LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-26-2008, 06:58 PM   #1
legcard
Member
 
Registered: May 2007
Posts: 33

Rep: Reputation: 15
Need to add a consent ack to login process


Note: Post editted to provide policy reference

The US government has long had a policy that requires that all computers display a warning banner blurb when users log in.

A recent new wrinkle is DoD CIO memo dtd 9 May 2008 Policy on Use of Department of Defense (DoD) Information systems - Standard Consent Banner and User Agreement) which states ["banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by click on a box indicating "OK".] I've heard that this ia a simple registry setting in windows but I need to comply on my unix/linux boxes as well.

I thought that it would be easy to add a branch out to the scriptlet from the .bash_profile. Not so. I wrote a simple script to ask "do you consent" and then read the answer. Yes means continue, no means you get logged off.

My RedHat 4.6 test box won't let me (root)back on the system after I makes these changes and logout.
----------------------------------------------------------------
Here is my consent script (called red4):
#!/bin/sh
echo `cat /etc/issue`
echo " "
echo "I have read and consent to DOD Warning banner"
echo " "

echo "Enter yes or no"
read ACK
while [ "$ACK" != "yes" ]
do
echo " "
echo "Login cannot proceed until you Accept by answering yes"
echo " "
echo " Logging out"
exit
done
echo "Login will continue"
------------------------------------------------------------
Here is my .bash_profile with the callout to red4:
----------------------------------------------------------------
# .bash_profile
echo "I have read that stuff"

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

if [ -f ~/red4 ]; then # consent banner
. ~/red4 # consent banner
fi # consent banner

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
unset USERNAME
-----------------------------------------------------
I have not done a lot of scripting so I amy be doing something way off.

And this is the error I get when I try to login as root:
Pop up with Your session only lasted less than 10 sec, etc

and I put a check in the "look at the ~/.xsession-errors file box and click OK. and see:
------------------------------------------------------------
/etc/X11/gdm/PreSession/Default: Registering with wtmp and utmp
/etc/X11/gdm/PreSession/Default: running: /usr/bin/X11/sessreg -a
-w /var/log/wtmp -u /var/run/utmp -x "/var/gdm/:0.Xservers" -h "" -l
":0" "root:"
And then the text of my consent banner is the next line.
--------------------------------------------------------------
Any ideas what I am doing wrong? Thank you in advance.

Linda

Last edited by legcard; 06-27-2008 at 10:03 AM.
 
Old 06-27-2008, 11:56 AM   #2
Chromezero
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Slackware, RHEL, others
Posts: 470

Rep: Reputation: 40
You might want to take a look at "issue", "issue.net", and "motd", it could save you some time. I use this on our systems, for a similar purpose.

From the man pages....
Quote:
ISSUE(5) Linux Programmer's Manual ISSUE(5)

NAME
issue - pre-login message and identification file

DESCRIPTION
The file /etc/issue is a text file which contains a message or system identification to be printed before the login prompt. It may
contain various @char and \char sequences, if supported by mingetty(8).

FILES
/etc/issue

Last edited by Chromezero; 06-27-2008 at 11:58 AM.
 
Old 06-27-2008, 12:34 PM   #3
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Yes, we use the issue file which is nothing more than a text file that displays when you log in. I got that.

I need to display the file, have the use type yes to acknowledge and then he continues with login. If he answers anything but "yes", he gets logged out.

I googled as much of the error that displays in the dialog box when I get the "Your session only lasted less than 10 sec, etc" and it is all over the internet. But no solutions. I have to boot from CD to edit out the running of my red4 script inside the .bash_profile so the system will at least let me login.

There may actually be more to the .xsession-error file that would give me some hint to the problem but you can't get there from here.... The dialog box shows me what is in the original post and the only repsonse is OK. Then I get the login screen again and then grab the install cd to boot from. When I "linux rescue" and try to find a .xsession-error file, there is none. Sort of makes sense to me, it is a session file and as soon as I booted from CD, I started a new CD.

I checked my perms:
/var/log/wtmp was 644: did chmod 666; same for /var/run/utmp
There is a /usr/bin/X11/sessreg with root:root 755.

