On Sat, Jan 21, 2023 at 10:43:08AM +0000, Stuart Henderson wrote: > Test machines are less of a problem, because they're test machines.
Sure, we're talking about two different scenarios. > Machines where things have been enabled to debug a problem and then > forgotten are a bigger issue. > I'm not convinced that something visible only on a monitor help much. > How about security(8) though? But surely for securelevel < 1, we need some kind of indication that nags continuously rather than a notification that can take up to 24 hours before it's reported? Adding: if [ `sysctl -n kern.securelevel` -lt 1 ] ; then export PS1='!!\h\$!!'; fi to root's .profile gives an on-going reminder that is visible on a remote, (I.E. non-monitor), session, but then people who change their shell prompt, will lose it, and obviously with that simple solution the notification will stay after setting securelevel >= 1 until you log out and in again.
