To ensure that users are aware of the Laboratory's Authorized
Computer Use policy and to comply with a DOE mandate, a banner
will appear each time a user accesses any Laboratory computer
system. This banner may be displayed automatically by the
system when a user accesses the computer or an adhesive banner
may be attached directly to computer monitors.
Laboratory policy regarding the banner (including the full required text)
can be found at: http://www.lbl.gov/Workplace/RPM/R9.01.html#RTFToC8
Banner Stickers for your computer
may be obtained from TEID in person by going to Building 46,
Room 139, by contacting TEID's Administrator at 510 486-6765,
or by emailing your request to TEID@lbl.gov.
Instructions for implementing the required warning banners
on various types of systems can be found below.
Windows/Macintosh
Download the patch and installation instructions for the computer
security notice from http://www.lbl.gov/download.
There are three download locations on the page: one for WinNT;
another for Win 95 or 98; and the third for the Macintosh.
Uncompress the file and read the readme file for instructions.
After installation the required warning banner will be displayed
whenever the system starts.
Web Servers
For web servers we are required to place a link labeled "Notice
to Users" on each page served. The link can be in the header,
in the footer or anywhere on the page. The link should be
to the following site, which displays a copy of the required
notice:
http://www.lbl.gov/ITSD/Security/policies/user-notice.htm
UNIX
The banners for Unix machines depend on the particular vendor
and service. For many recent systems (Sun, Linux), creating
the file /etc/issue containing the banner text causes the
banner text to be displayed before the console login and before
all interactive logins such as telnet, rsh, and rlogin.
Linux systems use two such files, /etc/issue for console logins
and /etc/issue.net for telnet logins, so be sure to place
the banner text in both. For other systems and for services
that do not respond to the /etc/issue file, put the banner
text in the file /etc/motd.
The contents of this file are displayed by the global /etc/.login
and the /etc/profile files, depending on which shell you start
(sh or csh), immediately after a successful login. Displaying
the /etc/motd file immediately after login is also an option
for the Secure Shell daemon (sshd) and is set in the /usr/local/etc/sshd_config
file.
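A way to verify the files described above on a host or a staged tree, as an added example that is not part of the original page. The function names, the root argument and the marker string PLACEHOLDER-BANNER-TEXT are assumptions; substitute a phrase from the required banner text.

```shell
#!/bin/sh
# Added example: audit the banner files this page names under a given root.
# MARKER is a phrase taken from your copy of the required text (placeholder below).

# Report one file; succeed only if it is non-empty and contains the marker.
check_banner_file() {
    file=$1; marker=$2
    if [ ! -s "$file" ]; then
        echo "MISSING  $file"; return 1
    fi
    if ! grep -qF -- "$marker" "$file"; then
        echo "NO-TEXT  $file"; return 1
    fi
    echo "OK       $file"
}

# Check /etc/issue, /etc/issue.net and /etc/motd; return the number of problems.
audit_banner_files() {
    root=${1%/}; marker=$2; failures=0
    for rel in etc/issue etc/issue.net etc/motd; do
        check_banner_file "$root/$rel" "$marker" || failures=$((failures + 1))
    done
    # Console and telnet logins should show the same text: flag drift.
    if [ -f "$root/etc/issue" ] && [ -f "$root/etc/issue.net" ] &&
       ! cmp -s "$root/etc/issue" "$root/etc/issue.net"; then
        echo "DIFFERS  $root/etc/issue $root/etc/issue.net"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed demo tree: motd is missing and issue.net lacks the banner.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
echo "PLACEHOLDER-BANNER-TEXT" > "$demo/etc/issue"
echo "Welcome to host1" > "$demo/etc/issue.net"
audit_banner_files "$demo" "PLACEHOLDER-BANNER-TEXT" || echo "problems found: $?"
rm -rf "$demo"
```

Pass / as the root to check the live system.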
Some versions of the FTP service have been modified to display
after login the contents of the file .login_message found
in the root directory of the FTP tree or in the user's home
directory. You will have to try this to see if it works. If
it does not work, you must put a file named NOTICE_TO_USERS
containing the warning text into the root directory of the
anonymous ftp tree and the file or a link to the file into
each user's home directory.
For machines that do not use these methods for displaying banners,
consult the man pages for each service to see if there is
a banner mechanism available.
IMPORTANT NOTE: If you remove a service from a Unix machine, your
machine will be more secure and you will not have to worry
about placing a banner on that service. If you have open services
that you do not need, simply remove them.
TCPwrappers and Other Services
UNIX users can apply banners to services such as ftp, telnet, etc.
using the TCPwrappers program. TCPwrappers is a program that
controls who can connect to the different services on your
computer. In addition to controlling access to your computer,
the TCPwrappers program has the capability to send a banner
to the connecting client whenever a connection to a service
is requested.
Care must be taken as to which services the banners are added to,
as many protocols are not meant to be read by people and do
not support text banners. Note also that this works only for
those services that are controlled by TCPwrappers. The
TCPwrappers program must first be downloaded and installed
on your system. The source code for TCPwrappers is available
from: ftp://ftp.porcupine.org/pub/security/.
To add banners to your TCPwrappers program, you have to recompile
it with the -DPROCESS_OPTIONS flag. The flag, which enables a language
extension, is NOT on by default. In the hosts.allow file,
add the text, ": banners /banner/path" after the list of clients
that you want the banner to be displayed to.
The string /banner/path is the path to a directory that contains
the banner files. The banner files have the same names as
the daemons they will apply to. That is, the banner for the
in.ftpd daemon is in a file named in.ftpd. It is possible
to have a different banner for each rule in hosts.allow should
you so desire.
See the Banners.Makefile file in the TCPwrappers directory
for complete instructions on how to set up and use banners
with TCPwrappers. There is also a Linux Gazette article available
that describes how to install TCPwrappers and add banners:
http://www.linuxgazette.com/issue15/tcpd.html
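The hosts.allow rule form and the per-daemon banner files described above, checked by a script; this is an added example, not part of the original page or of the TCPwrappers distribution. The function names, the /etc/banners directory and the sample rules are constructed, and the parser assumes one rule per line with explicit daemon names (no wildcards or continuation lines).

```shell
#!/bin/sh
# Added example: find hosts.allow rules whose banners directory lacks a file
# named after one of the rule's daemons. Handles explicit daemon names only.

# Print "daemon banner_dir" for every rule that carries a banners option.
banner_rules() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        {
            dir = ""
            for (i = 3; i <= NF; i++) {            # options follow the client list
                opt = $i
                gsub(/^[ \t]+|[ \t]+$/, "", opt)
                if (opt ~ /^banners[ \t]+/) { sub(/^banners[ \t]+/, "", opt); dir = opt }
            }
            if (dir == "") next
            n = split($1, daemons, /[ \t,]+/)
            for (j = 1; j <= n; j++)
                if (daemons[j] != "") print daemons[j], dir
        }' "$1"
}

# Report daemons with no (or an empty) banner file; return how many.
# PREFIX (optional) is prepended to the banner path, for checking a staged tree.
missing_banners() {
    prefix=${2:-}; missing=0
    while read -r daemon dir; do
        [ -n "$daemon" ] || continue
        if [ ! -s "$prefix$dir/$daemon" ]; then
            echo "no banner file for $daemon in $dir"
            missing=$((missing + 1))
        fi
    done <<EOF
$(banner_rules "$1")
EOF
    return "$missing"
}

# Constructed demo: only in.ftpd has a banner file.
demo=$(mktemp -d)
mkdir -p "$demo/etc/banners"
echo "PLACEHOLDER-BANNER-TEXT" > "$demo/etc/banners/in.ftpd"
cat > "$demo/hosts.allow" <<'EOF'
in.ftpd: ALL: banners /etc/banners
in.telnetd, in.rlogind: .example.org: banners /etc/banners: allow
in.fingerd: ALL
EOF
missing_banners "$demo/hosts.allow" "$demo" || echo "missing: $?"
rm -rf "$demo"
```

Rules without a banners option, such as the in.fingerd line in the sample, are skipped, which suits services whose protocol is not meant to be read by people.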