(0) root @ motu: 61H (0934A_61H) : / # ssh [email protected]
[email protected]'s Password:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Tue Nov 24 18:35:22 IST 2009 on ssh
Last login: Tue Nov 24 18:27:43 IST 2009 on /dev/pts/2
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
Could not chdir to home directory /home/bhushan: A file or directory in the path name does not exist.
$ echo $TMOUT
60
$ echo $SHELL
/usr/bin/ksh
$ export TMOUT=200
ksh: TMOUT: This variable is read only.
$ pwd
/
Shell will time out in 60 seconds.
ksh: Timed out waiting for input.
Connection to motu.in.ibm.com closed.
(1) root @ motu: 61H (0934A_61H) : / #

Note that for AIX V6.1, the type of shell or the user account type does not have any effect on the behavior of the auto timeout feature enabled by setting the TMOUT environment variable in the /etc/profile file. Moreover, this environment variable ensures auto timeout after the inactivity interval for any login mechanism used to log into the system.
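The TELNET and SSH listings above both rely on the same two lines in /etc/profile, and the property that actually matters for compliance is that an ordinary user cannot raise TMOUT once logged in. The following script is added here as an example and is not part of the original article: it audits a profile fragment for a TMOUT assignment within an assumed policy ceiling (POLICY_MAX) and for the matching readonly declaration, then sources the fragment in a throwaway sh and attempts the same TMOUT=200 override the listings show, to confirm that it is rejected. The profile fragments it writes are constructed samples, not the real /etc/profile.

```shell
#!/bin/sh
# Added example (not from the article): audit a profile file for the TMOUT
# setting the article describes, and show that "readonly" really blocks a
# user's attempt to raise it. POLICY_MAX and the sample fragments are assumptions.

POLICY_MAX=${POLICY_MAX:-900}    # assumed ceiling: 15 minutes of inactivity

# check_profile_tmout FILE MAX
# Exit status: 0 = TMOUT set to N <= MAX and declared readonly
#              1 = no TMOUT assignment found
#              2 = TMOUT assigned but N > MAX
#              3 = TMOUT within policy but not readonly (users can override it)
check_profile_tmout() {
    file=$1
    max=$2
    # Accept "TMOUT=N", "export TMOUT=N" or "readonly TMOUT=N"; the last assignment wins.
    value=$(sed -n 's/^[[:space:]]*\([a-z]*[[:space:]][[:space:]]*\)\{0,1\}TMOUT=\([0-9][0-9]*\).*/\2/p' "$file" | tail -n 1)
    if [ -z "$value" ]; then
        echo "$file: TMOUT is not set"
        return 1
    fi
    if [ "$value" -gt "$max" ]; then
        echo "$file: TMOUT=$value exceeds the $max s policy ceiling"
        return 2
    fi
    if ! grep -q '^[[:space:]]*readonly[[:space:]][[:space:]]*TMOUT\(=[0-9]*\)\{0,1\}[[:space:]]*$' "$file"; then
        echo "$file: TMOUT=$value but it is not readonly"
        return 3
    fi
    echo "$file: TMOUT=$value and readonly (within policy)"
    return 0
}

# tmout_is_locked FILE
# Sources FILE in a throwaway shell and tries to raise TMOUT the way a user
# would (the article's "export TMOUT=200"). Returns 0 if the new value did
# not take, i.e. the readonly declaration held; the shell's error text is discarded.
tmout_is_locked() {
    out=$(sh -c '. "$1"; TMOUT=200; echo "$TMOUT"' sh "$1" 2>/dev/null)
    [ "$out" != "200" ]
}

SAMPLE_DIR=${TMPDIR:-/tmp}/profile-audit.$$
PROFILE_OK=$SAMPLE_DIR/profile.ok
PROFILE_OPEN=$SAMPLE_DIR/profile.open

# Constructed /etc/profile fragments (not the real AIX file).
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$PROFILE_OK" <<'EOF'
# constructed fragment: the setting the article recommends
TMOUT=60
readonly TMOUT
EOF
    cat > "$PROFILE_OPEN" <<'EOF'
# constructed fragment: timeout set, but left writable
export TMOUT=60
EOF
}

cleanup_samples() { rm -rf "$SAMPLE_DIR"; }

# Demonstration run over both fragments.
write_samples
for f in "$PROFILE_OK" "$PROFILE_OPEN"; do
    if check_profile_tmout "$f" "$POLICY_MAX"; then :; fi
    if tmout_is_locked "$f"; then
        echo "$f: a login shell rejects 'TMOUT=200' after sourcing it"
    else
        echo "$f: a login shell accepts 'TMOUT=200', so the timeout can be defeated"
    fi
done
cleanup_samples
```

The second check is the one worth keeping in an audit job, because TMOUT is enforced by the shell itself: it counts down only while the shell is waiting at its prompt, so a user who can reassign it defeats the control, and a session that is not sitting at a shell prompt (a long-running foreground command, or an SSH subsystem such as sftp that starts no shell) is not covered by it at all and needs a separate control.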

Conclusion

In this article, we have described the importance of automatic logoff and its relation to regulatory compliances. We have learned the administrative procedures required to set automatic logoff for FTP, TELNET and SSH sessions on AIX V6.1, which will help with regulatory compliance and enable a secure environment.

Acknowledgement

The author sincerely acknowledges Sandeep R Patil ([email protected]) from IBM Corporation for his valued insights, exposure and motivation to write this article and help convey the subject to the community, customers and practitioners.


Resources

Learn

• AIX 6.1 security features: Mapping with HIPAA compliance (developerWorks, April 2010): Get an overview of AIX security features with HIPAA compliances.

• AIX V6.1 security and regulatory compliance (developerWorks, Jan 2010): This article discusses the importance of regulatory compliances and how security is a key aspect for meeting these compliances.

• Configure and enable the Kerberos authentication in telnet, FTP, and r-commands on AIX V6 (developerWorks, May 2008): This article provides guidelines for authentication with secure transmission for regulatory compliance.

• Refer to Understanding HIPAA Privacy for a detailed understanding of the HIPAA Privacy Rule.

• Learn more about HIPAA Technical Safeguards from the HIPAA Security Series #4 website.

• State of Oklahoma Information Security Policy, Procedures, Guidelines

• University of Oklahoma Information Technology Security Policy

• Food and Drug Administration Regulations

Get products and technologies

• AIX 5L Expansion Pack and Web Download Pack: Start downloading now.

• AIX Toolbox for Linux Applications.

Discuss

• Follow developerWorks on Twitter.

• Get involved in the My developerWorks community.

• Participate in the AIX and UNIX forums:

• AIX Forum

• AIX Forum for developers

• Cluster Systems Management

• IBM Support Assistant Forum

• Performance Tools Forum

• Virtualization Forum


• More AIX and UNIX Forums

About the author

Bhushan Pradip Jain is an Associate Software Engineer working for the IBM India Software Labs. He has published a technology named "Policy-Driven File Encryption Explorer Based on OpenPGP" under alphaWorks and is currently working on IBM Unified Scalable Storage. He has also worked on developing an Intrusion Detection System and on the implementation of part of the operating system for a multi-antenna telescope. Bhushan has completed his B.Tech. in Computer Engineering from the College of Engineering, Pune (COEP). You can contact him at [email protected].
