More flexibility for login banners #7690
Mind modifying the rhcos4 moderate profile? We'd probably use dod_banners as well
Done @JAORMX. Please take a look and let me know if it is fine or if any additional update is necessary for rhcos4. Thanks
/retest
/retest
With this patch, our test scenarios detected issues related to
Also fixed RHBZ#1983061 and defined a generic text as default content where not explicitly selected. Previously the DOD banners would be applied as default.
Removed unnecessary test scenarios and improved the necessary ones. Adjusted OVAL to allow absent /etc/motd file.
baaee21 to 330c0fb
@@ -6,7 +6,7 @@ | |||
</criteria> | |||
</definition> | |||
|
|||
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1"> | |||
<ind:textfilecontent54_test check="all" check_existence="any_exist" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1"> |
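Review bot: on the changed textfilecontent54_test line, check_existence="any_exist" lets the test pass whenever no item is collected, and for a textfilecontent54 object that covers two cases: /etc/motd is absent, or the file exists but nothing in it matches the object's pattern. The object and state are not visible in this hunk, so please confirm that the object matches the file's content independently of the banner text and that the banner comparison happens in the state; otherwise a present /etc/motd with the wrong banner would also pass. The comment attribute still reads "correct banner in /etc/motd" while version stays at "1"; consider updating the comment to say that an absent file is accepted.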
Different from /etc/issue, /etc/motd can be either removed or present with the expected content. So, an absent file is also fine.
Correctly split login_banner_text variable when multiple banners are defined.
/retest
...m/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh
LGTM
Description:
While some Security Guidelines require a specific content for login banners, like STIG, others are less restrictive, like CIS.
Currently, the variable login_banner_text expects predefined content for login banners, being prone to report incorrect assessment of relevant rules when the CIS profile is chosen.

Rationale:
The login_banner_text variable was updated to ensure compliance with CIS, only restricting technical information from the login banners when the CIS profile is used.

The corresponding content was explicitly defined for each profile which uses login banner rules. Mainly the STIG profiles didn't have this variable defined, but were working because dod_banners was selected as default. Therefore, an explicit default was also created for this variable, to not depend on the ordering of the available options. The default content is the same used for CIS since it is short and generic.

Finally, this patch also fixes RHBZ#1983061.