From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001

From: Marek Haicman <mhaicman@redhat.com>

Date: Wed, 4 Dec 2019 15:11:39 +0100

Subject: [PATCH 01/27] Create macro to translate text to banner text.

With banner texts having every whitespace replaced with more complex regular

expression, it's not really readable in that form. This macro should provide

way to write human readable text in source, and get machine readable text

as the output.

---

 .../var_web_login_banner_text.var             | 15 ++++++---------

 .../banner_etc_issue/bash/shared.sh           |  2 +-

 ...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++

 .../accounts-banners/login_banner_text.var    | 12 ++++++------

 shared/macros.jinja                           |  4 ++++

 ssg/build_yaml.py                             |  2 +-

 6 files changed, 37 insertions(+), 17 deletions(-)

 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh

diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var

index 61ebea65f3..72a728659b 100644

--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var

+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var

@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage'

 description: |-

     Enter an appropriate login banner for your organization. Please note that new lines must

-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.

+    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.

 type: string

@@ -13,11 +13,8 @@ operator: equals

 interactive: false

 options:

-    dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$

-    dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.

-    dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.

-    dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\

-        s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\

-        s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\

-        s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times."

-    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.

+    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}

+    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}

+    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}

+    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}

+    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

index 9617934e4f..54bc576551 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

@@ -3,7 +3,7 @@

 populate login_banner_text

 # There was a regular-expression matching various banners, needs to be expanded

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')

 formatted=$(echo "$expanded" | fold -sw 80)

 cat <<EOF >/etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh

new file mode 100644

index 0000000000..00121bae96

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh

@@ -0,0 +1,19 @@

+#!/bin/bash

+#

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+# dod_default banner

+echo "You are accessing a U.S. Government (USG) Information System (IS) that is 

+provided for USG-authorized use only. By using this IS (which includes any 

+device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for 

+purposes including, but not limited to, penetration testing, COMSEC monitoring, 

+network operations and defense, personnel misconduct (PM), law enforcement 

+(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject 

+to routine monitoring, interception, and search, and may be disclosed or used 

+for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) 

+to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE 

+or CI investigative searching or monitoring of the content of privileged 

+communications, or work product, related to personal representation or services 

+by attorneys, psychotherapists, or clergy, and their assistants. Such 

+communications and work product are private and confidential. See User 

+Agreement for details." > /etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var

index f3a4795bce..0c398bee9c 100644

--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var

+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var

@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage'

 description: |-

     Enter an appropriate login banner for your organization. Please note that new lines must

-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.

+    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.

 type: string

@@ -14,8 +14,8 @@ interactive: false

 options:

 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters

-    dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)

-    dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.

-    dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.

-    dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.

-    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.

+    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}

+    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}

+    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}

+    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}

+    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}

diff --git a/shared/macros.jinja b/shared/macros.jinja

index 8a25acc937..3c617040bf 100644

--- a/shared/macros.jinja

+++ b/shared/macros.jinja

@@ -657,3 +657,7 @@ openssl()

 )

 {{%- endmacro %}}

+

+{{% macro banner_flexibler(banner_text) -%}}

+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}

+{{% endmacro %}}

diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py

index 357d0e8d99..700e496246 100644

--- a/ssg/build_yaml.py

+++ b/ssg/build_yaml.py

@@ -327,7 +327,7 @@ def __init__(self, id_):

     @staticmethod

     def from_yaml(yaml_file, env_yaml=None):

-        yaml_contents = open_and_expand(yaml_file, env_yaml)

+        yaml_contents = open_and_macro_expand(yaml_file, env_yaml)

         if yaml_contents is None:

             return None

From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 27 Feb 2020 18:03:37 +0100

Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners

Format of dod_banners changed a bit, and stripping of tailing

short dod banner got broken.

Goal of dod_banners is to check for either long or shord DoD, but

default to remediating with the long banner.

---

 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-

 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

index 54bc576551..1b2052a658 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

@@ -3,7 +3,7 @@

 populate login_banner_text

 # There was a regular-expression matching various banners, needs to be expanded

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')

 formatted=$(echo "$expanded" | fold -sw 80)

 cat <<EOF >/etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

index 1614098c8c..bc6a31bc74 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

@@ -2,7 +2,7 @@

 . /usr/share/scap-security-guide/remediation_functions

 populate login_banner_text

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}

 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}

From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Mon, 2 Mar 2020 17:31:49 +0100

Subject: [PATCH 03/27] Fix test scenarios for OSPP profile

OSPP profile doesn't select banner_etc_issue

---

 ...banner_etc_issue_ospp_usbcg_banner.fail.sh |  2 +-

 ...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------

 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh

index db0b72089c..0f962279be 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh

