Greetings all,
As I mentioned in the conference call, we have a slightly different way of doing the login banner that also gets the user's acknowledgement sent to /var/log/secure (or the equivalent). I should note that our tool helps with remediating a box against several different guidelines. Hence we tried to find as 'simple' a way to do this as possible, without large banners looking seriously cramped (i.e., cramming the full DoD login banner into the default authentication dialog on a small screen). We also tried to support both pure Gnome (GDM) and KDE (kdm). I'll handwave through the details (ping me if you'd like more info).
Basically we add wording to the main login with text along the lines of:
All users will be required to read and accept a 'Consent to Monitor' statement before being allowed to login.
The response will be logged.
This text fits nicely on most of the OSes we support, and is shown on every graphical login attempt on the main authentication display. Currently for GDM on Fedora/RHEL6 we make these changes to /apps/gdm/simple-greeter/*; on most of the other Linux boxes we change the /etc/X11/gdm/gdm.conf or /etc/gdm/custom.conf file instead. For KDM it all goes to /usr/share/config/kdm/kdmrc.
To display the actual required login banner we tweak the /etc/X11/gdm/PreSession/Default (Solaris), /etc/X11/xdm/Xsession (RH4), or /etc/X11/xinit/Xsession (everyone else) file to call a script that uses zenity or kdialog (using the first one found) to display the text of the banner. Since we do support other guidelines that may just require notification, our dialog may have just an acknowledgement button or an explicit accept/deny button. The user's response is logged using the first of /usr/sbin/logger, /sbin/logger, /usr/bin/logger, or /bin/logger with authpriv.notice. Obviously if the user hits deny we fail out back to the authentication screen.
Disadvantages: change to expected login procedure/alternate login manager, extra script on login
Advantages: acknowledgement that the login banner was accepted/read is tied to a particular user, better framing of potentially large banner text
Sincerely,
Rob Sanders
===========================
Rob Sanders
Sr. Secure Systems Engineer
Raytheon Trusted Computer Solutions
12950 Worldgate Drive, Suite 600
Herndon, Virginia 20170
Security Blanket Support: 1-866-230-1317
Security Blanket Email: SecurityBlanket(a)TrustedCS.com
Office: 703-896-4762
Fax: 703-318-5041
Email: RSanders(a)TrustedCS.com
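The Xsession hook described in the message above, written out as an added example (this is not Security Blanket's script and is not code from the original mail). It assumes zenity and kdialog live at /usr/bin/zenity and /usr/bin/kdialog, uses the logger search order and the authpriv.notice priority from the mail, and ships a constructed placeholder banner instead of the real DoD text. The hook path /etc/security/login-banner.sh and the BANNER_MODE/BANNER_TEXT variables are hypothetical names chosen for the example. When no dialog tool is found the example fails closed, which is a design choice of the example rather than something the mail states.

```shell
#!/bin/sh
# login-banner.sh (hypothetical path: /etc/security/login-banner.sh), an added example.
# Called from /etc/X11/xinit/Xsession; a non-zero exit from this script is meant to abort
# the session so the display manager drops back to the greeter.

# Constructed placeholder banner, not the real DoD text. Override with BANNER_TEXT.
BANNER_TEXT="${BANNER_TEXT:-CONSENT TO MONITOR (placeholder text). Use of this system constitutes consent to monitoring.}"
# BANNER_MODE=ack  -> single acknowledgement button (notification-only guidelines)
# BANNER_MODE=consent -> explicit Accept / Deny buttons
BANNER_MODE="${BANNER_MODE:-consent}"

# first_found PATH... : print the first argument that is an executable file; return 1 if none.
first_found() {
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# format_log_line USER RESULT : the audit message that ends up in /var/log/secure.
format_log_line() {
    printf 'login banner %s by user %s on display %s' "$2" "$1" "${DISPLAY:-unknown}"
}

# log_response USER RESULT : send the audit line via the first logger found (authpriv.notice).
# If no logger exists the line goes to stderr so the record is never silently dropped.
log_response() {
    msg=$(format_log_line "$1" "$2")
    if logger_bin=$(first_found /usr/sbin/logger /sbin/logger /usr/bin/logger /bin/logger); then
        "$logger_bin" -p authpriv.notice -t login-banner "$msg"
    else
        printf '%s\n' "$msg" >&2
    fi
}

# show_banner [TOOL...] : display the banner with the first tool found.
# Returns 0 = accepted/acknowledged, 1 = denied, 2 = no dialog tool available.
show_banner() {
    [ $# -gt 0 ] || set -- /usr/bin/zenity /usr/bin/kdialog   # assumed install paths
    tool=$(first_found "$@") || return 2
    case "$tool" in
        */zenity)
            if [ "$BANNER_MODE" = ack ]; then
                "$tool" --info --width=600 --title="Consent to Monitor" --text="$BANNER_TEXT"
                return 0
            fi
            "$tool" --question --width=600 --title="Consent to Monitor" \
                --ok-label=Accept --cancel-label=Deny --text="$BANNER_TEXT"
            ;;
        */kdialog)
            if [ "$BANNER_MODE" = ack ]; then
                "$tool" --title "Consent to Monitor" --msgbox "$BANNER_TEXT"
                return 0
            fi
            "$tool" --title "Consent to Monitor" --yes-label Accept --no-label Deny --yesno "$BANNER_TEXT"
            ;;
    esac
    return $?   # zenity --question / kdialog --yesno: 0 on Accept, 1 on Deny
}

# outcome RC : map the dialog exit code to the audit label (stdout) and to the exit status the
# Xsession hook must propagate (0 = let the session continue, 1 = abort back to the greeter).
outcome() {
    case "$1" in
        0) if [ "$BANNER_MODE" = ack ]; then echo acknowledged; else echo accepted; fi; return 0 ;;
        1) echo denied; return 1 ;;
        *) echo undisplayable; return 1 ;;   # design choice here: fail closed if the banner cannot be shown
    esac
}

main() {
    user="${USER:-$(id -un)}"
    rc=0
    show_banner || rc=$?
    result=$(outcome "$rc"); status=$?
    log_response "$user" "$result"
    return "$status"
}

# Run the flow only when invoked as the hook itself; sourcing the file just defines the functions.
case "${0##*/}" in login-banner.sh) main; exit $? ;; esac
```

Wire it in from Xsession with a line such as `/etc/security/login-banner.sh || exit 1` before the session is exec'd, so a Deny (or an undisplayable banner) ends the session and the greeter comes back; the `login-banner accepted by user ...` / `denied by user ...` lines then show up in /var/log/secure under authpriv.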