From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Wed, 4 Dec 2019 15:11:39 +0100
Subject: [PATCH 01/27] Create macro to translate text to banner text.
With banner texts having every whitespace replaced with more complex regular
expression, it's not really readable in that form. This macro should provide
way to write human readable text in source, and get machine readable text
as the output.
---
.../var_web_login_banner_text.var | 15 ++++++---------
.../banner_etc_issue/bash/shared.sh | 2 +-
...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++
.../accounts-banners/login_banner_text.var | 12 ++++++------
shared/macros.jinja | 4 ++++
ssg/build_yaml.py | 2 +-
6 files changed, 37 insertions(+), 17 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index 61ebea65f3..72a728659b 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage'
description: |-
Enter an appropriate login banner for your organization. Please note that new lines must
- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
+ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
type: string
@@ -13,11 +13,8 @@ operator: equals
interactive: false
options:
- dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$
- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.
- dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.
- dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\
- s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\
- s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\
- s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times."
- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
+ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
+ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
+ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
+ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 9617934e4f..54bc576551 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -3,7 +3,7 @@
populate login_banner_text
# There was a regular-expression matching various banners, needs to be expanded
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
formatted=$(echo "$expanded" | fold -sw 80)
cat <<EOF >/etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
new file mode 100644
index 0000000000..00121bae96
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+# dod_default banner
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is
+provided for USG-authorized use only. By using this IS (which includes any
+device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
+network operations and defense, personnel misconduct (PM), law enforcement
+(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject
+to routine monitoring, interception, and search, and may be disclosed or used
+for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls)
+to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE
+or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details." > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index f3a4795bce..0c398bee9c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage'
description: |-
Enter an appropriate login banner for your organization. Please note that new lines must
- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
+ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
type: string
@@ -14,8 +14,8 @@ interactive: false
options:
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
- dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)
- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.
- dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.
- dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.
- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
+ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
+ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
+ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
+ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 8a25acc937..3c617040bf 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -657,3 +657,7 @@ openssl()
)
{{%- endmacro %}}
+
+{{% macro banner_flexibler(banner_text) -%}}
+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
+{{% endmacro %}}
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index 357d0e8d99..700e496246 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -327,7 +327,7 @@ def __init__(self, id_):
@staticmethod
def from_yaml(yaml_file, env_yaml=None):
- yaml_contents = open_and_expand(yaml_file, env_yaml)
+ yaml_contents = open_and_macro_expand(yaml_file, env_yaml)
if yaml_contents is None:
return None
From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Feb 2020 18:03:37 +0100
Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners
Format of dod_banners changed a bit, and stripping of tailing
short dod banner got broken.
Goal of dod_banners is to check for either long or shord DoD, but
default to remediating with the long banner.
---
.../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +-
.../dconf_gnome_login_banner_text/bash/shared.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 54bc576551..1b2052a658 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -3,7 +3,7 @@
populate login_banner_text
# There was a regular-expression matching various banners, needs to be expanded
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
formatted=$(echo "$expanded" | fold -sw 80)
cat <<EOF >/etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 1614098c8c..bc6a31bc74 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -2,7 +2,7 @@
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 2 Mar 2020 17:31:49 +0100
Subject: [PATCH 03/27] Fix test scenarios for OSPP profile
OSPP profile doesn't select banner_etc_issue
---
...banner_etc_issue_ospp_usbcg_banner.fail.sh | 2 +-
...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------
2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
index db0b72089c..0f962279be 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
#
-# profiles = xccdf_org.ssgproject.content_profile_ospp
+# profiles = xccdf_org.ssgproject.content_profile_stig
echo "This is not the expected banner" > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
index d36b3a146b..9bb0319323 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
@@ -1,12 +1,24 @@
#!/bin/bash
#
-# profiles = xccdf_org.ssgproject.content_profile_ospp
+# profiles = xccdf_org.ssgproject.content_profile_stig
-# usgcb_default banner
-echo "-- WARNING -- This system is for the use of authorized users only. Individuals
-using this computer system without authority or in excess of their authority
-are subject to having all their activities on this system monitored and
-recorded by system personnel. Anyone using this system expressly consents to
-such monitoring and is advised that if such monitoring reveals possible
-evidence of criminal activity system personal may provide the evidence of such
-monitoring to law enforcement officials." > /etc/issue
+# dod_banners banner
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is
+provided for USG-authorized use only. By using this IS (which includes any
+device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
+network operations and defense, personnel misconduct (PM), law enforcement
+(LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject
+to routine monitoring, interception, and search, and may be disclosed or used
+for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls)
+to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE
+or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details." > /etc/issue
From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 Mar 2020 10:26:40 +0100
Subject: [PATCH 04/27] Update test scenario metadata for banner tests
---
.../dconf_gnome_login_banner_text/tests/correct_value.pass.sh | 1 +
.../tests/correct_value_stig.pass.sh | 2 +-
.../tests/missing_value_stig.fail.sh | 2 +-
.../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh | 1 +
.../tests/wrong_value_stig.fail.sh | 2 +-
5 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
index 2c92fcbeb8..230a8b0a22 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
# profiles = xccdf_org.ssgproject.content_profile_ncp
source $SHARED/dconf_test_functions.sh
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
index 8a142b740e..d59f9071f0 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_stig
source $SHARED/dconf_test_functions.sh
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
index 1fea01471e..9638681130 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_stig
source $SHARED/dconf_test_functions.sh
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
index af4ea0ab82..7f7123a8be 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
# profiles = xccdf_org.ssgproject.content_profile_ncp
source $SHARED/dconf_test_functions.sh
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
index e0f43ec001..cd65f885a2 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_stig
source $SHARED/dconf_test_functions.sh
From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 Mar 2020 10:28:07 +0100
Subject: [PATCH 05/27] Fix text of banners, remove space after dash
Per DISA STIG reference, there is no space after the list items.