@@ -1,5 +1,5 @@

 #!/bin/bash

 #

-# profiles = xccdf_org.ssgproject.content_profile_ospp

+# profiles = xccdf_org.ssgproject.content_profile_stig

 echo "This is not the expected banner" > /etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh

index d36b3a146b..9bb0319323 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh

@@ -1,12 +1,24 @@

 #!/bin/bash

 #

-# profiles = xccdf_org.ssgproject.content_profile_ospp

+# profiles = xccdf_org.ssgproject.content_profile_stig

-# usgcb_default banner

-echo "-- WARNING -- This system is for the use of authorized users only. Individuals 

-using this computer system without authority or in excess of their authority 

-are subject to having all their activities on this system monitored and 

-recorded by system personnel. Anyone using this system expressly consents to 

-such monitoring and is advised that if such monitoring reveals possible 

-evidence of criminal activity system personal may provide the evidence of such 

-monitoring to law enforcement officials." > /etc/issue

+# dod_banners banner

+echo "You are accessing a U.S. Government (USG) Information System (IS) that is

+provided for USG-authorized use only. By using this IS (which includes any

+device attached to this IS), you consent to the following conditions:

+-The USG routinely intercepts and monitors communications on this IS for

+purposes including, but not limited to, penetration testing, COMSEC monitoring,

+network operations and defense, personnel misconduct (PM), law enforcement

+(LE), and counterintelligence (CI) investigations.

+-At any time, the USG may inspect and seize data stored on this IS.

+-Communications using, or data stored on, this IS are not private, are subject

+to routine monitoring, interception, and search, and may be disclosed or used

+for any USG-authorized purpose.

+-This IS includes security measures (e.g., authentication and access controls)

+to protect USG interests--not for your personal benefit or privacy.

+-Notwithstanding the above, using this IS does not constitute consent to PM, LE

+or CI investigative searching or monitoring of the content of privileged

+communications, or work product, related to personal representation or services

+by attorneys, psychotherapists, or clergy, and their assistants. Such

+communications and work product are private and confidential. See User

+Agreement for details." > /etc/issue

From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 3 Mar 2020 10:26:40 +0100

Subject: [PATCH 04/27] Update test scenario metadata for banner tests

---

 .../dconf_gnome_login_banner_text/tests/correct_value.pass.sh   | 1 +

 .../tests/correct_value_stig.pass.sh                            | 2 +-

 .../tests/missing_value_stig.fail.sh                            | 2 +-

 .../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh     | 1 +

 .../tests/wrong_value_stig.fail.sh                              | 2 +-

 5 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh

index 2c92fcbeb8..230a8b0a22 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh

@@ -1,4 +1,5 @@

 #!/bin/bash

+# platform = Red Hat Enterprise Linux 7

 # profiles = xccdf_org.ssgproject.content_profile_ncp

 source $SHARED/dconf_test_functions.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh

index 8a142b740e..d59f9071f0 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh

@@ -1,5 +1,5 @@

 #!/bin/bash

-# platform = Red Hat Enterprise Linux 7

+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8

 # profiles = xccdf_org.ssgproject.content_profile_stig

 source $SHARED/dconf_test_functions.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh

index 1fea01471e..9638681130 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh

@@ -1,5 +1,5 @@

 #!/bin/bash

-# platform = Red Hat Enterprise Linux 7

+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8

 # profiles = xccdf_org.ssgproject.content_profile_stig

 source $SHARED/dconf_test_functions.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh

index af4ea0ab82..7f7123a8be 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh

@@ -1,4 +1,5 @@

 #!/bin/bash

+# platform = Red Hat Enterprise Linux 7

 # profiles = xccdf_org.ssgproject.content_profile_ncp

 source $SHARED/dconf_test_functions.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh

index e0f43ec001..cd65f885a2 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh

@@ -1,5 +1,5 @@

 #!/bin/bash

-# platform = Red Hat Enterprise Linux 7

+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8

 # profiles = xccdf_org.ssgproject.content_profile_stig

 source $SHARED/dconf_test_functions.sh

From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 3 Mar 2020 10:28:07 +0100

Subject: [PATCH 05/27] Fix text of banners, remove space after dash

Per DISA STIG reference, there is no space after the list items.

---

 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-

 .../tests/correct_value_stig.pass.sh                            | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

index bc6a31bc74..d9dca1bef9 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

@@ -2,7 +2,7 @@

 . /usr/share/scap-security-guide/remediation_functions

 populate login_banner_text

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}

 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh

index d59f9071f0..dca4b8e99b 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh

@@ -6,7 +6,7 @@ source $SHARED/dconf_test_functions.sh

 install_dconf_and_gdm_if_needed

-login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"

+login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"

 expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

 clean_dconf_settings

From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 3 Mar 2020 11:01:25 +0100

Subject: [PATCH 06/27] Make banner compatible with console and dconf

The banner in /etc/issue is expected to have actual newlines, while the

banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence

'\n'.

