Display MOTD warning banner [+Docs]

The previous work done for RHEL-07-040170 didn't work properly on Ubuntu 16.04 due to the way the /etc/issue.net file is read. The login banner is now deployed to /etc/motd by default to make it work properly for all distributions. This also covers the requirements for RHEL-07-010040. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I417449837eaecb311abd3fbcda326deba6643886
2016-12-01 08:07:47 -06:00
parent 51bd12f03f
commit 3fa6fd216f
4 changed files with 19 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -549,7 +549,7 @@ security_sshd_disallow_host_based_auth: yes                  # RHEL-07-010442
 # Set a list of allowed ssh ciphers.
 security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
 # Specify a text file to be displayed as the banner/MOTD for all sessions.
-security_sshd_banner_file: /etc/issue.net                    # RHEL-07-040170
+security_sshd_banner_file: /etc/motd                         # RHEL-07-010040 / RHEL-07-040170
 # Set the interval for max session length and the number of intervals to allow.
 security_sshd_client_alive_interval: 600                     # RHEL-07-040190
 security_sshd_client_alive_count_max: 0                      # RHEL-07-040191
--- a/doc/metadata/rhel7/RHEL-07-010040.rst
+++ b/doc/metadata/rhel7/RHEL-07-010040.rst
@@ -4,4 +4,6 @@ status: not implemented
 tag: misc
 ---

-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control:
+
+* :ref:`stig-RHEL-07-040170`
--- a/doc/metadata/rhel7/RHEL-07-040170.rst
+++ b/doc/metadata/rhel7/RHEL-07-040170.rst
@@ -4,7 +4,16 @@ status: implemented
 tag: sshd
 ---

-The ``Banner`` configuration is set to ``/etc/issue.net`` in
-``/etc/ssh/sshd_config`` and sshd is restarted. In addition, the
-``files/login_banner.txt`` file is copied from the openstack-ansible-security
-role directory to ``/etc/issue.net`` on each host.
+The tasks in the security role deploy a standard notice and consent banner into
+``/etc/motd`` on each server.  Ubuntu, CentOS and Red Hat Enterprise Linux
+display this banner after each successful login via ssh or the console.
+
+Deployers can choose a different destination for the banner by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_banner_file: /etc/motd
+
+The text of the banner file is configurable by editing
+``files/login_banner.txt`` in the security role.
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -28,7 +28,7 @@
    - always
    - sshd

- name: RHEL-07-040170 - Copy login warning banner
+- name: Copy login warning banner
  copy:
    src: login_banner.txt
    dest: "{{ security_sshd_banner_file }}"
@@ -37,6 +37,7 @@
  tags:
    - high
    - sshd
+    - RHEL-07-010040
    - RHEL-07-040170

 - name: Adjust ssh server configuration based on STIG requirements