Did a strings on sessreg and noticed that it does "write wtmp entry". Hmmm, there were also "write...entry" for utmp and lastlog. So I did chmod 666 /var/log/lastlog (which was previously 400). Exited out of booted from cd and logged back in.

Same.

And my disks are nowhere near full - noticed that was Standard answer #1 on some of the other google requests for help.

All ideas welcome.
 
Old 06-27-2008, 05:33 PM   #4
Chromezero
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Slackware, RHEL, others
Posts: 470

Rep: Reputation: 40
I'm not much of an expert with scripts, but I do tinker around a bit. I was able to get a script working, although actually logging the user out causes some issues. Have a look...
Code:
#!/bin/sh
echo `cat /etc/issue`
echo " "
echo " "

echo "Do you agree? [yes] or [no]"
read ACK
if [ "$ACK" = "yes" ]
then
        echo "Logging you in"
else
        echo "Logging you out"
        echo " "
        sleep 5
        killall -u %USER
fi
One suggestion I have is possibly doing a killall for the user. This, of course, will take a few more lines of code to grep for pid's for the user and kill them off.

*edit*
So I played around with the killall option and it seems to work ok. It's not the cleanest approach, but it did work.

Last edited by Chromezero; 06-27-2008 at 05:39 PM. Reason: added killall command and it seems to work.
 
Old 06-28-2008, 10:06 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Got a link to this document?

This won't help much but the idea that someone has to comply before logging in won't solve a thing, security-wise, which is why must AUPs and EULA-type docs state that usage of said medium means that you acknowledge and will comply with policy.

Sorry I couldn't help more (although my reply is definitely security-oriented).

Last edited by unixfool; 06-28-2008 at 04:12 PM.
 
Old 06-28-2008, 12:22 PM   #6
Chromezero
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Slackware, RHEL, others
Posts: 470

Rep: Reputation: 40
The point of directives like this to maintain accountability. If a person says, "yes" I agree, then they can be held liable if they violate regulations. They can't say, "I didn't know I couldn't download porn on a Government computer", because they acknowledged that they would adhere to the policies. This may not be the exact regulation that legcard was referring to, but I suspect it's very similar. Have a look...

New Computer Banner Balances Security, Privacy Considerations
 
Old 06-28-2008, 12:59 PM   #7
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Quote:
Originally Posted by Chromezero View Post
The point of directives like this to maintain accountability. If a person says, "yes" I agree, then they can be held liable if they violate regulations. They can't say, "I didn't know I couldn't download porn on a Government computer", because they acknowledged that they would adhere to the policies. This may not be the exact regulation that legcard was referring to, but I suspect it's very similar. Have a look...

New Computer Banner Balances Security, Privacy Considerations
I think it doesn't make much of a difference over a simple login banner. I would think that a typical login banner, signed security policy, and a security awareness program which reminds users that they may be monitored would be enough. Next thing you know we're going to have to play an mp3 of the banner during every login.
 
Old 06-28-2008, 04:11 PM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by OlRoy View Post
I think it doesn't make much of a difference over a simple login banner. I would think that a typical login banner, signed security policy, and a security awareness program which reminds users that they may be monitored would be enough. Next thing you know we're going to have to play an mp3 of the banner during every login.
Bingo!

I concur. This is what I normally see with our federal customers now and in the past when I was an onsite government contractor. Using such systems usually implies that you agree to certain usage standards and in most cases they also state that you may be monitored.
 
Old 06-28-2008, 04:18 PM   #9
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by Chromezero View Post
The point of directives like this to maintain accountability. If a person says, "yes" I agree, then they can be held liable if they violate regulations. They can't say, "I didn't know I couldn't download porn on a Government computer", because they acknowledged that they would adhere to the policies. This may not be the exact regulation that legcard was referring to, but I suspect it's very similar. Have a look...

New Computer Banner Balances Security, Privacy Considerations
I think the document the OP is referencing is here (HTML-readable here)

Last edited by unixfool; 06-28-2008 at 04:20 PM.
 
Old 06-29-2008, 12:13 AM   #10
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 61
I'm sorry, I don't have an RH 4 system, so i can't give you specifics here. But the general problem is that you are trying to obtain interactive shell input during a non-interactive shell being started by the GDM session manager. The graphical interface sessions are started by another file, which controls the graphical clients started upon successful login.

You can probably use the zenity graphical client to show your info, and request an answer from the user, and use the return value from zenity to exit/continue the session.

Here is a site that explains the difference between the two types of logins (login vs. session).

http://dailypackage.fedorabook.com/i...-Sessions.html

See also: http://www.gnome.org/projects/gdm/docs/gdmtalk.pdf

in particular, discussion of the PostLogin script.

Last edited by Mr. C.; 06-29-2008 at 12:33 AM.
 
Old 07-03-2008, 10:17 AM   #11
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Talking

MR. C, thank you. I researched zenity and despite the lacking documentation, I got it to work on my RHEL 4.5 test box. I added about 14 lines to my /etc/profile. A bit clunky but it displays the warning and asks for acknowledgement. "Yes" continues the login and "No" logs the user out. When I went to install it on my production RHEL 4.5 box, I was missing several GNOME packages (scrollkeeper and beaucoup libs). Added Gnome and found that it did not play well with my major application. Hmmm.

Then I found kdialog and made that work without any additioanl packages on the production side. It is a cleaner look, I think. I will keep the zenity because I still have to do this task on Solaris 8 boxes which are already fielded.

I have included both the zenity and the kdialog in case anybody else wants to give it a go.

kdialog Consent Banner (added these lines to the end (just before the unset commands) in the /etc/profile file)


kdialog --title "Consent Banner and User agreement" --yesno \
"#########################################################################\n
# You are accessing a U.S. Government (USG) information system\n
# (IS) that is provided for USG-authorized use only.\n
#\n
# By using this IS (which includes any device attached to this IS),\n
# you consent to the following conditions:\n
#\n
# - The USG routinely intercepts and monitors communications on this IS\n
# for purposes including, but not limited to, penetration testing,\n
# COMSEC monitoring, network operations and defense, personnel\n
# misconduct (PM), law enforcement (LE), and counterintelligence\n
# (CI) investigations.\n
#\n
# - At any time, the USG may inspect and seize data stored on this IS\n
#\n
# - Communications using, or data stored on, this IS are not private,\n
# are subject to routine monitoring, interception, and search, and\n
# any device attached to this IS, may be disclosed or used for\n
# any USG-authorized purpose.\n
#\n
# - This IS includes security measures (e.g., authentication and access\n
# controls) to protect USG interests -- not for your personal benefit or\n
# privacy.\n
Do you accept this login policy? "

if [ "$?" = "0" ]
then
kdialog --title "Please wait......" --passivepopup \
"You are being logged in" 3
else
kdialog --title "NO responses to the Consent Banner" --passivepopup \
" are automatically logged off" 10
exit
fi


Zenity Consent Banner (added these lines to the end (just before the unset commands) in the /etc/profile file)

zenity --info \
--text "`cat /etc/issue`"

ANSWER=$(xmessage "Do you acknowledge consent? " -buttons yes,no -print)

if [ "$ANSWER" = "yes" ]
then
zenity --info \
--text "Please wait while you are logged onto the system"
else
zenity --info \
--text "NO responses to the Consent Banner are automatically logged off"
exit
fi


Thanks again,
Linda
 
Old 07-03-2008, 11:23 AM   #12
Chromezero
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Slackware, RHEL, others
Posts: 470

Rep: Reputation: 40
Good info, thanks for posting it.
 
Old 07-10-2008, 11:46 AM   #13
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Now won't boot up

As mentioned above, I added about 14 lines to my /etc/profile so everybody got a message during login that required them to click "yes' or "no". It worked great....at least I thought so. We power everything down at night due to ancient cooling system. I mention this because I thought that we had booted down without problems several times while working on this Consent Banner thing.

But now I get the dreaded and oft mentioned error message:
"INIT:Id "x" respawning too fast: disabled for 5 minutes. " And of course, it does not come up. I googled it and found several things but they don't sound like the same thing. So I put the original /etc/profile back out there and it boots up fine. I tried moving my addition to the /etc/profile file to the end of the file; same results. I tried shortening the text of the consent banner; same. I verified that nothing went past cc 78; good.

My idea of putting this in the /etc/profile is that it would be executed by every user, be executed first and only once (unless you su and then you get the consent banner again - that's OK). Now, I'm wondering if maybe the /etc/profile has to remain pristine. If I try to put this in, say, the .bash_profile or .bashrc file, then I will have to edit every user's .bash_profile or .bashrc file. Ugh!

