
From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Wed, 4 Dec 2019 15:11:39 +0100
Subject: [PATCH 01/27] Create macro to translate text to banner text.
With banner texts having every whitespace replaced with more complex regular
expression, it's not really readable in that form. This macro should provide
a way to write human-readable text in source, and get machine-readable text
as the output.
---
 .../var_web_login_banner_text.var             | 15 ++++++---------
 .../banner_etc_issue/bash/shared.sh           |  2 +-
 ...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++
 .../accounts-banners/login_banner_text.var    | 12 ++++++------
 shared/macros.jinja                           |  4 ++++
 ssg/build_yaml.py                             |  2 +-
 6 files changed, 37 insertions(+), 17 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index 61ebea65f3..72a728659b 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage'
 
 description: |-
     Enter an appropriate login banner for your organization. Please note that new lines must
-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
+    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
 
 type: string
 
@@ -13,11 +13,8 @@ operator: equals
 interactive: false
 
 options:
-    dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitorin
g[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$
-    dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[
\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.
-    dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.
-    dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\
-        s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\
-        s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\
-        s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times."
-    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
+    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
+    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
+    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
+    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
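Review bot: The new option values on the dod_banners, dod_default and dss_odaa_default lines leave the `.` in `U.S.`, `e.g.,` and every sentence-ending period unescaped, so after macro expansion each of those positions matches any character instead of a literal dot, and the banner check is looser than the text suggests. The parentheses and colon are escaped (`\(USG\)`, `conditions\:`), which indicates the escaping was meant to be complete; writing `U\.S\.`, `e\.g\.,` and `only\.` would tighten the pattern without changing what a correct banner matches. The macro itself only rewrites whitespace, so this escaping is the caller's job and a short comment above `options:` saying so would help future edits. The same values are repeated in login_banner_text.var further down in this patch and need the same treatment.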
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 9617934e4f..54bc576551 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -3,7 +3,7 @@
 populate login_banner_text
 
 # There was a regular-expression matching various banners, needs to be expanded
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
 formatted=$(echo "$expanded" | fold -sw 80)
 
 cat <<EOF >/etc/issue
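Review bot: The rewritten sed program on the `expanded=` line depends on an ordering that is easy to break: `s/\[n\]+/\n/g` only matches the macro's `[\n]+` token because the earlier `s/\\//g` has already removed its backslash, while `s/\[\\s\\n\]+/ /g` must run before that strip. A comment above the line would protect the next editor from reordering it: `# Order matters: the whitespace token is replaced before backslashes are stripped; the newline token ([\n]+ -> [n]+) only after.` The banner value is also full of backslash sequences and one option starts with `--`, so if this remediation ever runs under an echo that interprets escapes, `printf '%s\n' "$login_banner_text"` is the safer way to feed it to sed.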
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
new file mode 100644
index 0000000000..00121bae96
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+# dod_default banner
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is 
+provided for USG-authorized use only. By using this IS (which includes any 
+device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for 
+purposes including, but not limited to, penetration testing, COMSEC monitoring, 
+network operations and defense, personnel misconduct (PM), law enforcement 
+(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject 
+to routine monitoring, interception, and search, and may be disclosed or used 
+for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) 
+to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE 
+or CI investigative searching or monitoring of the content of privileged 
+communications, or work product, related to personal representation or services 
+by attorneys, psychotherapists, or clergy, and their assistants. Such 
+communications and work product are private and confidential. See User 
+Agreement for details." > /etc/issue
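Review bot: The reason this scenario must fail is only implied by the file name; the `# dod_default banner` comment should say it outright, e.g. `# dod_default banner with the "-" items run straight on from the previous sentence (no newline), so the check must fail`. The wrapped lines of the echo appear to end in a trailing space (e.g. after `that is `), and those, together with the mid-sentence line breaks, are accepted by the `[\s\n]+` tokens the macro emits, so they are not what makes the scenario fail. Stating that in the comment prevents a later whitespace cleanup from "fixing" the wrong thing and silently turning this into a passing banner.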
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index f3a4795bce..0c398bee9c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage'
 
 description: |-
     Enter an appropriate login banner for your organization. Please note that new lines must
-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
+    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
 
 type: string
 
@@ -14,8 +14,8 @@ interactive: false
 
 options:
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
-    dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)
-    dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+
or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.
-    dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.
-    dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+th
e[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.
-    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
+    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
+    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
+    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
+    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 8a25acc937..3c617040bf 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -657,3 +657,7 @@ openssl()
dac76a
 )
dac76a
 
dac76a
 {{%- endmacro %}}
dac76a
+
dac76a
+{{% macro banner_flexibler(banner_text) -%}}
dac76a
+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
dac76a
+{{% endmacro %}}
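Review bot: `banner_flexibler` splices `banner_text` into a regular expression without escaping regex metacharacters, so the `.` in "U.S." matches any character and a `(`, `)`, `$` or `?` in a site-specific banner yields an over-permissive or invalid pattern; only whitespace is transformed. Callers therefore have to pre-escape such characters, and the macro should say so: `{{# Only whitespace is turned into regex; metacharacters in banner_text ( ) . $ ? are NOT escaped - escape them in the caller #}}`. Python's unicode-escape decoding, which Jinja appears to apply to string literals, passes the unknown escape `\s` through unchanged and turns `\\n` into a single backslash-n, giving `[\s\n]+`; worth confirming once on a rendered .var since the bash remediations match that exact spelling.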
dac76a
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
dac76a
index 357d0e8d99..700e496246 100644
dac76a
--- a/ssg/build_yaml.py
dac76a
+++ b/ssg/build_yaml.py
dac76a
@@ -327,7 +327,7 @@ def __init__(self, id_):
dac76a
 
dac76a
     @staticmethod
dac76a
     def from_yaml(yaml_file, env_yaml=None):
dac76a
-        yaml_contents = open_and_expand(yaml_file, env_yaml)
dac76a
+        yaml_contents = open_and_macro_expand(yaml_file, env_yaml)
dac76a
         if yaml_contents is None:
dac76a
             return None
dac76a
 
dac76a
dac76a
From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Thu, 27 Feb 2020 18:03:37 +0100
dac76a
Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners
dac76a
dac76a
Format of dod_banners changed a bit, and stripping of tailing
dac76a
short dod banner got broken.
dac76a
dac76a
Goal of dod_banners is to check for either the long or the short DoD banner, but
dac76a
default to remediating with the long banner.
dac76a
---
dac76a
 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
dac76a
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
dac76a
 2 files changed, 2 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index 54bc576551..1b2052a658 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -3,7 +3,7 @@
dac76a
 populate login_banner_text
dac76a
 
dac76a
 # There was a regular-expression matching various banners, needs to be expanded
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
dac76a
 formatted=$(echo "$expanded" | fold -sw 80)
dac76a
 
dac76a
 cat <<EOF >/etc/issue
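Review bot: The new strip `s/\^(\(.*\)|.*$/\1/g` relies on a greedy `.*` that stops at the last `|` in the value, so it keeps the long banner only because neither bundled banner contains a pipe; a site banner with a `|` in it, or a value with three alternatives, would be cut at the wrong place. Anchoring on the first separator is safer and reads as intended: `s/\^(\([^|]*\)|.*$/\1/g`. When the value carries no `^(…|…)` wrapper the substitution is a no-op and the text passes through unchanged, which seems to be the intent but deserves a one-line comment. The heredoc that writes /etc/issue continues past the hunk.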
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index 1614098c8c..bc6a31bc74 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -2,7 +2,7 @@
dac76a
 . /usr/share/scap-security-guide/remediation_functions
dac76a
 populate login_banner_text
dac76a
 
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
 
dac76a
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
dac76a
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
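Review bot: This sed pipeline is a second copy of the one in banner_etc_issue/bash/shared.sh, differing only in the final tokens, and the two copies had already drifted before this fix (this one carries the `tamere` placeholder and the single-quote escaping the other lacks). Both scripts source remediation_functions, so a shared helper there, parameterised on the newline replacement, would keep the stripping logic in one place and make the next format change a single edit. The `tamere` placeholder name is also opaque; if it stays, a comment saying what it stands in for would help.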
dac76a
dac76a
From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Mon, 2 Mar 2020 17:31:49 +0100
dac76a
Subject: [PATCH 03/27] Fix test scenarios for OSPP profile
dac76a
dac76a
OSPP profile doesn't select banner_etc_issue
dac76a
---
dac76a
 ...banner_etc_issue_ospp_usbcg_banner.fail.sh |  2 +-
dac76a
 ...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------
dac76a
 2 files changed, 22 insertions(+), 10 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
dac76a
index db0b72089c..0f962279be 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
dac76a
@@ -1,5 +1,5 @@
dac76a
 #!/bin/bash
dac76a
 #
dac76a
-# profiles = xccdf_org.ssgproject.content_profile_ospp
dac76a
+# profiles = xccdf_org.ssgproject.content_profile_stig
dac76a
 
dac76a
 echo "This is not the expected banner" > /etc/issue
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
dac76a
index d36b3a146b..9bb0319323 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
dac76a
@@ -1,12 +1,24 @@
dac76a
 #!/bin/bash
dac76a
 #
dac76a
-# profiles = xccdf_org.ssgproject.content_profile_ospp
dac76a
+# profiles = xccdf_org.ssgproject.content_profile_stig
dac76a
 
dac76a
-# usgcb_default banner
dac76a
-echo "-- WARNING -- This system is for the use of authorized users only. Individuals 
dac76a
-using this computer system without authority or in excess of their authority 
dac76a
-are subject to having all their activities on this system monitored and 
dac76a
-recorded by system personnel. Anyone using this system expressly consents to 
dac76a
-such monitoring and is advised that if such monitoring reveals possible 
dac76a
-evidence of criminal activity system personal may provide the evidence of such 
dac76a
-monitoring to law enforcement officials." > /etc/issue
dac76a
+# dod_banners banner
dac76a
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is
dac76a
+provided for USG-authorized use only. By using this IS (which includes any
dac76a
+device attached to this IS), you consent to the following conditions:
dac76a
+-The USG routinely intercepts and monitors communications on this IS for
dac76a
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
dac76a
+network operations and defense, personnel misconduct (PM), law enforcement
dac76a
+(LE), and counterintelligence (CI) investigations.
dac76a
+-At any time, the USG may inspect and seize data stored on this IS.
dac76a
+-Communications using, or data stored on, this IS are not private, are subject
dac76a
+to routine monitoring, interception, and search, and may be disclosed or used
dac76a
+for any USG-authorized purpose.
dac76a
+-This IS includes security measures (e.g., authentication and access controls)
dac76a
+to protect USG interests--not for your personal benefit or privacy.
dac76a
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE
dac76a
+or CI investigative searching or monitoring of the content of privileged
dac76a
+communications, or work product, related to personal representation or services
dac76a
+by attorneys, psychotherapists, or clergy, and their assistants. Such
dac76a
+communications and work product are private and confidential. See User
dac76a
+Agreement for details." > /etc/issue
dac76a
dac76a
From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Tue, 3 Mar 2020 10:26:40 +0100
dac76a
Subject: [PATCH 04/27] Update test scenario metadata for banner tests
dac76a
dac76a
---
dac76a
 .../dconf_gnome_login_banner_text/tests/correct_value.pass.sh   | 1 +
dac76a
 .../tests/correct_value_stig.pass.sh                            | 2 +-
dac76a
 .../tests/missing_value_stig.fail.sh                            | 2 +-
dac76a
 .../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh     | 1 +
dac76a
 .../tests/wrong_value_stig.fail.sh                              | 2 +-
dac76a
 5 files changed, 5 insertions(+), 3 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
dac76a
index 2c92fcbeb8..230a8b0a22 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
dac76a
@@ -1,4 +1,5 @@
dac76a
 #!/bin/bash
dac76a
+# platform = Red Hat Enterprise Linux 7
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_ncp
dac76a
 
dac76a
 source $SHARED/dconf_test_functions.sh
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
dac76a
index 8a142b740e..d59f9071f0 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
dac76a
@@ -1,5 +1,5 @@
dac76a
 #!/bin/bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_stig
dac76a
 
dac76a
 source $SHARED/dconf_test_functions.sh
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
dac76a
index 1fea01471e..9638681130 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
dac76a
@@ -1,5 +1,5 @@
dac76a
 #!/bin/bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_stig
dac76a
 
dac76a
 source $SHARED/dconf_test_functions.sh
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
dac76a
index af4ea0ab82..7f7123a8be 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
dac76a
@@ -1,4 +1,5 @@
dac76a
 #!/bin/bash
dac76a
+# platform = Red Hat Enterprise Linux 7
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_ncp
dac76a
 
dac76a
 source $SHARED/dconf_test_functions.sh
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
dac76a
index e0f43ec001..cd65f885a2 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
dac76a
@@ -1,5 +1,5 @@
dac76a
 #!/bin/bash
dac76a
-# platform = Red Hat Enterprise Linux 7
dac76a
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_stig
dac76a
 
dac76a
 source $SHARED/dconf_test_functions.sh
dac76a
dac76a
From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Tue, 3 Mar 2020 10:28:07 +0100
dac76a
Subject: [PATCH 05/27] Fix text of banners, remove space after dash
dac76a
dac76a
Per DISA STIG reference, there is no space after the list items.
dac76a
---
dac76a
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
dac76a
 .../tests/correct_value_stig.pass.sh                            | 2 +-
dac76a
 2 files changed, 2 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index bc6a31bc74..d9dca1bef9 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -2,7 +2,7 @@
dac76a
 . /usr/share/scap-security-guide/remediation_functions
dac76a
 populate login_banner_text
dac76a
 
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
 
dac76a
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
dac76a
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
dac76a
index d59f9071f0..dca4b8e99b 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
dac76a
@@ -6,7 +6,7 @@ source $SHARED/dconf_test_functions.sh
dac76a
 
dac76a
 install_dconf_and_gdm_if_needed
dac76a
 
dac76a
-login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s
\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
dac76a
+login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s
\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
dac76a
 expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
 
dac76a
 clean_dconf_settings
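Review bot: The test still hard-codes `login_banner_text` in the superseded `(^…$|^…$)` format and, on the unchanged line below the hunk's edit, the pre-fix sed `s/(\^\(.*\)\$|.*$/\1/g`, whereas the remediation this series touches now uses `s/\^(\(.*\)|.*$/\1/g` against the `^(…|…)$` format. The scenario therefore exercises a transformation the shipped remediation no longer performs and can keep passing while the remediation regresses. Deriving the value from the built datastream, or at least mirroring the current remediation sed line, would make the test meaningful again.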
dac76a
dac76a
From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Tue, 3 Mar 2020 11:01:25 +0100
dac76a
Subject: [PATCH 06/27] Make banner compatible with console and dconf
dac76a
dac76a
The banner in /etc/issue is expected to have actual newlines, while the
dac76a
banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence
dac76a
'\n'.
dac76a
dac76a
This commit transforms the newline from the input banner into a regex
dac76a
that matches either the newline or the escape sequence.
dac76a
dac76a
During remediation, each rule will replace the regular expression for
dac76a
the correct "version" of the newline.
dac76a
---
dac76a
 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
dac76a
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
dac76a
 shared/macros.jinja                                             | 2 +-
dac76a
 3 files changed, 3 insertions(+), 3 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index 1b2052a658..fcaaa2c794 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -3,7 +3,7 @@
dac76a
 populate login_banner_text
dac76a
 
dac76a
 # There was a regular-expression matching various banners, needs to be expanded
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
dac76a
 formatted=$(echo "$expanded" | fold -sw 80)
dac76a
 
dac76a
 cat <<EOF >/etc/issue
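Review bot: The new step `s/(?:\[\\n\]+|(?:\\n)+)/\n/g` matches the newline token with a single backslash before the second `n`, but the macro in shared/macros.jinja spells that alternative `(?:\\\\n)+`, which looks like it renders with two backslashes so the regex can match a literal `\n` in the dconf keyfile. If that is what reaches the XCCDF value, this sed never fires and the following `s/\\//g` leaves `(?:[n]+|(?:n)+)` in /etc/issue; worth checking against a built datastream and, if so, changing to `s/(?:\[\\n\]+|(?:\\\\n)+)/\n/g`. A why-comment would also help, since the pattern only works because GNU sed's BRE treats `+`, `|`, `?` and `(` literally: `# BRE: '+', '|', '?' and '(' are literal, so this matches the token text, not a regex`. The heredoc that writes /etc/issue continues past the hunk.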
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index d9dca1bef9..2b51e7c94c 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -2,7 +2,7 @@
dac76a
 . /usr/share/scap-security-guide/remediation_functions
dac76a
 populate login_banner_text
dac76a
 
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
 
dac76a
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
dac76a
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
dac76a
diff --git a/shared/macros.jinja b/shared/macros.jinja
dac76a
index 3c617040bf..b178088f0c 100644
dac76a
--- a/shared/macros.jinja
dac76a
+++ b/shared/macros.jinja
dac76a
@@ -659,5 +659,5 @@ openssl()
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
 {{% macro banner_flexibler(banner_text) -%}}
dac76a
-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
dac76a
+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}
dac76a
 {{% endmacro %}}
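Review bot: The macro now emits a compound token whose exact spelling is parsed back by sed in two bash remediations, yet nothing in the hunk says so; the next person editing `(?:[\\n]+|(?:\\\\n)+)` or the `BFLMPSVZ` sentinel has no hint that the remediations must change in lockstep. Suggest a comment above the macro: `{{# Newlines become a regex accepting a real newline (/etc/issue) or the literal escape "\n" (dconf keyfile). The bash remediations of banner_etc_issue and dconf_gnome_login_banner_text sed this exact token back into text - keep them in sync. #}}`. The same comment should state that the banner text is assumed never to contain the sentinel string `BFLMPSVZ`.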
dac76a
dac76a
From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Tue, 3 Mar 2020 12:46:30 +0100
dac76a
Subject: [PATCH 07/27] Simplify banner remediation regexes
dac76a
dac76a
Remove unneeded sed expressions for the single quote (\x27)
dac76a
---
dac76a
 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
dac76a
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
dac76a
 2 files changed, 2 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index fcaaa2c794..5d079e9271 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -3,7 +3,7 @@
dac76a
 populate login_banner_text
dac76a
 
dac76a
 # There was a regular-expression matching various banners, needs to be expanded
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
dac76a
 formatted=$(echo "$expanded" | fold -sw 80)
dac76a
 
dac76a
 cat <<EOF >/etc/issue
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index 2b51e7c94c..568942e892 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -2,7 +2,7 @@
dac76a
 . /usr/share/scap-security-guide/remediation_functions
dac76a
 populate login_banner_text
dac76a
 
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
dac76a
 
dac76a
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
dac76a
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
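Review bot: Dropping `s/\x27/\\\x27/g` means any apostrophe in a site-specific banner now reaches `bash_dconf_settings` unescaped inside `'${expanded}'`; if that macro writes the value as a single-quoted GVariant string (its body is not visible here), the quote terminates the literal and the dconf keyfile fails to compile. The bundled DoD long banner has no apostrophe (only the discarded short one does), so the existing scenarios will not catch this. Either keep the escape as the last step, `s/\x27/\\\x27/g`, or document on the variable that the banner must not contain single quotes.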
dac76a
dac76a
From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Tue, 3 Mar 2020 12:48:10 +0100
dac76a
Subject: [PATCH 08/27] Document what the regexes do in the banner
dac76a
dac76a
---
dac76a
 .../accounts-banners/banner_etc_issue/bash/shared.sh      | 7 ++++++-
dac76a
 .../dconf_gnome_login_banner_text/bash/shared.sh          | 8 ++++++++
dac76a
 2 files changed, 14 insertions(+), 1 deletion(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index 5d079e9271..07b88bf039 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -2,7 +2,12 @@
dac76a
 . /usr/share/scap-security-guide/remediation_functions
dac76a
 populate login_banner_text
dac76a
 
dac76a
-# There was a regular-expression matching various banners, needs to be expanded
dac76a
+# Multiple regexes transform the banner regex into a usable banner
dac76a
+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
dac76a
+#    (dod_banners contains the long and shor banner)
dac76a
+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
+# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
dac76a
+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
 expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
dac76a
 formatted=$(echo "$expanded" | fold -sw 80)
dac76a
 
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index 568942e892..658205bd2c 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -2,6 +2,14 @@
dac76a
 . /usr/share/scap-security-guide/remediation_functions
dac76a
 populate login_banner_text
dac76a
 
dac76a
+# Multiple regexes transform the banner regex into a usable banner
dac76a
+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
dac76a
+#    (dod_banners contains the long and shor banner)
dac76a
+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
+# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
dac76a
+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
+# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
dac76a
+#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
dac76a
 expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
dac76a
 
dac76a
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
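Review bot: The added comment block has several typos and a dangling parenthesis that the sibling banner_etc_issue script copies as well: `shor` should be `short`, `parethesis` should be `parenthesis`, `escapce` should be `escape`, `"token."` should be `"token"`, and step 5's last line opens a `(` that is never closed. The step numbering is also inconsistent (`1 -` versus `2-`). Step 3 would be clearer if it said why the intermediate token exists at all, e.g. `# 3- Replace the newline regex with a token that survives step 4's backslash stripping`.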
dac76a
dac76a
From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Tue, 3 Mar 2020 12:49:02 +0100
dac76a
Subject: [PATCH 09/27] Add rule to check dconf banner
dac76a
dac76a
The STIG profile sets the banner, and checks whether it is enabled for
dac76a
dconf, but never checked the banner text.
dac76a
---
dac76a
 rhel8/profiles/stig.profile | 1 +
dac76a
 1 file changed, 1 insertion(+)
dac76a
dac76a
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
dac76a
index 7eb1869a3c..f315df7d06 100644
dac76a
--- a/rhel8/profiles/stig.profile
dac76a
+++ b/rhel8/profiles/stig.profile
dac76a
@@ -21,6 +21,7 @@ extends: ospp
dac76a
     - login_banner_text=dod_banners
dac76a
     - dconf_db_up_to_date
dac76a
     - dconf_gnome_banner_enabled
dac76a
+    - dconf_gnome_login_banner_text
dac76a
     - banner_etc_issue
dac76a
     - accounts_password_set_min_life_existing
dac76a
     - accounts_password_set_max_life_existing
dac76a
dac76a
From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Fri, 6 Mar 2020 15:37:46 +0100
dac76a
Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock
dac76a
dac76a
---
dac76a
 .../dconf_gnome_login_banner_text/ansible/shared.yml          | 4 ++--
dac76a
 1 file changed, 2 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
index 6946c9ddf7..303f505968 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
@@ -38,7 +38,7 @@
dac76a
 - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
dac76a
   lineinfile:
dac76a
     path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'
dac76a
-    regexp: '^org/gnome/login-screen/banner-message-text$'
dac76a
-    line: 'org/gnome/login-screen/banner-message-text'
dac76a
+    regexp: '^/org/gnome/login-screen/banner-message-text$'
dac76a
+    line: '/org/gnome/login-screen/banner-message-text'
dac76a
     create: yes
dac76a
     state: present
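Review bot: The corrected `regexp` no longer matches the slash-less line that earlier runs of this task wrote, so hosts remediated before this fix keep a stale `org/gnome/login-screen/banner-message-text` entry next to the new `/org/...` one in `00-security-settings-lock`. Whether dconf ignores or warns about the malformed entry I have not verified, but it is dead content in a security lock file either way. A preceding `lineinfile` task with `regexp: '^org/gnome/login-screen/banner-message-text$'` and `state: absent` would clean it up.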
dac76a
dac76a
From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Fri, 6 Mar 2020 15:58:38 +0100
dac76a
Subject: [PATCH 11/27] Fix banner regex stripping for Ansible
dac76a
dac76a
Do similar regex stripping as is done in the Bash remediation.
dac76a
The triple single quotes is necessary for the jinja template expansion
dac76a
to add the banner wrapped in single quotes.
dac76a
---
dac76a
 .../dconf_gnome_login_banner_text/ansible/shared.yml           | 3 ++-
dac76a
 1 file changed, 2 insertions(+), 1 deletion(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
index 303f505968..5d5e92530a 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
@@ -32,8 +32,9 @@
dac76a
     dest: /etc/dconf/db/gdm.d/00-security-settings
dac76a
     section: org/gnome/login-screen
dac76a
     option: banner-message-text
dac76a
-    value: '{{ login_banner_text }}'
dac76a
+    value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
dac76a
     create: yes
dac76a
+    no_extra_spaces: yes
dac76a
 
dac76a
 - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
dac76a
   lineinfile:
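Review bot: `regex_replace("\\", "")` strips the backslash that escapes the apostrophes in the short DoD banner, and the surrounding `'''…'''` then wraps that text in single quotes as a GVariant string, so selecting `dod_short` produces `'I've read …'`, an unterminated dconf value (with `dod_banners` the first filter keeps the long banner, which has no apostrophe). Re-escape apostrophes after the backslash strip with one more filter that turns `'` into `\'`; inside this YAML single-quoted scalar each literal `'` has to be doubled to survive parsing. The task name says the banner is set but nothing asserts the rendered value is well-formed, so a comment noting that the value must be a valid single-quoted GVariant string would help the next person touching this filter chain.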
dac76a
dac76a
From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Fri, 6 Mar 2020 16:09:50 +0100
dac76a
Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue
dac76a
dac76a
---
dac76a
 .../banner_etc_issue/ansible/shared.yml              | 12 ++++++++++++
dac76a
 1 file changed, 12 insertions(+)
dac76a
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
new file mode 100644
dac76a
index 0000000000..e136304020
dac76a
--- /dev/null
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
@@ -0,0 +1,12 @@
dac76a
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
dac76a
+# reboot = false
dac76a
+# strategy = unknown
dac76a
+# complexity = low
dac76a
+# disruption = medium
dac76a
+- (xccdf-var login_banner_text)
dac76a
+
dac76a
+- name: "{{{ rule_title }}}"
dac76a
+  lineinfile:
dac76a
+    dest: /etc/issue
dac76a
+    line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
dac76a
+    create: yes
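Review bot: `lineinfile` without a `regexp` only appends `line` when it is absent, so on a host whose `/etc/issue` already holds a different or older banner the new text is added after it and the stale text stays, whereas the Bash remediation rewrites the whole file; the check only confirms the approved banner is present, so a leftover unapproved notice would go unnoticed. Since `line` is a multi-line, word-wrapped blob anyway, `copy` fits better: replace `lineinfile:` with `copy:` and `line:` with `content:` (dropping `create: yes`). Also `wordwrap()` defaults to a 79-column width while the Bash version uses `fold -sw 80`; pick one so the two remediations produce the same file.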
dac76a
dac76a
From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Fri, 6 Mar 2020 16:52:09 +0100
dac76a
Subject: [PATCH 13/27] Update reference RHEL8 STIG profile
dac76a
dac76a
---
dac76a
 tests/data/profile_stability/rhel8/stig.profile | 1 +
dac76a
 1 file changed, 1 insertion(+)
dac76a
dac76a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
dac76a
index 843267d589..381cf54b3a 100644
dac76a
--- a/tests/data/profile_stability/rhel8/stig.profile
dac76a
+++ b/tests/data/profile_stability/rhel8/stig.profile
dac76a
@@ -84,6 +84,7 @@ selections:
dac76a
 - coredump_disable_storage
dac76a
 - dconf_db_up_to_date
dac76a
 - dconf_gnome_banner_enabled
dac76a
+- dconf_gnome_login_banner_text
dac76a
 - disable_ctrlaltdel_burstaction
dac76a
 - disable_ctrlaltdel_reboot
dac76a
 - disable_host_auth
dac76a
dac76a
From 6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sat, 7 Mar 2020 13:12:28 +0100
dac76a
Subject: [PATCH 14/27] Move bash banner deregexification to macros
dac76a
dac76a
This aims to increase maintainability and readability.
dac76a
Every step in the deregexification is a separate macro.
dac76a
The macros 'bash_deregexify_banner_etc_issue' and
dac76a
'bash_deregexify_banner_dconf_gnome' build upon the basic steps.
dac76a
---
dac76a
 .../banner_etc_issue/bash/shared.sh           |  9 ++++---
dac76a
 .../bash/shared.sh                            | 10 +++++---
dac76a
 shared/macros-bash.jinja                      | 25 +++++++++++++++++++
dac76a
 3 files changed, 38 insertions(+), 6 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index 07b88bf039..119413005e 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -4,12 +4,15 @@ populate login_banner_text
dac76a
 
dac76a
 # Multiple regexes transform the banner regex into a usable banner
dac76a
 # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
dac76a
-#    (dod_banners contains the long and shor banner)
dac76a
+#    (dod_banners contains the long and short banner)
dac76a
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
dac76a
 # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
dac76a
 # 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
dac76a
+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
dac76a
 # 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
dac76a
-formatted=$(echo "$expanded" | fold -sw 80)
dac76a
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
dac76a
+formatted=$(echo "$login_banner_text" | fold -sw 80)
dac76a
 
dac76a
 cat <<EOF >/etc/issue
dac76a
 $formatted
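Review bot: The wrap width here (`fold -sw 80`) differs from the Ansible remediation for the same rule, which uses Jinja's `wordwrap()` at its default of, as far as I recall, 79 columns, so the two remediations write different `/etc/issue` files for the same variable. The OVAL check appears to tolerate any whitespace between words, so this is not a compliance failure, but it makes diffing remediated hosts noisy; `fold -sw 79` here, or `wordwrap(80)` on the Ansible side, aligns them. I believe `fold -s` also keeps the blank it breaks on at the end of the line, so trailing spaces end up in the file; `sed 's/ *$//'` after `fold` would tidy that.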
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index 658205bd2c..4011932790 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -4,13 +4,17 @@ populate login_banner_text
dac76a
 
dac76a
 # Multiple regexes transform the banner regex into a usable banner
dac76a
 # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
dac76a
-#    (dod_banners contains the long and shor banner)
dac76a
+#    (dod_banners contains the long and short banner)
dac76a
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
dac76a
 # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
dac76a
 # 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
dac76a
+{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
dac76a
 # 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
dac76a
 # 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
dac76a
 #    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
dac76a
-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
dac76a
+{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
dac76a
 
dac76a
-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
dac76a
+{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}}
dac76a
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
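Review bot: The commit message says the composite macros `bash_deregexify_banner_etc_issue` and `bash_deregexify_banner_dconf_gnome` build on the basic steps, but neither is defined in the `macros-bash.jinja` hunk of this commit, and this file still calls the five primitives in sequence, so the ordering constraint that the backslash strip must precede the newline-token expansion (step 5's comment) is enforced only by convention in every caller. Either add the composite macro as described and call `{{{ bash_deregexify_banner_dconf_gnome("login_banner_text") }}}` here, or drop the claim from the message. The apostrophe escaping for the single-quoted GVariant value passed to `bash_dconf_settings` also remains open when `dod_short` is selected, since the backslash strip removes the `\'` escape.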
dac76a
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
dac76a
index 2756cc0c00..6d72684c6d 100644
dac76a
--- a/shared/macros-bash.jinja
dac76a
+++ b/shared/macros-bash.jinja
dac76a
@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}}
dac76a
 {{{ contents|trim() }}}
dac76a
 EOF
dac76a
 {{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips multibanner regex and keeps only the first banner #}}
dac76a
+{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips whitespace or newline regex #}}
dac76a
+{{% macro bash_deregexify_banner_space(banner_var_name) -%}}
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g')
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips newline or newline escape sequence regex #}}
dac76a
+{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}}
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g')
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips newline token for a newline escape sequence regex #}}
dac76a
+{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}}
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g')
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips backslash regex #}}
dac76a
+{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}}
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g')
dac76a
+{{%- endmacro %}}
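Review bot: Every macro pipes the banner through `echo "$var"`, and the value at that point is full of backslash sequences (`\(`, `\n`, `\\'`); `echo`'s handling of backslashes is unspecified by POSIX and bash interprets them when `xpg_echo` is enabled or the script runs under `sh`, which would corrupt the text before sed sees it. `printf '%s\n' "${{{ banner_var_name }}}"` is the portable form and also survives a banner that starts with `-n` or `-e`. These macros also rewrite the caller's variable in place, which is worth stating in the comment above each one, e.g. `{{# Strips backslash regex; rewrites the variable named by banner_var_name in place #}}`.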
dac76a
dac76a
From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sat, 7 Mar 2020 14:04:40 +0100
dac76a
Subject: [PATCH 15/27] Move ansible banner deregexification to macros
dac76a
dac76a
This aims to increase maintainability and readability.
dac76a
Every step in the deregexification is a separate macro.
dac76a
The macros 'ansible_deregexify_banner_etc_issue' and
dac76a
'ansible_deregexify_banner_dconf_gnome' build upon the basic steps.
dac76a
---
dac76a
 .../banner_etc_issue/ansible/shared.yml       |  2 +-
dac76a
 .../ansible/shared.yml                        |  2 +-
dac76a
 shared/macros-ansible.jinja                   | 54 +++++++++++++++++++
dac76a
 3 files changed, 56 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
index e136304020..42c19194e4 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
@@ -8,5 +8,5 @@
dac76a
 - name: "{{{ rule_title }}}"
dac76a
   lineinfile:
dac76a
     dest: /etc/issue
dac76a
-    line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
dac76a
+    line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
dac76a
     create: yes
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
index 5d5e92530a..40cce05fbc 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
dac76a
@@ -32,7 +32,7 @@
dac76a
     dest: /etc/dconf/db/gdm.d/00-security-settings
dac76a
     section: org/gnome/login-screen
dac76a
     option: banner-message-text
dac76a
-    value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
dac76a
+    value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}'
dac76a
     create: yes
dac76a
     no_extra_spaces: yes
dac76a
 
dac76a
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
dac76a
index 0d023553a7..5deb7ceb80 100644
dac76a
--- a/shared/macros-ansible.jinja
dac76a
+++ b/shared/macros-ansible.jinja
dac76a
@@ -217,3 +217,57 @@
dac76a
         {{{ contents|trim()|indent(8) }}}
dac76a
     force: yes
dac76a
 {{%- endmacro %}}
dac76a
+
dac76a
+{{#
dac76a
+  Formats a banner regex for use in /etc/issue
dac76a
+  Parameters:
dac76a
+    - banner_var_name - name of ansible variable with the banner regex
dac76a
+#}}
dac76a
+{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
dac76a
+{{ {{{ banner_var_name }}} |
dac76a
+{{{ ansible_deregexify_multiple_banners() }}} |
dac76a
+{{{ ansible_deregexify_banner_space() }}} |
dac76a
+{{{ ansible_deregexify_banner_newline("\\n") }}} |
dac76a
+{{{ ansible_deregexify_banner_backslash() }}} |
dac76a
+wordwrap() }}
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{#
dac76a
+  Formats a banner regex for use in dconf
dac76a
+  Parameters:
dac76a
+    - banner_var_name - name of ansible variable with the banner regex
dac76a
+#}}
dac76a
+{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
dac76a
+''{{ {{{ banner_var_name }}} |
dac76a
+{{{ ansible_deregexify_multiple_banners() }}} |
dac76a
+{{{ ansible_deregexify_banner_space() }}} |
dac76a
+{{{ ansible_deregexify_banner_newline("(n)*") }}} |
dac76a
+{{{ ansible_deregexify_banner_backslash() }}} |
dac76a
+{{{ ansible_deregexify_banner_newline_token()}}} }}''
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+    line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
dac76a
+{{# Strips multibanner regex and keeps only the first banner #}}
dac76a
+{{% macro ansible_deregexify_multiple_banners() -%}}
dac76a
+regex_replace("\^\((.*)\|.*$", "\1")
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips whitespace or newline regex #}}
dac76a
+{{% macro ansible_deregexify_banner_space() -%}}
dac76a
+regex_replace("\[\\s\\n\]\+"," ")
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips newline or newline escape sequence regex #}}
dac76a
+{{% macro ansible_deregexify_banner_newline(newline) -%}}
dac76a
+regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "{{{ newline }}}")
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips newline token for a newline escape sequence regex #}}
dac76a
+{{% macro ansible_deregexify_banner_newline_token() -%}}
dac76a
+regex_replace("\(n\)\*", "\\n")
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
+{{# Strips backslash regex #}}
dac76a
+{{% macro ansible_deregexify_banner_backslash() -%}}
dac76a
+regex_replace("\\", "")
dac76a
+{{%- endmacro %}}
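Review bot: The line `line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'` sits at top level between two macro definitions, outside any `{{% macro %}}` block, so depending on how this macros file is loaded it is either rendered as stray output wherever the file is included or is dead text; it also carries a doubled pipe that Jinja would reject if the expression were ever evaluated. It looks like a leftover from the previous version of `banner_etc_issue/ansible/shared.yml` and should simply be deleted. Separately, the two composite macros emit a multi-line `{{ … }}` expression into a single-quoted YAML scalar; that works only because YAML folds the newlines into spaces, which deserves a one-line comment since the rendered playbook is what people will debug.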
dac76a
dac76a
From 890e79ea0a9eff8cab05d8ef06e96900d95b2617 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 10:58:12 +0100
dac76a
Subject: [PATCH 16/27] Move the DoD banners into jinja variables
dac76a
dac76a
The variables are used to easily combine them in the regex for the
dac76a
"multiple banners allowed regex".
dac76a
Let's avoid repeating ourselves.
dac76a
---
dac76a
 .../httpd_secure_content/var_web_login_banner_text.var   | 9 ++++++---
dac76a
 .../accounts/accounts-banners/login_banner_text.var      | 9 ++++++---
dac76a
 2 files changed, 12 insertions(+), 6 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
index 72a728659b..96b6ac8e71 100644
dac76a
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
@@ -12,9 +12,12 @@ operator: equals
dac76a
 
dac76a
 interactive: false
dac76a
 
dac76a
+{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
dac76a
+
dac76a
 options:
dac76a
-    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
dac76a
-    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
dac76a
-    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
dac76a
+    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
+    dod_default: {{{ banner_flexibler(var_dod_default) }}}
dac76a
+    dod_short: {{{ banner_flexibler(var_dod_short) }}}
dac76a
     dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
     usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
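Review bot: The full DoD banner text is now maintained as an identical `{{% set var_dod_default %}}` literal in both this file and `login_banner_text.var`, so a wording fix in one silently leaves the other, and therefore the web versus OS login banner, out of sync. Moving the two literals into a shared macros file keeps a single authoritative copy. If the build does not let `.var` files import shared variables, a comment in each file pointing at its twin, e.g. `# Keep in sync with accounts-banners/login_banner_text.var`, is the minimum.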
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
index 0c398bee9c..400a4299e6 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
@@ -12,10 +12,13 @@ operator: equals
dac76a
 
dac76a
 interactive: false
dac76a
 
dac76a
+{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
dac76a
+
dac76a
 options:
dac76a
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
dac76a
-    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
dac76a
-    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
dac76a
-    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
dac76a
+    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
+    dod_default: {{{ banner_flexibler(var_dod_default) }}}
dac76a
+    dod_short: {{{ banner_flexibler(var_dod_short) }}}
dac76a
     dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
     usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
dac76a
From f17b39f5a55f92ae4d0e4e03cbd26dd55137b083 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 11:14:09 +0100
dac76a
Subject: [PATCH 17/27] Remove unecessary escapping in short banner
dac76a
dac76a
---
dac76a
 .../httpd_secure_content/var_web_login_banner_text.var          | 2 +-
dac76a
 .../system/accounts/accounts-banners/login_banner_text.var      | 2 +-
dac76a
 2 files changed, 2 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
index 96b6ac8e71..c98d2441cf 100644
dac76a
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
@@ -13,7 +13,7 @@ operator: equals
dac76a
 interactive: false
dac76a
 
dac76a
 {{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
dac76a
+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
dac76a
 
dac76a
 options:
dac76a
     dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
index 400a4299e6..fc65772554 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
@@ -13,7 +13,7 @@ operator: equals
dac76a
 interactive: false
dac76a
 
dac76a
 {{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
dac76a
+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
dac76a
 
dac76a
 options:
dac76a
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
dac76a
dac76a
From bb2dcd9212bb6e83c53bfb9df10bc7e236dec722 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 15:23:31 +0100
dac76a
Subject: [PATCH 18/27] Add utility to regexify a login banner
dac76a
dac76a
Moved the banner_flexibler macro to python code, and renamed to
dac76a
banner_regexify, to be aligned with Ansible and Bash counterparts
dac76a
"deregexify".
dac76a
dac76a
The utility will make it easy to add your own login banner on a tailoring
dac76a
file, or via SCAP Workbench.
dac76a
---
dac76a
 .../var_web_login_banner_text.var             | 10 +++----
dac76a
 .../accounts-banners/login_banner_text.var    | 10 +++----
dac76a
 shared/macros.jinja                           |  4 ---
dac76a
 ssg/jinja.py                                  |  3 +-
dac76a
 ssg/utils.py                                  |  3 ++
dac76a
 utils/regexify_banner.py                      | 29 +++++++++++++++++++
dac76a
 6 files changed, 44 insertions(+), 15 deletions(-)
dac76a
 create mode 100644 utils/regexify_banner.py
dac76a
dac76a
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
index c98d2441cf..d3f72cbd97 100644
dac76a
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
@@ -16,8 +16,8 @@ interactive: false
dac76a
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
dac76a
 
dac76a
 options:
dac76a
-    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
-    dod_default: {{{ banner_flexibler(var_dod_default) }}}
dac76a
-    dod_short: {{{ banner_flexibler(var_dod_short) }}}
dac76a
-    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
-    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
+    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
+    dod_default: {{{ banner_regexify(var_dod_default) }}}
dac76a
+    dod_short: {{{ banner_regexify(var_dod_short) }}}
dac76a
+    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
+    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
index fc65772554..f6eab9bf33 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
@@ -17,8 +17,8 @@ interactive: false
dac76a
 
dac76a
 options:
dac76a
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
dac76a
-    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
-    dod_default: {{{ banner_flexibler(var_dod_default) }}}
dac76a
-    dod_short: {{{ banner_flexibler(var_dod_short) }}}
dac76a
-    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
-    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
+    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
+    dod_default: {{{ banner_regexify(var_dod_default) }}}
dac76a
+    dod_short: {{{ banner_regexify(var_dod_short) }}}
dac76a
+    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
+    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
diff --git a/shared/macros.jinja b/shared/macros.jinja
dac76a
index b178088f0c..8a25acc937 100644
dac76a
--- a/shared/macros.jinja
dac76a
+++ b/shared/macros.jinja
dac76a
@@ -657,7 +657,3 @@ openssl()
dac76a
 )
dac76a
 
dac76a
 {{%- endmacro %}}
dac76a
-
dac76a
-{{% macro banner_flexibler(banner_text) -%}}
dac76a
-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}
dac76a
-{{% endmacro %}}
dac76a
diff --git a/ssg/jinja.py b/ssg/jinja.py
dac76a
index 700466b8c3..471fbf4140 100644
dac76a
--- a/ssg/jinja.py
dac76a
+++ b/ssg/jinja.py
dac76a
@@ -10,7 +10,7 @@
dac76a
                         JINJA_MACROS_BASH_DEFINITIONS,
dac76a
                         JINJA_MACROS_OVAL_DEFINITIONS,
dac76a
                         )
dac76a
-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform
dac76a
+from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify
dac76a
 
dac76a
 
dac76a
 class MacroError(RuntimeError):
dac76a
@@ -112,6 +112,7 @@ def add_python_functions(substitutions_dict):
dac76a
     substitutions_dict['prodtype_to_name'] = prodtype_to_name
dac76a
     substitutions_dict['name_to_platform'] = name_to_platform
dac76a
     substitutions_dict['prodtype_to_platform'] = prodtype_to_platform
dac76a
+    substitutions_dict['banner_regexify'] = banner_regexify
dac76a
     substitutions_dict['raise'] = raise_exception
dac76a
 
dac76a
 
dac76a
diff --git a/ssg/utils.py b/ssg/utils.py
dac76a
index 16b1aebe33..3823e02a2d 100644
dac76a
--- a/ssg/utils.py
dac76a
+++ b/ssg/utils.py
dac76a
@@ -248,3 +248,6 @@ def mkdir_p(path):
dac76a
             pass
dac76a
         else:
dac76a
             raise
dac76a
+
dac76a
+def banner_regexify(banner_text):
dac76a
+    return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
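Review bot: The replacement patterns on the new `banner_regexify` line use `\s` inside a regular (non-raw) string literal, which is an invalid escape sequence that Python only tolerates with a DeprecationWarning (a SyntaxWarning in newer releases); write them as raw strings so the intent is explicit and the runtime strings stay identical: `return banner_text.replace("\n", "BFLMPSVZ").replace(" ", r"[\s\n]+").replace("BFLMPSVZ", r"(?:[\n]+|(?:\\n)+)")`. The function also lacks a docstring; a one-liner such as `"""Turn a human-readable banner into the whitespace-tolerant regex the banner checks compare against."""` would help, and the `BFLMPSVZ` placeholder deserves a comment noting it is a sentinel that must not occur in the banner text. PEP 8 also asks for two blank lines before a top-level def, while the hunk adds only one after `mkdir_p`.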
dac76a
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
dac76a
new file mode 100644
dac76a
index 0000000000..7bdf69b702
dac76a
--- /dev/null
dac76a
+++ b/utils/regexify_banner.py
dac76a
@@ -0,0 +1,29 @@
dac76a
+import argparse
dac76a
+import ssg.utils
dac76a
+
dac76a
+def parse_args():
dac76a
+    p = argparse.ArgumentParser()
dac76a
+    p.add_argument("--output", help="Path to output regexified banner")
dac76a
+    p.add_argument("input", help="Path to file with banner to regexify")
dac76a
+
dac76a
+    return p.parse_args()
dac76a
+
dac76a
+
dac76a
+def main():
dac76a
+
dac76a
+    args = parse_args()
dac76a
+    with open(args.input, "r") as file_in:
dac76a
+        # rstrip is used to remove newline at the end of file
dac76a
+        banner_text = file_in.read().rstrip()
dac76a
+
dac76a
+    banner_regex = ssg.utils.banner_regexify(banner_text)
dac76a
+
dac76a
+    if args.output:
dac76a
+        with open(args.output, "w") as file_out:
dac76a
+            file_out.write(banner_regex)
dac76a
+    else:
dac76a
+        print(banner_regex)
dac76a
+
dac76a
+
dac76a
+if __name__ == "__main__":
dac76a
+    main()
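Review bot: Both `open()` calls in `main` rely on the locale's default encoding, so a banner containing non-ASCII characters is read or written differently depending on the environment the tool runs in; pass it explicitly with `open(args.input, "r", encoding="utf-8")` and `open(args.output, "w", encoding="utf-8")`. The two output paths are also inconsistent: `print` appends a trailing newline while `file_out.write` does not, so a file produced via `--output` ends without one. A short module docstring would document the purpose, e.g. `"""Convert a plain-text login banner into the regex form used by the banner checks."""`.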
dac76a
dac76a
From 5c81e70d14ee90877630610bf0a2215199a3e491 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 15:31:12 +0100
dac76a
Subject: [PATCH 19/27] Move the macro to be a Jinja2 filter
dac76a
dac76a
This is done so that we can apply banner_regexify individually in each
dac76a
banner of dod_banners.
dac76a
---
dac76a
 .../httpd_secure_content/var_web_login_banner_text.var | 10 +++++-----
dac76a
 .../accounts/accounts-banners/login_banner_text.var    | 10 +++++-----
dac76a
 ssg/jinja.py                                           |  2 +-
dac76a
 3 files changed, 11 insertions(+), 11 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
index d3f72cbd97..e990f0cb23 100644
dac76a
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
@@ -16,8 +16,8 @@ interactive: false
dac76a
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
dac76a
 
dac76a
 options:
dac76a
-    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
-    dod_default: {{{ banner_regexify(var_dod_default) }}}
dac76a
-    dod_short: {{{ banner_regexify(var_dod_short) }}}
dac76a
-    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
-    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
+    dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
dac76a
+    dod_default: {{{ var_dod_default|banner_regexify }}}
dac76a
+    dod_short: {{{ var_dod_short|banner_regexify }}}
dac76a
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
dac76a
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
index f6eab9bf33..e059174cb5 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
@@ -17,8 +17,8 @@ interactive: false
dac76a
 
dac76a
 options:
dac76a
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
dac76a
-    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
dac76a
-    dod_default: {{{ banner_regexify(var_dod_default) }}}
dac76a
-    dod_short: {{{ banner_regexify(var_dod_short) }}}
dac76a
-    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
dac76a
-    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
dac76a
+    dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
dac76a
+    dod_default: {{{ var_dod_default|banner_regexify }}}
dac76a
+    dod_short: {{{ var_dod_short|banner_regexify }}}
dac76a
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
dac76a
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
dac76a
diff --git a/ssg/jinja.py b/ssg/jinja.py
dac76a
index 471fbf4140..e779466838 100644
dac76a
--- a/ssg/jinja.py
dac76a
+++ b/ssg/jinja.py
dac76a
@@ -71,6 +71,7 @@ def _get_jinja_environment(substitutions_dict):
dac76a
             loader=AbsolutePathFileSystemLoader(),
dac76a
             bytecode_cache=bytecode_cache
dac76a
         )
dac76a
+        _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
dac76a
 
dac76a
     return _get_jinja_environment.env
dac76a
 
dac76a
@@ -112,7 +113,6 @@ def add_python_functions(substitutions_dict):
dac76a
     substitutions_dict['prodtype_to_name'] = prodtype_to_name
dac76a
     substitutions_dict['name_to_platform'] = name_to_platform
dac76a
     substitutions_dict['prodtype_to_platform'] = prodtype_to_platform
dac76a
-    substitutions_dict['banner_regexify'] = banner_regexify
dac76a
     substitutions_dict['raise'] = raise_exception
dac76a
 
dac76a
 
dac76a
dac76a
From d416cb9e78842767f08d9c38d9ea0b79b05f00dd Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 15:53:07 +0100
dac76a
Subject: [PATCH 20/27] Automatically escape regex unsafe chars in banner
dac76a
dac76a
Let the banner_regexify filter escape regex unsafe chars, no need for
dac76a
manual escaping.
dac76a
---
dac76a
 .../httpd_secure_content/var_web_login_banner_text.var       | 2 +-
dac76a
 .../system/accounts/accounts-banners/login_banner_text.var   | 2 +-
dac76a
 ssg/utils.py                                                 | 5 +++++
dac76a
 3 files changed, 7 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
index e990f0cb23..e59cdc0782 100644
dac76a
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
@@ -12,7 +12,7 @@ operator: equals
dac76a
 
dac76a
 interactive: false
dac76a
 
dac76a
-{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
+{{% set var_dod_default = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
dac76a
 
dac76a
 options:
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
index e059174cb5..1c6a39f481 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
@@ -12,7 +12,7 @@ operator: equals
dac76a
 
dac76a
 interactive: false
dac76a
 
dac76a
-{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
+{{% set var_dod_default="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
dac76a
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
dac76a
 
dac76a
 options:
dac76a
diff --git a/ssg/utils.py b/ssg/utils.py
dac76a
index 3823e02a2d..7584e38a16 100644
dac76a
--- a/ssg/utils.py
dac76a
+++ b/ssg/utils.py
dac76a
@@ -250,4 +250,9 @@ def mkdir_p(path):
dac76a
             raise
dac76a
 
dac76a
 def banner_regexify(banner_text):
dac76a
+    # We could use re.escape(), but it escapes too many characters, including plain white space.
dac76a
+    # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
dac76a
+    # See https://docs.python.org/3/library/re.html#re.sub
dac76a
+    # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
dac76a
+    banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text)
dac76a
     return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
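Review bot: The character class on the new `re.sub` line does not do what the comment above it says: inside `[...]` the sequence `+-.` is a range from `+` to `.`, so `,` gets escaped too, and `` ` `` and `:` are in the class although the comment lists them as not escaped, while `?`, `[`, `]`, `{`, `}` and `\`, which Python 3.7's `re.escape` does escape, are missing, so a banner containing `[` or `?` yields a pattern that no longer matches the literal text (an unbalanced `[` is not even a valid pattern). Escaping the hyphen and completing the set to the 3.7 list makes code and comment agree: `banner_text = re.sub(r"([#$&*+\-.^|~()?\[\]{}\\])", r"\\\1", banner_text)`; if `:` and `` ` `` are meant to stay escaped for the downstream deregexify macros, keep them in the class and correct the comment's list instead. The comment also misspells "charaters". The same line reappears as context in the [PATCH 22/27] hunk of ssg/utils.py.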
dac76a
dac76a
From 35e962ce5c5c28d29d120723715d64dcbd567197 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 17:00:26 +0100
dac76a
Subject: [PATCH 21/27] Document the new macros, filter and utility
dac76a
dac76a
---
dac76a
 docs/manual/developer_guide.adoc | 26 ++++++++++++++++++++++++++
dac76a
 1 file changed, 26 insertions(+)
dac76a
dac76a
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
dac76a
index 76c1c10218..739a6a823c 100644
dac76a
--- a/docs/manual/developer_guide.adoc
dac76a
+++ b/docs/manual/developer_guide.adoc
dac76a
@@ -752,6 +752,14 @@ $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --p
dac76a
 
dac76a
 This will result in a new YAML profile containing exclusive rules to the profile pointed by the --profile1 option.
dac76a
 
dac76a
+=== Generating login banner regular expressions
dac76a
+
dac76a
+Rules like `banner_etc_issue` and `dconf_gnome_login_banner_text` will check for configuration of login banners and remediate them. Both rules source the banner text from the same variable `login_banner_text`, and the banner texts need to be in the form of a regular expression.
dac76a
+There are a few utilities you can use to transform your text into the appropriate regular expression:
dac76a
+
dac76a
+When adding a new banner directly to the `login_banner_text`, use the custom Jinja filter `banner_regexify`. +
dac76a
+If customizing content via SCAP Workbench, or directly writing your tailoring XML, use `utils/regexify_banner.py` to generate the appropriate regular expression.
dac76a
+
dac76a
 == Contributing with XCCDFs, OVALs and remediations
dac76a
 
dac76a
 There are three main types of content in the project, they are rules, defined using the XCCDF standard, checks, usually written in link:https://oval.mitre.org/language/about/[OVAL] format, and remediations, that can be executed on ansible, bash, anaconda installer, puppet and ignition.
dac76a
@@ -1279,6 +1287,8 @@ Jinja macros for Ansible content are located in `/shared/macros-ansible.jinja`.
dac76a
 - `ansible_sshd_set` -- set a parameter in the sshd configuration
dac76a
 - `ansible_etc_profile_set` -- ensure a command gets executed or a variable gets set in /etc/profile or /etc/profile.d
dac76a
 - `ansible_tmux_set` -- set a command in tmux configuration
dac76a
+- `ansible_deregexify_banner_etc_issue` -- Formats a banner regex for use in /etc/issue
dac76a
+- `ansible_deregexify_banner_dconf_gnome` -- Formats a banner regex for use in dconf
dac76a
 
dac76a
 They also include several low-level macros:
dac76a
 
dac76a
@@ -1289,6 +1299,14 @@ They also include several low-level macros:
dac76a
 - `ansible_set_config_file` -- for configuration files; set the given configuration value and ensure no conflicting values
dac76a
 - `ansible_set_config_file_dir` -- for configuration files and files in configuration directories; set the given configuration value and ensure no conflicting values
dac76a
 
dac76a
+Low level macros to make login banner regular expressions usable in Ansible remediations
dac76a
+
dac76a
+- `ansible_deregexify_multiple_banners` -- Strips multibanner regex and keeps only the first banner
dac76a
+- `ansible_deregexify_banner_space` -- Strips whitespace or newline regex
dac76a
+- `ansible_deregexify_banner_newline` -- Strips newline or newline escape sequence regex
dac76a
+- `ansible_deregexify_banner_newline_token` -- Strips newline token for a newline escape sequence regex
dac76a
+- `ansible_deregexify_banner_backslash` - Strips backslash regex
dac76a
+
dac76a
 When `msg` is absent from any of the above macros, rule title will be substituted instead.
dac76a
 
dac76a
 Whenever possible, please reuse the macros and form high-level simplifications.
dac76a
@@ -1348,6 +1366,14 @@ Available low-level Jinja macros that can be used in Bash remediations:
dac76a
 - `die` - Function to terminate the remediation
dac76a
 - `set_config_file` - Add an entry to a text configuration file
dac76a
 
dac76a
+Low level macros to make login banner regular expressions usable in Bash remediations
dac76a
+
dac76a
+- `bash_deregexify_multiple_banners` - Strips multibanner regex and keeps only the first banner
dac76a
+- `bash_deregexify_banner_space` - Strips whitespace or newline regex
dac76a
+- `bash_deregexify_banner_newline` - Strips newline or newline escape sequence regex
dac76a
+- `bash_deregexify_banner_newline_token` - Strips newline token for a newline escape sequence regex
dac76a
+- `bash_deregexify_banner_backslash` - Strips backslash regex
dac76a
+
dac76a
 === Templating
dac76a
 
dac76a
 Writing OVAL checks, Bash, or any other content can be tedious work. For
dac76a
dac76a
From ad5526d6704299cfd01c818fa8a79e3587b90cb5 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Sun, 8 Mar 2020 17:56:44 +0100
dac76a
Subject: [PATCH 22/27] Code style fixes
dac76a
dac76a
---
dac76a
 ssg/jinja.py             | 7 ++++++-
dac76a
 ssg/utils.py             | 5 ++++-
dac76a
 utils/regexify_banner.py | 1 +
dac76a
 3 files changed, 11 insertions(+), 2 deletions(-)
dac76a
dac76a
diff --git a/ssg/jinja.py b/ssg/jinja.py
dac76a
index e779466838..e014768e2b 100644
dac76a
--- a/ssg/jinja.py
dac76a
+++ b/ssg/jinja.py
dac76a
@@ -10,7 +10,12 @@
dac76a
                         JINJA_MACROS_BASH_DEFINITIONS,
dac76a
                         JINJA_MACROS_OVAL_DEFINITIONS,
dac76a
                         )
dac76a
-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify
dac76a
+from .utils import (required_key,
dac76a
+                    prodtype_to_name,
dac76a
+                    name_to_platform,
dac76a
+                    prodtype_to_platform,
dac76a
+                    banner_regexify
dac76a
+                    )
dac76a
 
dac76a
 
dac76a
 class MacroError(RuntimeError):
dac76a
diff --git a/ssg/utils.py b/ssg/utils.py
dac76a
index 7584e38a16..472ac73b81 100644
dac76a
--- a/ssg/utils.py
dac76a
+++ b/ssg/utils.py
dac76a
@@ -249,10 +249,13 @@ def mkdir_p(path):
dac76a
         else:
dac76a
             raise
dac76a
 
dac76a
+
dac76a
 def banner_regexify(banner_text):
dac76a
     # We could use re.escape(), but it escapes too many characters, including plain white space.
dac76a
     # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
dac76a
     # See https://docs.python.org/3/library/re.html#re.sub
dac76a
     # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
dac76a
     banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text)
dac76a
-    return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
dac76a
+    banner_text = banner_text.replace("\n", "BFLMPSVZ")
dac76a
+    banner_text = banner_text.replace(" ", "[\\s\\n]+")
dac76a
+    return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
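Review bot: `banner_regexify` still has no docstring, and after splitting the chain into three `replace` calls the `BFLMPSVZ` sentinel is the one step a reader cannot explain from the code, since neither replacement string contains a literal space or newline character. A docstring such as `"""Turn human-readable banner text into the regex the checks compare against: regex metacharacters are backslash-escaped, each space becomes [\s\n]+ and each newline becomes (?:[\n]+|(?:\\n)+)."""` would state the contract, and the first `replace` deserves a why-comment, e.g. `# Park newlines in a sentinel while spaces are rewritten; see the final replace`, or the sentinel should be dropped if it is not actually needed.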
dac76a
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
dac76a
index 7bdf69b702..c794c02a37 100644
dac76a
--- a/utils/regexify_banner.py
dac76a
+++ b/utils/regexify_banner.py
dac76a
@@ -1,6 +1,7 @@
dac76a
 import argparse
dac76a
 import ssg.utils
dac76a
 
dac76a
+
dac76a
 def parse_args():
dac76a
     p = argparse.ArgumentParser()
dac76a
     p.add_argument("--output", help="Path to output regexified banner")
dac76a
dac76a
From 86439fed8f2d431da76bd613c87b38c4eda6457b Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Wed, 11 Mar 2020 13:44:02 +0100
dac76a
Subject: [PATCH 23/27] regexify_banner.py: Set x permission and shebang
dac76a
dac76a
---
dac76a
 utils/regexify_banner.py | 1 +
dac76a
 1 file changed, 1 insertion(+)
dac76a
 mode change 100644 => 100755 utils/regexify_banner.py
dac76a
dac76a
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
dac76a
old mode 100644
dac76a
new mode 100755
dac76a
index c794c02a37..15584693bf
dac76a
--- a/utils/regexify_banner.py
dac76a
+++ b/utils/regexify_banner.py
dac76a
@@ -1,3 +1,4 @@
dac76a
+#!/usr/bin/env python
dac76a
 import argparse
dac76a
 import ssg.utils
dac76a
 
dac76a
dac76a
From 556018017f7fbb2d7707aaf673ecd9d4edb53aae Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Wed, 11 Mar 2020 14:16:03 +0100
dac76a
Subject: [PATCH 24/27] The whole /etc/issue file should be evaluated
dac76a
dac76a
Added test scenario where the banner is followed by an
dac76a
extraneous line. This caused the rule to pass unexpectedly.
dac76a
dac76a
Updated OVAL check to consider all lines of /etc/issue as the object to
dac76a
be evaluated and compared against a state.
dac76a
Also updated Bash remediation to not add an extra newline at the end, and
dac76a
Ansible remediation to remove any extraneous line in /etc/issue
dac76a
---
dac76a
 .../banner_etc_issue/ansible/shared.yml       |  7 ++++-
dac76a
 .../banner_etc_issue/bash/shared.sh           |  2 --
dac76a
 .../banner_etc_issue/oval/shared.xml          |  8 ++++-
dac76a
 ...ner_etc_issue_disa_with_extra_line.fail.sh | 30 +++++++++++++++++++
dac76a
 4 files changed, 43 insertions(+), 4 deletions(-)
dac76a
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
dac76a
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
index 42c19194e4..21f0925268 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
dac76a
@@ -5,7 +5,12 @@
dac76a
 # disruption = medium
dac76a
 - (xccdf-var login_banner_text)
dac76a
 
dac76a
-- name: "{{{ rule_title }}}"
dac76a
+- name: "{{{ rule_title }}} - remove incorrect banner"
dac76a
+  file:
dac76a
+    state: absent
dac76a
+    path: /etc/issue
dac76a
+
dac76a
+- name: "{{{ rule_title }}} - add correct banner"
dac76a
   lineinfile:
dac76a
     dest: /etc/issue
dac76a
     line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
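Review bot: The new `file: state: absent` task followed by `lineinfile` deletes and recreates /etc/issue on every run, so the remediation is never idempotent (it reports changed each time), the original file's ownership, mode and SELinux context are lost, and a failure between the two tasks leaves the host with no banner at all. Whether the `lineinfile` task sets `create: yes` is outside the hunk; without it the task fails once the file has been removed. A single `copy` task with `content:` writes the whole file atomically and idempotently, keeps the existing file's attributes, and removes any extraneous lines as intended, using the same deregexified string that is passed to `line:` today.
```yaml
- name: "{{{ rule_title }}}"
  copy:
    dest: /etc/issue
    content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
```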
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index 119413005e..1a0c11f569 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -17,5 +17,3 @@ formatted=$(echo "$login_banner_text" | fold -sw 80)
dac76a
 cat <<EOF >/etc/issue
dac76a
 $formatted
dac76a
 EOF
dac76a
-
dac76a
-printf "\n" >> /etc/issue
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
dac76a
index 3317251d41..032c65b340 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
dac76a
@@ -12,14 +12,20 @@
dac76a
 
dac76a
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="test_banner_etc_issue" version="1">
dac76a
     <ind:object object_ref="object_banner_etc_issue" />
dac76a
+    <ind:state state_ref="state_banner_etc_issue" />
dac76a
   </ind:textfilecontent54_test>
dac76a
 
dac76a
   <ind:textfilecontent54_object id="object_banner_etc_issue" version="1">
dac76a
+    <ind:behaviors singleline="true" multiline="false" />
dac76a
     <ind:filepath>/etc/issue</ind:filepath>
dac76a
-    <ind:pattern var_ref="login_banner_text" operation="pattern match" />
dac76a
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
dac76a
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
dac76a
   </ind:textfilecontent54_object>
dac76a
 
dac76a
+  <ind:textfilecontent54_state id="state_banner_etc_issue" version="1">
dac76a
+    <ind:subexpression datatype="string" var_ref="login_banner_text" operation="pattern match" />
dac76a
+  </ind:textfilecontent54_state>
dac76a
+
dac76a
   <external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" />
dac76a
 
dac76a
 </def-group>
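Review bot: The reason for the new `singleline="true"` behaviors element together with the `^(.*)$` pattern is not recorded in the file, and it is not obvious at first read: with `singleline` the dot matches newlines and `multiline="false"` anchors `^`/`$` to the whole file, so the object yields one item holding the entire content of /etc/issue, which is what lets an extra trailing line fail the state's pattern match. An XML comment above the behaviors element, `<!-- singleline: '.' matches newlines, so ^(.*)$ captures all of /etc/issue as one item; any extra line fails the state's pattern match -->`, would preserve that intent for the next person who tries to "simplify" the pattern.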
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
dac76a
new file mode 100644
dac76a
index 0000000000..dfa48bd61a
dac76a
--- /dev/null
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
dac76a
@@ -0,0 +1,30 @@
dac76a
+#!/bin/bash
dac76a
+#
dac76a
+# profiles = xccdf_org.ssgproject.content_profile_stig
dac76a
+
dac76a
+# dod_default|dod_short banner
dac76a
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is 
dac76a
+provided for USG-authorized use only. By using this IS (which includes any 
dac76a
+device attached to this IS), you consent to the following conditions:
dac76a
+
dac76a
+-The USG routinely intercepts and monitors communications on this IS for 
dac76a
+purposes including, but not limited to, penetration testing, COMSEC monitoring, 
dac76a
+network operations and defense, personnel misconduct (PM), law enforcement 
dac76a
+(LE), and counterintelligence (CI) investigations.
dac76a
+
dac76a
+-At any time, the USG may inspect and seize data stored on this IS.
dac76a
+
dac76a
+-Communications using, or data stored on, this IS are not private, are subject 
dac76a
+to routine monitoring, interception, and search, and may be disclosed or used 
dac76a
+for any USG-authorized purpose.
dac76a
+
dac76a
+-This IS includes security measures (e.g., authentication and access controls) 
dac76a
+to protect USG interests--not for your personal benefit or privacy.
dac76a
+
dac76a
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE 
dac76a
+or CI investigative searching or monitoring of the content of privileged 
dac76a
+communications, or work product, related to personal representation or services 
dac76a
+by attorneys, psychotherapists, or clergy, and their assistants. Such 
dac76a
+communications and work product are private and confidential. See User 
dac76a
+Agreement for details.
dac76a
+Extra line at end." > /etc/issue
dac76a
dac76a
From 488c5259595032f25dd98d45c1b38a65ed248647 Mon Sep 17 00:00:00 2001
dac76a
From: Watson Sato <wsato@redhat.com>
dac76a
Date: Wed, 11 Mar 2020 18:52:37 +0100
dac76a
Subject: [PATCH 25/27] Wrap banner text with regex anchors
dac76a
dac76a
We need to be sure that the whole banners matches the banner variable.
dac76a
This commit includes a test scenario that reproduces the issue.
dac76a
dac76a
All the harness around banners has been updated: regexify, deregexify
dac76a
and utility.
dac76a
---
dac76a
 .../var_web_login_banner_text.var                |  8 ++++----
dac76a
 .../banner_etc_issue/bash/shared.sh              | 10 ++++++----
dac76a
 .../dconf_gnome_login_banner_text/bash/shared.sh | 12 +++++++-----
dac76a
 .../tests/wrapped_banner.fail.sh                 | 16 ++++++++++++++++
dac76a
 .../accounts-banners/login_banner_text.var       |  8 ++++----
dac76a
 shared/macros-ansible.jinja                      | 10 ++++++++--
dac76a
 shared/macros-bash.jinja                         |  7 ++++++-
dac76a
 ssg/jinja.py                                     |  4 +++-
dac76a
 ssg/utils.py                                     |  3 +++
dac76a
 utils/regexify_banner.py                         |  1 +
dac76a
 10 files changed, 58 insertions(+), 21 deletions(-)
dac76a
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
dac76a
dac76a
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
index e59cdc0782..dc10e8c3cf 100644
dac76a
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
dac76a
@@ -17,7 +17,7 @@ interactive: false
dac76a
 
dac76a
 options:
dac76a
     dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
dac76a
-    dod_default: {{{ var_dod_default|banner_regexify }}}
dac76a
-    dod_short: {{{ var_dod_short|banner_regexify }}}
dac76a
-    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
dac76a
-    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
dac76a
+    dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}}
dac76a
+    dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}}
dac76a
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}}
dac76a
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}}
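Review bot: `dod_banners` still hand-writes its anchors with `"^(" ~ … ~ ")$"` while the other four options now go through the new `banner_anchor_wrap` filter; if the filter's anchoring form ever changes (the deregexify macros in this patch are written against it), this one option silently diverges. Assuming `banner_anchor_wrap` produces the same `^…$` (its definition in ssg/utils.py is not in this view), it could read `dod_banners: {{{ ("(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")")|banner_anchor_wrap }}}`, with the parentheses needed because `|` binds tighter than `~`. The same presumably applies to `login_banner_text.var`, whose hunk lies past the end of this view.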
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
index 1a0c11f569..30449d5e9d 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
dac76a
@@ -3,14 +3,16 @@
dac76a
 populate login_banner_text
dac76a
 
dac76a
 # Multiple regexes transform the banner regex into a usable banner
dac76a
-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
dac76a
+# 0 - Remove anchors around the banner text
dac76a
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
dac76a
+# 1 - Keep only the first banners if there are multiple
dac76a
 #    (dod_banners contains the long and short banner)
dac76a
 {{{ bash_deregexify_multiple_banners("login_banner_text") }}}
dac76a
-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
 {{{ bash_deregexify_banner_space("login_banner_text") }}}
dac76a
-# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
dac76a
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
dac76a
 {{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
dac76a
-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
 {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
dac76a
 formatted=$(echo "$login_banner_text" | fold -sw 80)
dac76a
 
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
index 4011932790..85ddd893c6 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
dac76a
@@ -3,16 +3,18 @@
dac76a
 populate login_banner_text
dac76a
 
dac76a
 # Multiple regexes transform the banner regex into a usable banner
dac76a
-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
dac76a
+# 0 - Remove anchors around the banner text
dac76a
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
dac76a
+# 1 - Keep only the first banners if there are multiple
dac76a
 #    (dod_banners contains the long and short banner)
dac76a
 {{{ bash_deregexify_multiple_banners("login_banner_text") }}}
dac76a
-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
dac76a
 {{{ bash_deregexify_banner_space("login_banner_text") }}}
dac76a
-# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
dac76a
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
dac76a
 {{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
dac76a
-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
dac76a
 {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
dac76a
-# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
dac76a
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
dac76a
 #    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
dac76a
 {{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
dac76a
 
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
dac76a
new file mode 100644
dac76a
index 0000000000..1c6b9a23af
dac76a
--- /dev/null
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
dac76a
@@ -0,0 +1,16 @@
dac76a
+#!/bin/bash
dac76a
+# platform = Red Hat Enterprise Linux 7
dac76a
+# profiles = xccdf_org.ssgproject.content_profile_ncp
dac76a
+
dac76a
+source $SHARED/dconf_test_functions.sh
dac76a
+
dac76a
+install_dconf_and_gdm_if_needed
dac76a
+
dac76a
+login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after."
dac76a
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
dac76a
+
dac76a
+clean_dconf_settings
dac76a
+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings"
dac76a
+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock"
dac76a
+
dac76a
+dconf update
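Review bot: The `expanded=$(echo ... | sed ...)` line re-implements the banner de-regexify pipeline by hand instead of using the `bash_deregexify_*` macros, so this scenario can silently drift from the remediation it is meant to exercise; it also carries a substitution `s/(\\\\\x27)/tamere/g` whose replacement text looks like a leftover placeholder with no counterpart in the macros. If test scenarios are run through the same Jinja preprocessing as remediations, building `expanded` with those macros would keep the two in step; if they are not, a comment naming what each `s///` step undoes, plus dropping the placeholder substitution, would make the script reviewable. `source $SHARED/dconf_test_functions.sh` is also unquoted; `source "$SHARED/dconf_test_functions.sh"` is the safer form.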
dac76a
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
index 1c6a39f481..d00782f380 100644
dac76a
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
dac76a
@@ -18,7 +18,7 @@ interactive: false
dac76a
 options:
dac76a
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
dac76a
     dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
dac76a
-    dod_default: {{{ var_dod_default|banner_regexify }}}
dac76a
-    dod_short: {{{ var_dod_short|banner_regexify }}}
dac76a
-    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
dac76a
-    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
dac76a
+    dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}}
dac76a
+    dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}}
dac76a
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}}
dac76a
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}}
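Review bot: `dod_banners` still hand-builds its anchors with `"^(" ~ … ~ ")$"` while the four single-banner options now go through `banner_anchor_wrap`, so two spellings of the same wrapping sit side by side in one option block; `{{{ ("(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")")|banner_anchor_wrap }}}` would keep a single source of truth for the `^…$` shape that `bash_deregexify_banner_anchors` and `ansible_deregexify_banner_anchors` later strip. A short comment on the block stating that every option is expected to be anchored, because the deregexify macros rely on it, would help whoever adds the next option.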
dac76a
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
dac76a
index 5deb7ceb80..11fb79a4d9 100644
dac76a
--- a/shared/macros-ansible.jinja
dac76a
+++ b/shared/macros-ansible.jinja
dac76a
@@ -225,6 +225,7 @@
dac76a
 #}}
dac76a
 {{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
dac76a
 {{ {{{ banner_var_name }}} |
dac76a
+{{{ ansible_deregexify_banner_anchors() }}} |
dac76a
 {{{ ansible_deregexify_multiple_banners() }}} |
dac76a
 {{{ ansible_deregexify_banner_space() }}} |
dac76a
 {{{ ansible_deregexify_banner_newline("\\n") }}} |
dac76a
@@ -239,6 +240,7 @@ wordwrap() }}
dac76a
 #}}
dac76a
 {{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
dac76a
 ''{{ {{{ banner_var_name }}} |
dac76a
+{{{ ansible_deregexify_banner_anchors() }}} |
dac76a
 {{{ ansible_deregexify_multiple_banners() }}} |
dac76a
 {{{ ansible_deregexify_banner_space() }}} |
dac76a
 {{{ ansible_deregexify_banner_newline("(n)*") }}} |
dac76a
@@ -246,10 +248,14 @@ wordwrap() }}
dac76a
 {{{ ansible_deregexify_banner_newline_token()}}} }}''
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
-    line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
dac76a
+{{# Strips anchors around the banner #}}
dac76a
+{{% macro ansible_deregexify_banner_anchors() -%}}
dac76a
+regex_replace("^\^(.*)\$$", "\1")
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
 {{# Strips multibanner regex and keeps only the first banner #}}
dac76a
 {{% macro ansible_deregexify_multiple_banners() -%}}
dac76a
-regex_replace("\^\((.*)\|.*$", "\1")
dac76a
+regex_replace("\((.*)\|.*$", "\1")
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
 {{# Strips whitespace or newline regex #}}
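Review bot: The replacement string in the new `ansible_deregexify_banner_anchors` macro, `regex_replace("^\^(.*)\$$", "\1")`, is evaluated by Jinja at playbook render time, and Jinja's lexer unescapes double-quoted literals, so `"\1"` may reach `re.sub` as a control character rather than as a backreference; the Ansible documentation writes such replacements as `"\\1"`. The pre-existing `ansible_deregexify_multiple_banners` macro used the same form, so if rendered playbooks for this rule are known to yield the plain banner this can be disregarded; otherwise a rendered playbook output is worth checking before relying on the new macro.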
dac76a
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
dac76a
index 6d72684c6d..03b381c3ca 100644
dac76a
--- a/shared/macros-bash.jinja
dac76a
+++ b/shared/macros-bash.jinja
dac76a
@@ -522,9 +522,14 @@ cat << 'EOF' > {{{ filepath }}}
dac76a
 EOF
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
+{{# Strips anchors regex around the banner text #}}
dac76a
+{{% macro bash_deregexify_banner_anchors(banner_var_name) -%}}
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g')
dac76a
+{{%- endmacro %}}
dac76a
+
dac76a
 {{# Strips multibanner regex and keeps only the first banner #}}
dac76a
 {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
dac76a
-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
 {{# Strips whitespace or newline regex #}}
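Review bot: The new `bash_deregexify_banner_anchors` macro pipes the value through `echo "$var"`; since `banner_regexify` in ssg/utils.py emits `\\n` sequences into the banner regex, `echo` will interpret them when bash's `xpg_echo` option is on or if the remediation is ever run by `sh`, whereas `printf '%s\n' "${{{ banner_var_name }}}"` prints the value verbatim. The existing macros in this file share the `echo | sed` shape, so this is a style point for the added macro rather than a regression.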
dac76a
diff --git a/ssg/jinja.py b/ssg/jinja.py
dac76a
index e014768e2b..da3e403a1b 100644
dac76a
--- a/ssg/jinja.py
dac76a
+++ b/ssg/jinja.py
dac76a
@@ -14,7 +14,8 @@
dac76a
                     prodtype_to_name,
dac76a
                     name_to_platform,
dac76a
                     prodtype_to_platform,
dac76a
-                    banner_regexify
dac76a
+                    banner_regexify,
dac76a
+                    banner_anchor_wrap
dac76a
                     )
dac76a
 
dac76a
 
dac76a
@@ -77,6 +78,7 @@ def _get_jinja_environment(substitutions_dict):
dac76a
             bytecode_cache=bytecode_cache
dac76a
         )
dac76a
         _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
dac76a
+        _get_jinja_environment.env.filters['banner_anchor_wrap'] = banner_anchor_wrap
dac76a
 
dac76a
     return _get_jinja_environment.env
dac76a
 
dac76a
diff --git a/ssg/utils.py b/ssg/utils.py
dac76a
index 472ac73b81..9b437d5556 100644
dac76a
--- a/ssg/utils.py
dac76a
+++ b/ssg/utils.py
dac76a
@@ -259,3 +259,6 @@ def banner_regexify(banner_text):
dac76a
     banner_text = banner_text.replace("\n", "BFLMPSVZ")
dac76a
     banner_text = banner_text.replace(" ", "[\\s\\n]+")
dac76a
     return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
dac76a
+
dac76a
+def banner_anchor_wrap(banner_text):
dac76a
+    return "^" + banner_text + "$"
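Review bot: `banner_anchor_wrap` is added without a docstring and with only one blank line separating it from `banner_regexify`, where PEP 8 and the rest of the module's top-level functions would have two. A one-line docstring such as `"""Anchor a regexified banner with ^ and $ so a check must match the whole text, not a substring that merely contains it."""` states why it exists; the wrapped_banner.fail.sh scenario added in this patch is the case it is meant to catch. The docstring should also make explicit that the argument is the already-regexified string, since the utils/regexify_banner.py caller in this same series initially passed the raw text.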
dac76a
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
dac76a
index 15584693bf..c17213d66d 100755
dac76a
--- a/utils/regexify_banner.py
dac76a
+++ b/utils/regexify_banner.py
dac76a
@@ -19,6 +19,7 @@ def main():
dac76a
         banner_text = file_in.read().rstrip()
dac76a
 
dac76a
     banner_regex = ssg.utils.banner_regexify(banner_text)
dac76a
+    banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
dac76a
 
dac76a
     if args.output:
dac76a
         with open(args.output, "w") as file_out:
dac76a
From d30eb89a68ae536707b8535c47eba4a422e2f252 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Mar 2020 13:27:22 +0100
Subject: [PATCH 26/27] Fix call of banner_anchor_wrap
---
 utils/regexify_banner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
dac76a
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
dac76a
index c17213d66d..16ec4ba6ef 100755
dac76a
--- a/utils/regexify_banner.py
dac76a
+++ b/utils/regexify_banner.py
dac76a
@@ -19,7 +19,7 @@ def main():
dac76a
         banner_text = file_in.read().rstrip()
dac76a
 
dac76a
     banner_regex = ssg.utils.banner_regexify(banner_text)
dac76a
-    banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
dac76a
+    banner_regex = ssg.utils.banner_anchor_wrap(banner_regex)
dac76a
 
dac76a
     if args.output:
dac76a
         with open(args.output, "w") as file_out:
dac76a
From 90280f39e8548f2a7a22d1e328de72bc1b756099 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Mar 2020 16:09:25 +0100
Subject: [PATCH 27/27] Fix multiple banner regex stripping
Anchor the opening parenthesis to the beginning of the banner, and add an anchored
closing parenthesis to pattern.
---
 shared/macros-ansible.jinja | 2 +-
 shared/macros-bash.jinja    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
dac76a
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
dac76a
index 11fb79a4d9..b020246ef2 100644
dac76a
--- a/shared/macros-ansible.jinja
dac76a
+++ b/shared/macros-ansible.jinja
dac76a
@@ -255,7 +255,7 @@ regex_replace("^\^(.*)\$$", "\1")
dac76a
 
dac76a
 {{# Strips multibanner regex and keeps only the first banner #}}
dac76a
 {{% macro ansible_deregexify_multiple_banners() -%}}
dac76a
-regex_replace("\((.*)\|.*$", "\1")
dac76a
+regex_replace("^\((.*)\|.*\)$", "\1")
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
 {{# Strips whitespace or newline regex #}}
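Review bot: The corrected pattern `^\((.*)\|.*\)$` relies on the banner separator being the last `|` in the string, because the greedy `(.*)` captures up to the final `|`; `banner_regexify` turns every newline into `(?:[\n]+|(?:\\n)+)`, which itself contains a `|`, so if the second banner in `dod_banners` (var_dod_short, not visible here) contains a newline the capture would run into it instead of stopping at the separator. A non-greedy `(.*?)` has the mirror-image problem with a `|` inside the first banner, so if both banners can contain newlines the split needs a delimiter that cannot occur in regexified text rather than a bare `|`. The same holds for the sed pattern `s/^(\(.*\)|.*)$/\1/g` in the macros-bash.jinja hunk of this commit.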
dac76a
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
dac76a
index 03b381c3ca..bc6c6f6486 100644
dac76a
--- a/shared/macros-bash.jinja
dac76a
+++ b/shared/macros-bash.jinja
dac76a
@@ -529,7 +529,7 @@ EOF
dac76a
 
dac76a
 {{# Strips multibanner regex and keeps only the first banner #}}
dac76a
 {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
dac76a
-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
dac76a
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\)|.*)$/\1/g')
dac76a
 {{%- endmacro %}}
dac76a
 
dac76a
 {{# Strips whitespace or newline regex #}}