From 023412217f4a73e47a7b5d8786b2b10974015615 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 16:55:29 +0100
Subject: [PATCH 1/4] Make banner_etc_motd like banner_etc_issue

Both rules source the banner from the same XCCDF variable.
---
 .../banner_etc_motd/bash/shared.sh             | 18 +++++++++++++-----
 .../banner_etc_motd/oval/shared.xml            |  8 +++++++-
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
index ac04d93dd5..d731063b5a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
@@ -2,12 +2,20 @@
 . /usr/share/scap-security-guide/remediation_functions
 populate login_banner_text
 
-# There was a regular-expression matching various banners, needs to be expanded
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
-formatted=$(echo "$expanded" | fold -sw 80)
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
+# 1 - Keep only the first banners if there are multiple
+#    (dod_banners contains the long and short banner)
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
+formatted=$(echo "$login_banner_text" | fold -sw 80)
 
 cat <<EOF >/etc/motd
 $formatted
 EOF
-
-printf "\n" >> /etc/motd
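Review bot: `formatted=$(echo "$login_banner_text" | fold -sw 80)` still pipes the banner through echo, whose treatment of a leading `-n`/`-e` and of backslash sequences varies with the shell and its xpg_echo setting; since step 3 rewrites the regex into `\n` sequences, what reaches fold may depend on that setting. `formatted=$(printf '%s\n' "$login_banner_text" | fold -sw 80)` gives the same result without that ambiguity. The comment on step 4 has a typo, `parethesis` should read `parenthesis`. The script's first line (shebang) lies outside the hunk.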
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
index dfd3bb69c0..9b20ee032a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
@@ -18,14 +18,20 @@
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1">
     <ind:object object_ref="object_banner_etc_motd" />
+    <ind:state state_ref="state_banner_etc_motd" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_banner_etc_motd" version="1">
+    <ind:behaviors singleline="true" multiline="false" />
     <ind:filepath>/etc/motd</ind:filepath>
-    <ind:pattern var_ref="login_banner_text" operation="pattern match" />
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
+  <ind:textfilecontent54_state id="state_banner_etc_motd" version="1">
+    <ind:subexpression datatype="string" var_ref="login_banner_text" operation="pattern match" />
+  </ind:textfilecontent54_state>
+
   <external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" />
 
 </def-group>
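Review bot: The added `<ind:behaviors singleline="true" multiline="false" />` is what turns `^(.*)$` into a single capture of the whole file that the new state then compares with login_banner_text, but nothing in the file explains that coupling; an XML comment above the object such as `<!-- singleline/multiline make ^(.*)$ capture the entire /etc/motd as one subexpression; the state matches that subexpression against login_banner_text -->` would keep the next editor from "fixing" either attribute. It looks like the state's pattern match is a search inside that subexpression, so text surrounding the banner would be accepted unless the variable's regex itself is anchored — worth confirming against the variable definition.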

From 38e7680395d78371a12d3afd2561533d9f1860c3 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 16:59:45 +0100
Subject: [PATCH 2/4] Add Ansible for banner_etc_motd

---
 .../banner_etc_motd/ansible/shared.yml          | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
new file mode 100644
index 0000000000..dfc1c519b7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- (xccdf-var login_banner_text)
+
+- name: "{{{ rule_title }}} - remove incorrect banner"
+  file:
+    state: absent
+    path: /etc/motd
+
+- name: "{{{ rule_title }}} - add correct banner"
+  lineinfile:
+    dest: /etc/motd
+    line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
+    create: yes
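Review bot: The `lineinfile` task creates /etc/motd with `create: yes` but sets no ownership or permissions, so a freshly created file inherits whatever umask Ansible runs with; `owner: root`, `group: root` and `mode: '0644'` on that task make the banner's readability explicit. The `dest:` key is the legacy spelling, `path:` is the current one. Removing the file in the first task and recreating it in the second also reports a change on every run and briefly leaves no /etc/motd; a single task that writes the content is likely idempotent, if the deregexify macro's output suits it. `strategy = unknown` in the header is presumably a placeholder to be replaced with the value used by sibling rules.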

From c6ea356cef8678cdf248fc8363767d8615fb7423 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 17:20:38 +0100
Subject: [PATCH 3/4] Use profile "all" to test banner_etc_motd

When the profile doesn't do any selection, the default value is used.
When the variable doesn't define a default value, the first value is
considered the default.

The test scenarios of banner_etc_motd are aligned with the first value of
login_banner_text.
---
 .../tests/banner_etc_motd_disa_dod_default_banner.pass.sh       | 2 --
 .../tests/banner_etc_motd_disa_dod_short.pass.sh                | 2 --
 .../tests/banner_etc_motd_disa_double_banner.fail.sh            | 2 --
 .../tests/banner_etc_motd_disa_usgcb_banner.fail.sh             | 2 --
 .../tests/banner_etc_motd_ospp_usbcg_banner.fail.sh             | 2 --
 .../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh             | 2 --
 6 files changed, 12 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh
index a926abd7dd..96e5e11e5b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_default banner
 echo "You are accessing a U.S. Government (USG) Information System (IS) that is 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh
index a2624e1066..ddf1efa43c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_short banner
 echo "I've read & consent to terms in IS user agreem't." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
index 93c00cfde7..8cd0d30fa9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_default|dod_short banner
 echo "You are accessing a U.S. Government (USG) Information System (IS) that is 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh
index 3878983a19..5abacbb535 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_stig
 
 # usgcb_default banner
 echo "-- WARNING -- This system is for the use of authorized users only. Individuals 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh
index c82a8e39b2..43b2e0a2e9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh
@@ -1,5 +1,3 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_ospp
 
 echo "This is not the expected banner" > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
index 41894c998b..5abacbb535 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_ospp
 
 # usgcb_default banner
 echo "-- WARNING -- This system is for the use of authorized users only. Individuals 

From 4cb5b1f167a1ac3de94626d82eb6d3779a443475 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 18:04:14 +0100
Subject: [PATCH 4/4] Remove test that doesn't make sense

At the moment no profile selects this rule.
The value of the variable will be the default (first) value of
variable login_banner_text. Thus, the second pass test doesn't make sense.
---
 .../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh    | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
deleted file mode 100644
index 5abacbb535..0000000000
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# usgcb_default banner
-echo "-- WARNING -- This system is for the use of authorized users only. Individuals 
-using this computer system without authority or in excess of their authority 
-are subject to having all their activities on this system monitored and 
-recorded by system personnel. Anyone using this system expressly consents to 
-such monitoring and is advised that if such monitoring reveals possible 
-evidence of criminal activity system personal may provide the evidence of such 
-monitoring to law enforcement officials." > /etc/motd