From 005fa52c66544f05f8ac88e7f0a873c2d2e1cfdc Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 5 Apr 2017 08:32:34 -0500
Subject: [PATCH] Make login banner customizable

This patch makes it easier for deployers to customize their login banner and it also fixes some documentation bugs around how to configure the graphical login banner.

Closes-bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c
---
 defaults/main.yml | 9 +++++++
 doc/metadata/rhel7/V-71861.rst | 25 ++++++++++++++++---
 doc/metadata/rhel7/V-71863.rst | 7 +++---
 doc/metadata/rhel7/V-72225.rst | 13 ++++++++--
 ...-login-banner-string-d8d5ae874e8e49f3.yaml | 6 +++++
 tasks/rhel7stig/misc.yml | 9 -------
 tasks/rhel7stig/sshd.yml | 2 +-
 7 files changed, 53 insertions(+), 18 deletions(-)
 create mode 100644 releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index a3ac75b7..4e91c5eb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -564,6 +564,15 @@ security_rhel7_session_timeout: 600 # V-72223
 security_rhel7_enable_chrony: yes # V-72269
 # Restrict mail relaying.
 security_rhel7_restrict_mail_relaying: yes # V-72297
+# Deploy a login banner. # V-72225 / V-71863
+security_login_banner_text: |
+ ------------------------------------------------------------------------------
+ * WARNING *
+ * You are accessing a secured system and your actions will be logged along *
+ * with identifying information. Disconnect immediately if you are not an *
+ * authorized user of this system. *
+ ------------------------------------------------------------------------------
+
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/V-71861.rst b/doc/metadata/rhel7/V-71861.rst
index 8aee5f10..e196b71c 100644
--- a/doc/metadata/rhel7/V-71861.rst
+++ b/doc/metadata/rhel7/V-71861.rst
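Review bot: The new `security_login_banner_text` default in the defaults/main.yml hunk is introduced with only `# Deploy a login banner.` above it, which does not tell a deployer that the `|` block scalar is written verbatim with exactly one trailing newline (the blank `+` line after the last dashed line is folded into that single newline by clip chomping rather than adding a second one) or which file receives it; a comment such as `# Written verbatim, with one trailing newline, to the file named by security_sshd_banner_file.` would cover that. The key also drops the `security_rhel7_` prefix carried by every neighbouring key in this hunk, which may be deliberate if the variable is meant to be shared across distributions, but is worth stating in the same comment. Separately, the V-71863.rst hunk's cross-reference `:ref:`stig-V-V-7225`` looks like a typo for `stig-V-72225` and would leave a broken link in the rendered documentation.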
@@ -1,9 +1,28 @@
 ---
 id: V-71861
 status: implemented
-tag: sshd
+tag: graphical
 ---
 
-This control is implemented by the tasks for another control:
+The security role configures a login banner for graphical logins using
+``dconf``. Deployers can opt out of this change by setting the following
+Ansible variable:
 
-* :ref:`stig-V-72225`
+.. code-block:: yaml
+
+ security_enable_graphical_login_message: no
+
+The message is customized by setting another Ansible variable:
+
+.. code-block:: yaml
+
+ security_enable_graphical_login_message_text: >
+ You are accessing a secured system and your actions will be logged along
+ with identifying information. Disconnect immediately if you are not an
+ authorized user of this system.
+
+.. note::
+
+ The space available for the graphical banner is relatively short. Deployers
+ should limit the length of their graphical login banners to the shortest
+ length possible.
diff --git a/doc/metadata/rhel7/V-71863.rst b/doc/metadata/rhel7/V-71863.rst
index 70d01204..6f0c8de0 100644
--- a/doc/metadata/rhel7/V-71863.rst
+++ b/doc/metadata/rhel7/V-71863.rst
@@ -4,6 +4,7 @@ status: implemented
 tag: misc
 ---
 
-The STIG requires a standardized login banner for all command line user logins.
-The security role deploys a default banner from ``files/login_banner.txt`` to
-``/etc/issue`` on the system.
+The security role already deploys a login banner for console logins with tasks
+from another STIG:
+
+* :ref:`stig-V-V-7225`
diff --git a/doc/metadata/rhel7/V-72225.rst b/doc/metadata/rhel7/V-72225.rst
index 2c8eed19..ff131710 100644
--- a/doc/metadata/rhel7/V-72225.rst
+++ b/doc/metadata/rhel7/V-72225.rst
@@ -15,5 +15,14 @@ following Ansible variable:
 
 security_sshd_banner_file: /etc/motd
 
-The text of the banner file is configurable by editing
-``files/login_banner.txt`` in the security role.
+The message is customized with the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_login_banner_text: |
+ ------------------------------------------------------------------------------
+ * WARNING *
+ * You are accessing a secured system and your actions will be logged along *
+ * with identifying information. Disconnect immediately if you are not an *
+ * authorized user of this system. *
+ ------------------------------------------------------------------------------
diff --git a/releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml b/releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml
new file mode 100644
index 00000000..08fefdd0
--- /dev/null
+++ b/releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Deployers can provide a customized login banner via a new Ansible variable:
+ ``security_login_banner_text``. This banner text is used for non-graphical
+ logins, which includes console and ssh logins.
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 34fd1749..68d0ea57 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -406,12 +406,3 @@
 - high
 - misc
 - V-72313
-
-- name: V-71863 - Display a login banner for console prompts
- copy:
- src: login_banner.txt
- dest: /etc/issue.net
- tags:
- - medium
- - misc
- - V-71863
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 6f417dee..6bafe142 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -30,7 +30,7 @@
 
 - name: Copy login warning banner
 copy:
- src: login_banner.txt
+ content: "{{ security_login_banner_text }}"
 dest: "{{ security_sshd_banner_file }}"
 owner: root
 group: root
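Review bot: With `content: "{{ security_login_banner_text }}"` the banner now lands only in `security_sshd_banner_file` (shown as `/etc/motd` in the V-72225.rst hunk), and the V-71863 task deleted from misc.yml was the part of this role that wrote `/etc/issue.net`, so nothing left in this diff writes `/etc/issue`, which is what a getty shows before a console login (`/etc/motd` is shown after authentication). Unless a task outside this diff covers it, the release note's statement that the variable applies to console logins does not hold and the V-71863 console-banner control regresses; reinstating the removed task in misc.yml with `content:` instead of `src:` and `/etc/issue` as the destination keeps the single variable authoritative for both paths. Because `content:` goes through the templater, a deployer-supplied banner containing Jinja delimiters will presumably be rendered rather than copied literally, which a short comment on the task could mention. The remainder of this copy task (any `mode` or `notify`) lies outside the hunk.
```yaml
- name: V-71863 - Display a login banner for console prompts
  copy:
    content: "{{ security_login_banner_text }}"
    dest: /etc/issue
    owner: root
    group: root
  tags:
    - medium
    - misc
    - V-71863
```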