Configuring /etc/motd with CFEngine


When a user logs in, Unix typically displays the contents of the /etc/motd file. CFEngine can manage this file and include a legal notice, along with other useful information that depends on the classes defined for the system.

Configuration

Use a custom cf.motd configuration file, and import it from the master cfagent.conf file:

# $Id$

import:
   any::
      cf.main
      cf.classes
      cf.site

      cf.motd

Then set up a copy block to fetch the legal notice and an editfiles block to manage /etc/motd:

# $Id$

copy:
   any::
      # copy legal disclaimer locally for inclusion below
      ${masterfiles}/etc/motd
         dest=${workdir}/etc/motd
         type=checksum backup=false
         ifelapsed=200

editfiles:
   any::
      {
      /etc/motd
         AutoCreate
         Backup "false"

         # CFEngine manages entire contents
         EmptyEntireFilePlease

         # only attempt an update several times per day
         IfElapsed 200

         # add the legal disclaimer
         InsertFile "${workdir}/etc/motd"

         # warning to not hand edit anything while moving site to CFEngine
         AppendIfNoSuchLine "*** Notice: CFEngine manages this system"

         # special notifications based on class

         BeginGroupIfDefined "redhat"
            InsertFile "/etc/redhat-release"
         EndGroup

         BeginGroupIfDefined "role_cfengine_master"
            Append "Master CFEngine Server"
         EndGroup

         BeginGroupIfDefined "role_mail_server"
            Append "Mail Server: http://example.org/docs/mail-server/"
         EndGroup

         BeginGroupIfDefined "realm_prod"
            Append "*** Warning: ${host} is a production system"
         EndGroup
      }

Depending on the operating system and other duties of the system, the /etc/motd should include useful information after the legal notice. This way, when an administrator logs into the system, they will see a quick overview of what the system is and does, instead of having to know or hunt down the data:

Last login: Fri Dec 9 10:39:55 2005 from 192.0.2.11

This machine is for the exclusive use of SOMEONE.
Anyone attempting to gain, or gaining access other
than as specifically authorized will be prosecuted
under all applicable statutes plus all applicable
civil rules for damages.

*** Notice: CFEngine manages this system
Red Hat Enterprise Linux ES release 4 (Nahant Update 1)
Master CFEngine Server
*** Warning: grue is a production system
$ exit
logout
Connection to grue closed.

Note that some consider editfiles harmful. For small files that need different bits of information like /etc/motd, I see no reason to use another solution.

Legal Notice

Sample legal notice to include in the /etc/motd file.

This machine is for the exclusive use of SOMEONE.
Anyone attempting to gain, or gaining access other
than as specifically authorized will be prosecuted
under all applicable statutes plus all applicable
civil rules for damages.

Production Systems

Production systems should include a notice, so that users know when they are on a production system. Place this message last in the motd file, and do not include a similar notice on development systems so the warning stands out better.

BeginGroupIfDefined "realm_prod"
Append "*** Warning: ${host} is a production system"
EndGroup
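
The layout this page describes (legal notice first, one management notice, production warning last and only on production hosts) can be audited with a small POSIX shell check. This is an added example, not part of the original page or of CFEngine; the function names check_motd and write_sample and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a motd against the layout the editfiles policy produces.
# Usage: check_motd MOTD LEGAL_NOTICE [prod]
# Prints one line per finding; returns 0 when compliant, 1 otherwise.
check_motd() {
    motd=$1; legal=$2; realm=${3:-}; rc=0
    warn='^\*\*\* Warning: .* is a production system$'
    [ -r "$motd" ] && [ -r "$legal" ] || { echo "FAIL: cannot read inputs"; return 1; }

    # 1. The legal notice must open the file, byte for byte.
    n=$(( $(wc -l < "$legal") ))
    if ! head -n "$n" "$motd" | cmp -s - "$legal"; then
        echo "FAIL: legal notice missing or altered at top of $motd"; rc=1
    fi

    # 2. The management notice must appear exactly once.
    c=$(grep -c -F -x '*** Notice: CFEngine manages this system' "$motd" || true)
    [ "$c" -eq 1 ] || { echo "FAIL: management notice appears $c times"; rc=1; }

    # 3. Production warning: last line on prod hosts, absent everywhere else.
    if [ "$realm" = prod ]; then
        tail -n 1 "$motd" | grep -q "$warn" ||
            { echo "FAIL: production warning is not the last line"; rc=1; }
    elif grep -q "$warn" "$motd"; then
        echo "FAIL: production warning on a non-production host"; rc=1
    fi
    return "$rc"
}

# Constructed sample files, modelled on the page's sample login, written to dir $1.
write_sample() {
    cat > "$1/legal" <<'EOF'
This machine is for the exclusive use of SOMEONE.
Anyone attempting to gain, or gaining access other
than as specifically authorized will be prosecuted
under all applicable statutes plus all applicable
civil rules for damages.
EOF
    { cat "$1/legal"
      echo '*** Notice: CFEngine manages this system'
      echo 'Master CFEngine Server'
      echo '*** Warning: grue is a production system'
    } > "$1/motd"
}

d=$(mktemp -d) && write_sample "$d" &&
    check_motd "$d/motd" "$d/legal" prod && echo "sample motd: compliant"
rm -rf "$d"
```

Pass prod as the third argument on hosts in the realm_prod class; on any other host the check fails if the production warning is present.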

Mac OS X

A greeting message can be set in the graphical login window on Mac OS X:

shellcommands:
   macosx.sys_install::
      "/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow
LoginwindowText -string 'This machine is for the exclusive use of SOMEONE.
Anyone attempting to gain, or gaining access other than as specifically
authorized will be prosecuted under all applicable statutes plus all
applicable civil rules for damages.'"

Or, use a copy statement to manage the /Library/Preferences/com.apple.loginwindow.plist configuration file, if managing every default in that file.

Windows

Set the login message in the *.inf policy file.