Update Login Banner

What the login banner configuration Worklet does

This Automox Worklet™ automates SSH login banner configuration by updating the /etc/motd file and verifying that /etc/sshd_config references it correctly. The Worklet detects whether the banner directive already exists in sshd_config and either uncomments it, adds it, or leaves it unchanged if already present.

The Worklet then verifies or creates the /etc/motd file with a standardized security warning banner. If changes occur, it automatically restarts the SSH daemon (sshd) so the new configuration takes effect immediately.

Why configure SSH login banners

Login banners serve as a critical security and compliance control. They display a warning message before users authenticate, which can deter unauthorized access attempts, inform users that their actions are monitored, and document your security policy at the point of entry.

Many compliance frameworks including CIS Benchmarks, HIPAA, and SOC 2 require visible access warnings. Without a consistent banner strategy, endpoints may lack this control, leaving your organization exposed to configuration drift and compliance gaps.

How SSH login banner deployment works

1. Evaluation phase: The Worklet checks whether /etc/ssh/sshd_config exists and scans it for a banner directive pointing to /etc/motd. It also checks if /etc/motd exists and compares its current contents to the desired banner text.

2. Remediation phase: If the banner directive is missing, the Worklet adds "banner /etc/motd" to sshd_config. If it exists but is commented out, the Worklet uncomments it. The Worklet then creates or overwrites /etc/motd with the standard security warning message, sets ownership to root:root, and applies 644 permissions. After any changes, it restarts sshd so the configuration takes effect.

Login banner configuration requirements

• Linux endpoints with OpenSSH installed (most distributions include this)

• /etc/ssh/sshd_config file must be present and readable

• Root or sudo permissions required to modify SSH configuration files

• SSH service (sshd) must be able to restart without blocking other critical services

• Supported on all major Linux distributions (RedHat, CentOS, Ubuntu, Debian, etc.)

• FixNow compatible for immediate remediation via RunNow capability

Expected login banner state after remediation

After the Worklet runs, all SSH login attempts on the endpoint will display the configured banner message before prompting for credentials. You can verify the banner by initiating a new SSH connection to the endpoint and confirming the message appears before the password prompt. The message reads: "This is a private server. All connections are monitored and recorded. Disconnect IMMEDIATELY if you are not an authorized user."

You can verify the configuration by checking the /etc/ssh/sshd_config file (should contain "banner /etc/motd") and the /etc/motd file (should contain the warning banner text). The next SSH login session will display the banner automatically.

How to validate update login banner changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for update login banner.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as elif, sed, else, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for update login banner. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as elif, sed, else. Use these indicators to verify that endpoint changes match intended policy outcomes.