---
.../dconf_gnome_login_banner_text/bash/shared.sh | 2 +-
.../tests/correct_value_stig.pass.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index bc6a31bc74..d9dca1bef9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -2,7 +2,7 @@
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
index d59f9071f0..dca4b8e99b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
@@ -6,7 +6,7 @@ source $SHARED/dconf_test_functions.sh
install_dconf_and_gdm_if_needed
-login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
+login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
clean_dconf_settings
From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 Mar 2020 11:01:25 +0100
Subject: [PATCH 06/27] Make banner compatible with console and dconf
The banner in /etc/issue is expected to have actual newlines, while the
banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence
'\n'.
This commit transforms the newline from the input banner into a regex
that matches either the newline or the escape sequence.
During remediation, each rule will replace the regular expression for
the correct "version" of the newline.
---
.../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +-
.../dconf_gnome_login_banner_text/bash/shared.sh | 2 +-
shared/macros.jinja | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 1b2052a658..fcaaa2c794 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -3,7 +3,7 @@
populate login_banner_text
# There was a regular-expression matching various banners, needs to be expanded
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
formatted=$(echo "$expanded" | fold -sw 80)
cat <<EOF >/etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index d9dca1bef9..2b51e7c94c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -2,7 +2,7 @@
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 3c617040bf..b178088f0c 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -659,5 +659,5 @@ openssl()
{{%- endmacro %}}
{{% macro banner_flexibler(banner_text) -%}}
-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}
{{% endmacro %}}
From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 Mar 2020 12:46:30 +0100
Subject: [PATCH 07/27] Simplify banner remediation regexes
Remove unneded sed's for single quote (\x27)
---
.../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +-
.../dconf_gnome_login_banner_text/bash/shared.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index fcaaa2c794..5d079e9271 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -3,7 +3,7 @@
populate login_banner_text
# There was a regular-expression matching various banners, needs to be expanded
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
formatted=$(echo "$expanded" | fold -sw 80)
cat <<EOF >/etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 2b51e7c94c..568942e892 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -2,7 +2,7 @@
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 Mar 2020 12:48:10 +0100
Subject: [PATCH 08/27] Document what the regexes do in the banner
---
.../accounts-banners/banner_etc_issue/bash/shared.sh | 7 ++++++-
.../dconf_gnome_login_banner_text/bash/shared.sh | 8 ++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 5d079e9271..07b88bf039 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -2,7 +2,12 @@
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text
-# There was a regular-expression matching various banners, needs to be expanded
+# Multiple regexes transform the banner regex into a usable banner
+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
+# (dod_banners contains the long and shor banner)
+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
formatted=$(echo "$expanded" | fold -sw 80)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 568942e892..658205bd2c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -2,6 +2,14 @@
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text
+# Multiple regexes transform the banner regex into a usable banner
+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
+# (dod_banners contains the long and shor banner)
+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
+# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
+# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 Mar 2020 12:49:02 +0100
Subject: [PATCH 09/27] Add rule to check dconf banner
The STIG profile sets the banner, and checks whether it is enabled for
dconf, but never checked the banner text.
---
rhel8/profiles/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 7eb1869a3c..f315df7d06 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -21,6 +21,7 @@ extends: ospp
- login_banner_text=dod_banners
- dconf_db_up_to_date
- dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
- banner_etc_issue
- accounts_password_set_min_life_existing
- accounts_password_set_max_life_existing
From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 Mar 2020 15:37:46 +0100
Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock
---
.../dconf_gnome_login_banner_text/ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
index 6946c9ddf7..303f505968 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
@@ -38,7 +38,7 @@
- name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
lineinfile:
path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'
- regexp: '^org/gnome/login-screen/banner-message-text$'
- line: 'org/gnome/login-screen/banner-message-text'
+ regexp: '^/org/gnome/login-screen/banner-message-text$'
+ line: '/org/gnome/login-screen/banner-message-text'
create: yes
state: present
From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 Mar 2020 15:58:38 +0100
Subject: [PATCH 11/27] Fix banner regex stripping for Ansible
Do similar regex stripping as done in Bash remediaiton.
The triple single quotes is necessary for the jinja template expansion
to add the banner wrapped in single quotes.
