diff --git a/.gitignore b/.gitignore
index ef19f89..a0b3fab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.46.tar.bz2
+SOURCES/scap-security-guide-0.1.49.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 26ee133..c49602b 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2
+abc5640ac0b212fbea8379036830f650dd2543db SOURCES/scap-security-guide-0.1.49.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
new file mode 100644
index 0000000..d26c4b2
--- /dev/null
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -0,0 +1,105 @@ +From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 17 Jan 2020 19:01:22 +0100 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 + +They raise too many errors and fails. +Also disable tables for profiles that are not built. +--- + rhel8/CMakeLists.txt | 2 -- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/cui.profile | 2 +- + rhel8/profiles/hipaa.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 9 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt +index 40f2b2b0f..492a8dae1 100644 +--- a/rhel8/CMakeLists.txt ++++ b/rhel8/CMakeLists.txt +@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") + ssg_build_html_table_by_ref(${PRODUCT} "pcidss") + ssg_build_html_table_by_ref(${PRODUCT} "anssi") + +-ssg_build_html_nistrefs_table(${PRODUCT} "standard") + ssg_build_html_nistrefs_table(${PRODUCT} "ospp") + ssg_build_html_nistrefs_table(${PRODUCT} "stig") + + # Uncomment when anssi profiles are marked documentation_complete: true + #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") +diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index 05ea9cdd6..9c55ac5b1 100644 +--- a/rhel8/profiles/cjis.profile ++++ b/rhel8/profiles/cjis.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Criminal Justice Information Services (CJIS) Security Policy' + +diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile +index eb62252a4..e8f369708 100644 +--- a/rhel8/profiles/cui.profile ++++ b/rhel8/profiles/cui.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' + +diff --git 
a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index 8d20f9019..d641b56fe 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -1,4 +1,4 @@ +-documentation_complete: True ++documentation_complete: false + + title: 'Health Insurance Portability and Accountability Act (HIPAA)' + +diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile +index 1efca5f44..c3d0b0964 100644 +--- a/rhel8/profiles/rhelh-stig.profile ++++ b/rhel8/profiles/rhelh-stig.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' + +diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile +index 2baee6d66..8592d7aaf 100644 +--- a/rhel8/profiles/rhelh-vpp.profile ++++ b/rhel8/profiles/rhelh-vpp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' + +diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile +index c84579592..164ec98c4 100644 +--- a/rhel8/profiles/rht-ccp.profile ++++ b/rhel8/profiles/rht-ccp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + +diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile +index a63ae2cf3..da669bb84 100644 +--- a/rhel8/profiles/standard.profile ++++ b/rhel8/profiles/standard.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' + +-- +2.21.1 + diff --git a/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch b/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch new file mode 100644 index 0000000..42f9811 
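Review bot: The diffstat of the embedded patch does not match its hunks: it reports `9 files changed, 8 insertions(+), 10 deletions(-)` and `rhel8/CMakeLists.txt | 2 --`, but only eight file headers follow and the CMakeLists.txt hunk (`@@ -14,9 +14,8 @@`) removes a single line. This looks like one hunk was dropped when the patch was trimmed for the package; `git am` and `patch` ignore the stat, but anyone comparing the file against upstream commit 2dfbfa76 will conclude a file is missing from the backport. Either regenerate the patch with `git format-patch` from the trimmed commit, or edit the stat to what the hunks actually apply, `8 files changed, 7 insertions(+), 8 deletions(-)` with `rhel8/CMakeLists.txt | 1 -`.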
--- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch @@ -0,0 +1,102 @@ +From 99ad87babd43c95dc2787ba7e0301b3d2b650ab9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 10 Mar 2020 13:44:23 +0100 +Subject: [PATCH 1/3] Fix description of sysctl rules. + +As there is no way how to make the project aware of sysctl parameter defaults +in Linux upstream kernel or in specific Linux distributions, +the parameter has to be explicitly specified in a config file. +--- + shared/macros.jinja | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 8a25acc937..ce27536dc2 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -602,8 +602,8 @@ ocil_clause: "the correct value is not returned" + run the following command: +
$ sudo sysctl -w {{{ sysctl }}}={{{ value }}}
+ +- If this is not the system default value, add the following line to a file in the +- directory /etc/sysctl.d: ++ To make sure that the setting is persistent, ++ add the following line to a file in the directory /etc/sysctl.d: +
{{{ sysctl }}} = {{{ value }}}
+ {{%- endmacro %}} + + +From 5bffa9dc3d62f67364abb034b7da877935156764 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 11 Mar 2020 16:14:13 +0100 +Subject: [PATCH 2/3] Improved the OCIL entry for sysctl rules. + +--- + shared/macros.jinja | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index ce27536dc2..f81dbc7de6 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -577,15 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled" + + + {{% macro ocil_sysctl_option_value(sysctl, value) -%}} +- The status of the {{{ sysctl }}} kernel parameter can be queried +- by running the following command: +-
$ sysctl {{{ sysctl }}}
+- The output of the command should indicate a value of {{{ value }}}. +- If this value is not the default value, investigate how it could have been +- adjusted at runtime, and verify it is not set improperly. This has to be checked +- in all files in the /etc/sysctl.d directory and the deprecated +- /etc/sysctl.conf. You can verify this by running the following command: ++ The persistent kernel parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
++ If any other assignments that ++
{{{ sysctl }}} = {{{ value }}}
++ are found, or the correct assignment is duplicated, remove those offending lines from respective files, ++ and make sure that exactly one file in ++ /etc/sysctl.d contains {{{ sysctl }}} = {{{ value }}}, and that one assignment ++ is returned when +
$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d
++ is executed. + {{%- endmacro %}} + + + +From 5b5edc64773be690e4046dc88de9407d7c470702 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 12 Mar 2020 15:27:26 +0100 +Subject: [PATCH 3/3] Improved the text based on the reviewer feedback. + +--- + shared/macros.jinja | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index f81dbc7de6..edbaeeb56c 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -577,11 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled" + + + {{% macro ocil_sysctl_option_value(sysctl, value) -%}} ++ The runtime status of the {{{ sysctl }}} kernel parameter can be queried ++ by running the following command: ++
$ sysctl {{{ sysctl }}}
++ The output of the command should indicate a value of {{{ value }}}. ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ + The persistent kernel parameter configuration is performed by specifying the appropriate + assignment in any file located in the
/etc/sysctl.d
directory. + Verify that there is not any existing incorrect configuration by executing the following command: +
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
+- If any other assignments that ++ If any assignments other than +
{{{ sysctl }}} = {{{ value }}}
+ are found, or the correct assignment is duplicated, remove those offending lines from respective files, + and make sure that exactly one file in diff --git a/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch b/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch new file mode 100644 index 0000000..f706894 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch 
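Review bot: The manual check in the new `ocil_sysctl_option_value` text greps only `/etc/sysctl.conf` and `/etc/sysctl.d`, but `sysctl --system` also loads `/run/sysctl.d`, `/usr/local/lib/sysctl.d` and `/usr/lib/sysctl.d`, so a conflicting assignment shipped by a package in `/usr/lib/sysctl.d` is never surfaced by the procedure as written. The second command, `$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d`, is unquoted and unanchored, so commented-out lines and parameters that merely share a prefix are counted too, which makes the "exactly one assignment is returned" criterion unreliable; reuse the anchored form already used above it, `$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d`. The dots in the parameter name are regex metacharacters in both greps; that over-matches harmlessly here, but a one-line comment in the macro saying so would stop a later contributor from "fixing" it into a pattern that silently misses entries. The macro body continues past the end of the embedded hunk.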
@@ -0,0 +1,315 @@ +From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 18 Mar 2020 16:44:49 +0100 +Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule. + +--- + .../ansible/shared.yml | 4 ++- + .../sshd_use_approved_ciphers/bash/shared.sh | 4 ++- + .../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++--- + .../sshd_use_approved_ciphers/rule.yml | 3 +- + .../tests/stig_comment.fail.sh | 9 +++++ + .../tests/stig_correct_reduced_list.pass.sh | 9 +++++ + .../tests/stig_correct_scrambled.pass.sh | 9 +++++ + .../tests/stig_correct_value_full.pass.sh | 9 +++++ + .../tests/stig_line_not_there.fail.sh | 5 +++ + .../tests/stig_wrong_value.fail.sh | 9 +++++ + .../tests/wrong_value.fail.sh | 2 +- + .../sshd_use_approved_macs/rule.yml | 1 + + .../services/ssh/sshd_approved_ciphers.var | 16 +++++++++ + rhel7/profiles/stig.profile | 1 + + shared/macros.jinja | 5 +++ + 15 files changed, 111 insertions(+), 8 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh + create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +index ea05a8f896..ef331a843e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +@@ -3,4 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}} ++- (xccdf-var sshd_approved_ciphers) ++ ++{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +index 2475923e6e..a294138272 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +@@ -3,4 +3,6 @@ + # Include source function library. + . 
/usr/share/scap-security-guide/remediation_functions + +-replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s' ++populate sshd_approved_ciphers ++ ++replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +index 84c3c8aa48..19b63d404f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +@@ -32,14 +32,39 @@ + + + +- + +- +- ++ ++ ++ ++ ++ var_sshd_config_ciphers ++ ++ ++ ++ ++ ++ ++ + /etc/ssh/sshd_config +- ^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$ ++ ^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ + 1 + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +index f85b9016f9..e043b12c93 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +@@ -13,7 +13,7 @@ description: |- + The man page sshd_config(5) contains a list of supported ciphers. + {{% if product in ["rhel7","ol7"] %}} +

+- The following ciphers are FIPS 140-2 certified on {{{ full_name }}}: ++ Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}: +
- aes128-ctr +
- aes192-ctr +
- aes256-ctr +@@ -31,6 +31,7 @@ description: |- + {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} + {{% endif %}} + {{% endif %}} ++ The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}. + + rationale: |- + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh +new file mode 100644 +index 0000000000..1be6371045 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh +new file mode 100644 +index 0000000000..5393d96617 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh +new file mode 100644 +index 0000000000..cd1fbde03b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh +new file mode 100644 +index 0000000000..ad6d9f887c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh +new file mode 100644 +index 0000000000..f73d82e221 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh +new file mode 100644 +index 0000000000..46b437944f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh +index 550c55968b..ffd8eda6e8 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh +@@ -5,5 +5,5 @@ + if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config + else +- echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config ++ echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config + fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +index b64be010cd..6a582c9577 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +@@ -32,6 +32,7 @@ 
description: |- + {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} + {{% endif %}} + {{% endif %}} ++ The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}. + + rationale: |- + DoD Information Systems are required to use FIPS-approved cryptographic hash +diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +new file mode 100644 +index 0000000000..66d0776949 +--- /dev/null ++++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: 'SSH Approved ciphers by FIPS' ++ ++description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." ++ ++type: string ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ stig: aes128-ctr,aes192-ctr,aes256-ctr ++ default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se ++ +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index e148325d3e..9b6ecfa543 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -228,6 +228,7 @@ selections: + - install_antivirus + - accounts_max_concurrent_login_sessions + - configure_firewalld_ports ++ - sshd_approved_ciphers=stig + - sshd_use_approved_ciphers + - accounts_tmout + - sshd_enable_warning_banner +diff --git a/shared/macros.jinja b/shared/macros.jinja +index edbaeeb56c..d80eeb69b3 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is + {{%- endmacro %}} + + ++{{% macro sub_var_value(varname) -%}} ++ ++{{%- endmacro %}} ++ ++ + {{% macro complete_ocil_entry_mount_option(point, option) -%}} + ocil: | + {{{ ocil_mount_option(point, option) | indent(4) }}} + +From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 
00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 19 Mar 2020 09:56:35 +0100 +Subject: [PATCH 2/2] Streamlined description by removing ineffective escape + sequences. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-Authored-By: Jan Černý +--- + linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +index 66d0776949..30e58336ce 100644 +--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var ++++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'SSH Approved ciphers by FIPS' + +-description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." ++description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server." + + type: string + +@@ -13,4 +13,3 @@ interactive: false + options: + stig: aes128-ctr,aes192-ctr,aes256-ctr + default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se +- diff --git a/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch b/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch new file mode 100644 index 0000000..1a1a271 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch 
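Review bot: The new OVAL pattern `^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$` in `oval/shared.xml` has two problems in its value capture: `,-@` inside the class is a character range (`,` through `@`, which also admits `.`, `/`, `:`, `;`, `=` and `?`), and `([...]+)+` is a nested quantifier that can backtrack exponentially on a long `Ciphers` line that does not end in whitespace or a comment, so the intended class should be written `([\w@,-]+)`. The new `tests/stig_wrong_value.fail.sh` writes a commented-out `# Ciphers ...` line in its `sed` branch but an active `Ciphers ...` line in its `else` branch, so the scenario exercises "line absent" or "wrong value" depending on the test image's starting sshd_config; the `sed` branch should be `sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config`. The `sshd_approved_ciphers.var` description, kept by the second patch, says the ciphers are used "for data integrity protection", which is the MACs wording; `description: "Specify the FIPS approved ciphers that are used for data confidentiality protection by the SSH server."` would be accurate. The body of the `sub_var_value` macro and the OVAL state and variable elements appear to have been stripped in this rendering, so how the captured value is compared against the variable (the scrambled and reduced-list pass tests imply a per-element subset check) cannot be verified here.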
@@ -0,0 +1,1728 @@ +From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Wed, 4 Dec 2019 15:11:39 +0100 +Subject: [PATCH 01/27] Create macro to translate text to banner text. + +With banner texts having every whitespace replaced with more complex regular +expression, it's not really readable in that form. This macro should provide +way to write human readable text in source, and get machine readable text +as the output. +--- + .../var_web_login_banner_text.var | 15 ++++++--------- + .../banner_etc_issue/bash/shared.sh | 2 +- + ...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++ + .../accounts-banners/login_banner_text.var | 12 ++++++------ + shared/macros.jinja | 4 ++++ + ssg/build_yaml.py | 2 +- + 6 files changed, 37 insertions(+), 17 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index 61ebea65f3..72a728659b 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage' + + description: |- + Enter an appropriate login banner for your organization. Please note that new lines must +- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. ++ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. 
+ + type: string + +@@ -13,11 +13,8 @@ operator: equals + interactive: false + + options: +- dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,
[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$ +- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monito
ring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. +- dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. 
+- dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\ +- 
s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\ +- 
s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\ +- s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times." 
+- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. ++ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. 
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} ++ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. 
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} ++ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} ++ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. 
All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+index 9617934e4f..54bc576551 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+@@ -3,7 +3,7 @@
+ populate login_banner_text
+ 
+ # There was a regular-expression matching various banners, needs to be expanded
+-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
+ formatted=$(echo "$expanded" | fold -sw 80)
+ 
+ cat </etc/issue
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
+new file mode 100644
+index 0000000000..00121bae96
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
+@@ -0,0 +1,19 @@
++#!/bin/bash
++#
++# profiles = xccdf_org.ssgproject.content_profile_stig
++
++# dod_default banner
++echo "You are accessing a U.S. Government (USG) Information System (IS) that is
++provided for USG-authorized use only. 
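Review bot: The comment kept above the new `expanded=` line ("There was a regular-expression matching various banners, needs to be expanded") says nothing about what the six sed substitutions do, so the chain cannot be checked against the new `[\s\n]+` / `[\n]+` format without reverse-engineering it. I'd replace it with a comment listing the steps: undo the escaped quote in `I\'ve`, keep only the long form of the `(long|short)` alternation, turn each `[\s\n]+` into a space, strip the remaining backslash escapes, and turn each `[\n]+` into a newline. The same comment belongs on the follow-up hunk of this file in patch 02/27 further down. `echo "$login_banner_text"` also relies on the shell's echo not interpreting a banner that begins with `--` or contains backslashes; `printf '%s\n' "$login_banner_text"` feeds sed the text verbatim regardless of echo's option handling.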
By using this IS (which includes any
++device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for
++purposes including, but not limited to, penetration testing, COMSEC monitoring,
++network operations and defense, personnel misconduct (PM), law enforcement
++(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject
++to routine monitoring, interception, and search, and may be disclosed or used
++for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls)
++to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE
++or CI investigative searching or monitoring of the content of privileged
++communications, or work product, related to personal representation or services
++by attorneys, psychotherapists, or clergy, and their assistants. Such
++communications and work product are private and confidential. See User
++Agreement for details." > /etc/issue
+diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+index f3a4795bce..0c398bee9c 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage'
+ 
+ description: |-
+ Enter an appropriate login banner for your organization. Please note that new lines must
+- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
++ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. 
+ + type: string + +@@ -14,8 +14,8 @@ interactive: false + + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters +- dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwi
thstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) +- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or
[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. +- dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. 
+- dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[
\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times. +- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. ++ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. 
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} ++ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. 
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} ++ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} ++ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. 
All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 8a25acc937..3c617040bf 100644
+--- a/shared/macros.jinja
++++ b/shared/macros.jinja
+@@ -657,3 +657,7 @@ openssl()
+ )
+ 
+ {{%- endmacro %}}
++
++{{% macro banner_flexibler(banner_text) -%}}
++{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
++{{% endmacro %}}
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index 357d0e8d99..700e496246 100644
+--- a/ssg/build_yaml.py
++++ b/ssg/build_yaml.py
+@@ -327,7 +327,7 @@ def __init__(self, id_):
+ 
+ @staticmethod
+ def from_yaml(yaml_file, env_yaml=None):
+- yaml_contents = open_and_expand(yaml_file, env_yaml)
++ yaml_contents = open_and_macro_expand(yaml_file, env_yaml)
+ if yaml_contents is None:
+ return None
+ 
+
+From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 27 Feb 2020 18:03:37 +0100
+Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners
+
+Format of dod_banners changed a bit, and stripping of tailing
+short dod banner got broken.
+
+Goal of dod_banners is to check for either long or shord DoD, but
+default to remediating with the long banner. 
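Review bot: The new dod_banners, dod_default, dss_odaa_default and usgcb_default values escape parentheses and the colon but leave every period unescaped (`U.S.`, `use only.`, `e.g.,`), and `banner_flexibler` does not escape anything either, so in the generated pattern each `.` matches any character and a banner containing, say, `U,S,` or `only,` still satisfies the check. Because these option values are what the rule compares the installed banner against, writing the periods as `\.` (the same way `\(` and `\:` are already written) keeps the comparison exact. The `description` hunk above already tells users to escape special characters with `\\`; the shipped options should follow the same advice.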
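Review bot: `banner_flexibler` carries no comment, and its contract is not obvious from the one-liner: the caller has to pre-escape regex metacharacters because the macro only rewrites spaces and newlines, and `BFLMPSVZ` is an unexplained placeholder. I'd add above the macro: `{{# Build the login_banner_text regex from a literal banner: each space becomes [\s\n]+ and each newline [\n]+. banner_text is not escaped, so callers must escape regex metacharacters themselves; the placeholder only keeps newlines out of the space replacement. #}}`. The two replacement strings are also escaped inconsistently (`"[\s\\n]+"` but `"[\\n]+"`); `"[\\s\\n]+"` yields the same output without relying on the template lexer passing an unknown escape through unchanged.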
+---
+ .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +-
+ .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+index 54bc576551..1b2052a658 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+@@ -3,7 +3,7 @@
+ populate login_banner_text
+ 
+ # There was a regular-expression matching various banners, needs to be expanded
+-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
+ formatted=$(echo "$expanded" | fold -sw 80)
+ 
+ cat </etc/issue
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+index 1614098c8c..bc6a31bc74 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+@@ -2,7 +2,7 @@
+ . 
/usr/share/scap-security-guide/remediation_functions
+ populate login_banner_text
+ 
+-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
+ 
+ {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
+ {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
+
+From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Mon, 2 Mar 2020 17:31:49 +0100
+Subject: [PATCH 03/27] Fix test scenarios for OSPP profile
+
+OSPP profile doesn't select banner_etc_issue
+---
+ ...banner_etc_issue_ospp_usbcg_banner.fail.sh | 2 +-
+ ...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------
+ 2 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
+index db0b72089c..0f962279be 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+ #
+-# profiles = xccdf_org.ssgproject.content_profile_ospp
++# profiles = xccdf_org.ssgproject.content_profile_stig
+ 
+ echo "This is not the expected banner" > /etc/issue
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh 
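Review bot: The new `expanded=` line for the GNOME banner still uses the pre-macro forms `s/\[\\s\\n\][+*]/ /g` and `s/(n)\*/\\n/g`, while patch 01/27 moved the banner_etc_issue script to `s/\[\\s\\n\]+/ /g` and `s/\[n\]+/\n/g` because `banner_flexibler` now emits `[\n]+` for newlines. After `s/\\//g` strips the backslashes, `[\n]+` becomes a literal `[n]+`, and nothing left in this chain turns it into a newline, so the dod_banners text written to gdm would keep `[n]+` where the line breaks belong — unless one of the later patches in this series (only 01–04 of 27 are visible here) corrects it. Replacing `s/(n)\*/\\n/g` with `s/\[n\]+/\\n/g` would keep the two remediations in step; the doubled backslash stays intentional, as the existing substitution already writes an escaped `\n` rather than a real newline into the dconf value.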
b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
+index d36b3a146b..9bb0319323 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
+@@ -1,12 +1,24 @@
+ #!/bin/bash
+ #
+-# profiles = xccdf_org.ssgproject.content_profile_ospp
++# profiles = xccdf_org.ssgproject.content_profile_stig
+ 
+-# usgcb_default banner
+-echo "-- WARNING -- This system is for the use of authorized users only. Individuals
+-using this computer system without authority or in excess of their authority
+-are subject to having all their activities on this system monitored and
+-recorded by system personnel. Anyone using this system expressly consents to
+-such monitoring and is advised that if such monitoring reveals possible
+-evidence of criminal activity system personal may provide the evidence of such
+-monitoring to law enforcement officials." > /etc/issue
++# dod_banners banner
++echo "You are accessing a U.S. Government (USG) Information System (IS) that is
++provided for USG-authorized use only. By using this IS (which includes any
++device attached to this IS), you consent to the following conditions:
++-The USG routinely intercepts and monitors communications on this IS for
++purposes including, but not limited to, penetration testing, COMSEC monitoring,
++network operations and defense, personnel misconduct (PM), law enforcement
++(LE), and counterintelligence (CI) investigations.
++-At any time, the USG may inspect and seize data stored on this IS.
++-Communications using, or data stored on, this IS are not private, are subject
++to routine monitoring, interception, and search, and may be disclosed or used
++for any USG-authorized purpose. 
++-This IS includes security measures (e.g., authentication and access controls) ++to protect USG interests--not for your personal benefit or privacy. ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE ++or CI investigative searching or monitoring of the content of privileged ++communications, or work product, related to personal representation or services ++by attorneys, psychotherapists, or clergy, and their assistants. Such ++communications and work product are private and confidential. See User ++Agreement for details." > /etc/issue + +From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 10:26:40 +0100 +Subject: [PATCH 04/27] Update test scenario metadata for banner tests + +--- + .../dconf_gnome_login_banner_text/tests/correct_value.pass.sh | 1 + + .../tests/correct_value_stig.pass.sh | 2 +- + .../tests/missing_value_stig.fail.sh | 2 +- + .../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh | 1 + + .../tests/wrong_value_stig.fail.sh | 2 +- + 5 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh +index 2c92fcbeb8..230a8b0a22 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = Red Hat Enterprise Linux 7 + # profiles = xccdf_org.ssgproject.content_profile_ncp + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh 
b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +index 8a142b740e..d59f9071f0 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_stig + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +index 1fea01471e..9638681130 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_stig + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh +index af4ea0ab82..7f7123a8be 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh ++++ 
b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = Red Hat Enterprise Linux 7 + # profiles = xccdf_org.ssgproject.content_profile_ncp + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +index e0f43ec001..cd65f885a2 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_stig + + source $SHARED/dconf_test_functions.sh + +From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 10:28:07 +0100 +Subject: [PATCH 05/27] Fix text of banners, remove space after dash + +Per DISA STIG reference, there is no space after the list items. 
+--- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + .../tests/correct_value_stig.pass.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index bc6a31bc74..d9dca1bef9 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +index d59f9071f0..dca4b8e99b 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +@@ -6,7 +6,7 @@ source 
$SHARED/dconf_test_functions.sh + + install_dconf_and_gdm_if_needed + +-login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n
]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" ++login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+m
onitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" + expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + clean_dconf_settings + +From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 11:01:25 +0100 +Subject: [PATCH 06/27] Make banner compatible with console and dconf + +The banner in /etc/issue is expected to have actual newlines, while the +banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence +'\n'. + +This commit transforms the newline from the input banner into a regex +that matches either the newline or the escape sequence. 
+ +During remediation, each rule will replace the regular expression for +the correct "version" of the newline. +--- + .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + shared/macros.jinja | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 1b2052a658..fcaaa2c794 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,7 +3,7 @@ + populate login_banner_text + + # There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') + formatted=$(echo "$expanded" | fold -sw 80) + + cat </etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index d9dca1bef9..2b51e7c94c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . 
/usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 3c617040bf..b178088f0c 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -659,5 +659,5 @@ openssl() + {{%- endmacro %}} + + {{% macro banner_flexibler(banner_text) -%}} +-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}} ++{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}} + {{% endmacro %}} + +From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 12:46:30 +0100 +Subject: [PATCH 07/27] Simplify banner remediation regexes + +Remove unneded sed's for single quote (\x27) +--- + .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index fcaaa2c794..5d079e9271 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ 
b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,7 +3,7 @@ + populate login_banner_text + + # There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') ++expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') + formatted=$(echo "$expanded" | fold -sw 80) + + cat </etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 2b51e7c94c..568942e892 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . 
/usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} + +From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 12:48:10 +0100 +Subject: [PATCH 08/27] Document what the regexes do in the banner + +--- + .../accounts-banners/banner_etc_issue/bash/shared.sh | 7 ++++++- + .../dconf_gnome_login_banner_text/bash/shared.sh | 8 ++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 5d079e9271..07b88bf039 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -2,7 +2,12 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-# There was a regular-expression matching various banners, needs to be expanded ++# Multiple regexes transform the banner regex into a usable banner ++# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# (dod_banners contains the long and shor banner) ++# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 3- Adds newlines. 
(Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). + expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') + formatted=$(echo "$expanded" | fold -sw 80) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 568942e892..658205bd2c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,6 +2,14 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + ++# Multiple regexes transform the banner regex into a usable banner ++# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# (dod_banners contains the long and shor banner) ++# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") ++# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). ++# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). ++# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". 
+ expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + +From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 12:49:02 +0100 +Subject: [PATCH 09/27] Add rule to check dconf banner + +The STIG profile sets the banner, and checks whether it is enabled for +dconf, but never checked the banner text. +--- + rhel8/profiles/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 7eb1869a3c..f315df7d06 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -21,6 +21,7 @@ extends: ospp + - login_banner_text=dod_banners + - dconf_db_up_to_date + - dconf_gnome_banner_enabled ++ - dconf_gnome_login_banner_text + - banner_etc_issue + - accounts_password_set_min_life_existing + - accounts_password_set_max_life_existing + +From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 15:37:46 +0100 +Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock + +--- + .../dconf_gnome_login_banner_text/ansible/shared.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +index 6946c9ddf7..303f505968 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +@@ -38,7 +38,7 @@ + - name: "Prevent user 
modification of the GNOME3 Login Warning Banner Text" + lineinfile: + path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock' +- regexp: '^org/gnome/login-screen/banner-message-text$' +- line: 'org/gnome/login-screen/banner-message-text' ++ regexp: '^/org/gnome/login-screen/banner-message-text$' ++ line: '/org/gnome/login-screen/banner-message-text' + create: yes + state: present + +From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 15:58:38 +0100 +Subject: [PATCH 11/27] Fix banner regex stripping for Ansible + +Do similar regex stripping as done in Bash remediaiton. +The triple single quotes is necessary for the jinja template expansion +to add the banner wrapped in single quotes. +--- + .../dconf_gnome_login_banner_text/ansible/shared.yml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +index 303f505968..5d5e92530a 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +@@ -32,8 +32,9 @@ + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: banner-message-text +- value: '{{ login_banner_text }}' ++ value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}''' + create: yes ++ no_extra_spaces: yes + + - name: "Prevent user modification of the GNOME3 Login Warning Banner Text" + lineinfile: + +From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 
00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 16:09:50 +0100 +Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue + +--- + .../banner_etc_issue/ansible/shared.yml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +new file mode 100644 +index 0000000000..e136304020 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++# reboot = false ++# strategy = unknown ++# complexity = low ++# disruption = medium ++- (xccdf-var login_banner_text) ++ ++- name: "{{{ rule_title }}}" ++ lineinfile: ++ dest: /etc/issue ++ line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' ++ create: yes + +From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 16:52:09 +0100 +Subject: [PATCH 13/27] Update reference RHEL8 STIG profile + +--- + tests/data/profile_stability/rhel8/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 843267d589..381cf54b3a 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -84,6 +84,7 @@ selections: + - coredump_disable_storage + - dconf_db_up_to_date + - dconf_gnome_banner_enabled ++- dconf_gnome_login_banner_text + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disable_host_auth + +From 
6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sat, 7 Mar 2020 13:12:28 +0100 +Subject: [PATCH 14/27] Move bash banner deregexification to macros + +This aims to increase maintenability and readability. +Every step in the deregexification is a separate macro. +The macros 'bash_deregexify_banner_etc_issue' and +'bash_deregexify_banner_dconf_gnome' build upon the basic steps. +--- + .../banner_etc_issue/bash/shared.sh | 9 ++++--- + .../bash/shared.sh | 10 +++++--- + shared/macros-bash.jinja | 25 +++++++++++++++++++ + 3 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 07b88bf039..119413005e 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -4,12 +4,15 @@ populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner + # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. +-# (dod_banners contains the long and shor banner) ++# (dod_banners contains the long and short banner) ++{{{ bash_deregexify_multiple_banners("login_banner_text") }}} + # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++{{{ bash_deregexify_banner_space("login_banner_text") }}} + # 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} + # 4- Remove any leftover backslash. (From any parethesis in the banner, for example). 
+-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') +-formatted=$(echo "$expanded" | fold -sw 80) ++{{{ bash_deregexify_banner_backslash("login_banner_text") }}} ++formatted=$(echo "$login_banner_text" | fold -sw 80) + + cat </etc/issue + $formatted +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 658205bd2c..4011932790 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -4,13 +4,17 @@ populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner + # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. +-# (dod_banners contains the long and shor banner) ++# (dod_banners contains the long and short banner) ++{{{ bash_deregexify_multiple_banners("login_banner_text") }}} + # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++{{{ bash_deregexify_banner_space("login_banner_text") }}} + # 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") ++{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} + # 4- Remove any leftover backslash. (From any parethesis in the banner, for example). ++{{{ bash_deregexify_banner_backslash("login_banner_text") }}} + # 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). + # ( Needs to be done after 4, otherwise the escapce sequence will become just "n". 
+-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') ++{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} + +-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} ++{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 2756cc0c00..6d72684c6d 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}} + {{{ contents|trim() }}} + EOF + {{%- endmacro %}} ++ ++{{# Strips multibanner regex and keeps only the first banner #}} ++{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g') ++{{%- endmacro %}} ++ ++{{# Strips whitespace or newline regex #}} ++{{% macro bash_deregexify_banner_space(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g') ++{{%- endmacro %}} ++ ++{{# Strips newline or newline escape sequence regex #}} ++{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g') ++{{%- endmacro %}} ++ ++{{# Strips newline token for a newline escape sequence regex #}} ++{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g') ++{{%- endmacro %}} ++ ++{{# Strips backslash regex #}} ++{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name 
}}}" | sed 's/\\//g')
++{{%- endmacro %}}
+
+From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Sat, 7 Mar 2020 14:04:40 +0100
+Subject: [PATCH 15/27] Move ansible banner deregexification to macros
+
+This aims to increase maintenability and readability.
+Every step in the deregexification is a separate macro.
+The macros 'ansible_deregexify_banner_etc_issue' and
+'ansible_deregexify_banner_dconf_gnome' build upon the basic steps.
+---
+ .../banner_etc_issue/ansible/shared.yml | 2 +-
+ .../ansible/shared.yml | 2 +-
+ shared/macros-ansible.jinja | 54 +++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+index e136304020..42c19194e4 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+@@ -8,5 +8,5 @@
+ - name: "{{{ rule_title }}}"
+ lineinfile:
+ dest: /etc/issue
+- line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
++ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
+ create: yes
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+index 5d5e92530a..40cce05fbc 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+@@ -32,7 +32,7 @@
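Review bot: Every new macro body in the macros-bash.jinja hunk pipes the banner through `echo "${{{ banner_var_name }}}"`, and the values these macros are written for contain backslash sequences such as `\n`, `\(` and `\\n` (the sed expressions in this hunk exist precisely to rewrite those tokens). A bash with `xpg_echo` enabled, or a POSIX `sh` running the generated remediation, has `echo` expand those escapes before sed sees them, so the newline-token step would be silently skipped and the wrong text written to the banner file. `printf '%s\n' "${{{ banner_var_name }}}"` is the portable form and is a one-token change in each of the five macros. The first macro's `s/\^(\(.*\)|.*$/\1/g` only strips the wrapper when the regex literally starts with `^(`, which holds for the shipped `dod_banners` value; a one-line comment stating that assumption would help whoever adds a new multi-banner variable.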
+ dest: /etc/dconf/db/gdm.d/00-security-settings
+ section: org/gnome/login-screen
+ option: banner-message-text
+- value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
++ value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}'
+ create: yes
+ no_extra_spaces: yes
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 0d023553a7..5deb7ceb80 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -217,3 +217,57 @@
+ {{{ contents|trim()|indent(8) }}}
+ force: yes
+{{%- endmacro %}}
++
++{{#
++ Formats a banner regex for use in /etc/issue
++ Parameters:
++ - banner_var_name - name of ansible variable with the banner regex
++#}}
++{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
++{{ {{{ banner_var_name }}} |
++{{{ ansible_deregexify_multiple_banners() }}} |
++{{{ ansible_deregexify_banner_space() }}} |
++{{{ ansible_deregexify_banner_newline("\\n") }}} |
++{{{ ansible_deregexify_banner_backslash() }}} |
++wordwrap() }}
++{{%- endmacro %}}
++
++{{#
++ Formats a banner regex for use in dconf
++ Parameters:
++ - banner_var_name - name of ansible variable with the banner regex
++#}}
++{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
++''{{ {{{ banner_var_name }}} |
++{{{ ansible_deregexify_multiple_banners() }}} |
++{{{ ansible_deregexify_banner_space() }}} |
++{{{ ansible_deregexify_banner_newline("(n)*") }}} |
++{{{ ansible_deregexify_banner_backslash() }}} |
++{{{ ansible_deregexify_banner_newline_token()}}} }}''
++{{%- endmacro %}}
++
++ line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
++{{# Strips multibanner regex and keeps only the first banner #}}
++{{% macro ansible_deregexify_multiple_banners() -%}}
++regex_replace("\^\((.*)\|.*$", "\1")
++{{%-
endmacro %}}
++
++{{# Strips whitespace or newline regex #}}
++{{% macro ansible_deregexify_banner_space() -%}}
++regex_replace("\[\\s\\n\]\+"," ")
++{{%- endmacro %}}
++
++{{# Strips newline or newline escape sequence regex #}}
++{{% macro ansible_deregexify_banner_newline(newline) -%}}
++regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "{{{ newline }}}")
++{{%- endmacro %}}
++
++{{# Strips newline token for a newline escape sequence regex #}}
++{{% macro ansible_deregexify_banner_newline_token() -%}}
++regex_replace("\(n\)\*", "\\n")
++{{%- endmacro %}}
++
++{{# Strips backslash regex #}}
++{{% macro ansible_deregexify_banner_backslash() -%}}
++regex_replace("\\", "")
++{{%- endmacro %}}
+
+From 890e79ea0a9eff8cab05d8ef06e96900d95b2617 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Sun, 8 Mar 2020 10:58:12 +0100
+Subject: [PATCH 16/27] Move the DoD banners into jinja variables
+
+The variables are used to easily combine them in the regex for the
+"multiple banners allowed regex".
+Lets avoid repeating ourselves.
+---
+ .../httpd_secure_content/var_web_login_banner_text.var | 9 ++++++---
+ .../accounts/accounts-banners/login_banner_text.var | 9 ++++++---
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+index 72a728659b..96b6ac8e71 100644
+--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+@@ -12,9 +12,12 @@ operator: equals
+
+ interactive: false
+
++{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.
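Review bot: The line `++ line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'` in the macros-ansible.jinja hunk sits between the `ansible_deregexify_banner_dconf_gnome` definition and `ansible_deregexify_multiple_banners`, outside any macro; the empty `| |` filter slot shows it is a leftover from editing the shared.yml task, and it should be deleted. Depending on how `shared/macros-ansible.jinja` is pulled into templates, that text is either rendered into every Ansible output that includes the macros or silently dropped, and in the first case it changes generated playbooks for unrelated rules. `{{{ ansible_deregexify_banner_newline_token()}}} }}''` is missing the space before `}}}` that the other calls in the same macro have, a smaller style point worth fixing in the same pass.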
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
++{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
++
+ options:
+- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
+- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
+- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
++ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
++ dod_default: {{{ banner_flexibler(var_dod_default) }}}
++ dod_short: {{{ banner_flexibler(var_dod_short) }}}
+ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only.
All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel.
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+index 0c398bee9c..400a4299e6 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+@@ -12,10 +12,13 @@ operator: equals
+
+ interactive: false
+
++{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.
See User Agreement for details." %}}
++{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
++
+ options:
+ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
+- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
+- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
+- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
++ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
++ dod_default: {{{ banner_flexibler(var_dod_default) }}}
++ dod_short: {{{ banner_flexibler(var_dod_short) }}}
+ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only.
All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel.
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+
+From f17b39f5a55f92ae4d0e4e03cbd26dd55137b083 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Sun, 8 Mar 2020 11:14:09 +0100
+Subject: [PATCH 17/27] Remove unecessary escapping in short banner
+
+---
+ .../httpd_secure_content/var_web_login_banner_text.var | 2 +-
+ .../system/accounts/accounts-banners/login_banner_text.var | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+index 96b6ac8e71..c98d2441cf 100644
+--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+@@ -13,7 +13,7 @@ operator: equals
+ interactive: false
+
+ {{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.
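Review bot: `{{% set var_dod_default="You are accessing…` in the login_banner_text.var hunk has no spaces around `=`, while the same assignment added to var_web_login_banner_text.var in the previous hunk reads `{{% set var_dod_default = "…"`; keeping the two lines identical makes it easy to diff the two copies of the banner. Since the banner text is now held as a Jinja variable in two separate .var files, a short comment in each (`{{# keep in sync with <the other .var file> #}}`) would flag the duplication the commit message says it wants to avoid.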
By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
+-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
++{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
+
+ options:
+ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+index 400a4299e6..fc65772554 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+@@ -13,7 +13,7 @@ operator: equals
+ interactive: false
+
+ {{% set var_dod_default="You are accessing a U.S.
Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
+-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
++{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
+
+ options:
+ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
+
+From bb2dcd9212bb6e83c53bfb9df10bc7e236dec722 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Sun, 8 Mar 2020 15:23:31 +0100
+Subject: [PATCH 18/27] Add utility to regexify a login banner
+
+Moved the banner_flexibler macro to python code, and renamed to
+banner_regexify, to be aligned with Ansible and Bash counter parts
+ +The utility will make it easy to add you own login banner on a tailoring +file, or via SCAP Workbench. +--- + .../var_web_login_banner_text.var | 10 +++---- + .../accounts-banners/login_banner_text.var | 10 +++---- + shared/macros.jinja | 4 --- + ssg/jinja.py | 3 +- + ssg/utils.py | 3 ++ + utils/regexify_banner.py | 29 +++++++++++++++++++ + 6 files changed, 44 insertions(+), 15 deletions(-) + create mode 100644 utils/regexify_banner.py + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index c98d2441cf..d3f72cbd97 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -16,8 +16,8 @@ interactive: false + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_flexibler(var_dod_default) }}} +- dod_short: {{{ banner_flexibler(var_dod_short) }}} +- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. 
Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
++ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
++ dod_default: {{{ banner_regexify(var_dod_default) }}}
++ dod_short: {{{ banner_regexify(var_dod_short) }}}
++ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only.
All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
++ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel.
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+index fc65772554..f6eab9bf33 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
+@@ -17,8 +17,8 @@ interactive: false
+
+ options:
+ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
+- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
+- dod_default: {{{ banner_flexibler(var_dod_default) }}}
+- dod_short: {{{ banner_flexibler(var_dod_short) }}}
+- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy.
If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
+- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
++ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
++ dod_default: {{{ banner_regexify(var_dod_default) }}}
++ dod_short: {{{ banner_regexify(var_dod_short) }}}
++ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only.
All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} +diff --git a/shared/macros.jinja b/shared/macros.jinja +index b178088f0c..8a25acc937 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -657,7 +657,3 @@ openssl() + ) + + {{%- endmacro %}} +- +-{{% macro banner_flexibler(banner_text) -%}} +-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}} +-{{% endmacro %}} +diff --git a/ssg/jinja.py b/ssg/jinja.py +index 700466b8c3..471fbf4140 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -10,7 +10,7 @@ + JINJA_MACROS_BASH_DEFINITIONS, + JINJA_MACROS_OVAL_DEFINITIONS, + ) +-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform ++from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify + + + class MacroError(RuntimeError): +@@ -112,6 +112,7 @@ def add_python_functions(substitutions_dict): + substitutions_dict['prodtype_to_name'] = prodtype_to_name + substitutions_dict['name_to_platform'] = name_to_platform + substitutions_dict['prodtype_to_platform'] = prodtype_to_platform ++ substitutions_dict['banner_regexify'] = banner_regexify + substitutions_dict['raise'] = raise_exception + + +diff --git a/ssg/utils.py b/ssg/utils.py +index 16b1aebe33..3823e02a2d 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -248,3 +248,6 @@ def mkdir_p(path): + pass + else: + raise ++ ++def banner_regexify(banner_text): ++ return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +new file mode 100644 +index 0000000000..7bdf69b702 +--- /dev/null ++++ b/utils/regexify_banner.py +@@ -0,0 +1,29 @@ ++import argparse ++import 
ssg.utils ++ ++def parse_args(): ++ p = argparse.ArgumentParser() ++ p.add_argument("--output", help="Path to output regexified banner") ++ p.add_argument("input", help="Path to file with banner to regexify") ++ ++ return p.parse_args() ++ ++ ++def main(): ++ ++ args = parse_args() ++ with open(args.input, "r") as file_in: ++ # rstrip is used to remove newline at the end of file ++ banner_text = file_in.read().rstrip() ++ ++ banner_regex = ssg.utils.banner_regexify(banner_text) ++ ++ if args.output: ++ with open(args.output, "w") as file_out: ++ file_out.write(banner_regex) ++ else: ++ print(banner_regex) ++ ++ ++if __name__ == "__main__": ++ main() + +From 5c81e70d14ee90877630610bf0a2215199a3e491 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 15:31:12 +0100 +Subject: [PATCH 19/27] Move the macro to be a Jinja2 filter + +This is done so that we can apply banner_regexify indvidually in each +banner of dod_banners. +--- + .../httpd_secure_content/var_web_login_banner_text.var | 10 +++++----- + .../accounts/accounts-banners/login_banner_text.var | 10 +++++----- + ssg/jinja.py | 2 +- + 3 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index d3f72cbd97..e990f0cb23 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -16,8 +16,8 @@ interactive: false + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." 
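Review bot: `file_in.read().rstrip()` strips every kind of trailing whitespace, not only the end-of-file newline the comment above it describes, so a banner whose last line ends in spaces or tabs is silently altered before it is regexified; `banner_text = file_in.read().rstrip("\n")` matches the stated intent. The two output paths also differ: `file_out.write(banner_regex)` emits the bare regex while `print(banner_regex)` appends a newline, so a pasted stdout result carries a trailing newline the `--output` file does not; `print(banner_regex, end="")` (or `sys.stdout.write`) would make them byte-identical. Both `open` calls rely on the locale default encoding, which matters for banners that contain non-ASCII punctuation; passing `encoding="utf-8"` would pin it, assuming the script is only run under Python 3 (the shebang added later in this series does not say).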
%}} + + options: +- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_regexify(var_dod_default) }}} +- dod_short: {{{ banner_regexify(var_dod_short) }}} +- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} +- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. 
Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} ++ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} ++ dod_default: {{{ var_dod_default|banner_regexify }}} ++ dod_short: {{{ var_dod_short|banner_regexify }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. 
If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index f6eab9bf33..e059174cb5 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -17,8 +17,8 @@ interactive: false + + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters +- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_regexify(var_dod_default) }}} +- dod_short: {{{ banner_regexify(var_dod_short) }}} +- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. 
All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} +- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} ++ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} ++ dod_default: {{{ var_dod_default|banner_regexify }}} ++ dod_short: {{{ var_dod_short|banner_regexify }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. 
Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} +diff --git a/ssg/jinja.py b/ssg/jinja.py +index 471fbf4140..e779466838 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -71,6 +71,7 @@ def _get_jinja_environment(substitutions_dict): + loader=AbsolutePathFileSystemLoader(), + bytecode_cache=bytecode_cache + ) ++ _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify + + return _get_jinja_environment.env + +@@ -112,7 +113,6 @@ def add_python_functions(substitutions_dict): + substitutions_dict['prodtype_to_name'] = prodtype_to_name + substitutions_dict['name_to_platform'] = name_to_platform + substitutions_dict['prodtype_to_platform'] = prodtype_to_platform +- substitutions_dict['banner_regexify'] = banner_regexify + substitutions_dict['raise'] = raise_exception + + + +From d416cb9e78842767f08d9c38d9ea0b79b05f00dd Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 15:53:07 +0100 +Subject: [PATCH 20/27] Automatically escape regex unsafe chars in banner + +Let the banner_regexify filter escape regex unsafe chars, no need for +manual escaping. 
+--- + .../httpd_secure_content/var_web_login_banner_text.var | 2 +- + .../system/accounts/accounts-banners/login_banner_text.var | 2 +- + ssg/utils.py | 5 +++++ + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index e990f0cb23..e59cdc0782 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -12,7 +12,7 @@ operator: equals + + interactive: false + +-{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details." %}} ++{{% set var_dod_default = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index e059174cb5..1c6a39f481 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -12,7 +12,7 @@ operator: equals + + interactive: false + +-{{% set var_dod_default="You are accessing a U.S. 
Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} ++{{% set var_dod_default="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +diff --git a/ssg/utils.py b/ssg/utils.py +index 3823e02a2d..7584e38a16 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -250,4 +250,9 @@ def mkdir_p(path): + raise + + def banner_regexify(banner_text): ++ # We could use re.escape(), but it escapes too many characters, including plain white space. ++ # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. ++ # See https://docs.python.org/3/library/re.html#re.sub ++ # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. 
++ banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text) + return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") + +From 35e962ce5c5c28d29d120723715d64dcbd567197 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 17:00:26 +0100 +Subject: [PATCH 21/27] Document the new macros, filter and utility + +--- + docs/manual/developer_guide.adoc | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc +index 76c1c10218..739a6a823c 100644 +--- a/docs/manual/developer_guide.adoc ++++ b/docs/manual/developer_guide.adoc +@@ -752,6 +752,14 @@ $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --p + + This will result in a new YAML profile containing exclusive rules to the profile pointed by the --profile1 option. + ++=== Generating login banner regular expressions ++ ++Rules like `banner_etc_issue` and `dconf_gnome_login_banner_text` will check for configuration of login banners and remediate them. Both rules source the banner text from the same variable `login_banner_text`, and the banner texts need to be in the form of a regular expression. ++There are a few utilities you can use to transform your text into the appropriate regular expression: ++ ++When adding a new banner directly to the `login_banner_text`, use the custom Jinja filter `banner_regexify`. + ++If customizing content via SCAP Workbench, or directly writing your tailoring XML, use `utils/regexify_banner.py` to generate the appropriate regular expression. ++ + == Contributing with XCCDFs, OVALs and remediations + + There are three main types of content in the project, they are rules, defined using the XCCDF standard, checks, usually written in link:https://oval.mitre.org/language/about/[OVAL] format, and remediations, that can be executed on ansible, bash, anaconda installer, puppet and ignition. 
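Review bot: The character class in `re.sub(r"([#$&*+-.^`|~:()])", ...)` contains an unescaped hyphen between `+` and `.`, which Python reads as the range `+`–`.`, so `,` is also backslash-escaped, and the class additionally lists `:` and the backtick, all three of which the comment directly above says are not escaped; the comment and the code disagree, and since the banner texts in this series are full of commas and colons the generated regexes will carry `\,` and `\:` throughout. Escaping them is harmless to the regex engine, so this is a consistency defect rather than a matching bug, but one of the two should be fixed; to make the code match the comment use `banner_text = re.sub(r"([#$&*+\-.^|~()])", r"\\\1", banner_text)`. The same class is carried unchanged into the restyled hunk in PATCH 22 (ssg/utils.py, lines 249–261), so whichever fix is chosen applies there too. The hunk also presumes `re` is already imported by ssg/utils.py, which cannot be confirmed from here since no import is added.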
+@@ -1279,6 +1287,8 @@ Jinja macros for Ansible content are located in `/shared/macros-ansible.jinja`. + - `ansible_sshd_set` -- set a parameter in the sshd configuration + - `ansible_etc_profile_set` -- ensure a command gets executed or a variable gets set in /etc/profile or /etc/profile.d + - `ansible_tmux_set` -- set a command in tmux configuration ++- `ansible_deregexify_banner_etc_issue` -- Formats a banner regex for use in /etc/issue ++- `ansible_deregexify_banner_dconf_gnome` -- Formats a banner regex for use in dconf + + They also include several low-level macros: + +@@ -1289,6 +1299,14 @@ They also include several low-level macros: + - `ansible_set_config_file` -- for configuration files; set the given configuration value and ensure no conflicting values + - `ansible_set_config_file_dir` -- for configuration files and files in configuration directories; set the given configuration value and ensure no conflicting values + ++Low level macros to make login banner regular expressions usable in Ansible remediations ++ ++- `ansible_deregexify_multiple_banners` -- Strips multibanner regex and keeps only the first banner ++- `ansible_deregexify_banner_space` -- Strips whitespace or newline regex ++- `ansible_deregexify_banner_newline` -- Strips newline or newline escape sequence regex ++- `ansible_deregexify_banner_newline_token` -- Strips newline token for a newline escape sequence regex ++- `ansible_deregexify_banner_backslash` - Strips backslash regex ++ + When `msg` is absent from any of the above macros, rule title will be substituted instead. + + Whenever possible, please reuse the macros and form high-level simplifications. 
+@@ -1348,6 +1366,14 @@ Available low-level Jinja macros that can be used in Bash remediations: + - `die` - Function to terminate the remediation + - `set_config_file` - Add an entry to a text configuration file + ++Low level macros to make login banner regular expressions usable in Bash remediations ++ ++- `bash_deregexify_multiple_banners` - Strips multibanner regex and keeps only the first banner ++- `bash_deregexify_banner_space` - Strips whitespace or newline regex ++- `bash_deregexify_banner_newline` - Strips newline or newline escape sequence regex ++- `bash_deregexify_banner_newline_token` - Strips newline token for a newline escape sequence regex ++- `bash_deregexify_banner_backslash` - Strips backslash regex ++ + === Templating + + Writing OVAL checks, Bash, or any other content can be tedious work. For + +From ad5526d6704299cfd01c818fa8a79e3587b90cb5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 17:56:44 +0100 +Subject: [PATCH 22/27] Code style fixes + +--- + ssg/jinja.py | 7 ++++++- + ssg/utils.py | 5 ++++- + utils/regexify_banner.py | 1 + + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/ssg/jinja.py b/ssg/jinja.py +index e779466838..e014768e2b 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -10,7 +10,12 @@ + JINJA_MACROS_BASH_DEFINITIONS, + JINJA_MACROS_OVAL_DEFINITIONS, + ) +-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify ++from .utils import (required_key, ++ prodtype_to_name, ++ name_to_platform, ++ prodtype_to_platform, ++ banner_regexify ++ ) + + + class MacroError(RuntimeError): +diff --git a/ssg/utils.py b/ssg/utils.py +index 7584e38a16..472ac73b81 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -249,10 +249,13 @@ def mkdir_p(path): + else: + raise + ++ + def banner_regexify(banner_text): + # We could use re.escape(), but it escapes too many characters, including plain white space. 
+ # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. + # See https://docs.python.org/3/library/re.html#re.sub + # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. + banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text) +- return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") ++ banner_text = banner_text.replace("\n", "BFLMPSVZ") ++ banner_text = banner_text.replace(" ", "[\\s\\n]+") ++ return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +index 7bdf69b702..c794c02a37 100644 +--- a/utils/regexify_banner.py ++++ b/utils/regexify_banner.py +@@ -1,6 +1,7 @@ + import argparse + import ssg.utils + ++ + def parse_args(): + p = argparse.ArgumentParser() + p.add_argument("--output", help="Path to output regexified banner") + +From 86439fed8f2d431da76bd613c87b38c4eda6457b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Mar 2020 13:44:02 +0100 +Subject: [PATCH 23/27] regexify_banner.py: Set x permission and shebang + +--- + utils/regexify_banner.py | 1 + + 1 file changed, 1 insertion(+) + mode change 100644 => 100755 utils/regexify_banner.py + +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +old mode 100644 +new mode 100755 +index c794c02a37..15584693bf +--- a/utils/regexify_banner.py ++++ b/utils/regexify_banner.py +@@ -1,3 +1,4 @@ ++#!/usr/bin/env python + import argparse + import ssg.utils + + +From 556018017f7fbb2d7707aaf673ecd9d4edb53aae Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Mar 2020 14:16:03 +0100 +Subject: [PATCH 24/27] The whole /etc/issue file should be evaluated + +Added test scenario where the banner is followed by an +extraneous line. This caused the rule to pass unexpectedly. 
+ +Updated OVAL check to consider the all lines of /etc/issue the object to +be evaluated and compared against a state. +Also updated Bash remediation to not add extra newline at the end, and +Asnbile remediation to remove any extraneous line in /etc/issue +--- + .../banner_etc_issue/ansible/shared.yml | 7 ++++- + .../banner_etc_issue/bash/shared.sh | 2 -- + .../banner_etc_issue/oval/shared.xml | 8 ++++- + ...ner_etc_issue_disa_with_extra_line.fail.sh | 30 +++++++++++++++++++ + 4 files changed, 43 insertions(+), 4 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +index 42c19194e4..21f0925268 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -5,7 +5,12 @@ + # disruption = medium + - (xccdf-var login_banner_text) + +-- name: "{{{ rule_title }}}" ++- name: "{{{ rule_title }}} - remove incorrect banner" ++ file: ++ state: absent ++ path: /etc/issue ++ ++- name: "{{{ rule_title }}} - add correct banner" + lineinfile: + dest: /etc/issue + line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 119413005e..1a0c11f569 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -17,5 +17,3 @@ formatted=$(echo "$login_banner_text" | fold -sw 80) + cat </etc/issue + $formatted + EOF +- +-printf "\n" >> /etc/issue +diff --git 
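Review bot: The new "remove incorrect banner" task deletes /etc/issue with `file: state: absent` and then relies on `lineinfile` to put the banner back, so the recreated file takes the umask-derived mode, root ownership and a freshly labelled SELinux context rather than whatever the original file had, and between the two tasks the system has no banner at all; the rest of the `lineinfile` task is outside the hunk, so I cannot confirm it sets `create: yes` (without it the task fails on a missing dest) or a `mode`. A single `copy` task replaces the pair atomically and keeps the permissions explicit: `copy:` / `dest: /etc/issue` / `content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'` with an explicit `mode`. If the two-task form is kept, the removal task should at least carry a comment stating that the whole file is intentionally replaced so that stray lines (the case the new .fail.sh scenario covers) are dropped.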
a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
+index 3317251d41..032c65b340 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
+@@ -12,14 +12,20 @@
+ 
+ 
+ 
++
+ 
+ 
+ 
++
+ /etc/issue
+- 
++ ^(.*)$
+ 1
+ 
+ 
++
++
++
++
+ 
+ 
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
+new file mode 100644
+index 0000000000..dfa48bd61a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
+@@ -0,0 +1,30 @@
++#!/bin/bash
++#
++# profiles = xccdf_org.ssgproject.content_profile_stig
++
++# dod_default|dod_short banner
++echo "You are accessing a U.S. Government (USG) Information System (IS) that is
++provided for USG-authorized use only. By using this IS (which includes any
++device attached to this IS), you consent to the following conditions:
++
++-The USG routinely intercepts and monitors communications on this IS for
++purposes including, but not limited to, penetration testing, COMSEC monitoring,
++network operations and defense, personnel misconduct (PM), law enforcement
++(LE), and counterintelligence (CI) investigations.
++
++-At any time, the USG may inspect and seize data stored on this IS.
++
++-Communications using, or data stored on, this IS are not private, are subject
++to routine monitoring, interception, and search, and may be disclosed or used
++for any USG-authorized purpose.
++
++-This IS includes security measures (e.g., authentication and access controls)
++to protect USG interests--not for your personal benefit or privacy. 
++
++-Notwithstanding the above, using this IS does not constitute consent to PM, LE
++or CI investigative searching or monitoring of the content of privileged
++communications, or work product, related to personal representation or services
++by attorneys, psychotherapists, or clergy, and their assistants. Such
++communications and work product are private and confidential. See User
++Agreement for details.
++Extra line at end." > /etc/issue
+
+From 488c5259595032f25dd98d45c1b38a65ed248647 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 11 Mar 2020 18:52:37 +0100
+Subject: [PATCH 25/27] Wrap banner text with regex anchors
+
+We need to be sure that the whole banners matches the banner variable.
+This commit includes a test scenario that reproduces the issue.
+
+All the harness around banners have been updated, regexify, deregexify
+and utility.
+---
+ .../var_web_login_banner_text.var | 8 ++++----
+ .../banner_etc_issue/bash/shared.sh | 10 ++++++----
+ .../dconf_gnome_login_banner_text/bash/shared.sh | 12 +++++++-----
+ .../tests/wrapped_banner.fail.sh | 16 ++++++++++++++++
+ .../accounts-banners/login_banner_text.var | 8 ++++----
+ shared/macros-ansible.jinja | 10 ++++++++--
+ shared/macros-bash.jinja | 7 ++++++-
+ ssg/jinja.py | 4 +++-
+ ssg/utils.py | 3 +++
+ utils/regexify_banner.py | 1 +
+ 10 files changed, 58 insertions(+), 21 deletions(-)
+ create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
+
+diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+index e59cdc0782..dc10e8c3cf 100644
+--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
+@@ -17,7 +17,7 @@ 
interactive: false + + options: + dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} +- dod_default: {{{ var_dod_default|banner_regexify }}} +- dod_short: {{{ var_dod_short|banner_regexify }}} +- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} +- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. 
Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} ++ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}} ++ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. 
Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 1a0c11f569..30449d5e9d 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,14 +3,16 @@ + populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner +-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# 0 - Remove anchors around the banner text ++{{{ bash_deregexify_banner_anchors("login_banner_text") }}} ++# 1 - Keep only the first banners if there are multiple + # (dod_banners contains the long and short banner) + {{{ bash_deregexify_multiple_banners("login_banner_text") }}} +-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") + {{{ bash_deregexify_banner_space("login_banner_text") }}} +-# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++# 3 - Adds newlines. 
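Review bot: `dod_banners` still hand-builds its anchors with `"^(" ~ … ~ ")$"` while the four options below it now go through `banner_anchor_wrap`, so two places define what an anchored banner looks like and the deregexify macros have to recognise both shapes. Routing it through the same filter, `dod_banners: {{{ ("(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")")|banner_anchor_wrap }}}`, keeps the anchoring in one function. The matching hunk in login_banner_text.var further down has the same inconsistency.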
(Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+ {{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
+-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
++# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
+ {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
+ formatted=$(echo "$login_banner_text" | fold -sw 80)
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+index 4011932790..85ddd893c6 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+@@ -3,16 +3,18 @@
+ populate login_banner_text
+ 
+ # Multiple regexes transform the banner regex into a usable banner
+-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
++# 0 - Remove anchors around the banner text
++{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
++# 1 - Keep only the first banners if there are multiple
+ # (dod_banners contains the long and short banner)
+ {{{ bash_deregexify_multiple_banners("login_banner_text") }}}
+-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
++# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+ {{{ bash_deregexify_banner_space("login_banner_text") }}}
+-# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
++# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+ {{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
+-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
++# 4 - Remove any leftover backslash. 
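Review bot: The renumbered step-4 comment carries the typo `parethesis` over into the rewritten line; since the line is changed anyway it should read `# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).`. The same typo is rewritten into step 4 of dconf_gnome_login_banner_text/bash/shared.sh in the next hunk, whose step-5 context line also has `escapce`. The new step-0 comment would also benefit from saying why the anchors have to be stripped before step 1 (the step-5 comment in the dconf file already documents its ordering dependency); the macro bodies that make the order matter are outside this hunk.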
(From any parethesis in the banner, for example).
+ {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
+-# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
++# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
+ # ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
+ {{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
+new file mode 100644
+index 0000000000..1c6b9a23af
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
+@@ -0,0 +1,16 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 7
++# profiles = xccdf_org.ssgproject.content_profile_ncp
++
++source $SHARED/dconf_test_functions.sh
++
++install_dconf_and_gdm_if_needed
++
++login_banner_text="Some text before 
--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index 1c6a39f481..d00782f380 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -18,7 +18,7 @@ interactive: false + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters + dod_banners: {{{ "^(" ~ 
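Review bot: The sed chain that builds `expanded` re-implements the banner deregexify steps inline and contains an unexplained token: `s/(\\\\\x27)/tamere/g` substitutes the literal word `tamere` and no later expression maps it back, so a reader cannot tell whether it is an intentional sentinel or a leftover. Naming it for what it stands for (for example `ESCAPED_QUOTE`) or adding a comment above the line listing what each substitution undoes would make the scenario maintainable; whether the shared `bash_deregexify_*` macros are usable from a test scenario I cannot tell from this hunk. `source $SHARED/dconf_test_functions.sh` should quote the variable, `source "$SHARED/dconf_test_functions.sh"`, in line with the quoted expansions on the following lines.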
var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} +- dod_default: {{{ var_dod_default|banner_regexify }}} +- dod_short: {{{ var_dod_short|banner_regexify }}} +- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} +- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} ++ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}} ++ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. 
Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}} +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 5deb7ceb80..11fb79a4d9 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -225,6 +225,7 @@ + #}} + {{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}} + {{ {{{ banner_var_name }}} | ++{{{ ansible_deregexify_banner_anchors() }}} | + {{{ ansible_deregexify_multiple_banners() }}} | + {{{ ansible_deregexify_banner_space() }}} | + {{{ ansible_deregexify_banner_newline("\\n") }}} | +@@ -239,6 +240,7 @@ wordwrap() }} + #}} + {{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}} + ''{{ {{{ banner_var_name }}} | ++{{{ ansible_deregexify_banner_anchors() }}} | + {{{ ansible_deregexify_multiple_banners() }}} | + {{{ ansible_deregexify_banner_space() }}} | + {{{ ansible_deregexify_banner_newline("(n)*") }}} | +@@ -246,10 +248,14 @@ wordwrap() }} + {{{ ansible_deregexify_banner_newline_token()}}} }}'' + {{%- endmacro %}} + +- line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}' ++{{# Strips anchors around the banner #}} ++{{% macro ansible_deregexify_banner_anchors() -%}} ++regex_replace("^\^(.*)\$$", "\1") ++{{%- endmacro %}} ++ + {{# Strips multibanner regex and keeps only the first banner #}} + {{% macro 
ansible_deregexify_multiple_banners() -%}}
+-regex_replace("\^\((.*)\|.*$", "\1")
++regex_replace("\((.*)\|.*$", "\1")
+ {{%- endmacro %}}
+ 
+ {{# Strips whitespace or newline regex #}}
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 6d72684c6d..03b381c3ca 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -522,9 +522,14 @@ cat << 'EOF' > {{{ filepath }}}
+ EOF
+ {{%- endmacro %}}
+ 
++{{# Strips anchors regex around the banner text #}}
++{{% macro bash_deregexify_banner_anchors(banner_var_name) -%}}
++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g')
++{{%- endmacro %}}
++
+ {{# Strips multibanner regex and keeps only the first banner #}}
+ {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
+-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
+ {{%- endmacro %}}
+ 
+ {{# Strips whitespace or newline regex #}}
+diff --git a/ssg/jinja.py b/ssg/jinja.py
+index e014768e2b..da3e403a1b 100644
+--- a/ssg/jinja.py
++++ b/ssg/jinja.py
+@@ -14,7 +14,8 @@
+ prodtype_to_name,
+ name_to_platform,
+ prodtype_to_platform,
+- banner_regexify
++ banner_regexify,
++ banner_anchor_wrap
+ )
+ 
+ 
+@@ -77,6 +78,7 @@ def _get_jinja_environment(substitutions_dict):
+ bytecode_cache=bytecode_cache
+ )
+ _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
++ _get_jinja_environment.env.filters['banner_anchor_wrap'] = banner_anchor_wrap
+ 
+ return _get_jinja_environment.env
+ 
+diff --git a/ssg/utils.py b/ssg/utils.py
+index 472ac73b81..9b437d5556 100644
+--- a/ssg/utils.py
++++ b/ssg/utils.py
+@@ -259,3 +259,6 @@ def banner_regexify(banner_text):
+ banner_text = banner_text.replace("\n", "BFLMPSVZ")
+ banner_text = banner_text.replace(" ", "[\\s\\n]+")
+ return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
++
++def 
banner_anchor_wrap(banner_text):
++ return "^" + banner_text + "$"
+diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
+index 15584693bf..c17213d66d 100755
+--- a/utils/regexify_banner.py
++++ b/utils/regexify_banner.py
+@@ -19,6 +19,7 @@ def main():
+ banner_text = file_in.read().rstrip()
+ 
+ banner_regex = ssg.utils.banner_regexify(banner_text)
++ banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
+ 
+ if args.output:
+ with open(args.output, "w") as file_out:
+
+From d30eb89a68ae536707b8535c47eba4a422e2f252 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 12 Mar 2020 13:27:22 +0100
+Subject: [PATCH 26/27] Fix call of banner_anchor_wrap
+
+---
+ utils/regexify_banner.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
+index c17213d66d..16ec4ba6ef 100755
+--- a/utils/regexify_banner.py
++++ b/utils/regexify_banner.py
+@@ -19,7 +19,7 @@ def main():
+ banner_text = file_in.read().rstrip()
+ 
+ banner_regex = ssg.utils.banner_regexify(banner_text)
+- banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
++ banner_regex = ssg.utils.banner_anchor_wrap(banner_regex)
+ 
+ if args.output:
+ with open(args.output, "w") as file_out:
+
+From 90280f39e8548f2a7a22d1e328de72bc1b756099 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 12 Mar 2020 16:09:25 +0100
+Subject: [PATCH 27/27] Fix multiple banner regex stripping
+
+Anchor the opening parenthesis to beginning of banner, and add anchord
+closing parenthesis to pattern. 
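Review bot: `banner_anchor_wrap` is added with a single blank line after `banner_regexify` and without a docstring; PEP 8 asks for two blank lines between top-level definitions, which is exactly the blank line this series adds in utils/regexify_banner.py earlier. A docstring would also pin the contract that the new `*_deregexify_banner_anchors` macros rely on, for example `"""Wrap a regexified banner in ^ and $ so that only a whole-content match passes."""`. The `banner_regexify` definition this hunk is appended to starts outside the hunk.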
+---
+ shared/macros-ansible.jinja | 2 +-
+ shared/macros-bash.jinja | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 11fb79a4d9..b020246ef2 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -255,7 +255,7 @@ regex_replace("^\^(.*)\$$", "\1")
+ 
+ {{# Strips multibanner regex and keeps only the first banner #}}
+ {{% macro ansible_deregexify_multiple_banners() -%}}
+-regex_replace("\((.*)\|.*$", "\1")
++regex_replace("^\((.*)\|.*\)$", "\1")
+ {{%- endmacro %}}
+ 
+ {{# Strips whitespace or newline regex #}}
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 03b381c3ca..bc6c6f6486 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -529,7 +529,7 @@ EOF
+ 
+ {{# Strips multibanner regex and keeps only the first banner #}}
+ {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
+-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\)|.*)$/\1/g')
+ {{%- endmacro %}}
+ 
+ {{# Strips whitespace or newline regex #}}
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 3e8f103..b6e762f 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
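Review bot: The new `^\((.*)\|.*\)$` keeps a greedy `(.*)`, so the first alternative is cut at the last `|` before the closing parenthesis rather than at the separator between the two banners; a second banner that itself contains a pipe (which `banner_regexify` emits as `\|`) would leak into the kept banner. The DoD banners in this series contain no pipe, so this is latent rather than live, but splitting at the first unescaped separator, `^\((.*?)(?<!\\)\|.*\)$`, would remove the ambiguity — the backslash escaping through the Jinja and YAML layers needs checking before adopting it. The bash macro in the next hunk has the same greedy `\(.*\)`, and BRE has no non-greedy quantifier, so it would need a negated character class or a different approach there.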
@@ -3,14 +3,18 @@ %global _pkgdocdir %{_docdir}/%{name}-%{version}
 Name: scap-security-guide
-Version: 0.1.46
-Release: 1%{?dist}
+Version: 0.1.49
+Release: 2%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: System Environment/Base
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content
 Source0: %{name}-%{version}.tar.bz2
+Patch0: disable-not-in-good-shape-profiles.patch
+Patch1: scap-security-guide-0.1.50-simplify_login_banner.patch
+Patch2: scap-security-guide-0.1.50-fix_sysctl_rules_description.patch
+Patch3: scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML
@@ -38,6 +42,10 @@ been generated from XCCDF benchmarks present in %{name} package.
 %prep
 %setup -q -n %{name}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 # Workaround to remove Python byte cache files from the upstream sources
 # See https://github.com/ComplianceAsCode/content/issues/4042
 find . -name '*.pyc' -exec rm -f {} ';'
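Review bot: The three new `Patch1`–`Patch3` names carry `0.1.50` while `Version` is `0.1.49`, and `Patch0` has no version prefix at all, so the block reads as a mismatch until one guesses these are backports. If they were cherry-picked from upstream 0.1.50, a comment above `Patch1:` such as `# Backported from upstream 0.1.50` records that without renaming the files; otherwise the prefix should match `Version`. The `%patch0` to `%patch3` applications in the second hunk are consistent with the declarations.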
@@ -46,30 +54,12 @@ mkdir build
 %build
 mkdir -p build && cd build
 %cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
--DSSG_PRODUCT_EXAMPLE:BOOL=OFF \
--DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
--DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
--DSSG_PRODUCT_FEDORA:BOOL=OFF \
+-DSSG_PRODUCT_DEFAULT:BOOL=OFF \
 -DSSG_PRODUCT_FIREFOX:BOOL=ON \
--DSSG_PRODUCT_EAP6:BOOL=OFF \
--DSSG_PRODUCT_FUSE6:BOOL=OFF \
 -DSSG_PRODUCT_JRE:BOOL=ON \
--DSSG_PRODUCT_OCP3:BOOL=OFF \
--DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
--DSSG_PRODUCT_RHOSP13:BOOL=OFF \
 -DSSG_PRODUCT_RHEL6:BOOL=ON \
 -DSSG_PRODUCT_RHEL7:BOOL=ON \
--DSSG_PRODUCT_RHEL8:BOOL=OFF \
--DSSG_PRODUCT_RHV4:BOOL=OFF \
--DSSG_PRODUCT_SLE11:BOOL=OFF \
--DSSG_PRODUCT_SLE12:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1804:BOOL=OFF \
--DSSG_PRODUCT_WRLINUX8:BOOL=OFF \
--DSSG_PRODUCT_WRLINUX1019:BOOL=OFF \
--DSSG_PRODUCT_OL7:BOOL=OFF \
--DSSG_PRODUCT_OL8:BOOL=OFF \
+-DSSG_PRODUCT_RHEL8:BOOL=ON \
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
 -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
 ../
@@ -97,6 +87,50 @@ cd build
 %doc build/guides/ssg-*-guide-*.html
 %changelog
+* Tue Mar 31 2020 Watson Sato - 0.1.49-2
+- Fix remediation of dconf_gnome_login_banner_text (RHBZ#1776780)
+- Fix misleading sysctl rules description (RHBZ#1494606)
+- Update STIG FIPS approved SSHD ciphers (RHBZ#1781244)
+
+* Thu Mar 19 2020 Gabriel Becker - 0.1.49-1
+- Update to the latest upstream release (RHBZ#1815008)
+
+* Thu Nov 28 2019 Jan Černý - 0.1.46-11
+- Ship RHEL 8 content (RHBZ#1777862)
+
+* Wed Nov 20 2019 Vojtech Polasek - 0.1.46-10
+- Added missing CCE for rule sudo_require_authentication. (RHBZ#1755192)
+- fix check and remediation for rule aide_periodic_cron_checking (RHBZ#1658036)
+
+* Mon Nov 18 2019 Gabriel Becker - 0.1.46-9
+- Fixed missing CCE for OSPP, E8 and STIG profiles. (RHBZ#1726698)
+- Added kickstart file for the Essential Eight (e8) profile. (RHBZ#1755192)
+
+* Fri Nov 15 2019 Gabriel Becker - 0.1.46-8
+- Fix an omission on backporting the patch which fixes krb_sec rule. (RHBZ#1726698)
+
+* Fri Nov 15 2019 Matěj Týč - 0.1.46-7
+- Added support for the Essential Eight (e8) profile. (RHBZ#1755192)
+- Fixed issues with sshd rules used in the e8 profile. (RHBZ#1755192)
+
+* Wed Nov 13 2019 Gabriel Becker - 0.1.46-6
+- Updated ansible playbooks to use modules in favor of shell. (RHBZ#1726698)
+- Removed rule directory_access_var_log_audit from OSPP profile. (RHBZ#1726698)
+- Fixed ansible playbooks failing when running in --check mode. (RHBZ#1726698)
+
+* Mon Nov 11 2019 Gabriel Becker - 0.1.46-5
+- Fixed grub2_enable_fips_mode rule when installing RHEL on machines with AES-enabled processors. (RHBZ#1754532)
+
+* Wed Nov 06 2019 Jan Černý - 0.1.46-4
+- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754550)
+- Fixed mtab handling of remediation of /dev/shm/noexec (RHBZ#1754553)
+
+* Tue Nov 05 2019 Matěj Týč - 0.1.46-3
+- Made the cmake product selection future-proof. 
(RHBZ#1726698)
+
+* Tue Nov 05 2019 Jan Černý - 0.1.46-2
+- Fix rules file_permissions_unauthorized_suid and sgid (RHBZ#1693026)
+
 * Mon Sep 02 2019 Watson Sato - 0.1.46-1
 - Update to the latest upstream release 0.1.46 (RHBZ#1726698)