From 023412217f4a73e47a7b5d8786b2b10974015615 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Watson Sato <wsato@redhat.com>
|
|
|
dac76a |
Date: Thu, 19 Mar 2020 16:55:29 +0100
|
|
|
dac76a |
Subject: [PATCH 1/4] Make banner_etc_motd like banner_etc_issue
|
|
|
dac76a |
|
|
|
dac76a |
Both rules source the banner from the same XCCDF variable.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../banner_etc_motd/bash/shared.sh | 18 +++++++++++++-----
|
|
|
dac76a |
.../banner_etc_motd/oval/shared.xml | 8 +++++++-
|
|
|
dac76a |
2 files changed, 20 insertions(+), 6 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
|
|
|
dac76a |
index ac04d93dd5..d731063b5a 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
|
|
|
dac76a |
@@ -2,12 +2,20 @@
|
|
|
dac76a |
. /usr/share/scap-security-guide/remediation_functions
|
|
|
dac76a |
populate login_banner_text
|
|
|
dac76a |
|
|
|
dac76a |
-# There was a regular-expression matching various banners, needs to be expanded
|
|
|
dac76a |
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
|
|
|
dac76a |
-formatted=$(echo "$expanded" | fold -sw 80)
|
|
|
dac76a |
+# Multiple regexes transform the banner regex into a usable banner
|
|
|
dac76a |
+# 0 - Remove anchors around the banner text
|
|
|
dac76a |
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
|
|
|
dac76a |
+# 1 - Keep only the first banners if there are multiple
|
|
|
dac76a |
+# (dod_banners contains the long and short banner)
|
|
|
dac76a |
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
|
|
|
dac76a |
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
|
|
|
dac76a |
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
|
|
|
dac76a |
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
|
|
|
dac76a |
+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
|
|
|
dac76a |
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
|
|
|
dac76a |
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
|
|
|
dac76a |
+formatted=$(echo "$login_banner_text" | fold -sw 80)
|
|
|
dac76a |
|
|
|
dac76a |
cat <<EOF >/etc/motd
|
|
|
dac76a |
$formatted
|
|
|
dac76a |
EOF
|
|
|
dac76a |
-
|
|
|
dac76a |
-printf "\n" >> /etc/motd
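Review bot: Nothing between the deregexify chain and the `cat <<EOF >/etc/motd` at the end of the hunk checks that `login_banner_text` is still non-empty, so if `populate` yields nothing or the macro chain strips the whole value, the script truncates /etc/motd to a blank banner and exits 0, reporting a successful remediation for a control that is now unmet. A guard before the `formatted=` line, `[ -n "$login_banner_text" ] || { echo "login_banner_text is empty, refusing to overwrite /etc/motd" >&2; exit 1; }`, would fail loudly instead; whether `populate` already aborts on a missing variable is not visible from this hunk. The `formatted=$(echo "$login_banner_text" | fold -sw 80)` line would also be more robust as `formatted=$(printf '%s\n' "$login_banner_text" | fold -sw 80)`, because bash's `echo` treats a value beginning with `-e`/`-n` as options rather than text. The script's header line (and any `# strategy`/`# platform` metadata) precedes the hunk.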
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
|
|
|
dac76a |
index dfd3bb69c0..9b20ee032a 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
|
|
|
dac76a |
@@ -18,14 +18,20 @@
|
|
|
dac76a |
|
|
|
dac76a |
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1">
|
|
|
dac76a |
<ind:object object_ref="object_banner_etc_motd" />
|
|
|
dac76a |
+ <ind:state state_ref="state_banner_etc_motd" />
|
|
|
dac76a |
</ind:textfilecontent54_test>
|
|
|
dac76a |
|
|
|
dac76a |
<ind:textfilecontent54_object id="object_banner_etc_motd" version="1">
|
|
|
dac76a |
+ <ind:behaviors singleline="true" multiline="false" />
|
|
|
dac76a |
<ind:filepath>/etc/motd</ind:filepath>
|
|
|
dac76a |
- <ind:pattern var_ref="login_banner_text" operation="pattern match" />
|
|
|
dac76a |
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
|
|
dac76a |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
dac76a |
</ind:textfilecontent54_object>
|
|
|
dac76a |
|
|
|
dac76a |
+ <ind:textfilecontent54_state id="state_banner_etc_motd" version="1">
|
|
|
dac76a |
+ <ind:subexpression datatype="string" var_ref="login_banner_text" operation="pattern match" />
|
|
|
dac76a |
+ </ind:textfilecontent54_state>
|
|
|
dac76a |
+
|
|
|
dac76a |
<external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" />
|
|
|
dac76a |
|
|
|
dac76a |
</def-group>
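Review bot: The `^(.*)$` pattern combined with `singleline="true"`/`multiline="false"` is a deliberate trick that captures the whole of /etc/motd as one subexpression so `login_banner_text` is matched against the entire file rather than line by line, but nothing in the definition says so, and the strictness of the check depends on the variable's regex carrying its own `^`/`$` anchors (the bash remediation's step 0 strips such anchors, which suggests they are present). Without those anchors a file that merely contains the banner somewhere among other text would pass. I would document the intent above the object: `<!-- Capture the whole file as a single subexpression (singleline, no multiline) and match login_banner_text against it; the variable's own anchors make this a full-content comparison. -->`. Keeping `check_existence="all_exist"` is right, since it makes a missing /etc/motd fail rather than produce no item.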
|
|
|
dac76a |
|
|
|
dac76a |
From 38e7680395d78371a12d3afd2561533d9f1860c3 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Watson Sato <wsato@redhat.com>
|
|
|
dac76a |
Date: Thu, 19 Mar 2020 16:59:45 +0100
|
|
|
dac76a |
Subject: [PATCH 2/4] Add Ansible for banner_etc_motd
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../banner_etc_motd/ansible/shared.yml | 17 +++++++++++++++++
|
|
|
dac76a |
1 file changed, 17 insertions(+)
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..dfc1c519b7
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
|
|
|
dac76a |
@@ -0,0 +1,17 @@
|
|
|
dac76a |
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
dac76a |
+# reboot = false
|
|
|
dac76a |
+# strategy = unknown
|
|
|
dac76a |
+# complexity = low
|
|
|
dac76a |
+# disruption = medium
|
|
|
dac76a |
+- (xccdf-var login_banner_text)
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: "{{{ rule_title }}} - remove incorrect banner"
|
|
|
dac76a |
+ file:
|
|
|
dac76a |
+ state: absent
|
|
|
dac76a |
+ path: /etc/motd
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: "{{{ rule_title }}} - add correct banner"
|
|
|
dac76a |
+ lineinfile:
|
|
|
dac76a |
+ dest: /etc/motd
|
|
|
dac76a |
+ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
|
|
|
dac76a |
+ create: yes
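Review bot: Deleting /etc/motd with `file: state: absent` and recreating it via `lineinfile` leaves the file's ownership and mode to root's umask rather than setting them explicitly, reports `changed` on every run, and briefly leaves the system without any banner between the two tasks. `lineinfile` also treats `line` as a single line, so if the deregexified banner spans several lines its idempotency matching cannot work, which is presumably why the delete-first task exists. A single `copy` task with `content` and explicit `owner`/`group`/`mode` is idempotent and pins permissions; whether the macro output needs a trailing newline for `content` is not visible here. The `# strategy = unknown` header line also leaves the rule metadata unresolved; `configure` would fit a file-content change, if that matches the project's convention for the bash sibling.
```yaml
- name: "{{{ rule_title }}} - add correct banner"
  copy:
    dest: /etc/motd
    content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
    owner: root
    group: root
    mode: '0644'
```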
|
|
|
dac76a |
|
|
|
dac76a |
From c6ea356cef8678cdf248fc8363767d8615fb7423 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Watson Sato <wsato@redhat.com>
|
|
|
dac76a |
Date: Thu, 19 Mar 2020 17:20:38 +0100
|
|
|
dac76a |
Subject: [PATCH 3/4] Use profile "all" to test banner_etc_motd
|
|
|
dac76a |
|
|
|
dac76a |
When the profile doesn't do any selection, the default value is used.
|
|
|
dac76a |
When the variable doesn't define a default value, the first value is
|
|
|
dac76a |
considered the default.
|
|
|
dac76a |
|
|
|
dac76a |
The test scenarios of banner_etc_motd are aligned with the first value of
|
|
|
dac76a |
login_banner_text.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../tests/banner_etc_motd_disa_dod_default_banner.pass.sh | 2 --
|
|
|
dac76a |
.../tests/banner_etc_motd_disa_dod_short.pass.sh | 2 --
|
|
|
dac76a |
.../tests/banner_etc_motd_disa_double_banner.fail.sh | 2 --
|
|
|
dac76a |
.../tests/banner_etc_motd_disa_usgcb_banner.fail.sh | 2 --
|
|
|
dac76a |
.../tests/banner_etc_motd_ospp_usbcg_banner.fail.sh | 2 --
|
|
|
dac76a |
.../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh | 2 --
|
|
|
dac76a |
6 files changed, 12 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh
|
|
|
dac76a |
index a926abd7dd..96e5e11e5b 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh
|
|
|
dac76a |
@@ -1,6 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
|
|
|
dac76a |
# dod_default banner
|
|
|
dac76a |
echo "You are accessing a U.S. Government (USG) Information System (IS) that is
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh
|
|
|
dac76a |
index a2624e1066..ddf1efa43c 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh
|
|
|
dac76a |
@@ -1,6 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
|
|
|
dac76a |
# dod_short banner
|
|
|
dac76a |
echo "I've read & consent to terms in IS user agreem't." > /etc/motd
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
|
|
|
dac76a |
index 93c00cfde7..8cd0d30fa9 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
|
|
|
dac76a |
@@ -1,6 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
|
|
|
dac76a |
# dod_default|dod_short banner
|
|
|
dac76a |
echo "You are accessing a U.S. Government (USG) Information System (IS) that is
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh
|
|
|
dac76a |
index 3878983a19..5abacbb535 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh
|
|
|
dac76a |
@@ -1,6 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
|
|
|
dac76a |
# usgcb_default banner
|
|
|
dac76a |
echo "-- WARNING -- This system is for the use of authorized users only. Individuals
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh
|
|
|
dac76a |
index c82a8e39b2..43b2e0a2e9 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh
|
|
|
dac76a |
@@ -1,5 +1,3 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
dac76a |
|
|
|
dac76a |
echo "This is not the expected banner" > /etc/motd
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
|
|
|
dac76a |
index 41894c998b..5abacbb535 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
|
|
|
dac76a |
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
|
|
|
dac76a |
@@ -1,6 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
-#
|
|
|
dac76a |
-# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
dac76a |
|
|
|
dac76a |
# usgcb_default banner
|
|
|
dac76a |
echo "-- WARNING -- This system is for the use of authorized users only. Individuals
|
|
|
dac76a |
|
|
|
dac76a |
From 4cb5b1f167a1ac3de94626d82eb6d3779a443475 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Watson Sato <wsato@redhat.com>
|
|
|
dac76a |
Date: Thu, 19 Mar 2020 18:04:14 +0100
|
|
|
dac76a |
Subject: [PATCH 4/4] Remove test that doesn't make sense
|
|
|
dac76a |
|
|
|
dac76a |
At the moment no profile selects this rule.
|
|
|
dac76a |
The value of the variable will be the default (first) value of
|
|
|
dac76a |
variable login_banner_text. Thus, second pass test doesn't make sense.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh | 10 ----------
|
|
|
dac76a |
1 file changed, 10 deletions(-)
|
|
|
dac76a |
delete mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
|
|
|
dac76a |
deleted file mode 100644
|
|
|
dac76a |
index 5abacbb535..0000000000
|
|
|
dac76a |
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
|
|
|
dac76a |
+++ /dev/null
|
|
|
dac76a |
@@ -1,10 +0,0 @@
|
|
|
dac76a |
-#!/bin/bash
|
|
|
dac76a |
-
|
|
|
dac76a |
-# usgcb_default banner
|
|
|
dac76a |
-echo "-- WARNING -- This system is for the use of authorized users only. Individuals
|
|
|
dac76a |
-using this computer system without authority or in excess of their authority
|
|
|
dac76a |
-are subject to having all their activities on this system monitored and
|
|
|
dac76a |
-recorded by system personnel. Anyone using this system expressly consents to
|
|
|
dac76a |
-such monitoring and is advised that if such monitoring reveals possible
|
|
|
dac76a |
-evidence of criminal activity system personal may provide the evidence of such
|
|
|
dac76a |
-monitoring to law enforcement officials." > /etc/motd
|