---
.../dconf_gnome_login_banner_text/ansible/shared.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
index 303f505968..5d5e92530a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
@@ -32,8 +32,9 @@
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-text
- value: '{{ login_banner_text }}'
+ value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
create: yes
+ no_extra_spaces: yes
- name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
lineinfile:
From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 Mar 2020 16:09:50 +0100
Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue
---
.../banner_etc_issue/ansible/shared.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
new file mode 100644
index 0000000000..e136304020
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- (xccdf-var login_banner_text)
+
+- name: "{{{ rule_title }}}"
+ lineinfile:
+ dest: /etc/issue
+ line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
+ create: yes
From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 Mar 2020 16:52:09 +0100
Subject: [PATCH 13/27] Update reference RHEL8 STIG profile
---
tests/data/profile_stability/rhel8/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 843267d589..381cf54b3a 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -84,6 +84,7 @@ selections:
- coredump_disable_storage
- dconf_db_up_to_date
- dconf_gnome_banner_enabled
+- dconf_gnome_login_banner_text
- disable_ctrlaltdel_burstaction
- disable_ctrlaltdel_reboot
- disable_host_auth
From 6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sat, 7 Mar 2020 13:12:28 +0100
Subject: [PATCH 14/27] Move bash banner deregexification to macros
This aims to increase maintenability and readability.
Every step in the deregexification is a separate macro.
The macros 'bash_deregexify_banner_etc_issue' and
'bash_deregexify_banner_dconf_gnome' build upon the basic steps.
---
.../banner_etc_issue/bash/shared.sh | 9 ++++---
.../bash/shared.sh | 10 +++++---
shared/macros-bash.jinja | 25 +++++++++++++++++++
3 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 07b88bf039..119413005e 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -4,12 +4,15 @@ populate login_banner_text
# Multiple regexes transform the banner regex into a usable banner
# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
-# (dod_banners contains the long and shor banner)
+# (dod_banners contains the long and short banner)
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
-formatted=$(echo "$expanded" | fold -sw 80)
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
+formatted=$(echo "$login_banner_text" | fold -sw 80)
cat <<EOF >/etc/issue
$formatted
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 658205bd2c..4011932790 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -4,13 +4,17 @@ populate login_banner_text
# Multiple regexes transform the banner regex into a usable banner
# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
-# (dod_banners contains the long and shor banner)
+# (dod_banners contains the long and short banner)
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
+{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
+{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 2756cc0c00..6d72684c6d 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}}
{{{ contents|trim() }}}
EOF
{{%- endmacro %}}
+
+{{# Strips multibanner regex and keeps only the first banner #}}
+{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
+{{%- endmacro %}}
+
+{{# Strips whitespace or newline regex #}}
+{{% macro bash_deregexify_banner_space(banner_var_name) -%}}
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g')
+{{%- endmacro %}}
+
+{{# Strips newline or newline escape sequence regex #}}
+{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}}
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g')
+{{%- endmacro %}}
+
+{{# Strips newline token for a newline escape sequence regex #}}
+{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}}
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g')
+{{%- endmacro %}}
+
+{{# Strips backslash regex #}}
+{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}}
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g')
+{{%- endmacro %}}
From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sat, 7 Mar 2020 14:04:40 +0100
Subject: [PATCH 15/27] Move ansible banner deregexification to macros
This aims to increase maintenability and readability.
Every step in the deregexification is a separate macro.
The macros 'ansible_deregexify_banner_etc_issue' and
'ansible_deregexify_banner_dconf_gnome' build upon the basic steps.
---
.../banner_etc_issue/ansible/shared.yml | 2 +-
.../ansible/shared.yml | 2 +-
shared/macros-ansible.jinja | 54 +++++++++++++++++++
3 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index e136304020..42c19194e4 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -8,5 +8,5 @@
- name: "{{{ rule_title }}}"
lineinfile:
dest: /etc/issue
- line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
+ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
create: yes
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
index 5d5e92530a..40cce05fbc 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
@@ -32,7 +32,7 @@
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-text
- value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
+ value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}'
create: yes
no_extra_spaces: yes
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 0d023553a7..5deb7ceb80 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -217,3 +217,57 @@
{{{ contents|trim()|indent(8) }}}
force: yes
{{%- endmacro %}}
+
+{{#
+ Formats a banner regex for use in /etc/issue
+ Parameters:
+ - banner_var_name - name of ansible variable with the banner regex
+#}}
+{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
+{{ {{{ banner_var_name }}} |
+{{{ ansible_deregexify_multiple_banners() }}} |
+{{{ ansible_deregexify_banner_space() }}} |
+{{{ ansible_deregexify_banner_newline("\\n") }}} |
+{{{ ansible_deregexify_banner_backslash() }}} |
+wordwrap() }}
+{{%- endmacro %}}
+
+{{#
+ Formats a banner regex for use in dconf
+ Parameters:
+ - banner_var_name - name of ansible variable with the banner regex
+#}}
+{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
+''{{ {{{ banner_var_name }}} |
+{{{ ansible_deregexify_multiple_banners() }}} |
+{{{ ansible_deregexify_banner_space() }}} |
+{{{ ansible_deregexify_banner_newline("(n)*") }}} |
+{{{ ansible_deregexify_banner_backslash() }}} |
+{{{ ansible_deregexify_banner_newline_token()}}} }}''
+{{%- endmacro %}}
+
+ line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
+{{# Strips multibanner regex and keeps only the first banner #}}
+{{% macro ansible_deregexify_multiple_banners() -%}}
+regex_replace("\^\((.*)\|.*$", "\1")
+{{%- endmacro %}}
+
+{{# Strips whitespace or newline regex #}}
+{{% macro ansible_deregexify_banner_space() -%}}
+regex_replace("\[\\s\\n\]\+"," ")
+{{%- endmacro %}}
+
+{{# Strips newline or newline escape sequence regex #}}
+{{% macro ansible_deregexify_banner_newline(newline) -%}}
+regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "{{{ newline }}}")
+{{%- endmacro %}}
+
+{{# Strips newline token for a newline escape sequence regex #}}
+{{% macro ansible_deregexify_banner_newline_token() -%}}
+regex_replace("\(n\)\*", "\\n")
+{{%- endmacro %}}
+
+{{# Strips backslash regex #}}
+{{% macro ansible_deregexify_banner_backslash() -%}}
+regex_replace("\\", "")
+{{%- endmacro %}}
From 890e79ea0a9eff8cab05d8ef06e96900d95b2617 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 10:58:12 +0100
Subject: [PATCH 16/27] Move the DoD banners into jinja variables
The variables are used to easily combine them in the regex for the
"multiple banners allowed regex".
