Set login banner message to /etc/issue in RHEL8 OSPP profile. #4728

Closed
wants to merge 2 commits into from

ggbecker
Member

Description:

  • Set login banner message to /etc/issue in RHEL8 OSPP profile. This banner is consumed by rule sshd_enable_warning_banner.

Rationale:

  • Unless the banner message is set to /etc/issue, SSH logins will show the default message from the issue file:
\S
Kernel \r on an \m

This banner is consumed by rule sshd_enable_warning_banner.
@ggbecker ggbecker added this to the 0.1.46 milestone Aug 15, 2019
@comps
Collaborator

comps commented Aug 15, 2019

Is the usgcb banner exactly the same as the one from OSPP v4.2.1 Configuration Annex? ... https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/#logontext

@ggbecker
Member Author

> Is the usgcb banner exactly the same as the one from OSPP v4.2.1 Configuration Annex? ... https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/#logontext

It's not. The value of login_banner_text should be dod_banners. I'll update that.

@yuumasato
Member

> It's not. The value of login_banner_text should be dod_banners. I'll update that.

dod_banners or dod_default?
dod_banners is a combination of dod_default and dod_short, and allows either one.
The text in the linked URL is dod_default.

@ggbecker
Member Author

> > It's not. The value of login_banner_text should be dod_banners. I'll update that.
>
> dod_banners or dod_default?
> dod_banners is a combination of dod_default and dod_short, and allows either one.
> The text in the linked URL is dod_default.

I've updated to use the dod_default, which should be the right case, unless the requirement changes.

@yuumasato
Member

I was going to suggest that login_banner_text be interactive, so that one can add their own banner during tailoring with SCAP Workbench.

But the banner values are actually nasty regexes... so I don't think so.

@yuumasato yuumasato self-assigned this Aug 15, 2019
@ggbecker
Member Author

The banner content is supposed to be defined by the organization itself. That means we cannot set a default there as it will be different for each case.

Ensuring that sshd_enable_warning_banner is properly checked and remediated is enough.
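
The two conditions discussed in this thread, as an added example that is not part of the pull request or the project's own checks: it reads the effective global Banner setting from an sshd_config file and flags an issue file that still holds the stock text quoted in the description. The function names and sample files are constructed for illustration, and parsing is assumed to stop at the first Match block.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Print the effective global Banner value from an sshd_config file.
# sshd uses the first value obtained for a keyword, and keywords are
# case-insensitive. Assumption: parsing stops at the first Match block.
sshd_banner_path() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "banner" { print $2; found = 1; exit }
        END { if (!found) print "none" }
    ' "$1"
}

# Return 0 if the issue file still contains the stock line quoted in
# the PR description ("Kernel \r on an \m"), matched as a fixed string.
issue_is_stock() {
    grep -Fq 'Kernel \r on an \m' "$1"
}

# Classify a config/issue pair. Prints one of:
#   ok | banner-not-issue | stock-issue
# $1 = sshd_config to read, $2 = issue file to inspect,
# $3 = path the Banner directive is expected to name.
check_banner() {
    conf=$1 issue=$2 expected=${3:-/etc/issue}
    [ "$(sshd_banner_path "$conf")" = "$expected" ] ||
        { echo banner-not-issue; return 1; }
    if issue_is_stock "$issue"; then echo stock-issue; return 1; fi
    echo ok
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'banner /etc/issue' \
    'Match User x' 'Banner none' > "$demo/sshd_config"
printf '%s\n' '\S' 'Kernel \r on an \m' > "$demo/issue.stock"
printf '%s\n' 'Constructed site banner text.' > "$demo/issue.site"

check_banner "$demo/sshd_config" "$demo/issue.stock" || true
check_banner "$demo/sshd_config" "$demo/issue.site"
```

On a real host the arguments would be /etc/ssh/sshd_config and /etc/issue; whether the banner text itself is acceptable remains an organizational decision, as the comment above says.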

@ggbecker ggbecker closed this Aug 19, 2019
@ggbecker ggbecker deleted the set-banner-text branch August 27, 2019 11:19
This pull request was closed.