This commit transforms the newline from the input banner into a regex

that matches either the newline or the escape sequence.

During remediation, each rule will replace the regular expression for

the correct "version" of the newline.

---

 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-

 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-

 shared/macros.jinja                                             | 2 +-

 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

index 1b2052a658..fcaaa2c794 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

@@ -3,7 +3,7 @@

 populate login_banner_text

 # There was a regular-expression matching various banners, needs to be expanded

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')

 formatted=$(echo "$expanded" | fold -sw 80)

 cat <<EOF >/etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

index d9dca1bef9..2b51e7c94c 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

@@ -2,7 +2,7 @@

 . /usr/share/scap-security-guide/remediation_functions

 populate login_banner_text

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}

 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}

diff --git a/shared/macros.jinja b/shared/macros.jinja

index 3c617040bf..b178088f0c 100644

--- a/shared/macros.jinja

+++ b/shared/macros.jinja

@@ -659,5 +659,5 @@ openssl()

 {{%- endmacro %}}

 {{% macro banner_flexibler(banner_text) -%}}

-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}

+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}

 {{% endmacro %}}

From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 3 Mar 2020 12:46:30 +0100

Subject: [PATCH 07/27] Simplify banner remediation regexes

Remove unneded sed's for single quote (\x27)

---

 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-

 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

index fcaaa2c794..5d079e9271 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

@@ -3,7 +3,7 @@

 populate login_banner_text

 # There was a regular-expression matching various banners, needs to be expanded

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')

+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')

 formatted=$(echo "$expanded" | fold -sw 80)

 cat <<EOF >/etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

index 2b51e7c94c..568942e892 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

@@ -2,7 +2,7 @@

 . /usr/share/scap-security-guide/remediation_functions

 populate login_banner_text

-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')

 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}

 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}

From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 3 Mar 2020 12:48:10 +0100

Subject: [PATCH 08/27] Document what the regexes do in the banner

---

 .../accounts-banners/banner_etc_issue/bash/shared.sh      | 7 ++++++-

 .../dconf_gnome_login_banner_text/bash/shared.sh          | 8 ++++++++

 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

index 5d079e9271..07b88bf039 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

@@ -2,7 +2,12 @@

 . /usr/share/scap-security-guide/remediation_functions

 populate login_banner_text

-# There was a regular-expression matching various banners, needs to be expanded

+# Multiple regexes transform the banner regex into a usable banner

+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.

+#    (dod_banners contains the long and shor banner)

+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")

+# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")

+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).

 expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')

 formatted=$(echo "$expanded" | fold -sw 80)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

index 568942e892..658205bd2c 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

@@ -2,6 +2,14 @@

 . /usr/share/scap-security-guide/remediation_functions

 populate login_banner_text

+# Multiple regexes transform the banner regex into a usable banner

+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.

+#    (dod_banners contains the long and shor banner)

+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")

+# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")

+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).

+# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").

+#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".

 expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')

 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}

From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 3 Mar 2020 12:49:02 +0100

Subject: [PATCH 09/27] Add rule to check dconf banner

The STIG profile sets the banner, and checks whether it is enabled for

dconf, but never checked the banner text.

---

 rhel8/profiles/stig.profile | 1 +

 1 file changed, 1 insertion(+)

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile

index 7eb1869a3c..f315df7d06 100644

--- a/rhel8/profiles/stig.profile

+++ b/rhel8/profiles/stig.profile

@@ -21,6 +21,7 @@ extends: ospp

     - login_banner_text=dod_banners

     - dconf_db_up_to_date

     - dconf_gnome_banner_enabled

+    - dconf_gnome_login_banner_text

     - banner_etc_issue

     - accounts_password_set_min_life_existing

     - accounts_password_set_max_life_existing

From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 6 Mar 2020 15:37:46 +0100

Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock

---

 .../dconf_gnome_login_banner_text/ansible/shared.yml          | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml

index 6946c9ddf7..303f505968 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml

@@ -38,7 +38,7 @@

 - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"

   lineinfile:

     path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'

-    regexp: '^org/gnome/login-screen/banner-message-text$'

-    line: 'org/gnome/login-screen/banner-message-text'

+    regexp: '^/org/gnome/login-screen/banner-message-text$'

+    line: '/org/gnome/login-screen/banner-message-text'

     create: yes

     state: present

From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 6 Mar 2020 15:58:38 +0100

Subject: [PATCH 11/27] Fix banner regex stripping for Ansible

Do similar regex stripping as done in Bash remediaiton.