Lets avoid repeating ourselves.
---
.../httpd_secure_content/var_web_login_banner_text.var | 9 ++++++---
.../accounts/accounts-banners/login_banner_text.var | 9 ++++++---
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index 72a728659b..96b6ac8e71 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -12,9 +12,12 @@ operator: equals
interactive: false
+{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
+
options:
- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
+ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
+ dod_default: {{{ banner_flexibler(var_dod_default) }}}
+ dod_short: {{{ banner_flexibler(var_dod_short) }}}
dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index 0c398bee9c..400a4299e6 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -12,10 +12,13 @@ operator: equals
interactive: false
+{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
+
options:
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
+ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
+ dod_default: {{{ banner_flexibler(var_dod_default) }}}
+ dod_short: {{{ banner_flexibler(var_dod_short) }}}
dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
From f17b39f5a55f92ae4d0e4e03cbd26dd55137b083 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 11:14:09 +0100
Subject: [PATCH 17/27] Remove unecessary escapping in short banner
---
.../httpd_secure_content/var_web_login_banner_text.var | 2 +-
.../system/accounts/accounts-banners/login_banner_text.var | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index 96b6ac8e71..c98d2441cf 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -13,7 +13,7 @@ operator: equals
interactive: false
{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
options:
dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index 400a4299e6..fc65772554 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -13,7 +13,7 @@ operator: equals
interactive: false
{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
options:
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
From bb2dcd9212bb6e83c53bfb9df10bc7e236dec722 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 15:23:31 +0100
Subject: [PATCH 18/27] Add utility to regexify a login banner
Moved the banner_flexibler macro to python code, and renamed to
banner_regexify, to be aligned with Ansible and Bash counter parts
"deregexify".
The utility will make it easy to add you own login banner on a tailoring
file, or via SCAP Workbench.
---
.../var_web_login_banner_text.var | 10 +++----
.../accounts-banners/login_banner_text.var | 10 +++----
shared/macros.jinja | 4 ---
ssg/jinja.py | 3 +-
ssg/utils.py | 3 ++
utils/regexify_banner.py | 29 +++++++++++++++++++
6 files changed, 44 insertions(+), 15 deletions(-)
create mode 100644 utils/regexify_banner.py
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index c98d2441cf..d3f72cbd97 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -16,8 +16,8 @@ interactive: false
{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
options:
- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
- dod_default: {{{ banner_flexibler(var_dod_default) }}}
- dod_short: {{{ banner_flexibler(var_dod_short) }}}
- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
+ dod_default: {{{ banner_regexify(var_dod_default) }}}
+ dod_short: {{{ banner_regexify(var_dod_short) }}}
+ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index fc65772554..f6eab9bf33 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -17,8 +17,8 @@ interactive: false
options:
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
- dod_default: {{{ banner_flexibler(var_dod_default) }}}
- dod_short: {{{ banner_flexibler(var_dod_short) }}}
- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
+ dod_default: {{{ banner_regexify(var_dod_default) }}}
+ dod_short: {{{ banner_regexify(var_dod_short) }}}
+ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
diff --git a/shared/macros.jinja b/shared/macros.jinja
index b178088f0c..8a25acc937 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -657,7 +657,3 @@ openssl()
)
{{%- endmacro %}}
-
-{{% macro banner_flexibler(banner_text) -%}}
-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}
-{{% endmacro %}}
diff --git a/ssg/jinja.py b/ssg/jinja.py
index 700466b8c3..471fbf4140 100644
--- a/ssg/jinja.py
+++ b/ssg/jinja.py
@@ -10,7 +10,7 @@
JINJA_MACROS_BASH_DEFINITIONS,
JINJA_MACROS_OVAL_DEFINITIONS,
)
-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform
+from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify
class MacroError(RuntimeError):
@@ -112,6 +112,7 @@ def add_python_functions(substitutions_dict):
substitutions_dict['prodtype_to_name'] = prodtype_to_name
substitutions_dict['name_to_platform'] = name_to_platform
substitutions_dict['prodtype_to_platform'] = prodtype_to_platform
+ substitutions_dict['banner_regexify'] = banner_regexify
substitutions_dict['raise'] = raise_exception
diff --git a/ssg/utils.py b/ssg/utils.py
index 16b1aebe33..3823e02a2d 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -248,3 +248,6 @@ def mkdir_p(path):
pass
else:
raise
+
+def banner_regexify(banner_text):
+ return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
new file mode 100644
index 0000000000..7bdf69b702
--- /dev/null
+++ b/utils/regexify_banner.py
@@ -0,0 +1,29 @@
+import argparse
+import ssg.utils
+
+def parse_args():
+ p = argparse.ArgumentParser()
+ p.add_argument("--output", help="Path to output regexified banner")
+ p.add_argument("input", help="Path to file with banner to regexify")
+
+ return p.parse_args()
+
+
+def main():
+
+ args = parse_args()
+ with open(args.input, "r") as file_in:
+ # rstrip is used to remove newline at the end of file
+ banner_text = file_in.read().rstrip()
+
+ banner_regex = ssg.utils.banner_regexify(banner_text)
+
+ if args.output:
+ with open(args.output, "w") as file_out:
+ file_out.write(banner_regex)
+ else:
+ print(banner_regex)
+
+
+if __name__ == "__main__":
+ main()
From 5c81e70d14ee90877630610bf0a2215199a3e491 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 15:31:12 +0100
Subject: [PATCH 19/27] Move the macro to be a Jinja2 filter
This is done so that we can apply banner_regexify indvidually in each
banner of dod_banners.
