Make login banner customizable

This patch makes it easier for deployers to customize their login
banner and it also fixes some documentation bugs around how to
configure the graphical login banner.

Closes-bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c

defaults/main.yml

@@ -564,6 +564,15 @@ security_rhel7_session_timeout: 600                          # V-72223
 security_rhel7_enable_chrony: yes                            # V-72269
 # Restrict mail relaying.
 security_rhel7_restrict_mail_relaying: yes                   # V-72297
+# Deploy a login banner.                                     # V-72225 / V-71863
+security_login_banner_text: |
+  ------------------------------------------------------------------------------
+  * WARNING                                                                    *
+  * You are accessing a secured system and your actions will be logged along   *
+  * with identifying information. Disconnect immediately if you are not an     *
+  * authorized user of this system.                                            *
+  ------------------------------------------------------------------------------
+
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these

doc/metadata/rhel7/V-71861.rst

@@ -1,9 +1,28 @@
 ---
 id: V-71861
 status: implemented
-tag: sshd
+tag: graphical
 ---
 
-This control is implemented by the tasks for another control:
+The security role configures a login banner for graphical logins using
+``dconf``. Deployers can opt out of this change by setting the following
+Ansible variable:
 
-* :ref:`stig-V-72225`
+.. code-block:: yaml
+
+    security_enable_graphical_login_message: no
+
+The message is customized by setting another Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_graphical_login_message_text: >
+        You are accessing a secured system and your actions will be logged along
+        with identifying information. Disconnect immediately if you are not an
+        authorized user of this system.
+
+.. note::
+
+    The space available for the graphical banner is relatively short. Deployers
+    should limit the length of their graphical login banners to the shortest
+    length possible.

doc/metadata/rhel7/V-71863.rst

@@ -4,6 +4,7 @@ status: implemented
 tag: misc
 ---
 
-The STIG requires a standardized login banner for all command line user logins.
-The security role deploys a default banner from ``files/login_banner.txt`` to
-``/etc/issue`` on the system.
+The security role already deploys a login banner for console logins with tasks
+from another STIG:
+
+* :ref:`stig-V-V-7225`

doc/metadata/rhel7/V-72225.rst

@@ -15,5 +15,14 @@ following Ansible variable:
 
     security_sshd_banner_file: /etc/motd
 
-The text of the banner file is configurable by editing
-``files/login_banner.txt`` in the security role.
+The message is customized with the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_login_banner_text: |
+      ------------------------------------------------------------------------------
+      * WARNING                                                                    *
+      * You are accessing a secured system and your actions will be logged along   *
+      * with identifying information. Disconnect immediately if you are not an     *
+      * authorized user of this system.                                            *
+      ------------------------------------------------------------------------------

releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Deployers can provide a customized login banner via a new Ansible variable:
+    ``security_login_banner_text``. This banner text is used for non-graphical
+    logins, which includes console and ssh logins.

tasks/rhel7stig/misc.yml

@@ -406,12 +406,3 @@
     - high
     - misc
     - V-72313
-
-- name: V-71863 - Display a login banner for console prompts
-  copy:
-    src: login_banner.txt
-    dest: /etc/issue.net
-  tags:
-    - medium
-    - misc
-    - V-71863

tasks/rhel7stig/sshd.yml

@@ -30,7 +30,7 @@
 
 - name: Copy login warning banner
   copy:
-    src: login_banner.txt
+    content: "{{ security_login_banner_text }}"
     dest: "{{ security_sshd_banner_file }}"
     owner: root
     group: root