Summary

You configure the inactivity timeout per user in BoKS. Each user can use the global value, the setting from the user's primary User Class, or a personal value.

If a user needs access to a privileged account, you may want to apply a shorter timeout for the duration of that session. However, this doesn't work with the su command, where the timeout of the from-user is still applied.

Likewise, with the suexec command the from-user's timeout is applied by default. However, when keystroke logging is enabled for suexec, the timeout of the to-user applies for the session instead.


Procedure


Inactivity checking is performed by the boks_bksd daemon. Therefore this daemon must be enabled in the ENV file for user inactivity checking to apply. boks_bksd reads the $BOKS_var/btmp file to find information about logged-in users. The information needed is the login name, terminal (TTY) device and the process ID (PID) of the login shell.

boks_bksd then asks boks_servc for this user's inactivity timeout as stored in the BoKS database. If you su to, for example, root, neither the TTY nor the user name in the btmp file changes. Thus the inactivity timeout applied is taken from the original (from-) user, not the target user.

However, this mechanism doesn't work very well for keystroke-logged sessions. In this case a new TTY is allocated by the kslog program.

This behavior was introduced with hotfix TFS110913-012882 for BoKS 6.5. This hotfix includes boks_bksd, kslog and the bwho command.

This hotfix introduced the $BOKS_var/btmpx file. The kslog program reports the allocated TTY, PID and new user in that file (and also modifies the original entry in the btmp file). boks_bksd is aware of this and applies the inactivity timeout for the user of the keystroke-logged session rather than the user of the login session. That is, the timeout of the root user applies during the remainder of the keystroke-logged session.

New options were added to the bwho command {-x|-X} to make it possible to list the contents of both $BOKS_var/btmp and $BOKS_var/btmpx.

Problem analysis

If there is a problem with the inactivity timeout you may get more information by enabling debug traces on the boks_bksd daemon. This should be done on the affected Server Agent host.

To get an understanding of what is going on:

- Determine if keystroke logging is in use (applies to the suexec command only)
- Check the TTY associations for the involved processes with the ps or pstree/ptree commands (login shell, kslog, su and shell)
- Run bwho -x (executed locally on the affected host) and verify that the PID and TTY of the user's login shell as well as the kslog process are seen in the output.
- Check the inactivity setting in BoKS for the affected user (the target-user or the from-user depending on if kslog is in effect or not).
- Enable debug traces on boks_bksd:
# bdebug -x9 [-f outputfile] bksd

The debug trace reveals how boks_bksd interprets the activity of the various user sessions. However, the trace isn't easy to read. If you need help with the analysis, please send the trace file to FoxT Customer Support.

Note also that there are three sources for activity when boks_bksd checks the inactivity timeout:


- input from the keyboard - the access time (atime) of the TTY.
- output to the screen - modification time (mtime) of the TTY.
- consumed CPU (differences in "ps" output for the process registered in btmp[x] between rounds)

The activity checking for screen output and CPU cycles can be disabled per user.
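
As an added troubleshooting aid (example code, not part of BoKS or of the original article), the following script reads the same three signals for one session and reports which of them would keep it active. The function names, the rule that any enabled source counts as activity, and the use of `ps -o time=` as the CPU sample are assumptions; take the TTY and PID from the bwho -x output.

```python
import os
import subprocess
import sys
import time

def cpu_time(pid):
    """Cumulative CPU time of pid as printed by ps (a string such as '00:00:03')."""
    out = subprocess.run(["ps", "-o", "time=", "-p", str(pid)],
                         capture_output=True, text=True, check=False)
    return out.stdout.strip()

def check_session(tty, timeout_s, cpu_prev, cpu_now,
                  check_output=True, check_cpu=True, now=None):
    """Return (idle, details) for one session.

    Assumed model: the session is active if any enabled source shows
    activity; a change in CPU time between two rounds counts as activity.
    """
    st = os.stat(tty)
    now = time.time() if now is None else now
    details = {
        "keyboard_idle_s": now - st.st_atime,  # atime: last input read from the TTY
        "output_idle_s": now - st.st_mtime,    # mtime: last output written to the TTY
        "cpu_changed": cpu_prev != cpu_now,    # difference in ps output between rounds
    }
    active_by = []
    if details["keyboard_idle_s"] < timeout_s:
        active_by.append("keyboard")
    if check_output and details["output_idle_s"] < timeout_s:
        active_by.append("output")
    if check_cpu and details["cpu_changed"]:
        active_by.append("cpu")
    details["active_by"] = active_by
    return (not active_by, details)

if __name__ == "__main__":
    # Usage: check_idle.py <tty device> <pid> <timeout seconds> [round seconds]
    tty, pid, timeout_s = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    round_s = int(sys.argv[4]) if len(sys.argv) > 4 else 10
    before = cpu_time(pid)
    time.sleep(round_s)  # one "round" between the two CPU samples
    idle, details = check_session(tty, timeout_s, before, cpu_time(pid))
    print("idle" if idle else "active", details)
```

A session that never times out although nobody is typing usually shows "output" or "cpu" in active_by, for example a command that keeps printing to the terminal.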

Caveats


There is a known problem with boks_bksd in versions prior to BoKS 6.7. If there are many users on the system registered in btmp that need to be checked for inactivity, the performance of this check will degrade. That is, users may not be logged out in a timely fashion, as boks_bksd only checks one user at a time.



Last Modified On: May 25, 2018