---
.../httpd_secure_content/var_web_login_banner_text.var | 10 +++++-----
.../accounts/accounts-banners/login_banner_text.var | 10 +++++-----
ssg/jinja.py | 2 +-
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index d3f72cbd97..e990f0cb23 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -16,8 +16,8 @@ interactive: false
{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
options:
- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
- dod_default: {{{ banner_regexify(var_dod_default) }}}
- dod_short: {{{ banner_regexify(var_dod_short) }}}
- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
+ dod_default: {{{ var_dod_default|banner_regexify }}}
+ dod_short: {{{ var_dod_short|banner_regexify }}}
+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index f6eab9bf33..e059174cb5 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -17,8 +17,8 @@ interactive: false
options:
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
- dod_default: {{{ banner_regexify(var_dod_default) }}}
- dod_short: {{{ banner_regexify(var_dod_short) }}}
- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
+ dod_default: {{{ var_dod_default|banner_regexify }}}
+ dod_short: {{{ var_dod_short|banner_regexify }}}
+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
diff --git a/ssg/jinja.py b/ssg/jinja.py
index 471fbf4140..e779466838 100644
--- a/ssg/jinja.py
+++ b/ssg/jinja.py
@@ -71,6 +71,7 @@ def _get_jinja_environment(substitutions_dict):
loader=AbsolutePathFileSystemLoader(),
bytecode_cache=bytecode_cache
)
+ _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
return _get_jinja_environment.env
@@ -112,7 +113,6 @@ def add_python_functions(substitutions_dict):
substitutions_dict['prodtype_to_name'] = prodtype_to_name
substitutions_dict['name_to_platform'] = name_to_platform
substitutions_dict['prodtype_to_platform'] = prodtype_to_platform
- substitutions_dict['banner_regexify'] = banner_regexify
substitutions_dict['raise'] = raise_exception
From d416cb9e78842767f08d9c38d9ea0b79b05f00dd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 15:53:07 +0100
Subject: [PATCH 20/27] Automatically escape regex unsafe chars in banner
Let the banner_regexify filter escape regex unsafe chars, no need for
manual escaping.
---
.../httpd_secure_content/var_web_login_banner_text.var | 2 +-
.../system/accounts/accounts-banners/login_banner_text.var | 2 +-
ssg/utils.py | 5 +++++
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index e990f0cb23..e59cdc0782 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -12,7 +12,7 @@ operator: equals
interactive: false
-{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
+{{% set var_dod_default = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
options:
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index e059174cb5..1c6a39f481 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -12,7 +12,7 @@ operator: equals
interactive: false
-{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
+{{% set var_dod_default="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
options:
diff --git a/ssg/utils.py b/ssg/utils.py
index 3823e02a2d..7584e38a16 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -250,4 +250,9 @@ def mkdir_p(path):
raise
def banner_regexify(banner_text):
+ # We could use re.escape(), but it escapes too many characters, including plain white space.
+ # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
+ # See https://docs.python.org/3/library/re.html#re.sub
+ # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
+ banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text)
return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
From 35e962ce5c5c28d29d120723715d64dcbd567197 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 17:00:26 +0100
Subject: [PATCH 21/27] Document the new macros, filter and utility
---
docs/manual/developer_guide.adoc | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index 76c1c10218..739a6a823c 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -752,6 +752,14 @@ $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --p
This will result in a new YAML profile containing exclusive rules to the profile pointed by the --profile1 option.
+=== Generating login banner regular expressions
+
+Rules like `banner_etc_issue` and `dconf_gnome_login_banner_text` will check for configuration of login banners and remediate them. Both rules source the banner text from the same variable `login_banner_text`, and the banner texts need to be in the form of a regular expression.
