From 3fa6fd216fcd30447653dcc9b6e21de6bc85a852 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 1 Dec 2016 08:07:47 -0600
Subject: [PATCH] Display MOTD warning banner [+Docs]

The previous work done for RHEL-07-040170 didn't work properly on Ubuntu 16.04 due to the way the /etc/issue.net file is read. The login banner is now deployed to /etc/motd by default to make it work properly for all distributions. This also covers the requirements for RHEL-07-010040. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I417449837eaecb311abd3fbcda326deba6643886
---
 defaults/main.yml | 2 +-
 doc/metadata/rhel7/RHEL-07-010040.rst | 4 +++-
 doc/metadata/rhel7/RHEL-07-040170.rst | 17 +++++++++++++----
 tasks/rhel7stig/sshd.yml | 3 ++-
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 4e52813b..5da520fe 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -549,7 +549,7 @@ security_sshd_disallow_host_based_auth: yes # RHEL-07-010442
 # Set a list of allowed ssh ciphers.
 security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
 # Specify a text file to be displayed as the banner/MOTD for all sessions.
-security_sshd_banner_file: /etc/issue.net # RHEL-07-040170
+security_sshd_banner_file: /etc/motd # RHEL-07-010040 / RHEL-07-040170
 # Set the interval for max session length and the number of intervals to allow.
 security_sshd_client_alive_interval: 600 # RHEL-07-040190
 security_sshd_client_alive_count_max: 0 # RHEL-07-040191
diff --git a/doc/metadata/rhel7/RHEL-07-010040.rst b/doc/metadata/rhel7/RHEL-07-010040.rst
index 77ecf584..4d012da2 100644
--- a/doc/metadata/rhel7/RHEL-07-010040.rst
+++ b/doc/metadata/rhel7/RHEL-07-010040.rst
@@ -4,4 +4,6 @@ status: not implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control:
+
+* :ref:`stig-RHEL-07-040170`
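Review bot: Switching the default of `security_sshd_banner_file` from /etc/issue.net to /etc/motd changes when the notice is shown, not just where it lives: the removed documentation on this page says the old path was wired into sshd's `Banner` directive (shown before authentication), while the new documentation says /etc/motd is displayed after a successful login, and as I recall the check text for both RHEL-07-040170 and RHEL-07-010040 expects the banner at the logon prompt, i.e. before access is granted. If this same variable still feeds the `Banner` line written by the sshd configuration task later in tasks/rhel7stig/sshd.yml (not visible in this diff), ssh users will now see the notice twice, once pre-auth from sshd and once post-login from pam_motd, and console users will see it only after they are already logged in. Consider keeping a pre-authentication path for `Banner` and a separate variable for the MOTD copy, and make the inline comment say which control each path satisfies, e.g. `security_sshd_banner_file: /etc/motd # RHEL-07-010040 (shown post-login by pam_motd); pre-auth Banner covers RHEL-07-040170`. The same concern applies to the copy task dest in the tasks/rhel7stig/sshd.yml hunk of this change.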
diff --git a/doc/metadata/rhel7/RHEL-07-040170.rst b/doc/metadata/rhel7/RHEL-07-040170.rst
index bb309995..83fe5216 100644
--- a/doc/metadata/rhel7/RHEL-07-040170.rst
+++ b/doc/metadata/rhel7/RHEL-07-040170.rst
@@ -4,7 +4,16 @@ status: implemented
 tag: sshd
 ---
 
-The ``Banner`` configuration is set to ``/etc/issue.net`` in
-``/etc/ssh/sshd_config`` and sshd is restarted. In addition, the
-``files/login_banner.txt`` file is copied from the openstack-ansible-security
-role directory to ``/etc/issue.net`` on each host.
+The tasks in the security role deploy a standard notice and consent banner into
+``/etc/motd`` on each server. Ubuntu, CentOS and Red Hat Enterprise Linux
+display this banner after each successful login via ssh or the console.
+
+Deployers can choose a different destination for the banner by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+ security_sshd_banner_file: /etc/motd
+
+The text of the banner file is configurable by editing
+``files/login_banner.txt`` in the security role.
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 56f9cd0b..b5f4fad9 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -28,7 +28,7 @@
 - always
 - sshd
 
-- name: RHEL-07-040170 - Copy login warning banner
+- name: Copy login warning banner
 copy:
 src: login_banner.txt
 dest: "{{ security_sshd_banner_file }}"
@@ -37,6 +37,7 @@
 tags:
 - high
 - sshd
+ - RHEL-07-010040
 - RHEL-07-040170
 
 - name: Adjust ssh server configuration based on STIG requirements