3.6.1.3 OpenSSH - Banner - banner text

Information

The recommendation is to edit the /etc/ssh/sshd_config file and configure a path to a login herald message.

The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.

Rationale:

Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system.

Solution

Create an SSH banner file:

printf 'Unauthorized use of this system is prohibited.\n' > /etc/ssh/ssh_banner

NOTE: The content of the banner file can reflect any internal acceptable usage policy standards.

Edit the /etc/ssh/sshd_config file and customize the Banner parameter:

vi /etc/ssh/sshd_config

Replace:

#Banner /some/path

With:

Banner /etc/ssh/ssh_banner

Recycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
sleep 5
startsrc -s sshd
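
To confirm the change took effect, the following check reads the global Banner setting and verifies the file it names. It is an added example, not part of the benchmark text; the function name check_ssh_banner is hypothetical, and it assumes the whitespace-separated "Banner /path" form used above.

```shell
# Added example: audit helper for the Banner setting (not benchmark code).
# Usage: check_ssh_banner [CONFIG]   (CONFIG defaults to /etc/ssh/sshd_config)
# Return codes:
#   0 = Banner is set and the file is readable and non-empty
#   1 = no global Banner directive, or "Banner none"
#   2 = Banner is set but the file is missing, unreadable or empty
#   3 = the configuration file cannot be read
check_ssh_banner() {
    cfg=${1:-/etc/ssh/sshd_config}
    if [ ! -r "$cfg" ]; then
        echo "ERROR: cannot read $cfg" >&2
        return 3
    fi
    # sshd keeps the first value it sees for a keyword, keywords are
    # case-insensitive, and lines starting with '#' are comments.
    # Parsing stops at the first Match block: a Banner set there applies
    # only to matching connections, not to every user.
    banner=$(awk '
        /^[ \t]*#/                { next }
        tolower($1) == "match"    { exit }
        tolower($1) == "banner"   { print $2; exit }
    ' "$cfg")
    case $banner in
        ''|[Nn][Oo][Nn][Ee])
            echo "FAIL: no Banner configured in $cfg"
            return 1 ;;
    esac
    if [ -r "$banner" ] && [ -s "$banner" ]; then
        echo "PASS: Banner $banner"
        return 0
    fi
    echo "FAIL: Banner file $banner is missing, unreadable or empty"
    return 2
}
```

Because sshd was restarted in the previous step, the value found in the file is the one the running daemon uses; if the file was edited without a restart, a PASS here does not mean the banner is being presented.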

Default Value:

No banner is configured

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-8

Plugin: Unix

Control ID: 820f57fce2b125191f9e54fe960704edce2b1264594c970eaa763fa16f70ec88