I have included my /etc/inittab, /etc/sysconfig/desktop, and /etc/X11/prefdm files in case needed.

I am out of ideas. All help will be appreciated.
* * * * * * * * * * * * * ** * * * * * * * * * *
/etc/inittab file:
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf:owerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345owerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"


# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon

* * * * * * * * * * * * * * * * * * * * * * ** *
Here is the /etc/sysconfig/desktop:
DESKTOP="kde"

* * * * * * * * ** * * ** *** * * ** * * * * * * *

And here is the /etc/X11/prefdm:

#!/bin/sh

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin


# shut down any graphical boot that might exist
if [ -x /usr/bin/rhgb-client ]; then
/usr/bin/rhgb-client -quit
fi

# We need to source this so that the login screens get translated
[ -f /etc/profile.d/lang.sh ] && . /etc/profile.d/lang.sh

# Run preferred X display manager
preferred=
if [ -f /etc/sysconfig/desktop ]; then
. /etc/sysconfig/desktop
if [ "$DISPLAYMANAGER" = GNOME ]; then
preferred=gdm
elif [ "$DISPLAYMANAGER" = KDE ]; then
preferred=kdm
elif [ "$DISPLAYMANAGER" = XDM ]; then
preferred=xdm
fi
fi

shopt -s execfail

[ -n "$preferred" ] && exec $preferred "$@" >/dev/null 2>&1

# Fallbacks, in order
exec gdm "$@" >/dev/null 2>&1
exec kdm "$@" >/dev/null 2>&1
exec xdm "$@" >/dev/null 2>&1

# catch all exit error
exit 1

TIA,
Linda
 
Old 07-10-2008, 02:08 PM   #14
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by legcard
I am out of ideas. All help will be appreciated.
Quote:
Originally Posted by legcard
A recent new wrinkle is DoD CIO memo dtd 9 May 2008 Policy on Use of Department of Defense (DoD) Information systems - Standard Consent Banner and User Agreement) which states ["banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by click on a box indicating "OK".]
IANAL, and I hate when tech geeks provide their "legal advice", but... the wording "to the extent permitted by the operating system" has my attention in this case. What does that mean exactly? I'd consult with your legal support staff to understand what you're required to do when there is not a practical technical approach to solving that particular problem.

If I were absolutely forced to solve this B.S. problem on the technical side I would likely look into a PAM module that would make typing in "OK" requisite to authentication. Does this module exist? I have no idea.

A much better approach would be to display a ssh banner (if that's the service you are providing) which clearly informs users that by logging in they agree to the legal terms. Will your auditors be satisfied with this? Again, I have no idea.

Good luck.
 
Old 07-10-2008, 02:26 PM   #15
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 61
Quote:
Originally Posted by legcard View Post
...

if [ "$?" = "0" ]
$? is an integer, and does not need to be quoted (it always has a value). Nor does 0 need to be quoted. Use == or = for string comparison, and -eq / -ne for integer comparison. So:


if [ $? -eq 0 ]

INIT spawning too fast means init spawns a program, but the program immediately dies, so init spawns again, etc. etc. etc. It eventually stops trying, and gives you that nasty message.

You typically want to protect any interactive shell startup code behind a test such that for non-interactive shells, your interactive code does not execute.

Code:
[ -z "$PS1" ] && return 0

or 

if [ -n "$PS1" ] ; then

  do interactive stuff

fi

Last edited by Mr. C.; 07-11-2008 at 02:08 AM. Reason: I was mistaken about = vs. == : both are valid string comparison operators
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
add a process brianmay27 Linux - Software 1 07-23-2007 02:31 AM
4.56 GB deleted without any consent. Random. Ichpuchtli SUSE / openSUSE 4 07-05-2006 07:57 PM
LXer: Microsoft's Calling Home Problem: It's a Matter of Informed Consent LXer Syndicated Linux News 3 06-15-2006 02:16 PM
add a process to boot? alphamike Linux - Newbie 3 09-06-2005 01:20 PM
cursor jumps to mouse location without my consent Myron Linux - Hardware 1 02-08-2004 10:34 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration