From f43fdaaf82217f73a2de7bb9db44f04f32f759cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Fri, 21 Jan 2022 15:58:14 +0000
Subject: [PATCH] enh: osh-lingering-sessions-reaper: make it configurable

---
 bin/cron/osh-lingering-sessions-reaper.sh | 6 +--
 .../osh-lingering-sessions-reaper.conf.dist | 49 +++++++++++++++++++
 2 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 etc/bastion/osh-lingering-sessions-reaper.conf.dist

diff --git a/bin/cron/osh-lingering-sessions-reaper.sh b/bin/cron/osh-lingering-sessions-reaper.sh
index 804598c..bb07e2b 100755
--- a/bin/cron/osh-lingering-sessions-reaper.sh
+++ b/bin/cron/osh-lingering-sessions-reaper.sh
@@ -7,7 +7,7 @@ basedir=$(readlink -f "$(dirname "$0")"/../..)
 . "$basedir"/lib/shell/functions.inc
 
 # default config values for this script
-:
+MAX_AGE=86400
 
 # set error trap, read config, setup logging, exit early if script is disabled, etc.
 script_init osh-lingering-sessions-reaper config_optional check_secure_lax
@@ -19,7 +19,7 @@ nb=0
 # shellcheck disable=SC2162
 while read etimes pid tty
 do
- if [ "$tty" = "?" ] && [ "$etimes" -gt 86400 ]; then
+ if [ "$tty" = "?" ] && [ "$etimes" -gt "$MAX_AGE" ]; then
 tokill="$tokill $pid"
 (( ++nb ))
 fi
@@ -36,7 +36,7 @@ nb=0
 # shellcheck disable=SC2162
 while read etimes pid tty user
 do
- if [ "$tty" = "?" ] && [ "$user" != "root" ] && [ "$etimes" -gt 86400 ]; then
+ if [ "$tty" = "?" ] && [ "$user" != "root" ] && [ "$etimes" -gt "$MAX_AGE" ]; then
 if [ "$(ps --no-header --ppid "$pid" | wc -l)" = 0 ]; then
 tokill="$tokill $pid"
 (( ++nb ))
diff --git a/etc/bastion/osh-lingering-sessions-reaper.conf.dist b/etc/bastion/osh-lingering-sessions-reaper.conf.dist
new file mode 100644
index 0000000..9ec3aec
--- /dev/null
+++ b/etc/bastion/osh-lingering-sessions-reaper.conf.dist
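Review bot: MAX_AGE only gets a default here and is never validated after script_init sources the operator-editable config, yet both reapers feed it straight into `[ "$etimes" -gt "$MAX_AGE" ]`. An empty or non-numeric value makes `[` print "integer expression expected" for every scanned process and the cron job silently reaps nothing, while a value of 0 makes every tty-less candidate eligible at once; neither outcome is reported as a configuration error. I would add, directly after the script_init line, `[[ "$MAX_AGE" =~ ^[0-9]+$ ]] || { echo "osh-lingering-sessions-reaper: invalid MAX_AGE '$MAX_AGE'" >&2; exit 1; }`, routed through whatever logging helper functions.inc provides if it has one (not visible in this hunk). Whether script_init's error trap would otherwise catch a failing test inside an `if` condition cannot be told from this diff, so an explicit check is safer.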
@@ -0,0 +1,49 @@
+################################################################################
+## Config for /opt/bastion/bin/cron/osh-lingering-sessions-reaper.sh, the script
+## responsible for terminating lingering sessions that no longer have any tty
+## attached nor parent PID.
+##
+## Any file in /etc/bastion/osh-lingering-sessions-reaper.conf.d will also be
+## sourced, in alphabetical order, and take precedence over any
+## option specified in this file.
+##
+## Please ensure this file is only readable by root.
+##
+## As it'll be sourced, THIS FILE MUST BE A VALID SHELL SCRIPT.
+################################################################################
+#
+# > Logging
+# >> These options configure the way the script logs its actions
+#
+# LOGFILE (string, path to a file)
+# DESC: File where the logs will be written to (don't forget to configure ``logrotate``!).
+# Note that using this configuration option, the script will directly write to the file, without using syslog.
+# If empty, won't log directly to any file.
+# DEFAULT: ""
+LOGFILE=""
+#
+# LOG_FACILITY (string)
+# DESC: The syslog facility to use for logging the script output.
+# If set to the empty string, we'll not log through syslog at all.
+# If this configuration option is missing from your config file altogether,
+# the default value will be used (local6), which means that we'll log to syslog.
+# DEFAULT: "local6"
+LOG_FACILITY="local6"
+#
+# > Behavior
+# >> These options govern the behavior of the script
+#
+# ENABLED (0 or 1)
+# DESC: If set to 1, the script is enabled and will terminate lingering sessions that no longer have any
+# tty attached nor parent PID, and have been running for more than MAX_AGE seconds. Note that this only
+# removes orphan sessions that no longer seem to be attached to any client. Still alive sessions, even
+# if older than MAX_AGE seconds, will be kept.
+# If set to anything else, the script is considered disabled and will not run.
+# DEFAULT: 1
+ENABLED=1
+#
+# MAX_AGE (int >= 0)
+# DESC: The minimum number of seconds a session must have been opened before being considered as possibly
+# a lingering orphan session.
+# DEFAULT: 86400
+MAX_AGE=86400
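Review bot: The header tells the operator to keep this file "only readable by root", but since it is sourced as a shell script by a cron job that evidently runs as root (the reaper explicitly skips `root`-owned processes, which only makes sense for a privileged scan), the dangerous permission is write access: anyone who can edit this file, or drop a file into the conf.d directory it mentions, gets arbitrary code execution as root. I would change that line to `## Please ensure this file and the conf.d directory are owned by root and writable only by root.`, and note that whatever the `check_secure_lax` argument to script_init enforces is outside this diff. The `MAX_AGE (int >= 0)` description also admits 0 without saying what it means; I would add `# A value of 0 makes every detached, childless session eligible on the next run; use ENABLED=0 to turn the reaper off instead.` so an operator does not use 0 as a "disable" value.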