Wednesday, October 2, 2013

Security & consent banner

It is always a good idea, and a best practice, to display a security and consent message before allowing use of an information system. Solaris provides all the means to accomplish this, and I shall show how to do it for both the text and the graphical user interface.

The simplest method is for the text user interface. All that is required is to edit the /etc/issue file and you are done. Every text login method, including SSH (once the Banner keyword in /etc/ssh/sshd_config is uncommented and set to /etc/issue), will display the contents of that file before authentication.

Example:

# cat /etc/issue

You are accessing a COMPANY
Information System (IS) that is for authorized use only.
By using this IS (including any device attached to it),
you consent to the following conditions:

  • COMPANY routinely intercepts and monitors this IS
    for purposes including, but not limited to,
    penetration testing, monitoring, network operations and
    defense, personnel misconduct (PM),
    law enforcement (LE), and counterintelligence (CI)
    investigations.

  • At any time, COMPANY may
    inspect and seize data stored on this IS.

  • Communications using, or data stored on, this IS
    are not private, are subject to routine monitoring,
    interception, and search, and may be disclosed or used
    for any COMPANY-authorized purpose.

  • This IS includes security measures
    (e.g., authentication and access controls)
    to protect COMPANY interests,
    not for your personal benefit or privacy.

  • Notwithstanding the above, using this IS
    does not constitute consent to PM, LE or CI
    investigative searching or monitoring of
    the content of privileged communications,
    or work product, related to personal representation
    or services by attorneys, psychotherapists,
    or clergy, and their assistants.
    Such communications and work product
    are private and confidential.


In text mode, however, such a long message may be inconvenient and ineffective unless access is remote, for example via SSH. The problem is that a text console will probably not fit all of the text on a single screen, and whatever scrolls off the top escapes the user's sight. For this reason I believe a shorter message (note the spacing around the text: before, after and to the left) is more appropriate, such as:

# cat /etc/issue
 
 You are accessing a COMPANY
 Information System (IS) that is for authorized use only.
 By using this IS (including any device attached to it),
 you consent and agree to the IS policy & conditions.

 
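
The following added shell script (my own example, not part of the original post) checks the two things discussed above: whether a banner file fits on a conventional 80x24 text console, and whether an sshd_config actually has an active, uncommented Banner keyword. The sample banner and sshd_config files are constructed inline in a temporary directory.

```shell
#!/bin/sh
# Example check for a text-mode login banner (constructed example).

# banner_fits FILE [MAX_ROWS] [MAX_COLS]
# Returns 0 when FILE has at most MAX_ROWS lines (default 24) and no line
# is wider than MAX_COLS characters (default 80); otherwise reports the
# problem on stderr and returns 1.
banner_fits() {
    file=$1
    max_rows=${2:-24}
    max_cols=${3:-80}
    status=0
    rows=$(wc -l < "$file" | tr -d ' ')
    if [ "$rows" -gt "$max_rows" ]; then
        echo "$file: $rows lines exceed $max_rows rows" >&2
        status=1
    fi
    # awk prints the number of every line wider than max_cols
    long=$(awk -v max="$max_cols" 'length($0) > max { print NR }' "$file")
    if [ -n "$long" ]; then
        echo "$file: lines wider than $max_cols columns:" $long >&2
        status=1
    fi
    return $status
}

# sshd_banner_path SSHD_CONFIG
# Prints the path of the first active Banner keyword (comment lines are
# skipped because they do not start with the keyword); prints nothing if
# the banner is still commented out.
sshd_banner_path() {
    awk 'tolower($1) == "banner" { print $2; exit }' "$1"
}

# Constructed sample inputs.
tmp=$(mktemp -d)
printf '\n You are accessing a COMPANY\n Information System (IS) that is for authorized use only.\n By using this IS (including any device attached to it),\n you consent and agree to the IS policy & conditions.\n\n' \
    > "$tmp/issue-short"
# 30 short lines plus one 100-character line: too tall and too wide.
{ i=1; while [ "$i" -le 30 ]; do echo "line $i"; i=$((i + 1)); done
  printf '%100s\n' x; } > "$tmp/issue-long"
printf '#Banner none\nBanner /etc/issue\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf '#Banner /etc/issue\nPermitRootLogin no\n' > "$tmp/sshd_config-commented"
```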

Nevertheless, for a variety of reasons, it may be necessary or convenient for a client to explicitly suppress the banner configured by the Banner keyword in the server's /etc/ssh/sshd_config, as shown above. This is done with the DisableBanner keyword, either in the user's ~/.ssh/config, in the client's /etc/ssh/ssh_config, or on the command line with the -o option. See ssh_config(4) for details. For example, to suppress the banner only when running a remote command (exec mode):

client# ssh -o DisableBanner=in-exec-mode server remote-command



For the graphical user interface things are a bit more complicated. There is more than one method, but I prefer the following one, which I believe is better integrated into the user interface. Its main disadvantage is that it is not preserved across system updates, so special care must be taken to re-establish the banner after updating the system.

The first step is to enable the banner and create a message placeholder. This must be done under the special gdm account, using gconftool-2 (pkg://solaris/gnome/config/gconf):
 
$ su -
# su - gdm
 
gdm@desktop-1 $ gconftool-2 \
  --direct \
  --config-source=xml:readwrite:$HOME/StaticSeat1/.gconf \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable \
  true

gdm@desktop-1 $ gconftool-2 \
  --direct \
  --config-source=xml:readwrite:$HOME/StaticSeat1/.gconf \
  --type string \
  --set /apps/gdm/simple-greeter/banner_message_text_nochooser \
  "placeholder"
 
Then write the full message inside the corresponding <stringvalue> element of the gconf XML file. Note that for the graphical user interface, as opposed to the text one, it is advisable to widen the text and reduce its height.

gdm@desktop-1 $ cd StaticSeat1/.gconf/apps/gdm/simple-greeter
gdm@desktop-1 $ vim %gconf.xml
  
Then verify the edit by reading the key back:
 
gdm@desktop-1 $ gconftool-2 \
  --direct \
  --config-source=xml:readwrite:$HOME/StaticSeat1/.gconf \
  --get /apps/gdm/simple-greeter/banner_message_text_nochooser

You are accessing a COMPANY Information System (IS) that is for authorized use only.
By using this IS (including any device attached to it), you consent to the following conditions:

  * COMPANY
    routinely intercepts and monitors this IS for purposes including, but not limited to,
    penetration testing, monitoring, network operations and defense, personnel misconduct (PM),
    law enforcement (LE), and counterintelligence (CI) investigations.

  * At any time, COMPANY
    may inspect and seize data stored on this IS.

  * Communications using, or data stored on, this IS are not private, are subject to
    routine monitoring, interception, and search, and may be disclosed or used
    for any COMPANY-authorized purpose.

  * This IS includes security measures (e.g., authentication and access controls)
    to protect COMPANY interests ---
    not for your personal benefit or privacy.

  * Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI
    investigative searching or monitoring of the content of privileged communications,
    or work product, related to personal representation or services by attorneys,
    psychotherapists, or clergy, and their assistants. Such communications
    and work product are private and confidential.


The final step consists of minor layout adjustments to the login dialog, to make it more presentable to the user. To edit graphically as root I will follow the notes from X11 & SSH & SU.

$ xauth list
desktop-1/unix:0  MIT-MAGIC-COOKIE-1  ...

$ su -
# cd /usr/share/gdm
# cp -p gdm-greeter-login-window{,-backup}.ui
# cp -p logo{,-backup}.png

Replace the logo with a more appropriate PNG of at most 195 x 66 pixels.
Use transparency for a better look and feel.

# cp /tmp/company_logo.png ./logo.png
# cp logo{,-site}.png

Open the Glade user interface definition (gdm-greeter-login-window.ui) and edit the auth-banner-label widget, setting its justification to left and its text flow to normal text.

# xauth add desktop-1/unix:0  MIT-MAGIC-COOKIE-1  ...
# export DISPLAY=:0.0
# glade-3 gdm-greeter-login-window.ui 2> /dev/null &  
# cp -p gdm-greeter-login-window{,-site}.ui
# xauth remove desktop-1/unix:0
# ^D

The final result is something such as:


A few editing cycles may be needed to reach the desired text content and layout. To ease this interactive process, everything can be done remotely via SSH and, at each step, GDM can be conveniently restarted with:

# svcadm restart gdm