Last Updated: February 25, 2016
· supersymmetry

Generic Linux system-access banner

Most people won't be aware of the /etc/issue and /etc/ nodes on Unices, which are referenced in the OpenSSH system-wide configuration file (disabled by default). These files hold so-called pre-login messages, which you can modify to suit your own needs, as so nicely pointed out by the very well known Linux/UNIX blogger Vivek.

The downside to using a pre-login banner, as the name suggests, is that it can be read by anyone who even tries to access the system. As you might imagine, placing a very provocative banner is not smart, and it has actually caused many (arrogant) system administrators to - kicking in an open door - be hacked solely for being an ass. It's hacker psychology 101.

A little research brought me the following (PDF warning) white paper on security warning banners in UNIX-like systems that support this feature. To save you some time (it's still a fun read), I thought I'd just post the generic banner here.

WARNING: This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. 

Of course if you are a little more pro-active in your security measures you might want to add the following paragraph:

Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. 

Currently in the Netherlands a law has passed requiring that you warn your website users about the use of cookies (anyone should know that, but I guess a law against being stupid and lazy was impossible), so everyone is putting up website warnings about cookies. Consider that cookies are way less dangerous than a root user, and putting up a warning that the (server) system is actively being monitored might not seem like such a strange idea anymore:

All information including personal information, placed on or sent over this system may be monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Use of this system constitutes consent to monitoring for these purposes.

Disclaimer: by no means does this guarantee any legal advantage in court (should a lawsuit follow in case your system was compromised), but it doesn't hurt, it's fair towards your user population, and it keeps them on their toes as well. As we say in Dutch: "een gewaarschuwd mens telt voor twee" (a warning counts double).

Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action.

Should any of those users decide to sue you, the system administrator, due to privacy violations - you might just be glad to have put this up:

Use of this system constitutes consent to monitoring for these purposes.

Modify this to suit your own preferences based upon the system role and security necessities of the system and any data placed on connected storage devices and/or traffic.

Be advised that if you are a really secretive/paranoid geek like I once was, placing a banner is the same as advertising that you have a high-value asset in your possession, or at least it would seem so (do I smell honeypot bait?).
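
One way to check that the banner is actually switched on and carries the notice wording quoted above, as an added example that is not part of the original post: it reads the `Banner` keyword from an sshd_config-style file and inspects the file it names. The function names, the two required phrases and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config-style file
# for a pre-login banner. Assumption: Include files and Match blocks are not
# followed; on a live host `sshd -T` prints the effective configuration.

# Print the Banner value in effect. sshd keywords are case-insensitive and the
# first occurrence wins; without a Banner line the default is "none".
banner_path() {
    awk 'tolower($1) == "banner" { print $2; found = 1; exit }
         END { if (!found) print "none" }' "$1"
}

# 0 = banner set and wording present, 1 = banner disabled,
# 2 = banner file missing or empty, 3 = notice wording missing.
audit_banner() {
    bfile=$(banner_path "$1")
    [ "$bfile" != "none" ] || { echo "FAIL: Banner disabled in $1"; return 1; }
    [ -s "$bfile" ] || { echo "FAIL: $bfile missing or empty"; return 2; }
    for phrase in "authorized use" "consent to monitoring"; do
        grep -qiF "$phrase" "$bfile" ||
            { echo "FAIL: '$phrase' not found in $bfile"; return 3; }
    done
    echo "OK: $bfile"
}

# Constructed sample files so the check runs offline (not real host configs).
# banner.txt is a shortened form of the generic banner text.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/banner.txt" <<'EOF'
WARNING: This computer system is provided only for authorized use.
Use of this system constitutes consent to monitoring for these purposes.
EOF
echo "Welcome" > "$tmp/greeting.txt"
printf '#Banner none\nBanner %s\n' "$tmp/banner.txt" > "$tmp/sshd_good"
printf '#Banner none\nPort 22\n' > "$tmp/sshd_default"
printf 'banner %s\n' "$tmp/absent.txt" > "$tmp/sshd_broken"
printf 'Banner %s\n' "$tmp/greeting.txt" > "$tmp/sshd_weak"

for c in good default broken weak; do
    audit_banner "$tmp/sshd_$c" || true
done
```

Swap the two phrases in `audit_banner` for whatever wording your own banner is required to carry.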