A question about logon banners

Sat, 16 Mar 2002 15:10:22 -0800 

This is a question I get in just about every admin or security class I teach. The 
problem is that there is not a really universal answer, as the requirements vary from 
state to state and are subject to interpretation. If you want to search the laws of 
each state, the best reference I have found is:
        http://www.law.cornell.edu/statutes.html

SF has many of the state laws online in the Library section, but are often WAY out of 
date and because of how they are formatted, it is impossible to print them without 
loosing text.

I have discussed this issue with several "high-tech-savy" attornies. The concensis is:
        1) Never say "WELCOME" in your login banner or ANYWHERE else!
        2) BEFORE giving a login prompt, you should say something along the lines of:
                        name-of-organization-who-owns-the-system
                        UNAUTHORIZED ACCESS IS PROHIBITED
                        VIOLATORS WILL BE PROSECUTED

        3) AFTER processing the login (or at the password prompt on a GUI), you should 
say something along the lines of:
                        name-of-organization-who-owns-the-system
                        THIS SYSTEM MAY BE USED ONLY BY AUTHORIZED USERS FOR 
AUTHORIZED PURPOSES
                        USE FOR UNAUTHORIZED PURPOSES IS PROHIBITED
                        IF YOU ARE NOT AN AUTHORIZED USER, LOGOUT NOW
                        VIOLATORS OF THESE POLICIES WILL BE PROSECUTED

It is a REAL P-I-T-A to accompolish the above on a Windows box, but trivial on most 
Unix/Linux boxes. In Unix:
        1) For console/telnet/etc login (DISABLE ALL R* COMMANDS!) you should:
                a) put #2 into /etc/issue
                b) put #3 into /etc/motd
        or equivalent files on some version of UNIX (above works on Solaris)
        2) For CDE login you should edit /usr/dt/config/C/Xresources (or equivalent 
file) and change the "Greeting" lines. Use '\n' to separate lines. Don't forget to 
uncomment the standard template if you do not already have local mods in place.
        3) For other GUIs, make similar changes to the Xresources file for the login 
server.
        4) You should also disable the "O/S IDENTIFIER" on daemons with logins, such 
as ftpd and telnetd, and replace it with "UNAUTHORIZED ACCESS IS PROHIBITED" text. In 
Solaris, do this in /etc/default/telnetd and /etc/default/ftpd (see man pages). Other 
O/Ses may or may not allow similar changes.

Hope this helps!

Sincerely,
Jon R. Kibler
Systems Architect
[EMAIL PROTECTED]

Advanced Systems Engineering Technology, Inc.
389 Johnnie Dodds Blvd., Suite 205
Mt. Pleasant, SC 29464-2969  (Charleston)
USA

Phone:  (843) 849-8214
Fax:    (843) 849-8215

Reply via email to