The triple single quotes is necessary for the jinja template expansion

to add the banner wrapped in single quotes.

---

 .../dconf_gnome_login_banner_text/ansible/shared.yml           | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml

index 303f505968..5d5e92530a 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml

@@ -32,8 +32,9 @@

     dest: /etc/dconf/db/gdm.d/00-security-settings

     section: org/gnome/login-screen

     option: banner-message-text

-    value: '{{ login_banner_text }}'

+    value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''

     create: yes

+    no_extra_spaces: yes

 - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"

   lineinfile:

From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 6 Mar 2020 16:09:50 +0100

Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue

---

 .../banner_etc_issue/ansible/shared.yml              | 12 ++++++++++++

 1 file changed, 12 insertions(+)

 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml

new file mode 100644

index 0000000000..e136304020

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml

@@ -0,0 +1,12 @@

+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol

+# reboot = false

+# strategy = unknown

+# complexity = low

+# disruption = medium

+- (xccdf-var login_banner_text)

+

+- name: "{{{ rule_title }}}"

+  lineinfile:

+    dest: /etc/issue

+    line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'

+    create: yes

From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 6 Mar 2020 16:52:09 +0100

Subject: [PATCH 13/27] Update reference RHEL8 STIG profile

---

 tests/data/profile_stability/rhel8/stig.profile | 1 +

 1 file changed, 1 insertion(+)

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 843267d589..381cf54b3a 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -84,6 +84,7 @@ selections:

 - coredump_disable_storage

 - dconf_db_up_to_date

 - dconf_gnome_banner_enabled

+- dconf_gnome_login_banner_text

 - disable_ctrlaltdel_burstaction

 - disable_ctrlaltdel_reboot

 - disable_host_auth

From 6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Sat, 7 Mar 2020 13:12:28 +0100

Subject: [PATCH 14/27] Move bash banner deregexification to macros

This aims to increase maintenability and readability.

Every step in the deregexification is a separate macro.

The macros 'bash_deregexify_banner_etc_issue' and

'bash_deregexify_banner_dconf_gnome' build upon the basic steps.

---

 .../banner_etc_issue/bash/shared.sh           |  9 ++++---

 .../bash/shared.sh                            | 10 +++++---

 shared/macros-bash.jinja                      | 25 +++++++++++++++++++

 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

index 07b88bf039..119413005e 100644

--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh

@@ -4,12 +4,15 @@ populate login_banner_text

 # Multiple regexes transform the banner regex into a usable banner

 # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.

-#    (dod_banners contains the long and shor banner)

+#    (dod_banners contains the long and short banner)

+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}

 # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")

+{{{ bash_deregexify_banner_space("login_banner_text") }}}

 # 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")

+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}

 # 4- Remove any leftover backslash. (From any parethesis in the banner, for example).

-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')

-formatted=$(echo "$expanded" | fold -sw 80)

+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}

+formatted=$(echo "$login_banner_text" | fold -sw 80)

 cat <<EOF >/etc/issue

 $formatted

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

index 658205bd2c..4011932790 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh

@@ -4,13 +4,17 @@ populate login_banner_text

 # Multiple regexes transform the banner regex into a usable banner

 # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.

-#    (dod_banners contains the long and shor banner)

+#    (dod_banners contains the long and short banner)

+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}

 # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")

+{{{ bash_deregexify_banner_space("login_banner_text") }}}

 # 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")

+{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}

 # 4- Remove any leftover backslash. (From any parethesis in the banner, for example).

+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}

 # 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").

 #    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".

-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')

+{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}

-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}

+{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}}

 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}

diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja

index 2756cc0c00..6d72684c6d 100644

--- a/shared/macros-bash.jinja

+++ b/shared/macros-bash.jinja

@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}}

 {{{ contents|trim() }}}

 EOF

 {{%- endmacro %}}

+

+{{# Strips multibanner regex and keeps only the first banner #}}

+{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}

+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')

+{{%- endmacro %}}

+

+{{# Strips whitespace or newline regex #}}

+{{% macro bash_deregexify_banner_space(banner_var_name) -%}}

+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g')

+{{%- endmacro %}}

+

+{{# Strips newline or newline escape sequence regex #}}

+{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}}

+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g')

+{{%- endmacro %}}

+

+{{# Strips newline token for a newline escape sequence regex #}}

+{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}}

+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g')

+{{%- endmacro %}}

+

+{{# Strips backslash regex #}}

+{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}}

+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g')

+{{%- endmacro %}}

From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Sat, 7 Mar 2020 14:04:40 +0100

Subject: [PATCH 15/27] Move ansible banner deregexification to macros