Disable dynamic motd message

Right now default cloud images of Ubuntu does contain dynamic MOTD by default, that takes around extra 0.4 sec for establishing connection. Disabiling MOTD should improve responsivness of hosts and speedup ansible execution as well. With that we're keeping static MOTD that has no impact on connection speed. Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
2023-10-26 10:25:27 +02:00 · 2023-10-26 10:25:27 +02:00 · b31cd46c18
commit b31cd46c18
parent abfa76ba93
3 changed files with 14 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -334,6 +334,8 @@ security_sshd_disallow_host_based_auth: yes                  # V-71959
 security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
 # Specify a text file to be displayed as the banner/MOTD for all sessions.
 security_sshd_banner_file: /etc/motd                         # V-71861 / V-72225
+# Disable dynamic MOTD banner that is provided by /run/motd.dynamic
+security_sshd_dynamic_banner_disable: True
 # Set the interval for max session length and the number of intervals to allow.
 security_sshd_client_alive_interval: 600                     # V-72237
 security_sshd_client_alive_count_max: 0                      # V-72241
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@ -148,3 +148,11 @@
    - medium
    - sshd
    - V-72257
+
+- name: Remove motd from pam.d
+  lineinfile:
+    path: /etc/pam.d/sshd
+    regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
+    line: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
+    backrefs: yes
+  when: security_sshd_dynamic_banner_disable | bool
--- a/vars/main.yml
+++ b/vars/main.yml
@ -430,3 +430,7 @@ sshd_settings_rhel7:
    value: "yes"
    enabled: "{{ security_sshd_enable_strict_modes | bool }}"
    stig_id: V-72263
+  - name: PrintMotd
+    value: "{{ (security_sshd_dynamic_banner_disable | bool) | ternary('yes', 'no') }}"
+    enabled: true
+    stig_id: V-71861