Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
U.S. case law has set the standard that a computer hacker has to have prior knowledge that his activities are not allowed. When the hacker is not breaking the law, he can contend that he would have no way of knowing that his activities were not acceptable. As a defense, he will probably be able to produce other environments where the activities are acceptable. So, it has become a legal imperative that a warning message be posted so that the intruder is aware that he is committing an inappropriate act. These messages should state that the system is the property of the organization, is subject to monitoring, that there is no expectation of privacy, and that unauthorized use is prohibited. The exact wording should be determined by your legal department.

Posting Warning Banners

A requirement for successfully prosecuting unauthorized users who improperly use a government computer is that the computer must have a warning banner displayed at all access points. That banner must warn both authorized and unauthorized users. The Department of Energy's Office of the General Counsel has approved the following banner for Federal Government computer systems:

[81] J-043g: Creating Login Banners, CIAC, 9 May 2000.

Any open service needs to have a warning banner. Removing services from the system improves security and eliminates the need to have a warning banner for that service. The details of implementing warning banners for UNIX machines depend on the particular vendor and service. For machines that do not use these methods for displaying banners, consult the man pages for each service to see if there is a banner mechanism available.

Terminal Access

For many recent systems (Sun, Linux), creating the file /etc/issue containing the banner text causes the banner text to be displayed before the console login and before all interactive logins such as telnet, rsh, and rlogin. Linux systems use two such files, /etc/issue for console logins and /etc/issue.net for telnet logins, so be sure to place the banner text in both. For other systems and for services that do not respond to the /etc/issue file, put the banner text in the file /etc/motd. The contents of this file are displayed by the global /etc/.login and the /etc/profile files, depending on which shell you start (sh or csh), immediately after a successful login. Displaying the /etc/motd file immediately after login is also an option for the Secure Shell daemon, sshd, and is set in the /usr/local/etc/sshd_config file.

FTP Access

Newer versions of the FTP daemon provide for a banner message to be displayed prior to the remote user entering his username and password. This is configured in the /etc/ftpaccess file. The following entry displays the file /etc/ftpbanner to anyone who connects to the ftp daemon:

    banner /etc/ftpbanner

Web Access

Add a JavaScript program to your home page that is executed whenever the page is loaded. No matter which initial banner you use, each page should contain a button in the header or footer labeled "Notice To Users" that takes the user to a page that displays the banner or that runs the JavaScript banner. The following JavaScript program is run whenever the page containing it is loaded and displays the banner in a dialog box with an OK button. To add it to a web page, copy everything between the two SCRIPT tags, including the tags, into the HEAD of the web page. To make it run whenever the page is loaded, add the onLoad="do_banner()" attribute to the BODY tag. Note that if the users have JavaScript turned off for their browser, this JavaScript banner will not be displayed.

    <HTML>
    <HEAD>
    <TITLE>Home Page</TITLE>
    <SCRIPT LANGUAGE="JavaScript">
    function do_banner()
    {
      var msg = "<HTML><HEAD><TITLE>NOTICE TO USERS</TITLE></HEAD>\n"+
        "<BODY BGCOLOR=white><FONT FACE='Times' SIZE=2>\n"+
        "<CENTER>NOTICE TO USERS</CENTER>\n"+
        "THE HTML FOR THE TEXT OF THE BANNER GOES HERE "+
        "<CENTER>\n"+
        "<FORM>\n"+
        "<INPUT TYPE=button VALUE='OK' onClick=window.close()>\n"+
        "</FORM>\n"+
        "</CENTER>"+
        "</FONT></BODY></HTML>";
      win1 = window.open("", "messageWindow",
        "toolbar=no,scrollbars=yes,width=600,height=500")
      win1.document.write(msg)
    }
    </SCRIPT>
    </HEAD>
    <BR>
    <!--The following line starts the body of the web page and runs the
    JavaScript banner program whenever the page is loaded. -->
    <BODY onLoad="do_banner()">
    .
    .
    <!---body of the home page--->
    .
    </BODY>
    </HTML>
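
The following audit script is an added example, not code from the book. It checks the banner files named under Terminal Access and FTP Access for the four elements a warning message should state. The keyword patterns, function names, and sample tree are assumptions; the approved wording comes from your legal department.

```sh
# Added example: audit login-banner files under a filesystem root.
# The four patterns are assumed keywords; match them to your approved wording.

# check_banner FILE: succeed only if FILE is non-empty and has every element.
check_banner() {
    file=$1; rc=0
    [ -s "$file" ] || { echo "MISSING    $file"; return 1; }
    for pat in 'property of' 'monitor' 'no expectation of privacy' \
               'unauthorized.*prohibited'; do
        # Join lines first so a phrase wrapped across two lines still matches.
        tr '\n' ' ' < "$file" | grep -Eiq "$pat" ||
            { echo "INCOMPLETE $file: nothing matches '$pat'"; rc=1; }
    done
    [ "$rc" -ne 0 ] || echo "OK         $file"
    return "$rc"
}

# audit_root ROOT: check each banner location named in the text under ROOT.
# Treating all three terminal files as required is an assumption.
audit_root() {
    root=${1%/}; fail=0
    for f in /etc/issue /etc/issue.net /etc/motd; do
        check_banner "$root$f" || fail=1
    done
    # Follow the "banner <file>" directive in /etc/ftpaccess, if FTP is set up.
    if [ -f "$root/etc/ftpaccess" ]; then
        ftpb=$(awk '$1 == "banner" { print $2; exit }' "$root/etc/ftpaccess")
        if [ -n "$ftpb" ]; then check_banner "$root$ftpb" || fail=1
        else echo "MISSING    banner directive in $root/etc/ftpaccess"; fail=1
        fi
    fi
    return "$fail"
}

# make_sample_root: constructed test tree (hypothetical banner, not real files).
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc"
    printf '%s\n' 'This system is the property of Example Org, is subject to' \
        'monitoring, and users have no expectation of' \
        'privacy. Unauthorized use is prohibited.' > "$d/etc/issue"
    cp "$d/etc/issue" "$d/etc/issue.net"
    echo 'Welcome to the lab server.' > "$d/etc/motd"
    echo 'banner /etc/ftpbanner' > "$d/etc/ftpaccess"
    echo "$d"
}

# Run as "sh audit.sh /" to audit a live system; with no argument do nothing.
[ $# -eq 0 ] || audit_root "$1"
```

On the constructed tree, /etc/motd is reported as incomplete and the file named by the FTP banner directive as missing; the script's exit status is non-zero until every location carries the full text.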