5.1.5 Ensure sshd Banner is configured

Information

The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.

Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system.

Solution

Edit the /etc/ssh/sshd_config file to set the Banner parameter above any Include and Match entries as follows:

Banner /etc/issue.net

Note: The first occurrence of an option takes precedence, Match set statements notwithstanding. If Include locations are enabled and used, and their order of precedence is understood in your environment, the entry may be created in a file in an Include location.

Edit the file being called by the Banner argument with the appropriate contents according to your site policy, remove any instances of \m, \r, \s, \v or references to the OS platform.

Example:

# printf '%s\n' "Authorized users only. All activity may be monitored and reported." > "$(sshd -T | awk '$1 == "banner" {print $2}')"
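
The two conditions in the solution above (Banner set before any Match or Include entry, and a banner file free of \m, \r, \s, \v and OS platform references) can be checked offline with the following added example, which is not part of the benchmark. The function names, the sample files and the "debian" OS identifier are constructed for illustration, and the check assumes whitespace-separated directives and treats any Include above Banner as a failure.

```shell
#!/bin/sh
# Added example (not from the benchmark): offline check of a Banner setting.

# Print the path of the first Banner directive that appears before any
# Match or Include line; print nothing if there is none.
banner_path() {
    awk '{ key = tolower($1) }
         key == "match" || key == "include" { exit }
         key == "banner" { print $2; exit }' "$1"
}

# audit_banner CONFIG [OS_ID]: return 0 only if the banner is set and clean.
audit_banner() {
    cfg=$1; os_id=${2:-}
    path=$(banner_path "$cfg")
    case $path in
        ''|none) echo "FAIL: no Banner above Match/Include in $cfg"; return 1 ;;
    esac
    [ -r "$path" ] || { echo "FAIL: cannot read $path"; return 1; }
    # The page says to remove \m, \r, \s and \v (literal backslash + letter).
    if grep -Eq '\\[mrsv]' "$path"; then
        echo "FAIL: $path contains an m/r/s/v escape"; return 1
    fi
    # Optional: reject a banner that names the platform (case-insensitive).
    if [ -n "$os_id" ] && grep -Fiq -- "$os_id" "$path"; then
        echo "FAIL: $path references the OS platform ($os_id)"; return 1
    fi
    echo "PASS: $path"
}

# Constructed sample files (hypothetical paths under a temp directory).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'Authorized users only. All activity may be monitored and reported.' > "$demo_dir/issue.good"
printf '%s\n' 'Welcome to \s \r on \m' > "$demo_dir/issue.bad"
printf '%s\n' "Banner $demo_dir/issue.good" 'Match User admin' > "$demo_dir/good.conf"
printf '%s\n' 'Match User admin' "Banner $demo_dir/issue.good" > "$demo_dir/late.conf"
printf '%s\n' "Banner $demo_dir/issue.bad" > "$demo_dir/leaky.conf"

for name in good late leaky; do
    audit_banner "$demo_dir/$name.conf" debian || true
done
```

On a live host, pass the active sshd_config and the ID value from /etc/os-release as the second argument.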

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-8

Plugin: Unix

Control ID: f04ae630c49269d7f19b017f714aaf263f384e2e13b821488387dbfb23c01d20