Add free message banner

Open willemdh opened this issue 6 years ago • 8 comments

@dimon222 @ThomDietrich

I'm working in dev-willem on a way to integrate an official banner, which would show some legal information. I'm still thinking about how to implement it. So I'm giving you guys the chance to discuss this topic with me. I don't have very much time left to implement this (need it for work), but I can always change some things later. So I have the following questions:

  • Where will I save the banner? Separate file in /var/tmp/? Integrated in the FireMotD.json? Somewhere else which seems a logical place to store a banner?
  • When will the banner be shown? If found in FireMotD.json? If specified with an argument? If found in /var/tmp?

My goal is to show the banner in a color of choice. An example banner I have now is:

This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information including personal information, placed on or sent over this system may be monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for these purposes.

Looking forward to some input!

Willem

willemdh avatar Sep 11 '17 17:09 willemdh

Or a smaller version:

Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.

willemdh avatar Sep 11 '17 18:09 willemdh

It would basically look like this once it's finished:

image

Or the short version: image

willemdh avatar Sep 11 '17 20:09 willemdh

I think saving in a separate file along with the FireMotD distribution or inside FireMotD.json is the way to go. This is basically because this data is almost never going to be changed.
Also, the short version looks more friendly. We can also try changing the color to make it more visible.

dimon222 avatar Sep 11 '17 21:09 dimon222

@dimon222 Thanks for your input. In the meantime, I discussed this with my security officer and we decided that the banner should be shown pre-login, as otherwise the consent is implicit. Therefore I won't go through with this implementation for now. We will add a banner file in /etc/ssh and set the banner directive in sshd_config.

willemdh avatar Sep 12 '17 08:09 willemdh
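The pre-login approach described in the comment above can be audited with a small check. This is an added example, not part of the original thread or of FireMotD; the function name `check_ssh_banner`, its return codes and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for a usable pre-login banner.
# Return codes: 0 = Banner set and its file is non-empty,
#               1 = no global Banner directive (or "Banner none"),
#               2 = Banner set but the file is missing or empty.
# Assumptions: "Keyword value" form separated by whitespace; Include
# directives and Match blocks are not evaluated.
check_ssh_banner() {
    config=$1
    # sshd keeps the first value it reads for a keyword, keywords are
    # case-insensitive, and global settings end at the first Match line.
    banner=$(awk '
        NF == 0 || $1 ~ /^#/    { next }
        tolower($1) == "match"  { exit }
        tolower($1) == "banner" { gsub(/"/, "", $2); print $2; exit }
    ' "$config")
    case $banner in
        ''|[Nn][Oo][Nn][Ee])
            echo "no pre-login banner configured"
            return 1 ;;
    esac
    if [ ! -s "$banner" ]; then
        echo "Banner points at a missing or empty file: $banner"
        return 2
    fi
    echo "pre-login banner: $banner"
    return 0
}

# Constructed demo input (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Unauthorized access to this system is forbidden.' > "$demo_dir/banner"
cat > "$demo_dir/sshd_config" <<EOF
# Banner none
PermitRootLogin no
banner $demo_dir/banner
Banner none
EOF
check_ssh_banner "$demo_dir/sshd_config"   # first uncommented Banner line wins
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source for the value sshd will actually use.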

That sounds like a good plan!

As for the idea to show some free text inside FireMotD: I still like the idea as a feature and would vote to make this an optional parameter in FireMotD.json. The reasons are simple:

  • FireMotD.json is the place for data used by FireMotD - check
  • The user can edit the file easily - check
  • The user is not forced to create or manage yet another file

One downside is that the user now has to manually edit the json file, introducing the chance of leaving a broken json file. As this is a one-time change I don't think this is a critical issue. Another thing to consider: All other data in the json file is retrieved from the system and can hence be deleted or modified without risk. With the banner in place, that's not valid any longer.

ThomDietrich avatar Sep 12 '17 11:09 ThomDietrich

I'm not sure if you read my latest post on this topic? But as I have the code ready to add an extra block, I'll reopen. Could take some time though before it gets into master.

willemdh avatar Sep 12 '17 13:09 willemdh

That sounds like a good plan!

...was directed at your last post. I'm doing (or did, not sure) a similar thing with sshd_config.

No hurries. Not sure if I need this feature personally. I did already add a banner message to the .bash_profile of my system (openHABian).

ThomDietrich avatar Sep 12 '17 13:09 ThomDietrich

The use case I'm seeing for me is that I could for example add the primary and secondary contact for some of our servers. I'll keep this issue open until a 'free message' banner is implemented.

willemdh avatar Sep 12 '17 18:09 willemdh