+There are a few utilities you can use to transform your text into the appropriate regular expression:
+
+When adding a new banner directly to the `login_banner_text`, use the custom Jinja filter `banner_regexify`. +
+If customizing content via SCAP Workbench, or directly writing your tailoring XML, use `utils/regexify_banner.py` to generate the appropriate regular expression.
+
== Contributing with XCCDFs, OVALs and remediations
There are three main types of content in the project, they are rules, defined using the XCCDF standard, checks, usually written in link:https://oval.mitre.org/language/about/[OVAL] format, and remediations, that can be executed on ansible, bash, anaconda installer, puppet and ignition.
@@ -1279,6 +1287,8 @@ Jinja macros for Ansible content are located in `/shared/macros-ansible.jinja`.
- `ansible_sshd_set` -- set a parameter in the sshd configuration
- `ansible_etc_profile_set` -- ensure a command gets executed or a variable gets set in /etc/profile or /etc/profile.d
- `ansible_tmux_set` -- set a command in tmux configuration
+- `ansible_deregexify_banner_etc_issue` -- Formats a banner regex for use in /etc/issue
+- `ansible_deregexify_banner_dconf_gnome` -- Formats a banner regex for use in dconf
They also include several low-level macros:
@@ -1289,6 +1299,14 @@ They also include several low-level macros:
- `ansible_set_config_file` -- for configuration files; set the given configuration value and ensure no conflicting values
- `ansible_set_config_file_dir` -- for configuration files and files in configuration directories; set the given configuration value and ensure no conflicting values
+Low level macros to make login banner regular expressions usable in Ansible remediations
+
+- `ansible_deregexify_multiple_banners` -- Strips multibanner regex and keeps only the first banner
+- `ansible_deregexify_banner_space` -- Strips whitespace or newline regex
+- `ansible_deregexify_banner_newline` -- Strips newline or newline escape sequence regex
+- `ansible_deregexify_banner_newline_token` -- Strips newline token for a newline escape sequence regex
+- `ansible_deregexify_banner_backslash` - Strips backslash regex
+
When `msg` is absent from any of the above macros, rule title will be substituted instead.
Whenever possible, please reuse the macros and form high-level simplifications.
@@ -1348,6 +1366,14 @@ Available low-level Jinja macros that can be used in Bash remediations:
- `die` - Function to terminate the remediation
- `set_config_file` - Add an entry to a text configuration file
+Low level macros to make login banner regular expressions usable in Bash remediations
+
+- `bash_deregexify_multiple_banners` - Strips multibanner regex and keeps only the first banner
+- `bash_deregexify_banner_space` - Strips whitespace or newline regex
+- `bash_deregexify_banner_newline` - Strips newline or newline escape sequence regex
+- `bash_deregexify_banner_newline_token` - Strips newline token for a newline escape sequence regex
+- `bash_deregexify_banner_backslash` - Strips backslash regex
+
=== Templating
Writing OVAL checks, Bash, or any other content can be tedious work. For
From ad5526d6704299cfd01c818fa8a79e3587b90cb5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sun, 8 Mar 2020 17:56:44 +0100
Subject: [PATCH 22/27] Code style fixes
---
ssg/jinja.py | 7 ++++++-
ssg/utils.py | 5 ++++-
utils/regexify_banner.py | 1 +
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ssg/jinja.py b/ssg/jinja.py
index e779466838..e014768e2b 100644
--- a/ssg/jinja.py
+++ b/ssg/jinja.py
@@ -10,7 +10,12 @@
JINJA_MACROS_BASH_DEFINITIONS,
JINJA_MACROS_OVAL_DEFINITIONS,
)
-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify
+from .utils import (required_key,
+ prodtype_to_name,
+ name_to_platform,
+ prodtype_to_platform,
+ banner_regexify
+ )
class MacroError(RuntimeError):
diff --git a/ssg/utils.py b/ssg/utils.py
index 7584e38a16..472ac73b81 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -249,10 +249,13 @@ def mkdir_p(path):
else:
raise
+
def banner_regexify(banner_text):
# We could use re.escape(), but it escapes too many characters, including plain white space.
# In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
# See https://docs.python.org/3/library/re.html#re.sub
# '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text)
- return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
+ banner_text = banner_text.replace("\n", "BFLMPSVZ")
+ banner_text = banner_text.replace(" ", "[\\s\\n]+")
+ return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
index 7bdf69b702..c794c02a37 100644
--- a/utils/regexify_banner.py
+++ b/utils/regexify_banner.py
@@ -1,6 +1,7 @@
import argparse
import ssg.utils
+
def parse_args():
p = argparse.ArgumentParser()
p.add_argument("--output", help="Path to output regexified banner")
From 86439fed8f2d431da76bd613c87b38c4eda6457b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 11 Mar 2020 13:44:02 +0100
Subject: [PATCH 23/27] regexify_banner.py: Set x permission and shebang
---
utils/regexify_banner.py | 1 +
1 file changed, 1 insertion(+)
mode change 100644 => 100755 utils/regexify_banner.py
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
old mode 100644
new mode 100755
index c794c02a37..15584693bf
--- a/utils/regexify_banner.py
+++ b/utils/regexify_banner.py
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
import argparse
import ssg.utils
From 556018017f7fbb2d7707aaf673ecd9d4edb53aae Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 11 Mar 2020 14:16:03 +0100
Subject: [PATCH 24/27] The whole /etc/issue file should be evaluated
Added test scenario where the banner is followed by an
extraneous line. This caused the rule to pass unexpectedly.
Updated OVAL check to consider the all lines of /etc/issue the object to
be evaluated and compared against a state.
Also updated Bash remediation to not add extra newline at the end, and
Asnbile remediation to remove any extraneous line in /etc/issue
---
.../banner_etc_issue/ansible/shared.yml | 7 ++++-
.../banner_etc_issue/bash/shared.sh | 2 --
.../banner_etc_issue/oval/shared.xml | 8 ++++-
...ner_etc_issue_disa_with_extra_line.fail.sh | 30 +++++++++++++++++++
4 files changed, 43 insertions(+), 4 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index 42c19194e4..21f0925268 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -5,7 +5,12 @@
# disruption = medium
- (xccdf-var login_banner_text)
-- name: "{{{ rule_title }}}"
+- name: "{{{ rule_title }}} - remove incorrect banner"
+ file:
+ state: absent
+ path: /etc/issue
+
+- name: "{{{ rule_title }}} - add correct banner"
lineinfile:
dest: /etc/issue
line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 119413005e..1a0c11f569 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -17,5 +17,3 @@ formatted=$(echo "$login_banner_text" | fold -sw 80)
cat <<EOF >/etc/issue
$formatted
EOF
-
-printf "\n" >> /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
index 3317251d41..032c65b340 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
@@ -12,14 +12,20 @@
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="test_banner_etc_issue" version="1">
<ind:object object_ref="object_banner_etc_issue" />
+ <ind:state state_ref="state_banner_etc_issue" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_banner_etc_issue" version="1">
+ <ind:behaviors singleline="true" multiline="false" />
<ind:filepath>/etc/issue</ind:filepath>
- <ind:pattern var_ref="login_banner_text" operation="pattern match" />
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_banner_etc_issue" version="1">
+ <ind:subexpression datatype="string" var_ref="login_banner_text" operation="pattern match" />
+ </ind:textfilecontent54_state>
+
<external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" />
</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
new file mode 100644
index 0000000000..dfa48bd61a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+# dod_default|dod_short banner
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is
+provided for USG-authorized use only. By using this IS (which includes any
+device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
+network operations and defense, personnel misconduct (PM), law enforcement
+(LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject
+to routine monitoring, interception, and search, and may be disclosed or used
+for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls)
+to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE
+or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details.
+Extra line at end." > /etc/issue
From 488c5259595032f25dd98d45c1b38a65ed248647 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 11 Mar 2020 18:52:37 +0100
Subject: [PATCH 25/27] Wrap banner text with regex anchors
We need to be sure that the whole banners matches the banner variable.
This commit includes a test scenario that reproduces the issue.
All the harness around banners have been updated, regexify, deregexify
and utility.
---
.../var_web_login_banner_text.var | 8 ++++----
.../banner_etc_issue/bash/shared.sh | 10 ++++++----
.../dconf_gnome_login_banner_text/bash/shared.sh | 12 +++++++-----
.../tests/wrapped_banner.fail.sh | 16 ++++++++++++++++
.../accounts-banners/login_banner_text.var | 8 ++++----
shared/macros-ansible.jinja | 10 ++++++++--
shared/macros-bash.jinja | 7 ++++++-
ssg/jinja.py | 4 +++-
ssg/utils.py | 3 +++
utils/regexify_banner.py | 1 +
10 files changed, 58 insertions(+), 21 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
index e59cdc0782..dc10e8c3cf 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
@@ -17,7 +17,7 @@ interactive: false
options:
dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
- dod_default: {{{ var_dod_default|banner_regexify }}}
- dod_short: {{{ var_dod_short|banner_regexify }}}
- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
+ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}}
+ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}}
+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}}
+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 1a0c11f569..30449d5e9d 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -3,14 +3,16 @@
populate login_banner_text
# Multiple regexes transform the banner regex into a usable banner
-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
+# 0 - Remove anchors around the banner text
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
+# 1 - Keep only the first banners if there are multiple
# (dod_banners contains the long and short banner)
{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
formatted=$(echo "$login_banner_text" | fold -sw 80)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 4011932790..85ddd893c6 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -3,16 +3,18 @@
populate login_banner_text
# Multiple regexes transform the banner regex into a usable banner
-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
+# 0 - Remove anchors around the banner text
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
+# 1 - Keep only the first banners if there are multiple
# (dod_banners contains the long and short banner)
{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
-# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
new file mode 100644
index 0000000000..1c6b9a23af
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+# profiles = xccdf_org.ssgproject.content_profile_ncp
+
+source $SHARED/dconf_test_functions.sh
+
+install_dconf_and_gdm_if_needed
+
+login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after."
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
index 1c6a39f481..d00782f380 100644
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
@@ -18,7 +18,7 @@ interactive: false
options:
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
- dod_default: {{{ var_dod_default|banner_regexify }}}
- dod_short: {{{ var_dod_short|banner_regexify }}}
- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
+ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}}
+ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}}
+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}}
+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 5deb7ceb80..11fb79a4d9 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -225,6 +225,7 @@
#}}
{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
{{ {{{ banner_var_name }}} |
+{{{ ansible_deregexify_banner_anchors() }}} |
{{{ ansible_deregexify_multiple_banners() }}} |
{{{ ansible_deregexify_banner_space() }}} |
{{{ ansible_deregexify_banner_newline("\\n") }}} |
@@ -239,6 +240,7 @@ wordwrap() }}
#}}
{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
''{{ {{{ banner_var_name }}} |
+{{{ ansible_deregexify_banner_anchors() }}} |
{{{ ansible_deregexify_multiple_banners() }}} |
{{{ ansible_deregexify_banner_space() }}} |
{{{ ansible_deregexify_banner_newline("(n)*") }}} |
@@ -246,10 +248,14 @@ wordwrap() }}
{{{ ansible_deregexify_banner_newline_token()}}} }}''
{{%- endmacro %}}
- line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
+{{# Strips anchors around the banner #}}
+{{% macro ansible_deregexify_banner_anchors() -%}}
+regex_replace("^\^(.*)\$$", "\1")
+{{%- endmacro %}}
+
{{# Strips multibanner regex and keeps only the first banner #}}
{{% macro ansible_deregexify_multiple_banners() -%}}
-regex_replace("\^\((.*)\|.*$", "\1")
+regex_replace("\((.*)\|.*$", "\1")
{{%- endmacro %}}
{{# Strips whitespace or newline regex #}}
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 6d72684c6d..03b381c3ca 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -522,9 +522,14 @@ cat << 'EOF' > {{{ filepath }}}
EOF
{{%- endmacro %}}
+{{# Strips anchors regex around the banner text #}}
+{{% macro bash_deregexify_banner_anchors(banner_var_name) -%}}
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g')
+{{%- endmacro %}}
+
{{# Strips multibanner regex and keeps only the first banner #}}
{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
{{%- endmacro %}}
{{# Strips whitespace or newline regex #}}
diff --git a/ssg/jinja.py b/ssg/jinja.py
index e014768e2b..da3e403a1b 100644
--- a/ssg/jinja.py
+++ b/ssg/jinja.py
@@ -14,7 +14,8 @@
prodtype_to_name,
name_to_platform,
prodtype_to_platform,
- banner_regexify
+ banner_regexify,
+ banner_anchor_wrap
)
@@ -77,6 +78,7 @@ def _get_jinja_environment(substitutions_dict):
bytecode_cache=bytecode_cache
)
_get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
+ _get_jinja_environment.env.filters['banner_anchor_wrap'] = banner_anchor_wrap
return _get_jinja_environment.env
diff --git a/ssg/utils.py b/ssg/utils.py
index 472ac73b81..9b437d5556 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -259,3 +259,6 @@ def banner_regexify(banner_text):
banner_text = banner_text.replace("\n", "BFLMPSVZ")
banner_text = banner_text.replace(" ", "[\\s\\n]+")
return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
+
+def banner_anchor_wrap(banner_text):
+ return "^" + banner_text + "$"
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
index 15584693bf..c17213d66d 100755
--- a/utils/regexify_banner.py
+++ b/utils/regexify_banner.py
@@ -19,6 +19,7 @@ def main():
banner_text = file_in.read().rstrip()
banner_regex = ssg.utils.banner_regexify(banner_text)
+ banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
if args.output:
with open(args.output, "w") as file_out:
From d30eb89a68ae536707b8535c47eba4a422e2f252 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Mar 2020 13:27:22 +0100
Subject: [PATCH 26/27] Fix call of banner_anchor_wrap
---
utils/regexify_banner.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
index c17213d66d..16ec4ba6ef 100755
--- a/utils/regexify_banner.py
+++ b/utils/regexify_banner.py
@@ -19,7 +19,7 @@ def main():
banner_text = file_in.read().rstrip()
banner_regex = ssg.utils.banner_regexify(banner_text)
- banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
+ banner_regex = ssg.utils.banner_anchor_wrap(banner_regex)
if args.output:
with open(args.output, "w") as file_out:
From 90280f39e8548f2a7a22d1e328de72bc1b756099 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Mar 2020 16:09:25 +0100
Subject: [PATCH 27/27] Fix multiple banner regex stripping
Anchor the opening parenthesis to beginning of banner, and add anchord
closing parenthesis to pattern.
---
shared/macros-ansible.jinja | 2 +-
shared/macros-bash.jinja | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 11fb79a4d9..b020246ef2 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -255,7 +255,7 @@ regex_replace("^\^(.*)\$$", "\1")
{{# Strips multibanner regex and keeps only the first banner #}}
{{% macro ansible_deregexify_multiple_banners() -%}}
-regex_replace("\((.*)\|.*$", "\1")
+regex_replace("^\((.*)\|.*\)$", "\1")
{{%- endmacro %}}
{{# Strips whitespace or newline regex #}}
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 03b381c3ca..bc6c6f6486 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -529,7 +529,7 @@ EOF
{{# Strips multibanner regex and keeps only the first banner #}}
{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\)|.*)$/\1/g')
{{%- endmacro %}}
{{# Strips whitespace or newline regex #}}