diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml
index 9c0756c3efa1..c065f65c5eb2 100644
--- a/controls/ccn_ol9.yml
+++ b/controls/ccn_ol9.yml
@@ -623,10 +623,15 @@ controls:
 - banner_etc_motd
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - sshd_enable_warning_banner_net
 - login_banner_text=cis_default
+ - login_banner_contents=cis_default
 - motd_banner_text=cis_default
+ - motd_banner_contents=cis_default
 - remote_login_banner_text=cis_default
+ - remote_login_banner_contents=cis_default
 - id: A.11.SEC-OL5
 title: Network Acess to the System is Controlled
diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml
index 666a5322499e..ffb74aa0621b 100644
--- a/controls/cis_al2023.yml
+++ b/controls/cis_al2023.yml
@@ -468,6 +468,7 @@ controls:
 rules:
 - banner_etc_motd
 - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: 1.7.2
 title: Ensure local login warning banner is configured properly (Automated)
@@ -477,6 +478,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: 1.7.3
 title: Ensure remote login warning banner is configured properly (Automated)
@@ -486,6 +488,7 @@ controls:
 rules:
 - banner_etc_issue_net
 - remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
 - id: 1.7.4
 title: Ensure permissions on /etc/motd are configured (Automated)
diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml
index 29fa4bd9b124..6d7189ce2877 100644
--- a/controls/cis_almalinux9.yml
+++ b/controls/cis_almalinux9.yml
@@ -691,7 +691,8 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
 - id: 1.8.3
 title: Ensure GDM disable-user-list option is enabled (Automated)
diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml
index 8e0208f77309..6ffb09b7dda3 100644
--- a/controls/cis_debian12.yml
+++ b/controls/cis_debian12.yml
@@ -540,7 +540,8 @@ controls:
 - l1_server
 - l1_workstation
 rules:
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
index 3f76e1c78eb6..8821c83a893d 100644
--- a/controls/cis_fedora.yml
+++ b/controls/cis_fedora.yml
@@ -710,7 +710,8 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
 - id: 1.8.2
 title: Ensure GDM disable-user-list is configured (Automated)
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index d842d6e6c3c6..3e4d682ce3e6 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -457,6 +457,7 @@ controls:
 rules:
 - banner_etc_motd
 - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: 1.8.1.2
 title: Ensure local login warning banner is configured properly (Automated)
@@ -467,6 +468,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: 1.8.1.3
 title: Ensure remote login warning banner is configured properly (Automated)
@@ -477,6 +479,7 @@ controls:
 rules:
 - banner_etc_issue_net
 - remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
 - id: 1.8.1.4
 title: Ensure permissions on /etc/motd are configured (Automated)
@@ -535,7 +538,8 @@ controls:
 - dconf_gnome_disable_user_list
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - id: 2.1.1
 title: Ensure xinetd is not installed (Automated)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 97c61f63374e..bf92b28d52f3 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -455,6 +455,7 @@ controls:
 rules:
 - banner_etc_motd
 - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: 1.8.1.2
 title: Ensure local login warning banner is configured properly (Automated)
@@ -465,6 +466,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: 1.8.1.3
 title: Ensure remote login warning banner is configured properly (Automated)
@@ -475,6 +477,7 @@ controls:
 rules:
 - banner_etc_issue_net
 - remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
 - id: 1.8.1.4
 title: Ensure permissions on /etc/motd are configured (Automated)
@@ -532,7 +535,8 @@ controls:
 - enable_dconf_user_profile
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - id: 2.1.1
 title: Ensure xinetd is not installed (Automated)
diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml
index 84f3287f32ee..997016fd1e97 100644
--- a/controls/cis_ubuntu2204.yml
+++ b/controls/cis_ubuntu2204.yml
@@ -528,7 +528,8 @@ controls:
 - l1_server
 - l1_workstation
 rules:
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 58c756c81c9d..d4e1dfde39c3 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -561,7 +561,8 @@ controls:
 - l1_server
 - l1_workstation
 rules:
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml
index 73dca83f3e70..f637cbbd87d4 100644
--- a/controls/general_sle15.yml
+++ b/controls/general_sle15.yml
@@ -470,6 +470,7 @@ controls:
 rules:
 - banner_etc_motd
 - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: SLES-15-151050030
 title: Modify the System Login Banner
@@ -479,6 +480,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: SLES-15-151050045
 title: Modify the System Login Banner for Remote Connections
@@ -488,6 +490,7 @@ controls:
 rules:
 - banner_etc_issue_net
 - remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
 - id: SLES-15-151050060
 title: Configure access to the Message of the Day Banner
@@ -535,7 +538,8 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
+ - dconf_login_banner_contents=cis_default
 - id: SLES-15-151200135
 title: Disable the GDM Login User List
diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml
index 8a83a0b428fb..ac887def5ee4 100644
--- a/controls/general_slmicro5.yml
+++ b/controls/general_slmicro5.yml
@@ -269,6 +269,7 @@ controls:
 rules:
 - banner_etc_motd
 - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: SLEM-5-SET-08010200
 title: Modify the System Login Banner
@@ -278,6 +279,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: SLEM-5-SET-08010300
 title: Modify the System Login Banner for Remote Connections
@@ -287,6 +289,7 @@ controls:
 rules:
 - banner_etc_issue_net
 - remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
 - id: SLEM-5-SET-08010400
 title: Verify Ownership and Permissions of/on Message of the Day Banner
@@ -1021,6 +1024,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
 - sshd_enable_warning_banner
 status: automated
diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml
index 02690cb34dc1..6bee855d39fa 100644
--- a/controls/nist_rhcos4.yml
+++ b/controls/nist_rhcos4.yml
@@ -1228,6 +1228,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
 description: "The information system:\n a. Displays to users [Assignment: organization-defined\
 \ system use notification message or banner] before granting access to the system that provides\
 \ privacy and security notices consistent with applicable federal laws, Executive Orders, directives,\
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
index 5be978311df7..c44f13af6f94 100644
--- a/controls/srg_gpos.yml
+++ b/controls/srg_gpos.yml
@@ -26,5 +26,6 @@ controls:
 - var_accounts_authorized_local_users_regex=rhel9
 - var_account_disable_post_pw_expiration=35
 - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
 - var_authselect_profile=sssd
 - var_auditd_name_format=stig
diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml
index 8e101a908189..785c64550d9e 100644
--- a/controls/std_kylinserver10.yml
+++ b/controls/std_kylinserver10.yml
@@ -119,6 +119,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: 1.14
 title: ensure-message-of-the-day-is-configured-properly
@@ -127,7 +128,8 @@ controls:
 status: automated
 rules:
 - banner_etc_motd
- - login_banner_text=cis_banners
+ - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: 1.15
 title: Ensure sshd PermitRootLogin is disabled (Automated)
diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml
index 06aa7e4656de..b08775cbce91 100644
--- a/controls/std_tencentos4.yml
+++ b/controls/std_tencentos4.yml
@@ -114,6 +114,7 @@ controls:
 rules:
 - banner_etc_motd
 - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
 - id: 1.4.2
 title: Ensure local login warning banner is configured properly
@@ -123,6 +124,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - id: 1.4.3
 title: Ensure remote login warning banner is configured properly
@@ -132,6 +134,7 @@ controls:
 rules:
 - banner_etc_issue_net
 - remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
 - id: 1.4.4
 title: Ensure permissions on /etc/motd are configured
diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
index 9d8522165fb6..1e0f2d1511f8 100644
--- a/controls/stig_ol9.yml
+++ b/controls/stig_ol9.yml
@@ -53,6 +53,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=dod_default
+ - login_banner_contents=dod_default
 status: automated
 - id: OL09-00-000020
@@ -1972,7 +1973,8 @@ controls:
 or remote access to the system via a graphical user logon.
 rules:
 - dconf_gnome_login_banner_text
- - login_banner_text=dod_default
+ - dconf_login_banner_text=dod_default
+ - dconf_login_banner_contents=dod_default
 - id: OL09-00-002122
 levels:
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index d39b265fff84..dbc58b097ca7 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -36,6 +36,7 @@ controls:
 rules:
 - banner_etc_issue
 - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
 status: automated
 - id: SLEM-05-211025
diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml
index f22733c254ee..c830866ac571 100644
--- a/controls/stig_ubuntu2204.yml
+++ b/controls/stig_ubuntu2204.yml
@@ -551,6 +551,7 @@ controls:
 - medium
 rules:
 - remote_login_banner_text=dod_banners
+ - remote_login_banner_contents=dod_default
 - sshd_enable_warning_banner_net
 - banner_etc_issue_net
 status: automated
@@ -653,7 +654,8 @@ controls:
 levels:
 - medium
 rules:
- - login_banner_text=dod_banners
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml
index cb85dc34866e..47c7e37b5d3c 100644
--- a/controls/stig_ubuntu2404.yml
+++ b/controls/stig_ubuntu2404.yml
@@ -441,6 +441,7 @@ controls:
 - medium
 rules:
 - remote_login_banner_text=dod_banners
+ - remote_login_banner_contents=dod_default
 - sshd_enable_warning_banner_net
 - banner_etc_issue_net
 status: automated
@@ -461,7 +462,8 @@ controls:
 levels:
 - medium
 rules:
- - login_banner_text=dod_banners
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index 7b15061e7aa4..c1f5e665bf57 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,15 +1,15 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux
+# platform = multi_platform_all
 # reboot = false
 # strategy = unknown
 # complexity = low
 # disruption = medium
-{{{ ansible_instantiate_variables("login_banner_text") }}}
+{{{ ansible_instantiate_variables("login_banner_contents") }}}
 {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] -%}}
 - name: "{{{ rule_title }}} - Ensure Correct Banner"
 ansible.builtin.copy:
 dest: /etc/issue
- content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
+ content: "{{ login_banner_contents | replace('\\n', '\n') }}\n"
 {{%- else -%}}
 - name: {{{ rule_title }}} Ensure issue-generator is Installed
 ansible.builtin.package:
@@ -19,7 +19,7 @@
 - name: "{{{ rule_title }}} - Ensure Correct Banner"
 ansible.builtin.copy:
 dest: /etc/issue.d/99-oscap-setting
- content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
+ content: "{{ login_banner_contents | replace('\\n', '\n') }}\n"
 - name: "{{{ rule_title }}} - Restart issue-generator Service on Issue Configuration Change"
 ansible.builtin.systemd:
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 177d34e2a3b7..6d0e75f418fa 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
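Review bot: The new `content: "{{ login_banner_contents | replace('\\n', '\n') }}\n"` relies on two escape layers that may cancel each other: YAML double-quote processing already turns `\\n` into a two-character backslash-n and `\n` into a real newline before Ansible's Jinja sees the expression, and Jinja string literals apply their own backslash decoding, so the first argument to `replace` may itself arrive as a newline and the filter become a no-op, leaving literal `\n` sequences in /etc/issue for a multi-line value such as `dod_default`. This is worth confirming by running the ansible remediation against the multi-line value in the new custom_banner tests rather than only the bash one; if it is a no-op, doubling the escapes so that Jinja rather than YAML does the decoding, `content: "{{ login_banner_contents | replace('\\\\n', '\\n') }}\n"`, fixes it. The removed macro also folded the banner at 80 columns, which the new expression does not; a comment such as `# The value is written verbatim (no 80-column fold); the check is a regex, so line wrapping is not required.` would record that this is intended. The same expression appears in the banner_etc_issue_net and banner_etc_motd ansible hunks below.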
@@ -1,31 +1,11 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
+# platform = multi_platform_all
-read -r -d '' login_banner_text <<'EOF' || true
-(bash-populate login_banner_text)
-EOF
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
-{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
-formatted=$(echo "$login_banner_text" | fold -sw 80)
+login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g')
 {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] %}}
-cat </etc/issue
-$formatted
-EOF
+echo "$login_banner_contents" > /etc/issue
 {{%- else %}}
 {{{ bash_package_install("issue-generator") }}}
-cat </etc/issue.d/99-oscap-setting
-$formatted
-EOF
+echo "$login_banner_contents" > /etc/issue.d/99-oscap-setting
 {{{ bash_service_command("restart", "issue-generator") }}}
 {{%- endif -%}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
index bc0f5a7a0872..ce541f31864c 100644
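Review bot: The populated banner is now interpolated into a double-quoted bash string, `login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g')`, so if the value is inserted verbatim (as the removed quoted heredoc form assumed) a banner containing `"`, `$` or a backtick breaks the script or is expanded by the shell at remediation time, and `echo "$login_banner_contents"` additionally treats a banner that begins with `-n` or `-e` as an option. Keeping the `read -r -d '' … <<'EOF'` heredoc from the removed code and writing with `printf '%s\n'` avoids both. The 80-column `fold -sw 80` is also dropped, so a paragraph-style value such as `dod_default` lands as one long line; presumably acceptable since the check is a regex, but worth a comment. The same pattern is used in the banner_etc_issue_net and banner_etc_motd bash hunks below.
```shell
# Read the populated value through a quoted heredoc so shell metacharacters in the banner stay literal.
read -r -d '' login_banner_contents <<'EOF' || true
(bash-populate login_banner_contents)
EOF
# The XCCDF value carries literal "\n" sequences; turn them into real newlines.
login_banner_contents=$(printf '%s' "$login_banner_contents" | sed 's/\\n/\n/g')
{{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] %}}
printf '%s\n' "$login_banner_contents" > /etc/issue
{{%- else %}}
# … unchanged: issue-generator package install …
printf '%s\n' "$login_banner_contents" > /etc/issue.d/99-oscap-setting
# … unchanged: issue-generator restart …
```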
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
index 2b775d15e0eb..0623faba0be8 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$
+# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't.
 # dod_short banner
 echo "Hello, how are you" > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
index 3b8a52eed5d8..b3ea66d844d9 100644
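Review bot: The expected CIS banner in this test changes from `uses` to `users`, but the `cis_default` option of the new dconf_login_banner_contents.var further down in this commit still reads `'Authorized uses only. All activity may be monitored and reported.'` while its `default` option reads `users`. The control files pair `*_banner_text=cis_banners` with `*_banner_contents=cis_default`, so if the `cis_banners` regex expects `users` (as the regex in the new banner_etc_issue_net tests does), remediating with that selector writes a banner the check then rejects; the option should read `cis_default: 'Authorized users only. All activity may be monitored and reported.'`. The sibling `login_banner_contents`, `remote_login_banner_contents` and `motd_banner_contents` variable files are not in this view; if they copy the same text they need the same correction. The same test change appears in the banner_etc_issue_net and banner_etc_motd cis_recommended tests.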
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$
+# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't.
 # dod_short banner
 echo "I've read & consent to terms in IS user agreem't." > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh
new file mode 100644
index 000000000000..59d30c04fdd1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}}
+{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}}
+# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}}
+
+cat > /etc/issue <<'EOF'
+This is a test banner.
+EOF
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh
new file mode 100644
index 000000000000..4b9bd219e47e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}}
+{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}}
+# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}}
+
+cat > /etc/issue <<'EOF'
+{{{ ts_custom_banner }}}
+EOF
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml
index 828a9a9a0c2d..4a880dccde17 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml
@@ -3,9 +3,9 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-{{{ ansible_instantiate_variables("remote_login_banner_text") }}}
+{{{ ansible_instantiate_variables("remote_login_banner_contents") }}}
 - name: "{{{ rule_title }}} - ensure correct banner"
 ansible.builtin.copy:
 dest: /etc/issue.net
- content: '{{{ ansible_deregexify_banner_etc_issue("remote_login_banner_text") }}}'
+ content: "{{ remote_login_banner_contents | replace('\\n', '\n') }}\n"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh
index 52eda0b4a9b6..bef6be11259b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh
@@ -1,21 +1,4 @@
 # platform = multi_platform_all
-{{{ bash_instantiate_variables("remote_login_banner_text") }}}
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("remote_login_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("remote_login_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("remote_login_banner_text") }}}
-# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
-{{{ bash_deregexify_banner_newline("remote_login_banner_text", "\\n") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("remote_login_banner_text") }}}
-formatted=$(echo "$remote_login_banner_text" | fold -sw 80)
-
-cat </etc/issue.net
-$formatted
-EOF
+remote_login_banner_contents=$(echo "(bash-populate remote_login_banner_contents)" | sed 's/\\n/\n/g')
+echo "$remote_login_banner_contents" > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
index a4d328e76565..5d58cbc2588e 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh
new file mode 100644
index 000000000000..4730f4332b42
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported.
+
+echo "System name \s version \s " > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh
new file mode 100644
index 000000000000..c579e36e5942
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported.
+
+echo "This system is rhel." > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh
new file mode 100644
index 000000000000..a78e272e8d67
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported.
+
+# cis_default banner
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
index 252618dedd57..8a3cc3128262 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
@@ -3,9 +3,9 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-{{{ ansible_instantiate_variables("motd_banner_text") }}}
+{{{ ansible_instantiate_variables("motd_banner_contents") }}}
 - name: "{{{ rule_title }}} - ensure correct banner"
 ansible.builtin.copy:
 dest: /etc/motd
- content: '{{{ ansible_deregexify_banner_etc_issue("motd_banner_text") }}}'
+ content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
index f8f5e59a2420..1f8d36fe3ce6 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
@@ -1,21 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
+# platform = multi_platform_all
-{{{ bash_instantiate_variables("motd_banner_text") }}}
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("motd_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("motd_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("motd_banner_text") }}}
-# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
-{{{ bash_deregexify_banner_newline("motd_banner_text", "\\n") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("motd_banner_text") }}}
-formatted=$(echo "$motd_banner_text" | fold -sw 80)
-
-cat </etc/motd
-$formatted
-EOF
+motd_banner_contents=$(echo "(bash-populate motd_banner_contents)" | sed 's/\\n/\n/g')
+echo "$motd_banner_contents" > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
index be13d1d65419..dbfadc63d9ec 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
@@ -15,7 +15,7 @@ /etc/motd - + 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
index 1cacc28d7328..049470d872e4 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
+echo "Authorized users only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
index 8aeedeb1b322..4b7e6447efc9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-# default banner from motd_banner_text.var
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
+# default banner from motd_banner_contents.var
+echo "Authorized users only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
new file mode 100644
index 000000000000..bd366b4da215
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var 
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Login Banner Verbiage'
+
+description: >-
+ Enter an appropriate login banner text for your organization.
+ This variable is used only in remediations.
+ In OVAL checks a regular expression specified in the login_banner_text variable is used instead.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 'Authorized users only. All activity may be monitored and reported.'
+# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
+# There is a generic content in case a remediation is necessary.
+ cis_default: 'Authorized uses only. All activity may be monitored and reported.'
+ dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+ dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
+ dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.'
+ usgcb_default: '-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
new file mode 100644
index 000000000000..0f838c065d56
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
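Review bot: The description of the new `dconf_login_banner_contents.var` sends OVAL readers to `login_banner_text`, but the regex variable introduced alongside it in this change is `dconf_login_banner_text`; the sentence should read `In OVAL checks a regular expression specified in the dconf_login_banner_text variable is used instead.` The title `Login Banner Verbiage` is also indistinguishable from the generic login banner variable, whereas the sibling regex file is titled `Dconf GDM Login Banner Verbiage Regular Expression`; `Dconf GDM Login Banner Verbiage` would make the pair obvious in tailoring tools. `dod_default` is single-quoted YAML, so its `\n` sequences are stored as a literal backslash and `n` and presumably rely on the dconf keyfile (GVariant) parser to turn them into line breaks when the remediation writes them; a one-line comment above that option saying so would stop the next maintainer from "fixing" them into real newlines, which the `>-` block style would then fold away.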
@@ -0,0 +1,33 @@ +documentation_complete: true + +title: Dconf GDM Login Banner Verbiage Regular Expression + +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions + +type: string + +operator: equals + +interactive: true + +options: +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions +# CIS recommends to use "Authorized uses only" for Dconf GDM requirements which is +# different text that in other login banners where CIS recommends "Authorized users only". 
+ cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ +# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters + dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+include
s[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + dod_default: 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]
+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ + dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ + dss_odaa_default: ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+awa
re[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ + usgcb_default: 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml index 33d95980ded9..38bd849f78c4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml @@ -3,7 +3,7 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("dconf_login_banner_contents") }}} - name: "{{{ rule_title }}}" ansible.builtin.file: 
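Review bot: The description says `In remediations the login_banner_contents variable is used instead.`, but the bash and Ansible remediations in this same change read `dconf_login_banner_contents`; it should name that variable. Separately, the second alternative of `cis_banners`, `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, also matches an empty string, so an empty `banner-message-text=''` would satisfy the check if the OVAL compares the raw value against this pattern (the OVAL hunk is not readable here); `.+` instead of `.*` would at least require some text. That alternative also rejects any value containing a backslash, and since the companion `dconf_login_banner_contents` encodes paragraph breaks as literal `\n`, any multi-paragraph custom GDM banner will fail `cis_banners` even though CIS only forbids OS/version details. If the `\\` exclusion was carried over from the `/etc/issue` regex, where backslash escapes such as `\m` or `\r` leak system details, it is probably not wanted for a dconf value and deserves a comment either way.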
@@ -32,7 +32,7 @@
 dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings
 section: org/gnome/login-screen
 option: banner-message-text
- value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}'
+ value: '''{{ dconf_login_banner_contents }}'''
 create: yes
 no_extra_spaces: yes
 register: result_ini
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 930d5fe18189..c686cbe1dbf3 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
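Review bot: `value: '''{{ dconf_login_banner_contents }}'''` wraps the banner in single quotes without escaping apostrophes inside it, so an option such as `dod_short` (`I've read & consent to terms in IS user agreem't.`) produces an unbalanced GVariant string in `00-security-settings` that `dconf update` cannot compile; the removed `ansible_deregexify_banner_dconf_gnome` path presumably dealt with that. Escape before quoting, e.g. `value: "'{{ dconf_login_banner_contents | replace(\"'\", \"\\\\'\") }}'"`. Whether `ini_file` itself re-quotes the value is not visible here, so verify the written keyfile with an apostrophe-bearing banner. The enclosing task starts before this hunk.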
@@ -1,22 +1,5 @@
 # platform = multi_platform_all
-login_banner_text='(bash-populate login_banner_text)'
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
-{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
-# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
-# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
-{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
-
-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}}
+dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" )
+{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}}
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", dconf_gdm_dir, "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh
index 57e577df79b9..4d38311e4e43 100644
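Review bot: `dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" )` routes the populated text through `echo` for no reason: a banner starting with `-n`/`-e` would be eaten as an option and, with `xpg_echo` set, the `\n` sequences of `dod_default` would be expanded; the removed line assigned directly, and `dconf_login_banner_contents="(bash-populate dconf_login_banner_contents)"` is equivalent without those hazards. Because the text now sits inside double quotes, a tailored banner containing `$`, a backtick or `\"` is shell-expanded at remediation time, which the previous single-quoted assignment did not allow; that trade-off (presumably made so apostrophes can appear) deserves a comment. The value is then written as `'${dconf_login_banner_contents}'` with no escaping of embedded apostrophes, so `dod_short` (`I've ... agreem't.`) yields an unparsable GVariant string unless `bash_dconf_settings` escapes it (not visible here); `dconf_login_banner_contents=${dconf_login_banner_contents//\'/\\\'}` before the macro call would cover that.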
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh
@@ -1,28 +1,11 @@
 # platform = multi_platform_ubuntu
-{{{ bash_instantiate_variables("login_banner_text") }}}
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
-{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
-# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
-# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
-{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
-
 {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}}
 {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}}
+dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" )
 # Will do both approach, since we plan to migrate to checks over dconf db. That way, future updates of the tool
 # will pass the check even if we decide to check only for the dconf db path.
-{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${login_banner_text}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${dconf_login_banner_contents}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} # No need to use dconf update, since bash_dconf_settings does that already diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml index 0a6b6a9c829f..4b957be47881 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml @@ -39,9 +39,9 @@ - + - + diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml index 3baac57772f3..208572acae53 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml 
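Review bot: The Ubuntu remediation has the same two issues as the shared one: `dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" )` is a redundant `echo` subshell that can mangle a banner beginning with `-n`/`-e` or, under `xpg_echo`, the `\n` sequences of `dod_default`, and the value is then placed unescaped inside single quotes in both `/etc/gdm3/greeter.dconf-defaults` and the dconf keyfile, so an apostrophe (the `dod_short` option) breaks the GVariant string. Assign directly and escape before the two macro calls: `dconf_login_banner_contents="(bash-populate dconf_login_banner_contents)"` followed by `dconf_login_banner_contents=${dconf_login_banner_contents//\'/\\\'}`. The assignment also now sits between the `bash_enable_dconf_user_profile` calls and the write; harmless, but keeping it next to the platform line groups the variable setup as the old `bash_instantiate_variables` call did.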
@@ -37,9 +37,9 @@ - + - + diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh index 6ff96441acd3..c2caa11732c3 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh 
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE
+or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details.
+EOF
+)
+
+# replace two subsequent newlines with a \n\n and single newlines with a space
+login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g')
 clean_dconf_settings
-add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings"
+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "{{{ dconf_gdm_dir }}}" "00-security-settings"
 add_dconf_lock "org/gnome/login-screen" "banner-message-text" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock"
 dconf update
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh
index 9969fcc6f0d2..c8077d767d35 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh
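Review bot: The heredoc plus `sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g'` that turns the banner into the single-line dconf form is repeated verbatim in `correct_value_stig_wrong_db.fail.sh`; a helper in the already-sourced `$SHARED/dconf_test_functions.sh` (say `dconf_escape_banner` reading the text on stdin) would keep the two tests from drifting apart. The comment above the sed should also say that this is the GNU sed slurp idiom and that a run of three or more newlines is only partly rewritten (the leftover one becomes a space), which is fine for this fixed text but not for arbitrary banners. This is much clearer than the removed `expanded=` sed chain, so the direction is good.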
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE
+or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services
+by attorneys, psychotherapists, or clergy, and their assistants. Such
+communications and work product are private and confidential. See User
+Agreement for details.
+EOF
+)
+
+# replace two subsequent newlines with a \n\n and single newlines with a space
+login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g')
 clean_dconf_settings
-add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "dummy.d" "00-security-settings"
+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "dummy.d" "00-security-settings"
 add_dconf_lock "org/gnome/login-screen" "banner-message-text" "dummy.d" "00-security-settings-lock"
 dconf update
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
index c316d7c8f74b..56eb33cd1061 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -# login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+con
sent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -# expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +# login_banner_contents="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\
n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" +# expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" 
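Review bot: The commented-out block this hunk renames now binds `login_banner_contents` to a regular expression and feeds it through the regex-to-text `sed` pipeline, which contradicts the meaning the same change gives the `*_contents` variables (plain text, "used only in remediations" per login_banner_contents.var). Since the block is dead code in a test that only exercises a missing value, I would delete both commented lines rather than rename them; if it is kept for reference it should take the plain-text `cat <<'EOF'` form used in the correct-value sibling test. The enclosing script continues outside the hunk.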
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh index 9b0d6ebb73f3..8d3f075bdb73 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh index 2ffb8ec5fb19..380397ebba55 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh index cf9bb8d31b34..e013ae2dd447 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh index 07e8cacfd78a..51ac9ff10ab7 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh index 38b8ee45b0a8..28b573bc3a9a 100644 
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh 
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." 
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +dconf_login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." +expanded=$(echo "$dconf_login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh index 6a3b00b8cafa..577d3a876327 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh 
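Review bot: `dconf_login_banner_contents` is assigned a regex-style string (`[\s\n]+` tokens) and then converted back to text with the old `expanded` sed pipeline, but the `*_contents` variables introduced by this change hold plain text, so the fixture contradicts the variable it is named after. I would write the banner as plain text, e.g. a `cat <<'EOF'` heredoc as in the correct-value sibling test, and escape line breaks with the same one-liner, `expanded=$(printf '%s' "$dconf_login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g')`, so the regex-unescaping sed can go. This should not change the outcome of the fail test, since the surrounding "Some text before" / "And some after" is what makes the check fail. The script continues outside the hunk.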
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh @@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="Wrong Banner Text" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Wrong Banner Text" +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh index 7c7d4c073e3d..1c04437538a8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh 
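Review bot: The local is renamed to `login_banner_contents` here while wrapped_banner.fail.sh and the control files use `dconf_login_banner_contents` for the GDM banner; these are shell locals so nothing breaks, but one name across the dconf tests avoids confusion with the /etc/issue variable of the same name. The `expanded=$(echo ... | sed ...)` line is also a no-op for the literal `"Wrong Banner Text"` (nothing for the `[\s\n]`, quote or parenthesis rewrites to match), so the value can be passed directly: `add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'Wrong Banner Text'" "{{{ dconf_gdm_dir }}}" "00-security-settings"`. The script continues outside the hunk.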
@@ -3,8 +3,8 @@ # profiles = xccdf_org.ssgproject.content_profile_stig # packages = dconf,gdm -login_banner_text="Wrong Banner Text" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Wrong Banner Text" +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') {{% if 'ubuntu' not in product %}} source $SHARED/dconf_test_functions.sh diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var new file mode 100644 index 000000000000..d39a75fd02fd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var 
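Review bot: Same pattern as wrong_value.fail.sh: `login_banner_contents="Wrong Banner Text"` is a plain literal, so the regex-unescaping `sed` that follows cannot change it and only keeps a stale helper (including the `tamere` placeholder substitution) alive in one more file. I would drop the `expanded=` line and pass `"'${login_banner_contents}'"` to the `add_dconf_setting` call, which presumably sits further down, outside the hunk. If the sed is meant to stay for parity with the STIG regex tests, a one-line comment saying so would stop the next reader from removing it.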
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var index a8a9e9337576..6a44de843411 100644 --- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var 
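Review bot: The description drops the newline convention that the old login_banner_text.var description carried ("new lines must be expressed by the '\n' character"), yet the multi-line options here (`dod_default`, `dss_odaa_default`, `usgcb_default`) are single-quoted YAML strings in which `\n` is a literal two-character sequence. A tailoring user who types real line breaks, or omits the sequence, gets a different banner from the remediation, and whether the remediation expands `\n` into a newline is not visible in this hunk. I would add to the description: `Please note that new lines must be expressed by the '\n' character sequence, as in the dod_default option.` A short comment that `default` intentionally repeats the `cis_default` wording would also keep the two from drifting apart later.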
@@ -1,21 +1,25 @@ documentation_complete: true -title: 'Login Banner Verbiage' +title: Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. -# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters 
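Review bot: Switching `interactive` to `true` exposes a raw regular expression to tailoring tools, and nothing in the new description warns that the value is matched as a regex: an unescaped `.`, `(`/`)` or `-`, or a missing `^`/`$` anchor (every option listed here is anchored) may silently weaken the check, for instance by accepting the banner as a substring. I would add one sentence to the description: `Regular expression metacharacters in the banner text must be escaped and the expression should be anchored with ^ and $; keep it in sync with login_banner_contents, which the remediation writes, otherwise the remediation will not satisfy this check.` The removed escaping note ("special characters ... must be escaped with '\\'") covered exactly this and should not be lost.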
diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var new file mode 100644 index 000000000000..07fab0040f52 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'MotD Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var index 6c7fff79ebc7..8b6fdbfc7b2d 100644 --- a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var 
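Review bot: The description is copied from login_banner_contents.var and points at the wrong sibling: it says "Enter an appropriate login banner text" and "In OVAL checks a regular expression specified in the login_banner_text variable is used instead", but this is the MOTD variable and its check-side counterpart is `motd_banner_text` (motd_banner_text.var in this same change says "In remediations the motd_banner_contents variable is used instead"). Proposed lines: `Enter an appropriate message-of-the-day banner text for your organization.` and `In OVAL checks a regular expression specified in the motd_banner_text variable is used instead.` The multi-line options also encode line breaks as the literal `\n` sequence inside single-quoted YAML, which the description should state so tailored values follow the same convention.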
@@ -1,27 +1,31 @@ documentation_complete: true -title: 'MotD Banner Verbiage' +title: Motd Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the motd_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. 
# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions - cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ - cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\
n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]
+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\
s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$
- default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
new file mode 100644
index 000000000000..d2b77661b666
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Remote Login Banner Verbiage'
+
+description: >-
+ Enter an appropriate login banner text for your organization.
+ This variable is used only in remediations.
+ In OVAL checks a regular expression specified in the remote_login_banner_text variable is used instead.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 'Authorized users only. All activity may be monitored and reported.'
+# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
+# There is a generic content in case a remediation is necessary.
+ cis_default: 'Authorized users only. All activity may be monitored and reported.'
+ dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or
services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.'
+ dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
+ dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.'
+ usgcb_default: '-- WARNING -- This system is for the use of authorized users only.
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
index 5f64f4f4af63..a4e24de44962
--- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
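Review bot: Every multi-line option in the new `options:` mapping writes its line breaks as the two-character sequence `\n` inside a single-quoted scalar (YAML keeps that literal), yet the description says only "Enter an appropriate login banner text" — and with `interactive: true` this value is exactly what a tailoring file will supply. The old `remote_login_banner_text` description carried the instruction that newlines must be written as `\n`, and this commit drops it from there without moving it here. Suggest appending to the description: `Line breaks in the banner must be written as the two-character sequence \n.` — that presumes the remediation expands the sequence, which the hunk does not show, so confirm against the remediation before wording it that way. `default` and `cis_default` are the same string; a one-line comment stating that they are meant to stay identical (or which one profiles are expected to select) would keep them from drifting apart unnoticed.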
@@ -1,28 +1,31 @@
documentation_complete: true
-title: 'Remote Login Banner Verbiage'
+title: Remote Login Banner Verbiage Regular Expression
-description: |-
- Enter an appropriate login banner for your organization. Please note that new lines must
- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
+description: >-
+ Enter an appropriate login banner regular expression for your organization.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+ This regular expression is used only in OVAL checks.
+ In remediations the remote_login_banner_contents variable is used instead.
+ For information about how to generate banner regular expression for your tailoring files,
+ see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
type: string
operator: equals
-interactive: false
-
+interactive: true
options:
# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
# There is a generic content in case a remediation is necessary.
# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
- cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
- cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters
dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\
n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]
+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\
s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$
- default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile
index 2cf3bfda5a31..69e8d39628fc 100644
--- a/products/anolis23/profiles/standard.profile
+++ b/products/anolis23/profiles/standard.profile
@@ -369,12 +369,14 @@ selections:
## 4.1-ensure-message-of-the-day-is-configured-properly
### Level 1
- banner_etc_motd
- - login_banner_text=cis_banners
+ - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
## 4.2-ensure-local-login-warning-banner-is-configured-properly
### Level 1
- banner_etc_issue
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
## 4.3-ensure-remote-login-warning-banner-is-configured-properly
### Level 1
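Review bot: The second alternative of the new `cis_banners` value, `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, screens for OS names with `.*`, which in PCRE-style engines stops at the first newline unless dot-all is in effect, so a multi-line banner whose distro name sits on its second line would presumably pass the "no technical information" branch, and the nested `^` inside the group is redundant. If the OVAL engine honours PCRE semantics, `^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|(?![\s\S]*(\\|fedora|rhel|sle|ubuntu))[\s\S]*)$` would cover the whole file; confirm that against the checks first. The `\\` member of that group looks intended to reject getty escape sequences such as `\r`/`\m`, and that intent is worth one comment above the line, since it is the part a tailoring user is most likely to strip.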
diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile
index b60cba9e23d0..91f13490b1ab 100644
--- a/products/anolis8/profiles/standard.profile
+++ b/products/anolis8/profiles/standard.profile
@@ -369,12 +369,14 @@ selections:
## 4.1-ensure-message-of-the-day-is-configured-properly
### Level 1
- banner_etc_motd
- - login_banner_text=cis_banners
+ - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
## 4.2-ensure-local-login-warning-banner-is-configured-properly
### Level 1
- banner_etc_issue
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
## 4.3-ensure-remote-login-warning-banner-is-configured-properly
### Level 1
diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile
index 601f0e2375ec..ea79c4506a7e 100644
--- a/products/fedora/profiles/ospp.profile
+++ b/products/fedora/profiles/ospp.profile
@@ -103,11 +103,14 @@ selections:
- rsyslog_remote_loghost
- auditd_audispd_encrypt_sent_records
- login_banner_text=usgcb_default
+ - login_banner_contents=usgcb_default
- sshd_enable_warning_banner
- banner_etc_issue
- sshd_rekey_limit
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
+ - dconf_login_banner_text=usgcb_default
+ - dconf_login_banner_contents=usgcb_default
- audit_rules_login_events_faillock
- audit_rules_login_events_lastlog
- audit_rules_login_events_tallylog
diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile
index 2acb9c798f04..426901de8641 100644
--- a/products/ol7/profiles/ncp.profile
+++ b/products/ol7/profiles/ncp.profile
@@ -36,6 +36,7 @@ extends: ospp
selections:
- installed_OS_is_vendor_supported
- login_banner_text=usgcb_default
+ - login_banner_contents=usgcb_default
- inactivity_timeout_value=15_minutes
- var_password_pam_minlen=15
- accounts_password_all_shadowed
@@ -323,6 +324,8 @@ selections:
- dconf_gnome_disable_wifi_notification
- dconf_gnome_enable_smartcard_auth
- dconf_gnome_login_banner_text
+ - dconf_login_banner_text=usgcb_default
+ - dconf_login_banner_contents=usgcb_default
- dconf_gnome_login_retries
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile
index 133832c72af2..27085939d81a 100644
--- a/products/ol7/profiles/stig.profile
+++ b/products/ol7/profiles/stig.profile
@@ -8,6 +8,7 @@ description: |-
selections:
- login_banner_text=dod_banners
+ - login_banner_contents=dod_default
- inactivity_timeout_value=15_minutes
- var_screensaver_lock_delay=5_seconds
- sshd_idle_timeout_value=10_minutes
@@ -54,6 +55,8 @@ selections:
- dconf_db_up_to_date
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_default
+ - dconf_login_banner_contents=dod_default
- banner_etc_issue
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_lock_locked
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index 9aa7aad5ac4f..622bfa8a1e6b 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -61,6 +61,9 @@ selections:
- var_auditd_disk_full_action=ol8
- var_sssd_certificate_verification_digest_function=sha1
- login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
- var_authselect_profile=sssd
- var_multiple_time_servers=stig
diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile
index 13db15a9530b..a43e6745f40c 100644
--- a/products/openembedded/profiles/expanded.profile
+++ b/products/openembedded/profiles/expanded.profile
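Review bot: The ol7 stig hunk at `@@ -54,6 +55,8 @@` pins the GNOME check to `dconf_login_banner_text=dod_default`, while the console check in the same profile and the ol8, rhel8, rhel9, sle12 and sle15 stig hunks in this commit all pair the GNOME rule with `dconf_login_banner_text=dod_banners`. Unless the OL7 STIG really excludes the short consent banner on the GDM screen this looks like a copy slip, and it would make the GNOME check fail on a system whose banner the console check accepts. If it is deliberate, a comment above the line such as `# OL7 GDM banner must be the full DoD text; the short form is not accepted here` would stop the next person from "fixing" it; the `dconf_login_banner_contents=dod_default` selection is valid either way, since `dod_banners` accepts the full banner.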
@@ -112,8 +112,10 @@ selections:
- service_dovecot_disabled
- banner_etc_motd
- motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
- banner_etc_issue
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
- file_groupowner_etc_motd
- file_owner_etc_motd
- file_permissions_etc_motd
diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
index 37547a454e83..d183617a264b 100644
--- a/products/openembedded/profiles/standard.profile
+++ b/products/openembedded/profiles/standard.profile
@@ -107,8 +107,10 @@ selections:
- service_dovecot_disabled
- banner_etc_motd
- motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
- banner_etc_issue
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
- file_groupowner_etc_motd
- file_owner_etc_motd
- file_permissions_etc_motd
diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 8269196f2993..7f699bed4f29 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -706,7 +706,8 @@ controls:
rules:
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
- id: 1.8.2
title: Ensure GDM disable-user-list is configured (Automated)
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index cbe5d4d6454e..68f020aa956b 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -740,7 +740,8 @@ controls:
rules:
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
- id: 1.8.2
title: Ensure GDM disable-user-list is configured (Automated)
diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml
index a50b9e2e66a3..4c2de6146d37 100644
--- a/products/rhel8/controls/stig_rhel8.yml
+++ b/products/rhel8/controls/stig_rhel8.yml
@@ -67,6 +67,9 @@ controls:
- var_auditd_disk_full_action=rhel8
- var_sssd_certificate_verification_digest_function=sha1
- login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
- var_authselect_profile=sssd
- var_multiple_time_servers=stig
- var_time_service_set_maxpoll=18_hours
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 4e67d3893c0c..cff0b644c55a 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -27,6 +27,7 @@ selections:
- var_password_pam_difok=3
- var_password_pam_unix_remember=5
- var_accounts_user_umask=077
+ - login_banner_contents=usgcb_default
- login_banner_text=usgcb_default
- partition_for_tmp
- partition_for_var
diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml
index 6f0dcc2928f3..84a168b77395 100644
--- a/products/rhel9/controls/ccn_rhel9.yml
+++ b/products/rhel9/controls/ccn_rhel9.yml
@@ -635,11 +635,17 @@ controls:
- banner_etc_issue
- banner_etc_issue_net
- banner_etc_motd
+ - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
- sshd_enable_warning_banner_net
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
- remote_login_banner_text=cis_banners
+ - remote_login_banner_contents=cis_default
- id: A.11.SEC-RHEL5
title: Network Acess to the System is Controlled
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index f73fbd1f6d79..cdcf1807ad14 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -690,7 +690,8 @@ controls:
rules:
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
- id: 1.8.3
title: Ensure GDM disable-user-list option is enabled (Automated)
diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml
index 39bb4a26a47e..554496291306 100644
--- a/products/rhel9/controls/stig_rhel9.yml
+++ b/products/rhel9/controls/stig_rhel9.yml
@@ -25,6 +25,8 @@ controls:
- medium
rules:
- dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
- id: RHEL-09-211010
levels:
- high
@@ -49,6 +51,7 @@ controls:
rules:
- banner_etc_issue
- login_banner_text=dod_banners
+ - login_banner_contents=dod_default
status: automated
- id: RHEL-09-211030
diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile
index ec2dd7bdbfb5..a0c8bc01d309 100644
--- a/products/rhv4/profiles/rhvh-stig.profile
+++ b/products/rhv4/profiles/rhvh-stig.profile
@@ -17,6 +17,7 @@ description: |-
selections:
- installed_OS_is_FIPS_certified
- login_banner_text=dod_banners
+ - login_banner_contents=dod_default
- inactivity_timeout_value=15_minutes
- var_password_pam_minlen=15
- accounts_password_pam_minlen
diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile
index 33b341569721..54f62c322a2f 100644
--- a/products/sle12/profiles/stig.profile
+++ b/products/sle12/profiles/stig.profile
@@ -32,6 +32,9 @@ selections:
- var_password_pam_ucredit=1
- var_accounts_maximum_age_login_defs=60
- login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
#
# Note: must configure "var_accounts_authorized_local_users_regex" when
# "accounts_authorized_local_users" rule is enabled
diff --git a/products/sle15/profiles/pcs-hardening-sap.profile b/products/sle15/profiles/pcs-hardening-sap.profile
index 63231a2b3b34..22c9e487becf 100644
--- a/products/sle15/profiles/pcs-hardening-sap.profile
+++ b/products/sle15/profiles/pcs-hardening-sap.profile
@@ -5,7 +5,7 @@ metadata:
SMEs:
- esampson
-reference: 
+reference:
title: 'Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15'
@@ -24,8 +24,9 @@ selections:
- var_apparmor_mode=complain
- motd_banner_text=cis_banners
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
- remote_login_banner_text=cis_banners
- - login_banner_text=cis_default
+ - remote_login_banner_contents=cis_default
- var_multiple_time_servers=suse
- var_multiple_time_pools=suse
- var_postfix_inet_interfaces=loopback-only
diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile
index 69da010c6d09..0bfc746d362c 100644
--- a/products/sle15/profiles/pcs-hardening.profile
+++ b/products/sle15/profiles/pcs-hardening.profile
@@ -5,7 +5,7 @@ metadata:
SMEs:
- esampson
-reference: 
+reference:
title: 'Public Cloud Hardening for SUSE Linux Enterprise 15'
@@ -31,6 +31,9 @@ selections:
- var_password_pam_delay=4000000
#- login_banner_text=dod_banners
- login_banner_text=cis_banners
+ - login_banner_contents=cis_default
+ - motd_banner_text=cis_banners
+ - motd_banner_contents=cis_default
#
# Note: must configure "var_accounts_authorized_local_users_regex" when
# "accounts_authorized_local_users" rule is enabled
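Review bot: In the sle15 pcs-hardening-sap hunk at `@@ -24,8 +24,9 @@`, `motd_banner_text=cis_banners` is kept but no matching `motd_banner_contents` is selected, whereas the anolis, openembedded and sle15 pcs-hardening hunks in this commit pin all three banners; the motd remediation in this profile will presumably fall back to that variable's built-in default while the local and remote banners are set explicitly. Adding `- motd_banner_contents=cis_default` directly after the motd line keeps the profile consistent with its siblings. Even if the variable's default equals `cis_default` today, as it does for remote_login_banner_contents above, the explicit selection keeps a later change to the default from silently desynchronising the remediation from the check.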
@@ -410,7 +413,7 @@ selections:
 #- package_net-snmp_removed
 #- package_telnet_removed
 #- package_telnet-server_removed
- #### OTHER
+ #### OTHER
 #### can't do at image build time
 #- accounts_authorized_local_users
 #- accounts_max_concurrent_login_sessions
diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile
index e6e28fc03306..37233d8004c5 100644
--- a/products/sle15/profiles/stig.profile
+++ b/products/sle15/profiles/stig.profile
@@ -31,6 +31,9 @@ selections:
 - var_accounts_maximum_age_login_defs=60
 - var_password_pam_delay=4000000
 - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
 #
 # Note: must configure "var_accounts_authorized_local_users_regex" when
 # "accounts_authorized_local_users" rule is enabled
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index acb21b876b66..703560adda42 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -140,6 +140,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -285,7 +287,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 1a8d4a413244..c8adbcf11520 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
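Review bot: In the sle15 stig.profile hunk, `- dconf_login_banner_text=dod_banners` and `- dconf_login_banner_contents=dod_default` are only meaningful if a `dconf_gnome_*` login-banner rule is selected in this profile, and the hunk adds no such rule; the rest of the selections list is outside the hunk, so whether one already exists cannot be confirmed here. If the profile has no GNOME banner rule, these two selections are dead configuration and should either be removed or accompanied by the consuming rule; if it does, a short comment naming that rule above the two lines would document why GUI variables are set in a server-oriented STIG profile.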
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -63,6 +63,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -192,7 +194,6 @@ kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 63186a34c258..5feb1df7b612 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -61,6 +61,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -188,7 +190,6 @@ kernel_module_jffs2_disabled
 kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 221ffac17557..43ecd6581e9d 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -140,6 +140,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
@@ -285,7 +287,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
index d9709ad69bbf..dd157f79d28e 100644
--- a/tests/data/profile_stability/rhel10/stig.profile
+++ b/tests/data/profile_stability/rhel10/stig.profile
@@ -318,6 +318,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_nodev
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
index e5632d66dad0..22c29b3b1a40 100644
--- a/tests/data/profile_stability/rhel10/stig_gui.profile
+++ b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -318,6 +318,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_nodev
 mount_option_boot_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 40ef7718866d..9e30070d1b8f 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -130,6 +130,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -283,7 +285,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index c186914d253b..747124962916 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -63,6 +63,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
@@ -200,7 +202,6 @@ kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index f53d2e0dd714..c6dcbe89a610 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -61,6 +61,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
@@ -197,7 +199,6 @@ kernel_module_jffs2_disabled
 kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_tipc_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index f43c7d9ea9b5..1aeeb3681d3e 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -130,6 +130,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -283,7 +285,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel8/rht-ccp.profile b/tests/data/profile_stability/rhel8/rht-ccp.profile
index 6d06160f5770..4faa19a2b5ec 100644
--- a/tests/data/profile_stability/rhel8/rht-ccp.profile
+++ b/tests/data/profile_stability/rhel8/rht-ccp.profile
@@ -41,6 +41,7 @@ firewalld_sshd_port_enabled
 grub2_password
 kernel_module_dccp_disabled
 kernel_module_sctp_disabled
+login_banner_contents=usgcb_default
 login_banner_text=usgcb_default
 no_empty_passwords
 no_shelllogin_for_systemaccounts
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a07eb83d2943..e6e3561e18a8 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -154,6 +154,8 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -225,6 +227,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 kernel_module_uvcvideo_disabled
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_efi_nosuid
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 52f48890ab39..79544c850455 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -154,6 +154,8 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -225,6 +227,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 kernel_module_uvcvideo_disabled
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nosuid
diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile
index 00b9660909b3..5a07e93c9a1c 100644
--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -66,6 +66,8 @@ dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 directory_permissions_var_log_audit
 enable_authselect
 encrypt_partitions
@@ -90,7 +92,10 @@ inactivity_timeout_value=5_minutes
 kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
@@ -111,6 +116,7 @@ package_telnet-server_removed
 package_tftp-server_removed
 package_usbguard_installed
 package_vsftpd_removed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 selinux_policytype
 selinux_state
diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile
index 00b96ffc1172..b1fb2d97365b 100644
--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -46,6 +46,8 @@ configure_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 enable_authselect
 file_groupowner_grub2_cfg
 file_groupowner_user_cfg
@@ -56,13 +58,17 @@ file_permissions_user_cfg
 firewalld_loopback_traffic_restricted
 firewalld_loopback_traffic_trusted
 grub2_password
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
 mount_option_boot_nosuid
 package_firewalld_installed
 package_usbguard_installed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 service_firewalld_enabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
index 80b4ea6efe36..6f226054e656 100644
--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -55,6 +55,8 @@ dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 directory_permissions_var_log_audit
 enable_authselect
 ensure_root_password_configured
@@ -78,7 +80,10 @@ inactivity_timeout_value=5_minutes
 kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
@@ -98,6 +103,7 @@ package_telnet-server_removed
 package_tftp-server_removed
 package_usbguard_installed
 package_vsftpd_removed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 selinux_policytype
 selinux_state
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 65f2ddc07f7e..c89accc931d2 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -128,6 +128,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -254,7 +256,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index ac83e2c0a321..d40f3e2d8255 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -57,6 +57,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 enable_authselect
@@ -165,7 +167,6 @@ kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fb685c741479..17ffd016a562 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -55,6 +55,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 enable_authselect
@@ -162,7 +164,6 @@ kernel_module_freevxfs_disabled
 kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3fc4bebf0c4a..68a56c55311d 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -128,6 +128,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -254,7 +256,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 17ec849e8914..54b834b2cfd3 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -170,6 +170,8 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -304,6 +306,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_efi_nosuid
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index 35aef8879876..70e9b9c0914b 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -170,6 +170,8 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -304,6 +306,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev