From c01bd8c9372d927e97cbe61602d920d408501860 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 11 Feb 2026 16:41:57 +0100
Subject: [PATCH 01/18] Fix a typo

The correct text is "users".
---
 .../tests/banner_etc_issue_net_cis_recommended.pass.sh | 2 +-
 .../tests/banner_etc_motd_cis_recommended.pass.sh | 2 +-
 .../banner_etc_motd/tests/banner_etc_motd_default.pass.sh | 4 ++--
 .../system/accounts/accounts-banners/motd_banner_text.var | 6 +++---
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
index a4d328e76565..5d58cbc2588e 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis

 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
index 1cacc28d7328..049470d872e4 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2

 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
+echo "Authorized users only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
index 8aeedeb1b322..4b7e6447efc9 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash

-# default banner from motd_banner_text.var
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
+# default banner from motd_banner_contents.var
+echo "Authorized users only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
index 6c7fff79ebc7..a71de22c9c6f 100644
--- a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
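Review bot: The rewritten comment `# default banner from motd_banner_contents.var` in banner_etc_motd_default.pass.sh points at a file this commit does not add; in this series motd_banner_contents.var first appears in PATCH 02/18, so at this commit the reference dangles and the "Fix a typo" message does not explain it. Either keep `# default banner from motd_banner_text.var` here and let the commit that introduces the new variable retarget the comment, or say in the commit message that the comment anticipates the new file. The echo line itself is only the uses → users correction and needs nothing further.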
@@ -16,12 +16,12 @@ options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. # How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions - cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ - cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters dod_banners: 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+searc
h,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\
s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ - default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + default: 
^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$

From c664a95e122aced58489f67f1f2f284b6e754a99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 11 Feb 2026 16:46:44 +0100
Subject: [PATCH 02/18] Introduce new variables

These new variables will contain the actual text of the login banner. The variables will be used in multiple rules. They will be used only in remediations, not in OVALs. Using a variable will allow content users to specify the exact login banner text they want to have on the system, in contrast to specifying only regular expressions matching the text.
---
 .../dconf_login_banner_contents.var | 25 +++++++++++++++++++
 .../login_banner_contents.var | 25 +++++++++++++++++++
 .../accounts-banners/motd_banner_contents.var | 25 +++++++++++++++++++
 .../remote_login_banner_contents.var | 25 +++++++++++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var

diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
new file mode 100644
index 000000000000..d4f1b4bc0fc5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
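Review bot: Replacing `uses` with `users` in the `cis_banners`, `cis_default` and `default` patterns of motd_banner_text.var is a behaviour change for already-deployed systems, not only a typo fix: a host that was remediated with the previous text now fails the check until it is remediated again, and the "Fix a typo" commit message does not say so. State the compatibility impact in the commit message or release notes so that users of the CIS profiles understand why a previously passing MOTD starts failing. As a pre-existing aside, the second alternative of `cis_banners`, `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, only inspects the first line of a multi-line banner because `.` does not match a newline, so the "no technical information" intent is presumably weaker than the comment suggests. The enclosing `options:` mapping starts before this hunk.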
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Login Banner Verbiage'
+
+description: >-
+ Enter an appropriate login banner text for your organization.
+ This variable is used only in remediations.
+ In OVAL checks a regular expression specified in the login_banner_text variable is used instead.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 'Authorized users only. All activity may be monitored and reported.'
+# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
+# There is a generic content in case a remediation is necessary.
+ cis_default: 'Authorized users only. All activity may be monitored and reported.'
+ dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+ dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
+ dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.'
+ usgcb_default: '-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var
new file mode 100644
index 000000000000..d39a75fd02fd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var
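Review bot: The `\n` sequences inside `dod_default`, `dss_odaa_default` and `usgcb_default` are two literal characters, because a YAML single-quoted scalar does not process backslash escapes, and the description does not say whether a consuming remediation receives that backslash-n to expand or is expected to write it verbatim; the regex side in motd_banner_text.var accepts both forms via `(?:[\n]+|(?:\\n)+)`, so a remediation that picks the wrong one still passes the check on some profiles and fails on others. The same contract question applies to the login_banner_contents.var and motd_banner_contents.var hunks, which additionally hard-wrap every line with `\n`, whereas this dconf variant breaks only between paragraphs; if that difference is deliberate for the GNOME banner-message-text rendering, a one-line comment above `dod_default` would stop the next editor from harmonising them. Suggested addition to the description: `The text is stored verbatim; a literal backslash-n marks a line break and consuming remediations are responsible for translating it.`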
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Login Banner Verbiage'
+
+description: >-
+ Enter an appropriate login banner text for your organization.
+ This variable is used only in remediations.
+ In OVAL checks a regular expression specified in the login_banner_text variable is used instead.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 'Authorized users only. All activity may be monitored and reported.'
+# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
+# There is a generic content in case a remediation is necessary.
+ cis_default: 'Authorized users only. All activity may be monitored and reported.'
+ dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.'
+ dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
+ dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.'
+ usgcb_default: '-- WARNING -- This system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var
new file mode 100644
index 000000000000..07fab0040f52
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var
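Review bot: Nothing in login_banner_contents.var ties the option selected here to the option selected in login_banner_text, yet the check is the regular expression and the remediation is this text; a profile that selects `dod_default` for this variable and `cis_default` for the regex would remediate to a banner that the OVAL then rejects, and the mismatch would only surface as a rule that never passes. The description already explains the remediation/OVAL split, so one more sentence would make the coupling explicit, e.g. `Select the same option name as in login_banner_text so that the remediated text matches the checked regular expression.` While editing that block, `(eg. STIG)` reads better as `(e.g. STIG)`.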
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'MotD Banner Verbiage'
+
+description: >-
+ Enter an appropriate login banner text for your organization.
+ This variable is used only in remediations.
+ In OVAL checks a regular expression specified in the login_banner_text variable is used instead.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 'Authorized users only. All activity may be monitored and reported.'
+# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
+# There is a generic content in case a remediation is necessary.
+ cis_default: 'Authorized users only. All activity may be monitored and reported.'
+ dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.'
+ dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
+ dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.'
+ usgcb_default: '-- WARNING -- This system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
new file mode 100644
index 000000000000..c3d740df9c6f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
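Review bot: The description in motd_banner_contents.var still says the OVAL check uses `login_banner_text`, but this file is the MotD counterpart and the regex variable for MotD on this page is motd_banner_text.var (patched in PATCH 01/18), so a reader configuring the MotD would be sent to the wrong variable. Change the line to `In OVAL checks a regular expression specified in the motd_banner_text variable is used instead.` The same copy-paste presumably affects remote_login_banner_contents.var, whose hunk runs past the end of this excerpt and which would reference its own regex variable rather than login_banner_text.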
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Remote Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or 
services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' From 0337d9fbb01054d36396ac2b957938bac1aa9314 Mon Sep 17 00:00:00 2001 
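Review bot: The description says "In OVAL checks a regular expression specified in the login_banner_text variable is used instead", but this file defines the remote login banner, and the control files touched by this series pair it with a separate regex variable (e.g. `remote_login_banner_text=cis_default` next to it in controls/ccn_ol9.yml), so the sentence looks copied from the local-banner variable. If that reading is right, it should say `In OVAL checks a regular expression specified in the remote_login_banner_text variable is used instead.` It would also help tailoring users to add one sentence stating that a custom value must match that expression, since otherwise the remediation writes a banner the check then rejects.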
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 11 Feb 2026 16:55:43 +0100 Subject: [PATCH 03/18] Use login_banner_contents variable in rule banner_etc_issue Use login_banner_contents variable in remediations in rule banner_etc_issue. Also, add test scenarios to test the ability to parametrize the rule with a custom banner text. --- controls/ccn_ol9.yml | 1 + controls/cis_al2023.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/general_sle15.yml | 1 + controls/general_slmicro5.yml | 2 ++ controls/nist_rhcos4.yml | 1 + controls/srg_gpos.yml | 1 + controls/std_kylinserver10.yml | 1 + controls/std_tencentos4.yml | 1 + controls/stig_ol9.yml | 1 + controls/stig_slmicro5.yml | 1 + .../banner_etc_issue/ansible/shared.yml | 6 ++-- .../banner_etc_issue/bash/shared.sh | 28 +++---------------- .../banner_etc_issue_disa_dod_short.fail.sh | 2 +- .../banner_etc_issue_disa_dod_short.pass.sh | 2 +- .../tests/custom_banner.fail.sh | 8 ++++++ .../tests/custom_banner.pass.sh | 8 ++++++ .../accounts-banners/login_banner_text.var | 16 +++++++---- products/anolis23/profiles/standard.profile | 1 + products/anolis8/profiles/standard.profile | 1 + products/fedora/profiles/ospp.profile | 1 + products/ol7/profiles/ncp.profile | 1 + products/ol7/profiles/stig.profile | 1 + products/ol8/profiles/stig.profile | 1 + .../openembedded/profiles/expanded.profile | 1 + .../openembedded/profiles/standard.profile | 1 + products/rhel10/controls/cis_rhel10.yml | 1 + products/rhel8/controls/cis_rhel8.yml | 1 + products/rhel8/controls/stig_rhel8.yml | 1 + products/rhel8/profiles/rht-ccp.profile | 1 + products/rhel9/controls/ccn_rhel9.yml | 1 + products/rhel9/controls/stig_rhel9.yml | 1 + products/rhv4/profiles/rhvh-stig.profile | 1 + products/sle12/profiles/stig.profile | 1 + products/sle15/profiles/stig.profile | 1 + 36 files changed, 65 insertions(+), 35 deletions(-) create mode 100644 
linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index 9c0756c3efa1..d2496dc37af2 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -625,6 +625,7 @@ controls: - dconf_gnome_login_banner_text - sshd_enable_warning_banner_net - login_banner_text=cis_default + - login_banner_contents=cis_default - motd_banner_text=cis_default - remote_login_banner_text=cis_default diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 666a5322499e..af8a7013daf7 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -477,6 +477,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.7.3 title: Ensure remote login warning banner is configured properly (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index d842d6e6c3c6..57f6f3438318 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -467,6 +467,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.1.3 title: Ensure remote login warning banner is configured properly (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 97c61f63374e..f785c46e7270 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -465,6 +465,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.1.3 title: Ensure remote login warning banner is configured properly (Automated) diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 73dca83f3e70..9d1f03215c02 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml 
@@ -479,6 +479,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: SLES-15-151050045 title: Modify the System Login Banner for Remote Connections diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index 8a83a0b428fb..c63758f12879 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -278,6 +278,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: SLEM-5-SET-08010300 title: Modify the System Login Banner for Remote Connections @@ -1021,6 +1022,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default - sshd_enable_warning_banner status: automated diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml index 02690cb34dc1..6bee855d39fa 100644 --- a/controls/nist_rhcos4.yml +++ b/controls/nist_rhcos4.yml @@ -1228,6 +1228,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default description: "The information system:\n a. Displays to users [Assignment: organization-defined\ \ system use notification message or banner] before granting access to the system that provides\ \ privacy and security notices consistent with applicable federal laws, Executive Orders, directives,\ diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml index 5be978311df7..c44f13af6f94 100644 --- a/controls/srg_gpos.yml +++ b/controls/srg_gpos.yml @@ -26,5 +26,6 @@ controls: - var_accounts_authorized_local_users_regex=rhel9 - var_account_disable_post_pw_expiration=35 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_auditd_name_format=stig diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml index 8e101a908189..fbcb9f3e0d81 100644 --- a/controls/std_kylinserver10.yml +++ b/controls/std_kylinserver10.yml 
@@ -119,6 +119,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.14 title: ensure-message-of-the-day-is-configured-properly diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 06aa7e4656de..7ad7acdc48cd 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -123,6 +123,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.4.3 title: Ensure remote login warning banner is configured properly diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index 9d8522165fb6..256159f7520f 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml @@ -53,6 +53,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_default + - login_banner_contents=dod_default status: automated - id: OL09-00-000020 diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index d39b265fff84..dbc58b097ca7 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -36,6 +36,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: SLEM-05-211025 diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml index 7b15061e7aa4..a43e1b6a25c9 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml 
@@ -3,13 +3,13 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("login_banner_contents") }}} {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] -%}} - name: "{{{ rule_title }}} - Ensure Correct Banner" ansible.builtin.copy: dest: /etc/issue - content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + content: "{{ login_banner_contents | replace('\\n', '\n') }}\n" {{%- else -%}} - name: {{{ rule_title }}} Ensure issue-generator is Installed ansible.builtin.package: @@ -19,7 +19,7 @@ - name: "{{{ rule_title }}} - Ensure Correct Banner" ansible.builtin.copy: dest: /etc/issue.d/99-oscap-setting - content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + content: "{{ login_banner_contents }}\n" - name: "{{{ rule_title }}} - Restart issue-generator Service on Issue Configuration Change" ansible.builtin.systemd: diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh index 177d34e2a3b7..6d0e75f418fa 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh 
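Review bot: In the second hunk the issue-generator branch writes `content: "{{ login_banner_contents }}\n"` without the `replace('\\n', '\n')` filter that the /etc/issue branch applies, so on sle15/slmicro the literal two-character `\n` sequences present in every option of login_banner_contents (dod_default, dss_odaa_default, usgcb_default) would be written to /etc/issue.d/99-oscap-setting as backslash-n text instead of line breaks. The bash remediation in this same commit applies the sed conversion before both branches, so the Ansible side is inconsistent with it. Unless issue-generator itself expands backslash escapes (which I cannot confirm from this diff), the line should read `content: "{{ login_banner_contents | replace('\\n', '\n') }}\n"`.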
@@ -1,31 +1,11 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
+# platform = multi_platform_all
-read -r -d '' login_banner_text <<'EOF' || true
-(bash-populate login_banner_text)
-EOF
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-# (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("login_banner_text") }}}
-# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
-{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
-formatted=$(echo "$login_banner_text" | fold -sw 80)
+login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g')
 {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] %}}
-cat </etc/issue
-$formatted
-EOF
+echo "$login_banner_contents" > /etc/issue
 {{%- else %}}
 {{{ bash_package_install("issue-generator") }}}
-cat </etc/issue.d/99-oscap-setting
-$formatted
-EOF
+echo "$login_banner_contents" > /etc/issue.d/99-oscap-setting
 {{{ bash_service_command("restart", "issue-generator") }}}
 {{%- endif -%}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh
index 2b775d15e0eb..0623faba0be8 100644
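Review bot: `login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g')` interpolates the tailored banner text into a double-quoted bash string, so a customised value containing `"`, `$`, backticks or `\` is parsed by the shell when the remediation runs as root, whereas the removed code kept the value opaque to the shell with a quoted heredoc (`<<'EOF'`). `echo "$login_banner_contents"` then adds the usual echo pitfalls — a value starting with `-n`/`-e` is treated as options and some shells interpret backslashes — which matters more now that the platform line widens to multi_platform_all. The `\n` in the sed replacement is a GNU sed extension as well, so it is worth confirming on any non-GNU targets that widening brings in. Restoring the quoted heredoc and writing with printf keeps the shell out of the banner text; the /etc/issue.d branch needs the same printf.

```shell
read -r -d '' login_banner_contents <<'EOF' || true
(bash-populate login_banner_contents)
EOF
login_banner_contents=$(printf '%s' "$login_banner_contents" | sed 's/\\n/\n/g')
# … unchanged: product branch selection and issue-generator install …
printf '%s\n' "$login_banner_contents" > /etc/issue
# … unchanged: else branch, same printf to /etc/issue.d/99-oscap-setting, service restart …
```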
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ +# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't. # dod_short banner echo "Hello, how are you" > /etc/issue diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh index 3b8a52eed5d8..b3ea66d844d9 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ +# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't. # dod_short banner echo "I've read & consent to terms in IS user agreem't." > /etc/issue diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh new file mode 100644 index 000000000000..59d30c04fdd1 --- /dev/null 
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}} +{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}} +# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}} + +cat > /etc/issue <<'EOF' +This is a test banner. +EOF 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh new file mode 100644 index 000000000000..4b9bd219e47e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}} +{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}} +# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}} + +cat > /etc/issue <<'EOF' +{{{ ts_custom_banner }}} +EOF 
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var index a8a9e9337576..6a44de843411 100644 --- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var 
@@ -1,21 +1,25 @@ documentation_complete: true -title: 'Login Banner Verbiage' +title: Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. -# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters 
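Review bot: The new description explains that this regex is used only by OVAL while login_banner_contents is what the remediation writes, but it does not warn that the two must be tailored together: a tailoring that overrides one and not the other leaves the remediation writing a banner the scan then fails, with no way to converge. That risk grows with the `interactive: false` → `interactive: true` change in this hunk, since the regex is now offered for ad-hoc entry. Suggest appending to the description: `When tailoring this variable, also set login_banner_contents to a text that matches it; otherwise the remediation will produce a banner that this check rejects.`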
diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile index 2cf3bfda5a31..90470b4d6347 100644 --- a/products/anolis23/profiles/standard.profile +++ b/products/anolis23/profiles/standard.profile @@ -375,6 +375,7 @@ selections: ### Level 1 - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default ## 4.3-ensure-remote-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile index b60cba9e23d0..c6500a487a14 100644 --- a/products/anolis8/profiles/standard.profile +++ b/products/anolis8/profiles/standard.profile @@ -375,6 +375,7 @@ selections: ### Level 1 - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default ## 4.3-ensure-remote-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index 601f0e2375ec..4abcc1aee72e 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -103,6 +103,7 @@ selections: - rsyslog_remote_loghost - auditd_audispd_encrypt_sent_records - login_banner_text=usgcb_default + - login_banner_contents=usgcb_default - sshd_enable_warning_banner - banner_etc_issue - sshd_rekey_limit diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile index 2acb9c798f04..29a30bf9aebd 100644 --- a/products/ol7/profiles/ncp.profile +++ b/products/ol7/profiles/ncp.profile @@ -36,6 +36,7 @@ extends: ospp selections: - installed_OS_is_vendor_supported - login_banner_text=usgcb_default + - login_banner_contents=usgcb_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 - accounts_password_all_shadowed diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 133832c72af2..39772872a2cc 100644 --- a/products/ol7/profiles/stig.profile 
+++ b/products/ol7/profiles/stig.profile @@ -8,6 +8,7 @@ description: |- selections: - login_banner_text=dod_banners + - login_banner_contents=dod_default - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - sshd_idle_timeout_value=10_minutes diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 9aa7aad5ac4f..2b70b14f26a5 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -61,6 +61,7 @@ selections: - var_auditd_disk_full_action=ol8 - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile index 13db15a9530b..9e289a1b1782 100644 --- a/products/openembedded/profiles/expanded.profile +++ b/products/openembedded/profiles/expanded.profile @@ -114,6 +114,7 @@ selections: - motd_banner_text=cis_banners - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - file_groupowner_etc_motd - file_owner_etc_motd - file_permissions_etc_motd diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile index 37547a454e83..f8ecfa88b693 100644 --- a/products/openembedded/profiles/standard.profile +++ b/products/openembedded/profiles/standard.profile @@ -109,6 +109,7 @@ selections: - motd_banner_text=cis_banners - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - file_groupowner_etc_motd - file_owner_etc_motd - file_permissions_etc_motd diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index 8269196f2993..59517fa5921f 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml 
@@ -707,6 +707,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml index cbe5d4d6454e..56fadc235366 100644 --- a/products/rhel8/controls/cis_rhel8.yml +++ b/products/rhel8/controls/cis_rhel8.yml @@ -741,6 +741,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index a50b9e2e66a3..b8948e8d925c 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -67,6 +67,7 @@ controls: - var_auditd_disk_full_action=rhel8 - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig - var_time_service_set_maxpoll=18_hours diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile index 4e67d3893c0c..cff0b644c55a 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -27,6 +27,7 @@ selections: - var_password_pam_difok=3 - var_password_pam_unix_remember=5 - var_accounts_user_umask=077 + - login_banner_contents=usgcb_default - login_banner_text=usgcb_default - partition_for_tmp - partition_for_var diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index 6f0dcc2928f3..e382db0b1e65 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml 
@@ -639,6 +639,7 @@ controls: - dconf_gnome_login_banner_text - sshd_enable_warning_banner_net - login_banner_text=cis_banners + - login_banner_contents=cis_default - remote_login_banner_text=cis_banners - id: A.11.SEC-RHEL5 diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 39bb4a26a47e..a4c2007a6cff 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -49,6 +49,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: RHEL-09-211030 diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile index ec2dd7bdbfb5..a0c8bc01d309 100644 --- a/products/rhv4/profiles/rhvh-stig.profile +++ b/products/rhv4/profiles/rhvh-stig.profile @@ -17,6 +17,7 @@ description: |- selections: - installed_OS_is_FIPS_certified - login_banner_text=dod_banners + - login_banner_contents=dod_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 - accounts_password_pam_minlen diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 33b341569721..e3889a4e3f6b 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -32,6 +32,7 @@ selections: - var_password_pam_ucredit=1 - var_accounts_maximum_age_login_defs=60 - login_banner_text=dod_banners + - login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index e6e28fc03306..302e60006999 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile 
@@ -31,6 +31,7 @@ selections: - var_accounts_maximum_age_login_defs=60 - var_password_pam_delay=4000000 - login_banner_text=dod_banners + - login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled From f6062eec729f74c2419bd4e2bd8772e4da8d7f94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 09:21:22 +0100 Subject: [PATCH 04/18] Use motd_banner_contents variable in rule banner_etc_motd Use motd_banner_contents variable in remediations in rule banner_etc_motd. --- controls/ccn_ol9.yml | 1 + controls/cis_al2023.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/general_sle15.yml | 1 + controls/general_slmicro5.yml | 1 + controls/std_kylinserver10.yml | 3 ++- controls/std_tencentos4.yml | 1 + .../banner_etc_motd/ansible/shared.yml | 4 ++-- .../banner_etc_motd/bash/shared.sh | 23 +++---------------- .../banner_etc_motd/oval/shared.xml | 2 +- .../accounts-banners/motd_banner_text.var | 14 +++++++---- products/anolis23/profiles/standard.profile | 3 ++- products/anolis8/profiles/standard.profile | 3 ++- .../openembedded/profiles/expanded.profile | 1 + .../openembedded/profiles/standard.profile | 1 + products/rhel9/controls/ccn_rhel9.yml | 2 ++ products/sle15/profiles/pcs-hardening.profile | 3 +++ 18 files changed, 35 insertions(+), 31 deletions(-) diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index d2496dc37af2..821a5e7b3e73 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -627,6 +627,7 @@ controls: - login_banner_text=cis_default - login_banner_contents=cis_default - motd_banner_text=cis_default + - motd_banner_contents=cis_default - remote_login_banner_text=cis_default - id: A.11.SEC-OL5 diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index af8a7013daf7..896ecc8c132b 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
@@ -468,6 +468,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.7.2 title: Ensure local login warning banner is configured properly (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 57f6f3438318..2e3265d21970 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -457,6 +457,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index f785c46e7270..03efc7f8a40d 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -455,6 +455,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 9d1f03215c02..9e40d24e3492 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -470,6 +470,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: SLES-15-151050030 title: Modify the System Login Banner diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index c63758f12879..ede217788fc0 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -269,6 +269,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: SLEM-5-SET-08010200 title: Modify the System Login Banner diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml index fbcb9f3e0d81..785c64550d9e 100644 --- a/controls/std_kylinserver10.yml +++ b/controls/std_kylinserver10.yml 
@@ -128,7 +128,8 @@ controls: status: automated rules: - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.15 title: Ensure sshd PermitRootLogin is disabled (Automated) diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 7ad7acdc48cd..8125bb9a567d 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -114,6 +114,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.4.2 title: Ensure local login warning banner is configured properly diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml index 252618dedd57..8a3cc3128262 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml @@ -3,9 +3,9 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("motd_banner_text") }}} +{{{ ansible_instantiate_variables("motd_banner_contents") }}} - name: "{{{ rule_title }}} - ensure correct banner" ansible.builtin.copy: dest: /etc/motd - content: '{{{ ansible_deregexify_banner_etc_issue("motd_banner_text") }}}' + content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh index f8f5e59a2420..1f8d36fe3ce6 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh 
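Review bot: The `\n` unescaping in `content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n"` may be a no-op: the YAML double-quoted scalar turns `\\n` into `\n` and `\n` into a real newline before Jinja runs, and Jinja then decodes its `'\n'` string literal as a newline as well, so both `replace` arguments would end up as the same character and literal backslash-n sequences in the variable would reach /etc/motd unchanged. I would verify this with a multi-line banner value; if it misbehaves, writing `replace('\\\\n', '\n')` so that Jinja receives `'\\n'` is the fix. The banner_etc_issue_net ansible remediation in patch 05 uses the identical expression.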
@@ -1,21 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux +# platform = multi_platform_all -{{{ bash_instantiate_variables("motd_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("motd_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("motd_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("motd_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("motd_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("motd_banner_text") }}} -formatted=$(echo "$motd_banner_text" | fold -sw 80) - -cat </etc/motd -$formatted -EOF +motd_banner_contents=$(echo "(bash-populate motd_banner_contents)" | sed 's/\\n/\n/g') +echo "$motd_banner_contents" > /etc/motd diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml index be13d1d65419..dbfadc63d9ec 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml @@ -15,7 +15,7 @@ /etc/motd - + diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var index a71de22c9c6f..8b6fdbfc7b2d 100644 --- a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var 
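Review bot: `motd_banner_contents=$(echo "(bash-populate motd_banner_contents)" | sed 's/\\n/\n/g')` interpolates the banner inside double quotes, so a `$`, backtick or `"` in a tailored banner is expanded by the shell or breaks the assignment, whereas the dconf remediation this series replaces kept the value in single quotes (`login_banner_text='(bash-populate login_banner_text)'`). The sed step also relies on GNU sed treating `\n` in a replacement as a newline, and `echo "$motd_banner_contents"` would treat a banner beginning with `-n` or `-e` as an option. A single-quoted assignment `motd_banner_contents='(bash-populate motd_banner_contents)'` followed by `printf '%b\n' "$motd_banner_contents" > /etc/motd` handles both, provided expanding other backslash escapes in the banner is acceptable. The same pattern is used in the banner_etc_issue_net bash remediation (patch 05) and, without the sed step, in both dconf_gnome_login_banner_text bash remediations (patch 06).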
+++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var @@ -1,16 +1,20 @@ documentation_complete: true -title: 'MotD Banner Verbiage' +title: Motd Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the motd_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile index 90470b4d6347..69e8d39628fc 100644 --- a/products/anolis23/profiles/standard.profile +++ b/products/anolis23/profiles/standard.profile @@ -369,7 +369,8 @@ selections: ## 4.1-ensure-message-of-the-day-is-configured-properly ### Level 1 - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default ## 4.2-ensure-local-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile index c6500a487a14..91f13490b1ab 100644 --- a/products/anolis8/profiles/standard.profile +++ b/products/anolis8/profiles/standard.profile 
@@ -369,7 +369,8 @@ selections: ## 4.1-ensure-message-of-the-day-is-configured-properly ### Level 1 - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default ## 4.2-ensure-local-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile index 9e289a1b1782..a43e6745f40c 100644 --- a/products/openembedded/profiles/expanded.profile +++ b/products/openembedded/profiles/expanded.profile @@ -112,6 +112,7 @@ selections: - service_dovecot_disabled - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - banner_etc_issue - login_banner_text=cis_banners - login_banner_contents=cis_default diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile index f8ecfa88b693..d183617a264b 100644 --- a/products/openembedded/profiles/standard.profile +++ b/products/openembedded/profiles/standard.profile @@ -107,6 +107,7 @@ selections: - service_dovecot_disabled - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - banner_etc_issue - login_banner_text=cis_banners - login_banner_contents=cis_default diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index e382db0b1e65..bc97d06e8ddc 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -635,6 +635,8 @@ controls: - banner_etc_issue - banner_etc_issue_net - banner_etc_motd + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - sshd_enable_warning_banner_net diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile index 69da010c6d09..31bccccc320d 100644 --- a/products/sle15/profiles/pcs-hardening.profile 
+++ b/products/sle15/profiles/pcs-hardening.profile @@ -31,6 +31,9 @@ selections: - var_password_pam_delay=4000000 #- login_banner_text=dod_banners - login_banner_text=cis_banners + - login_banner_contents=cis_default + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled From eb7fda8e25c0b0a4455db971b9505cd713d222b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 09:57:17 +0100 Subject: [PATCH 05/18] Use remote_login_banner_contents variable in rule banner_etc_issue_net Use remote_login_banner_contents variable in remediations in rule banner_etc_issue_net. Also, add test scenarios to test the ability to parametrize the rule with a custom banner text. --- controls/ccn_ol9.yml | 1 + controls/cis_al2023.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/general_sle15.yml | 1 + controls/general_slmicro5.yml | 1 + controls/std_tencentos4.yml | 1 + controls/stig_ubuntu2204.yml | 1 + controls/stig_ubuntu2404.yml | 1 + .../banner_etc_issue_net/ansible/shared.yml | 4 ++-- .../banner_etc_issue_net/bash/shared.sh | 21 ++----------------- .../banner_etc_issue_net_mingetty.fail.sh | 4 ++++ .../tests/banner_etc_issue_net_osid.fail.sh | 4 ++++ .../banner_etc_issue_net_recommended.pass.sh | 5 +++++ .../remote_login_banner_text.var | 15 +++++++------ products/rhel9/controls/ccn_rhel9.yml | 1 + 16 files changed, 36 insertions(+), 27 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh 
diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index 821a5e7b3e73..d274c0dde947 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -629,6 +629,7 @@ controls: - motd_banner_text=cis_default - motd_banner_contents=cis_default - remote_login_banner_text=cis_default + - remote_login_banner_contents=cis_default - id: A.11.SEC-OL5 title: Network Acess to the System is Controlled diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 896ecc8c132b..ffb74aa0621b 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -488,6 +488,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.7.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 2e3265d21970..2c7f33e98b97 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -479,6 +479,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.8.1.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 03efc7f8a40d..758d8e25f95f 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -477,6 +477,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.8.1.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 9e40d24e3492..e34454eff10a 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -490,6 +490,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: SLES-15-151050060 title: Configure access to the Message of the Day Banner 
diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index ede217788fc0..ac887def5ee4 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -289,6 +289,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: SLEM-5-SET-08010400 title: Verify Ownership and Permissions of/on Message of the Day Banner diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 8125bb9a567d..b08775cbce91 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -134,6 +134,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.4.4 title: Ensure permissions on /etc/motd are configured diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index f22733c254ee..6251689f0600 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml @@ -551,6 +551,7 @@ controls: - medium rules: - remote_login_banner_text=dod_banners + - remote_login_banner_contents=dod_default - sshd_enable_warning_banner_net - banner_etc_issue_net status: automated diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index cb85dc34866e..a27f10e6eb21 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -441,6 +441,7 @@ controls: - medium rules: - remote_login_banner_text=dod_banners + - remote_login_banner_contents=dod_default - sshd_enable_warning_banner_net - banner_etc_issue_net status: automated diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml index 828a9a9a0c2d..4a880dccde17 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml 
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml @@ -3,9 +3,9 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("remote_login_banner_text") }}} +{{{ ansible_instantiate_variables("remote_login_banner_contents") }}} - name: "{{{ rule_title }}} - ensure correct banner" ansible.builtin.copy: dest: /etc/issue.net - content: '{{{ ansible_deregexify_banner_etc_issue("remote_login_banner_text") }}}' + content: "{{ remote_login_banner_contents | replace('\\n', '\n') }}\n" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh index 52eda0b4a9b6..bef6be11259b 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh 
@@ -1,21 +1,4 @@ # platform = multi_platform_all -{{{ bash_instantiate_variables("remote_login_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("remote_login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("remote_login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("remote_login_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("remote_login_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("remote_login_banner_text") }}} -formatted=$(echo "$remote_login_banner_text" | fold -sw 80) - -cat </etc/issue.net -$formatted -EOF +remote_login_banner_contents=$(echo "(bash-populate remote_login_banner_contents)" | sed 's/\\n/\n/g') +echo "$remote_login_banner_contents" > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh new file mode 100644 index 000000000000..4730f4332b42 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +echo "System name \s version \s " > /etc/issue.net 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh new file mode 100644 index 000000000000..c579e36e5942 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +echo "This system is rhel." > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh new file mode 100644 index 000000000000..a78e272e8d67 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +# cis_default banner +echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var index 5f64f4f4af63..283b0d964c7f 100644 --- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var 
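Review bot: The three new scenarios all set `remote_login_banner_contents=Authorized users only. All activity may be monitored and reported.`, a single-line value, so the `\n`-to-newline translation the bash and ansible remediations now perform is not exercised by any test. A pass scenario whose contents carry a literal `\n` (with a matching `remote_login_banner_text` regex) would cover that path, if the `# variables =` header accepts such a value. The commit message describes these scenarios as testing a custom banner, but all three use the default CIS text.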
@@ -1,17 +1,20 @@ documentation_complete: true -title: 'Remote Login Banner Verbiage' +title: Remote Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the motd_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false - +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index bc97d06e8ddc..e7b12492f8fb 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -643,6 +643,7 @@ controls: - login_banner_text=cis_banners - login_banner_contents=cis_default - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: A.11.SEC-RHEL5 title: Network Acess to the System is Controlled From c3f3cced8a9d8217f997272913f9e05d3ca71eac Mon Sep 17 00:00:00 2001 
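Review bot: The new description of remote_login_banner_text.var says `In remediations the motd_banner_contents variable is used instead.`, which is copied from motd_banner_text.var; the remediations changed in this patch read `remote_login_banner_contents`, so the sentence should name that variable. While editing it, `(eg. STIG)` should read `(e.g. STIG)` and `how to generate banner regular expression` needs an article, `a banner regular expression`; the same wording appears in the motd_banner_text.var description in patch 04.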
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 10:29:43 +0100 Subject: [PATCH 06/18] Use dconf_login_banner_contents variable in rule dconf_gnome_login_banner_text Use dconf_login_banner_contents variable in remediations in rule dconf_gnome_login_banner_text. --- controls/ccn_ol9.yml | 1 + controls/cis_almalinux9.yml | 1 + controls/cis_debian12.yml | 1 + controls/cis_fedora.yml | 1 + controls/cis_sle12.yml | 1 + controls/cis_sle15.yml | 1 + controls/cis_ubuntu2204.yml | 1 + controls/cis_ubuntu2404.yml | 1 + controls/general_sle15.yml | 1 + controls/stig_ol9.yml | 1 + controls/stig_ubuntu2204.yml | 1 + controls/stig_ubuntu2404.yml | 1 + .../ansible/shared.yml | 4 +-- .../bash/shared.sh | 21 ++---------- .../bash/ubuntu.sh | 23 ++----------- .../tests/correct_value_stig.pass.sh | 34 +++++++++++++++++-- .../tests/correct_value_stig_wrong_db.fail.sh | 34 +++++++++++++++++-- .../tests/missing_value_stig.fail.sh | 4 +-- .../tests/wrapped_banner.fail.sh | 4 +-- .../tests/wrong_value.fail.sh | 4 +-- .../tests/wrong_value_stig.fail.sh | 4 +-- products/fedora/profiles/ospp.profile | 1 + products/ol7/profiles/ncp.profile | 1 + products/ol7/profiles/stig.profile | 1 + products/ol8/profiles/stig.profile | 1 + products/rhel10/controls/cis_rhel10.yml | 2 +- products/rhel8/controls/cis_rhel8.yml | 2 +- products/rhel8/controls/stig_rhel8.yml | 1 + products/rhel9/controls/ccn_rhel9.yml | 1 + products/rhel9/controls/cis_rhel9.yml | 1 + products/rhel9/controls/stig_rhel9.yml | 1 + products/sle12/profiles/stig.profile | 1 + products/sle15/profiles/stig.profile | 1 + 33 files changed, 101 insertions(+), 57 deletions(-) diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index d274c0dde947..e7cbe628f541 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml 
@@ -623,6 +623,7 @@ controls: - banner_etc_motd - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_default - login_banner_contents=cis_default diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml index 29fa4bd9b124..4a91ea6f6d9f 100644 --- a/controls/cis_almalinux9.yml +++ b/controls/cis_almalinux9.yml @@ -692,6 +692,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.3 title: Ensure GDM disable-user-list option is enabled (Automated) diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml index 8e0208f77309..5885306303f2 100644 --- a/controls/cis_debian12.yml +++ b/controls/cis_debian12.yml @@ -541,6 +541,7 @@ controls: - l1_workstation rules: - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml index 3f76e1c78eb6..0d843c36fd44 100644 --- a/controls/cis_fedora.yml +++ b/controls/cis_fedora.yml @@ -711,6 +711,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 2c7f33e98b97..38be815e97a2 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -539,6 +539,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: 2.1.1 title: Ensure xinetd is not installed (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 758d8e25f95f..4d7c269cc099 100644 --- a/controls/cis_sle15.yml 
+++ b/controls/cis_sle15.yml @@ -536,6 +536,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: 2.1.1 title: Ensure xinetd is not installed (Automated) diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml index 84f3287f32ee..e0cfbb361f0c 100644 --- a/controls/cis_ubuntu2204.yml +++ b/controls/cis_ubuntu2204.yml @@ -529,6 +529,7 @@ controls: - l1_workstation rules: - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 58c756c81c9d..9c18ee8621ce 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -562,6 +562,7 @@ controls: - l1_workstation rules: - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index e34454eff10a..1acede4d2700 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -539,6 +539,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: SLES-15-151200135 title: Disable the GDM Login User List diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index 256159f7520f..ca87ad32731c 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml @@ -1974,6 +1974,7 @@ controls: rules: - dconf_gnome_login_banner_text - login_banner_text=dod_default + - dconf_login_banner_contents=cis_default - id: OL09-00-002122 levels: diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index 6251689f0600..851d2f664d0c 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml 
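Review bot: In the stig_ol9.yml hunk the control just before OL09-00-002122 now pairs `login_banner_text=dod_default` with `dconf_login_banner_contents=cis_default`, so the remediation would write the CIS banner while the OVAL check expects the DoD one, and remediating the rule would not make the check pass. The Ubuntu STIG controls in this same patch select `dconf_login_banner_contents=dod_default`; this one should too.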
@@ -655,6 +655,7 @@ controls: - medium rules: - login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index a27f10e6eb21..28abfae075c7 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -463,6 +463,7 @@ controls: - medium rules: - login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml index 33d95980ded9..38bd849f78c4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml @@ -3,7 +3,7 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("dconf_login_banner_contents") }}} - name: "{{{ rule_title }}}" ansible.builtin.file: @@ -32,7 +32,7 @@ dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/login-screen option: banner-message-text - value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}' + value: '''{{ dconf_login_banner_contents }}''' create: yes no_extra_spaces: yes register: result_ini diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh index 930d5fe18189..c686cbe1dbf3 100644 
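Review bot: `value: '''{{ dconf_login_banner_contents }}'''` emits the banner inside a GVariant single-quoted string without escaping, so a banner containing an apostrophe yields an invalid dconf keyfile value; the dropped `ansible_deregexify_banner_dconf_gnome` macro presumably handled that, but the plain variable does not. Escaping embedded quotes with a `replace` filter (so `'` becomes `\'`) before wrapping the value, or stating in the variable's description that the value must not contain unescaped single quotes, would close this. The task this `value:` line belongs to starts outside the hunk.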
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh @@ -1,22 +1,5 @@ # platform = multi_platform_all -login_banner_text='(bash-populate login_banner_text)' - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" ) +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", dconf_gdm_dir, "00-security-settings-lock") }}} 
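Review bot: `dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" )` runs the banner through an `echo` subshell whose only effects are stripping trailing newlines and exposing the value to `$`/backtick expansion; a plain single-quoted assignment, as the removed `login_banner_text='(bash-populate login_banner_text)'` line did, is enough. The value is then embedded in `'${dconf_login_banner_contents}'` unescaped, so an apostrophe in the banner breaks the GVariant literal passed to bash_dconf_settings. Unlike the motd and issue_net remediations, literal `\n` is left in place here, presumably because dconf interprets it inside the quoted string; a comment such as `# keep literal \n escapes: dconf expands them inside the quoted GVariant string` would record that intent. The ubuntu.sh hunk below has the same assignment and quoting.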
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh index 57e577df79b9..4d38311e4e43 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh 
@@ -1,28 +1,11 @@ # platform = multi_platform_ubuntu -{{{ bash_instantiate_variables("login_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}} {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" ) # Will do both approach, since we plan to migrate to checks over dconf db. That way, future updates of the tool # will pass the check even if we decide to check only for the dconf db path. 
-{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${login_banner_text}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${dconf_login_banner_contents}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} # No need to use dconf update, since bash_dconf_settings does that already diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh index 6ff96441acd3..c2caa11732c3 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh 
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE +or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details. +EOF +) + +# replace two subsequent newlines with a \n\n and single newlines with a space +login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g') clean_dconf_settings -add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-text" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" dconf update diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh index 9969fcc6f0d2..c8077d767d35 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh 
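Review bot: The 30-line heredoc and the `sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g'` escaping are copied verbatim into correct_value_stig_wrong_db.fail.sh in the next hunk; both scripts already `source $SHARED/dconf_test_functions.sh`, so a helper there that prints the DoD banner already escaped would keep the two fixtures from drifting. The comment `# replace two subsequent newlines with a \n\n and single newlines with a space` could also say why that form is needed, e.g. `# dconf stores the banner as one line: paragraph breaks become literal \n\n, wrapped lines are rejoined with a space (presumably the form the check expects)`. The single-quoted GVariant value `'${login_banner_text_escaped}'` is only safe because this text has no apostrophe; the short DoD banner dropped from the old regex fixture (`I've read & consent ...`) did contain one, so a shared helper should escape `'` if that text ever returns.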
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE +or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details. +EOF +) + +# replace two subsequent newlines with a \n\n and single newlines with a space +login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g') clean_dconf_settings -add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "dummy.d" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "dummy.d" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-text" "dummy.d" "00-security-settings-lock" dconf update diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh index c316d7c8f74b..56eb33cd1061 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh 
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -# login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+con
sent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -# expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +# login_banner_contents="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\
n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" +# expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh index 38b8ee45b0a8..87167c0f5d13 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh 
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." 
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh index 6a3b00b8cafa..577d3a876327 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh 
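Review bot: wrapped_banner.fail.sh, wrong_value.fail.sh and wrong_value_stig.fail.sh only rename `login_banner_text` to `login_banner_contents` while keeping the regex-style value (`[\s\n]+` tokens) and the old `expanded=$(echo ... | sed ...)` deregexify pipeline, so `login_banner_contents` now means plain banner text in the pass tests but a regex in these three. For the two `"Wrong Banner Text"` fixtures every `s///` in that pipeline is a no-op on the value and it can go: `login_banner_contents="Wrong Banner Text"` followed by `add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_contents}'" ...`. The wrapped-banner fixture is better expressed the same way as correct_value_stig.pass.sh, as plain text with real line breaks run through the same `sed ':a;N;$!ba;...'` escaping, so that all fixtures exercise one code path and the `tamere` placeholder in the legacy sed disappears from the tree.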
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh @@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="Wrong Banner Text" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Wrong Banner Text" +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh index 7c7d4c073e3d..1c04437538a8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh 
@@ -3,8 +3,8 @@ # profiles = xccdf_org.ssgproject.content_profile_stig # packages = dconf,gdm -login_banner_text="Wrong Banner Text" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Wrong Banner Text" +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') {{% if 'ubuntu' not in product %}} source $SHARED/dconf_test_functions.sh diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index 4abcc1aee72e..ff3439776a9f 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -109,6 +109,7 @@ selections: - sshd_rekey_limit - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_contents=usgcb_default - audit_rules_login_events_faillock - audit_rules_login_events_lastlog - audit_rules_login_events_tallylog diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile index 29a30bf9aebd..e406ea135f70 100644 --- a/products/ol7/profiles/ncp.profile +++ b/products/ol7/profiles/ncp.profile @@ -324,6 +324,7 @@ selections: - dconf_gnome_disable_wifi_notification - dconf_gnome_enable_smartcard_auth - dconf_gnome_login_banner_text + - dconf_login_banner_contents=usgcb_default - dconf_gnome_login_retries - dconf_gnome_remote_access_credential_prompt - dconf_gnome_remote_access_encryption diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 39772872a2cc..5cbc5b525139 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile 
@@ -55,6 +55,7 @@ selections: - dconf_db_up_to_date - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_contents=dod_default - banner_etc_issue - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_lock_locked diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 2b70b14f26a5..7c3da3f6dc74 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -62,6 +62,7 @@ selections: - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index 59517fa5921f..db17e6686fdc 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml @@ -707,7 +707,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners - - login_banner_contents=cis_default + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml index 56fadc235366..d80ea036960e 100644 --- a/products/rhel8/controls/cis_rhel8.yml +++ b/products/rhel8/controls/cis_rhel8.yml @@ -741,7 +741,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners - - login_banner_contents=cis_default + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index b8948e8d925c..05c2c0b4efe2 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml 
@@ -68,6 +68,7 @@ controls: - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig - var_time_service_set_maxpoll=18_hours diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index e7b12492f8fb..e70cf04c787f 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -639,6 +639,7 @@ controls: - motd_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_banners - login_banner_contents=cis_default diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml index f73fbd1f6d79..1878a8587286 100644 --- a/products/rhel9/controls/cis_rhel9.yml +++ b/products/rhel9/controls/cis_rhel9.yml @@ -691,6 +691,7 @@ controls: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.3 title: Ensure GDM disable-user-list option is enabled (Automated) diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index a4c2007a6cff..bdbdc60ca911 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -25,6 +25,7 @@ controls: - medium rules: - dconf_gnome_login_banner_text + - dconf_login_banner_contents=dod_default - id: RHEL-09-211010 levels: - high diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index e3889a4e3f6b..ae7d6d6ddbd3 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile 
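Review bot: In cis_rhel9.yml the GDM banner control gains `- login_banner_contents=cis_default`, whereas the equivalent CIS controls for rhel8 and rhel10 in the previous hunks and ccn_rhel9.yml in this one select `- dconf_login_banner_contents=cis_default`, which is the variable the rewritten dconf_gnome_login_banner_text remediation reads. Unless the rhel9 control also covers /etc/issue, this looks like the wrong variable and should read `- dconf_login_banner_contents=cis_default`. The rhel9 CIS profile-stability snapshot listed in the second patch's diffstat would show which selection is effective, but that hunk is not in view.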
@@ -33,6 +33,7 @@ selections: - var_accounts_maximum_age_login_defs=60 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index 302e60006999..b5e8a254ca99 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -32,6 +32,7 @@ selections: - var_password_pam_delay=4000000 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled From 80432ffb5becceeae1938e9e5e8db0a721c19012 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 12 Feb 2026 10:45:09 +0100 Subject: [PATCH 07/18] Update profile stability test --- tests/data/profile_stability/rhel10/cis.profile | 1 + tests/data/profile_stability/rhel10/cis_server_l1.profile | 1 + .../data/profile_stability/rhel10/cis_workstation_l1.profile | 1 + .../data/profile_stability/rhel10/cis_workstation_l2.profile | 1 + tests/data/profile_stability/rhel10/stig.profile | 1 + tests/data/profile_stability/rhel10/stig_gui.profile | 1 + tests/data/profile_stability/rhel8/cis.profile | 1 + tests/data/profile_stability/rhel8/cis_server_l1.profile | 1 + .../data/profile_stability/rhel8/cis_workstation_l1.profile | 1 + .../data/profile_stability/rhel8/cis_workstation_l2.profile | 1 + tests/data/profile_stability/rhel8/rht-ccp.profile | 1 + tests/data/profile_stability/rhel8/stig.profile | 2 ++ tests/data/profile_stability/rhel8/stig_gui.profile | 2 ++ tests/data/profile_stability/rhel9/ccn_advanced.profile | 5 +++++ tests/data/profile_stability/rhel9/ccn_basic.profile | 5 +++++ tests/data/profile_stability/rhel9/ccn_intermediate.profile | 5 +++++ tests/data/profile_stability/rhel9/cis.profile | 1 + tests/data/profile_stability/rhel9/cis_server_l1.profile | 1 + .../data/profile_stability/rhel9/cis_workstation_l1.profile | 1 + .../data/profile_stability/rhel9/cis_workstation_l2.profile | 1 + tests/data/profile_stability/rhel9/stig.profile | 2 ++ tests/data/profile_stability/rhel9/stig_gui.profile | 2 ++ 22 files changed, 38 insertions(+) diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile index acb21b876b66..99a6bcc79e3a 100644 --- a/tests/data/profile_stability/rhel10/cis.profile +++ b/tests/data/profile_stability/rhel10/cis.profile 
@@ -140,6 +140,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 1a8d4a413244..2571f6cef0c6 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -63,6 +63,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 63186a34c258..4b40bbb2cfbe 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -61,6 +61,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 221ffac17557..a51f507c86aa 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -140,6 +140,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_groupowner_sshd_config_d
 directory_owner_sshd_config_d
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
index d9709ad69bbf..dd157f79d28e 100644
--- a/tests/data/profile_stability/rhel10/stig.profile
+++ b/tests/data/profile_stability/rhel10/stig.profile
@@ -318,6 +318,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_nodev
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
index e5632d66dad0..22c29b3b1a40 100644
--- a/tests/data/profile_stability/rhel10/stig_gui.profile
+++ b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -318,6 +318,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_nodev
 mount_option_boot_nosuid
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 40ef7718866d..1a486017ff77 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -130,6 +130,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index c186914d253b..3adcc4a679d7 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -63,6 +63,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index f53d2e0dd714..ab02f8230153 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -61,6 +61,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 disable_users_coredumps
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index f43c7d9ea9b5..6a1bd6cd5eed 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -130,6 +130,7 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
diff --git a/tests/data/profile_stability/rhel8/rht-ccp.profile b/tests/data/profile_stability/rhel8/rht-ccp.profile
index 6d06160f5770..4faa19a2b5ec 100644
--- a/tests/data/profile_stability/rhel8/rht-ccp.profile
+++ b/tests/data/profile_stability/rhel8/rht-ccp.profile
@@ -41,6 +41,7 @@ firewalld_sshd_port_enabled
 grub2_password
 kernel_module_dccp_disabled
 kernel_module_sctp_disabled
+login_banner_contents=usgcb_default
 login_banner_text=usgcb_default
 no_empty_passwords
 no_shelllogin_for_systemaccounts
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a07eb83d2943..a0355b22cead 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -154,6 +154,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -225,6 +226,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 kernel_module_uvcvideo_disabled
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_efi_nosuid
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 52f48890ab39..f4740e88e209 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -154,6 +154,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -225,6 +226,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 kernel_module_uvcvideo_disabled
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nosuid
diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile
index 00b9660909b3..2438f8526fb3 100644
--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -66,6 +66,7 @@ dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
+dconf_login_banner_contents=cis_default
 directory_permissions_var_log_audit
 enable_authselect
 encrypt_partitions
@@ -90,7 +91,10 @@ inactivity_timeout_value=5_minutes
 kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
@@ -111,6 +115,7 @@ package_telnet-server_removed
 package_tftp-server_removed
 package_usbguard_installed
 package_vsftpd_removed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 selinux_policytype
 selinux_state
diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile
index 00b96ffc1172..8b798198a18d 100644
--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -46,6 +46,7 @@ configure_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text
+dconf_login_banner_contents=cis_default
 enable_authselect
 file_groupowner_grub2_cfg
 file_groupowner_user_cfg
@@ -56,13 +57,17 @@ file_permissions_user_cfg
 firewalld_loopback_traffic_restricted
 firewalld_loopback_traffic_trusted
 grub2_password
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
 mount_option_boot_nosuid
 package_firewalld_installed
 package_usbguard_installed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 service_firewalld_enabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
index 80b4ea6efe36..a807fc079047 100644
--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -55,6 +55,7 @@ dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
 dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
+dconf_login_banner_contents=cis_default
 directory_permissions_var_log_audit
 enable_authselect
 ensure_root_password_configured
@@ -78,7 +79,10 @@ inactivity_timeout_value=5_minutes
 kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
+motd_banner_contents=cis_default
+motd_banner_text=cis_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_noexec
@@ -98,6 +102,7 @@ package_telnet-server_removed
 package_tftp-server_removed
 package_usbguard_installed
 package_vsftpd_removed
+remote_login_banner_contents=cis_default
 remote_login_banner_text=cis_banners
 selinux_policytype
 selinux_state
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 65f2ddc07f7e..80d8bf1fe71d 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -254,6 +254,7 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index ac83e2c0a321..b0fe97a998ef 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -165,6 +165,7 @@ kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fb685c741479..79ff5989d0a0 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -162,6 +162,7 @@ kernel_module_freevxfs_disabled
 kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3fc4bebf0c4a..3db1a26a5d2f 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -254,6 +254,7 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
+login_banner_contents=cis_default
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 17ec849e8914..99cd9fc08002 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -170,6 +170,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -304,6 +305,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 logind_session_timeout
 mount_option_boot_efi_nosuid
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index 35aef8879876..10ebb282a93e 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -170,6 +170,7 @@ dconf_gnome_screensaver_lock_enabled
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -304,6 +305,7 @@ kernel_module_sctp_disabled
 kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
+login_banner_contents=dod_default
 login_banner_text=dod_banners
 mount_option_boot_efi_nosuid
 mount_option_boot_nodev
From 74c3dc69cf529ef4ee120b54bbc41b6faccb9be8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 12 Feb 2026 11:06:21 +0100
Subject: [PATCH 08/18] Fix yamllint problems - trailing spaces
---
 products/sle15/profiles/pcs-hardening.profile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile
index 31bccccc320d..0bfc746d362c 100644
--- a/products/sle15/profiles/pcs-hardening.profile
+++ b/products/sle15/profiles/pcs-hardening.profile
@@ -5,7 +5,7 @@ metadata: SMEs: - esampson -reference: +reference: title: 'Public Cloud Hardening for SUSE Linux Enterprise 15'
@@ -413,7 +413,7 @@ selections:
 #- package_net-snmp_removed
 #- package_telnet_removed
 #- package_telnet-server_removed
- #### OTHER
+ #### OTHER
 #### can't do at image build time
 #- accounts_authorized_local_users
 #- accounts_max_concurrent_login_sessions
From 4e31c114cd2daf9ba7701da9e814b81cec2fab96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:31:36 +0100
Subject: [PATCH 09/18] Fixed wrong value
Change cis_default to dod_default for dconf_login_banner_contents because this is a STIG control, not CIS.
---
 controls/stig_ol9.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
index ca87ad32731c..3174c8d1a62b 100644
--- a/controls/stig_ol9.yml
+++ b/controls/stig_ol9.yml
@@ -1974,7 +1974,7 @@ controls:
 rules:
 - dconf_gnome_login_banner_text
 - login_banner_text=dod_default
- - dconf_login_banner_contents=cis_default
+ - dconf_login_banner_contents=dod_default
 - id: OL09-00-002122
 levels:
From 73b5466b2b1c604e072a8784245748805141fda2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:32:47 +0100
Subject: [PATCH 10/18] Use multi_platform_all in Ansible remediation
---
 .../accounts-banners/banner_etc_issue/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index a43e1b6a25c9..4136c8e028dc 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux
+# platform = multi_platform_all
 # reboot = false
 # strategy = unknown
 # complexity = low
From f579995ea243335f22fd8deeca2aef6650d80944 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:33:25 +0100
Subject: [PATCH 11/18] Fix typos
---
 .../tests/banner_etc_issue_cis_recommended.pass.sh | 2 +-
 .../accounts-banners/remote_login_banner_contents.var | 2 +-
 .../accounts-banners/remote_login_banner_text.var | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
index bc0f5a7a0872..ce541f31864c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh
@@ -2,4 +2,4 @@
 # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
 # cis_default banner
-echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
+echo "Authorized users only. All activity may be monitored and reported." > /etc/issue
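Review bot: Widening `# platform` to `multi_platform_all` makes this Ansible remediation apply to every product the content is built for, including the Debian- and Ubuntu-based ones the previous explicit list left out, while the tasks themselves sit outside this hunk, so I cannot see whether they rely on anything that was only true of the old platform set (writing `/etc/issue` is distro-neutral, but any package, service or SELinux handling in the tasks would not be). Since the hunk gives no reason for lifting the restriction, a one-line comment such as `# platform = multi_platform_all  (tasks only write /etc/issue; no distro-specific steps)` or a test scenario run on one of the newly covered products would make the widening reviewable. The bash remediation for the same rule presumably carries its own platform line and should agree with this one.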
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
index c3d740df9c6f..d2b77661b666 100644
--- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var
@@ -5,7 +5,7 @@ title: 'Remote Login Banner Verbiage'
 description: >-
 Enter an appropriate login banner text for your organization. This variable is used only in remediations.
- In OVAL checks a regular expression specified in the login_banner_text variable is used instead.
+ In OVAL checks a regular expression specified in the remote_login_banner_text variable is used instead.
 Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
 type: string
diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
index 283b0d964c7f..a4e24de44962 100644
--- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var
@@ -6,7 +6,7 @@ description: >-
 Enter an appropriate login banner regular expression for your organization. Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. This regular expression is used only in OVAL checks.
- In remediations the motd_banner_contents variable is used instead.
+ In remediations the remote_login_banner_contents variable is used instead.
 For information about how to generate banner regular expression for your tailoring files, see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
@@ -20,12 +20,12 @@ options:
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
 # There is a generic content in case a remediation is necessary.
 # How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
- cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
- cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters
 dod_banners: 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+searc
h,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\
s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$
 usgcb_default: ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$
- default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ default: 
^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
From 8a2c6baf9333d88c973ce2d38623f4180749bde8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 16 Feb 2026 09:33:45 +0100
Subject: [PATCH 12/18] Rename variable
Renamed local variable from login_banner_contents to dconf_login_banner_contents since this test is for a dconf rule
---
 .../tests/wrapped_banner.fail.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
index 87167c0f5d13..28b573bc3a9a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
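Review bot: The second alternative of the new `cis_banners` value, `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*`, only rejects a banner that contains a backslash or one of four lowercase distribution names, so a banner such as `Welcome to Fedora 41` (capitalised) or `Red Hat Enterprise Linux 9` (not in the list) still passes, because nothing in this pattern sets a case-insensitive flag and the list is short; the check therefore enforces less than the comment above it ("doesn't allow technical information") suggests. If the OVAL engine honours inline PCRE flags, `^(?!.*(?i:\\|fedora|rhel|sle|ubuntu)).*` would close the case gap, and the name list could be extended to the other products this content ships for (for example `ol` and `almalinux`, which appear in the platform list of the banner_etc_issue remediation earlier in this series). The same pattern is presumably repeated in the sibling login_banner_text.var and motd_banner_text.var files and would need the same treatment. This hunk only fixes the `uses`/`users` typo, so the weakness is pre-existing rather than introduced here.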
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." 
-expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +dconf_login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." +expanded=$(echo "$dconf_login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" From e8a2d756adfaa9191542692481447d9caac45140 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 24 Feb 2026 09:51:47 +0100 Subject: [PATCH 13/18] Fix variable selections in SAP profile There was a duplicate selection for the login_banner_text variable. The _contents variables were missing. --- products/sle15/profiles/pcs-hardening-sap.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/products/sle15/profiles/pcs-hardening-sap.profile b/products/sle15/profiles/pcs-hardening-sap.profile
index 63231a2b3b34..207b0dfa6543 100644
--- a/products/sle15/profiles/pcs-hardening-sap.profile
+++ b/products/sle15/profiles/pcs-hardening-sap.profile
@@ -24,8 +24,9 @@ selections:
 - var_apparmor_mode=complain
 - motd_banner_text=cis_banners
 - login_banner_text=cis_banners
+ - login_banner_contents=cis_default
 - remote_login_banner_text=cis_banners
- - login_banner_text=cis_default
+ - remote_login_banner_contents=cis_default
 - var_multiple_time_servers=suse
 - var_multiple_time_pools=suse
 - var_postfix_inet_interfaces=loopback-only
From 9fcb22d36f57c904d99580ea7d036787d8814446 Mon Sep 17 00:00:00 2001
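Review bot: The context line `- motd_banner_text=cis_banners` still has no companion `_contents` selection after this hunk, while the login and remote-login banner variables now each get one; the commit message says the missing `_contents` variables were the point of the change, so the MOTD pair looks like an oversight. The variable exists in this tree (products/rhel9/controls/ccn_rhel9.yml later in this series selects `motd_banner_contents=cis_default`), so unless the MOTD remediation is intentionally left to the variable's default, add `- motd_banner_contents=cis_default` after the `motd_banner_text` line. The `selections:` list this hunk belongs to starts outside the hunk.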
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 24 Feb 2026 11:17:14 +0100 Subject: [PATCH 14/18] Separate variable in rule dconf_gnome_login_banner_text The rule `dconf_gnome_login_banner_text` shared variable `login_banner_text` with other rules. Some CIS profiles recommend a different text for Dconf login banner than for other banners. Therefore we will create a special variable for this rule and we will use it instead of the variable `login_banner_text`. The new variable name is `dconf_login_banner_text` and it was created by copying the variable `login_banner_text`. --- controls/ccn_ol9.yml | 1 + controls/cis_almalinux9.yml | 2 +- controls/cis_debian12.yml | 2 +- controls/cis_fedora.yml | 2 +- controls/cis_sle12.yml | 2 +- controls/cis_sle15.yml | 2 +- controls/cis_ubuntu2204.yml | 2 +- controls/stig_ubuntu2404.yml | 2 +- .../dconf_login_banner_text.var | 31 +++++++++++++++++++ .../oval/shared.xml | 4 +-- .../oval/ubuntu.xml | 4 +-- .../tests/ubuntu_correct_value.pass.sh | 2 +- .../ubuntu_correct_value_defaults.pass.sh | 2 +- .../tests/ubuntu_wrong_value.fail.sh | 2 +- .../tests/ubuntu_wrong_value_defaults.fail.sh | 2 +- products/fedora/profiles/ospp.profile | 1 + products/ol7/profiles/ncp.profile | 1 + products/ol7/profiles/stig.profile | 1 + products/ol8/profiles/stig.profile | 1 + products/rhel10/controls/cis_rhel10.yml | 2 +- products/rhel8/controls/cis_rhel8.yml | 2 +- products/rhel8/controls/stig_rhel8.yml | 1 + products/rhel9/controls/ccn_rhel9.yml | 1 + products/rhel9/controls/stig_rhel9.yml | 1 + products/sle12/profiles/stig.profile | 1 + products/sle15/profiles/stig.profile | 1 + .../data/profile_stability/rhel10/cis.profile | 2 +- .../rhel10/cis_server_l1.profile | 2 +- .../rhel10/cis_workstation_l1.profile | 2 +- .../rhel10/cis_workstation_l2.profile | 2 +- .../data/profile_stability/rhel8/cis.profile | 2 +- .../rhel8/cis_server_l1.profile | 2 +- .../rhel8/cis_workstation_l1.profile | 2 +- .../rhel8/cis_workstation_l2.profile | 2 +- 
.../data/profile_stability/rhel8/stig.profile | 1 + .../profile_stability/rhel8/stig_gui.profile | 1 + .../rhel9/ccn_advanced.profile | 1 + .../profile_stability/rhel9/ccn_basic.profile | 1 + .../rhel9/ccn_intermediate.profile | 1 + .../data/profile_stability/rhel9/stig.profile | 1 + .../profile_stability/rhel9/stig_gui.profile | 1 + 41 files changed, 73 insertions(+), 25 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index e7cbe628f541..c065f65c5eb2 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -623,6 +623,7 @@ controls: - banner_etc_motd - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=cis_default - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_default diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml index 4a91ea6f6d9f..6d7189ce2877 100644 --- a/controls/cis_almalinux9.yml +++ b/controls/cis_almalinux9.yml @@ -691,7 +691,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - id: 1.8.3 diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml index 5885306303f2..6ffb09b7dda3 100644 --- a/controls/cis_debian12.yml +++ b/controls/cis_debian12.yml @@ -540,7 +540,7 @@ controls: - l1_server - l1_workstation rules: - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml index 0d843c36fd44..8821c83a893d 100644 --- a/controls/cis_fedora.yml +++ b/controls/cis_fedora.yml 
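Review bot: Replacing `- login_banner_text=cis_banners` with `- dconf_login_banner_text=cis_banners` in controls/cis_almalinux9.yml (and in the same way in cis_debian12.yml, cis_fedora.yml, cis_sle12.yml, cis_sle15.yml, cis_ubuntu2204.yml, stig_ubuntu2404.yml, products/rhel10/controls/cis_rhel10.yml and products/rhel8/controls/cis_rhel8.yml) appears to drop the only selection of `login_banner_text` in those profiles: the tests/data/profile_stability hunks for rhel8 and rhel10 remove `login_banner_text=cis_banners` from the generated profile and nothing re-adds it. The commit message says `login_banner_text` is shared with other rules, so if any such rule is still selected in these profiles it will now be evaluated against the variable's built-in default (presumably the strict `^Authorized[\s\n]+users[\s\n]+only...` pattern that the copied dconf_login_banner_text.var shows as `default:`) instead of the permissive `cis_banners` pattern, a behavior change the commit does not mention. If that is unintended, keep `- login_banner_text=cis_banners` next to the new `- dconf_login_banner_text=cis_banners` line, as controls/ccn_ol9.yml in this same patch does for its `cis_default` pair; otherwise the narrowing deserves a sentence in the commit message. The control blocks these hunks belong to start outside the hunks.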
@@ -710,7 +710,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - id: 1.8.2 diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 38be815e97a2..3e4d682ce3e6 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -538,7 +538,7 @@ controls: - dconf_gnome_disable_user_list - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default - dconf_login_banner_contents=cis_default - id: 2.1.1 diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 4d7c269cc099..bf92b28d52f3 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -535,7 +535,7 @@ controls: - enable_dconf_user_profile - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default - dconf_login_banner_contents=cis_default - id: 2.1.1 diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml index e0cfbb361f0c..997016fd1e97 100644 --- a/controls/cis_ubuntu2204.yml +++ b/controls/cis_ubuntu2204.yml @@ -528,7 +528,7 @@ controls: - l1_server - l1_workstation rules: - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index 28abfae075c7..47c7e37b5d3c 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -462,7 +462,7 @@ controls: levels: - medium rules: - - login_banner_text=dod_banners + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated 
diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
new file mode 100644
index 000000000000..6a44de843411
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: Login Banner Verbiage Regular Expression
+
+description: >-
+ Enter an appropriate login banner regular expression for your organization.
+ Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+ This regular expression is used only in OVAL checks.
+ In remediations the login_banner_contents variable is used instead.
+ For information about how to generate banner regular expression for your tailoring files,
+ see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
+# There is a generic content in case a remediation is necessary.
+# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
+ cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters
+ dod_banners: 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+sea
rch,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ + dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ + dss_odaa_default: 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\
s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ + usgcb_default: ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ 
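Review bot: The description of the new dconf_login_banner_text.var still says `In remediations the login_banner_contents variable is used instead.`, which was true for the variable it was copied from but not for this one: the profiles and controls in this patch pair it with `dconf_login_banner_contents` (e.g. `dconf_login_banner_text=dod_banners` next to `dconf_login_banner_contents=dod_default`). Change that sentence to `In remediations the dconf_login_banner_contents variable is used instead.` so a tailoring author is pointed at the right remediation variable. The title `Login Banner Verbiage Regular Expression` is also identical to the original variable's purpose wording as far as this hunk shows; naming the scope, e.g. `title: GNOME Login Banner Verbiage Regular Expression`, would keep the two variables distinguishable in a tailoring UI, since the `default:` and every option here are byte-for-byte copies.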
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml index 0a6b6a9c829f..4b957be47881 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml @@ -39,9 +39,9 @@ - + - + diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml index 3baac57772f3..208572acae53 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml @@ -37,9 +37,9 @@ - + - + diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh index 9b0d6ebb73f3..8d3f075bdb73 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh index 2ffb8ec5fb19..380397ebba55 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh index cf9bb8d31b34..e013ae2dd447 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh 
@@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh index 07e8cacfd78a..51ac9ff10ab7 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index ff3439776a9f..ea79c4506a7e 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -109,6 +109,7 @@ selections: - sshd_rekey_limit - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=usgcb_default - dconf_login_banner_contents=usgcb_default - audit_rules_login_events_faillock - audit_rules_login_events_lastlog diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile index e406ea135f70..426901de8641 100644 --- a/products/ol7/profiles/ncp.profile +++ b/products/ol7/profiles/ncp.profile 
@@ -324,6 +324,7 @@ selections: - dconf_gnome_disable_wifi_notification - dconf_gnome_enable_smartcard_auth - dconf_gnome_login_banner_text + - dconf_login_banner_text=usgcb_default - dconf_login_banner_contents=usgcb_default - dconf_gnome_login_retries - dconf_gnome_remote_access_credential_prompt diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 5cbc5b525139..27085939d81a 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile @@ -55,6 +55,7 @@ selections: - dconf_db_up_to_date - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_default - dconf_login_banner_contents=dod_default - banner_etc_issue - dconf_gnome_screensaver_lock_enabled diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index 7c3da3f6dc74..622bfa8a1e6b 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -62,6 +62,7 @@ selections: - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index db17e6686fdc..7f699bed4f29 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml @@ -706,7 +706,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - id: 1.8.2 diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml index d80ea036960e..68f020aa956b 100644 --- a/products/rhel8/controls/cis_rhel8.yml +++ b/products/rhel8/controls/cis_rhel8.yml 
@@ -740,7 +740,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - id: 1.8.2 diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index 05c2c0b4efe2..4c2de6146d37 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -68,6 +68,7 @@ controls: - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index e70cf04c787f..84a168b77395 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -639,6 +639,7 @@ controls: - motd_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=cis_banners - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_banners diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index bdbdc60ca911..554496291306 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -25,6 +25,7 @@ controls: - medium rules: - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default - id: RHEL-09-211010 levels: diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index ae7d6d6ddbd3..54f62c322a2f 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile 
@@ -33,6 +33,7 @@ selections: - var_accounts_maximum_age_login_defs=60 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index b5e8a254ca99..37233d8004c5 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -32,6 +32,7 @@ selections: - var_password_pam_delay=4000000 - login_banner_text=dod_banners - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners - dconf_login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile index 99a6bcc79e3a..703560adda42 100644 --- a/tests/data/profile_stability/rhel10/cis.profile +++ b/tests/data/profile_stability/rhel10/cis.profile @@ -141,6 +141,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits directory_groupowner_sshd_config_d directory_owner_sshd_config_d @@ -286,7 +287,6 @@ kernel_module_squashfs_disabled kernel_module_tipc_disabled kernel_module_udf_disabled kernel_module_usb-storage_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile index 2571f6cef0c6..c8adbcf11520 100644 --- a/tests/data/profile_stability/rhel10/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile 
@@ -64,6 +64,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits directory_groupowner_sshd_config_d directory_owner_sshd_config_d @@ -193,7 +194,6 @@ kernel_module_rds_disabled kernel_module_sctp_disabled kernel_module_tipc_disabled kernel_module_usb-storage_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile index 4b40bbb2cfbe..5feb1df7b612 100644 --- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile @@ -62,6 +62,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits directory_groupowner_sshd_config_d directory_owner_sshd_config_d @@ -189,7 +190,6 @@ kernel_module_jffs2_disabled kernel_module_rds_disabled kernel_module_sctp_disabled kernel_module_tipc_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile index a51f507c86aa..43ecd6581e9d 100644 --- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile 
@@ -141,6 +141,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits directory_groupowner_sshd_config_d directory_owner_sshd_config_d @@ -286,7 +287,6 @@ kernel_module_squashfs_disabled kernel_module_tipc_disabled kernel_module_udf_disabled kernel_module_usb-storage_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile index 1a486017ff77..9e30070d1b8f 100644 --- a/tests/data/profile_stability/rhel8/cis.profile +++ b/tests/data/profile_stability/rhel8/cis.profile @@ -131,6 +131,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits directory_permissions_var_log_audit disable_host_auth @@ -284,7 +285,6 @@ kernel_module_squashfs_disabled kernel_module_tipc_disabled kernel_module_udf_disabled kernel_module_usb-storage_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile index 3adcc4a679d7..747124962916 100644 --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile @@ -64,6 +64,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits disable_host_auth disable_users_coredumps 
@@ -201,7 +202,6 @@ kernel_module_rds_disabled kernel_module_sctp_disabled kernel_module_tipc_disabled kernel_module_usb-storage_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile index ab02f8230153..c6dcbe89a610 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile @@ -62,6 +62,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits disable_host_auth disable_users_coredumps @@ -198,7 +199,6 @@ kernel_module_jffs2_disabled kernel_module_rds_disabled kernel_module_sctp_disabled kernel_module_tipc_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile index 6a1bd6cd5eed..1aeeb3681d3e 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile @@ -131,6 +131,7 @@ dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners dir_perms_world_writable_sticky_bits directory_permissions_var_log_audit disable_host_auth @@ -284,7 +285,6 @@ kernel_module_squashfs_disabled kernel_module_tipc_disabled kernel_module_udf_disabled kernel_module_usb-storage_disabled -login_banner_text=cis_banners mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid 
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index a0355b22cead..e6e3561e18a8 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -155,6 +155,7 @@ dconf_gnome_screensaver_lock_locked dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=dod_default +dconf_login_banner_text=dod_banners dir_group_ownership_library_dirs dir_ownership_library_dirs dir_permissions_library_dirs diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index f4740e88e209..79544c850455 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -155,6 +155,7 @@ dconf_gnome_screensaver_lock_locked dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=dod_default +dconf_login_banner_text=dod_banners dir_group_ownership_library_dirs dir_ownership_library_dirs dir_permissions_library_dirs diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile index 2438f8526fb3..5a07e93c9a1c 100644 --- a/tests/data/profile_stability/rhel9/ccn_advanced.profile +++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile @@ -67,6 +67,7 @@ dconf_gnome_login_banner_text dconf_gnome_screensaver_idle_delay dconf_gnome_screensaver_lock_delay dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners directory_permissions_var_log_audit enable_authselect encrypt_partitions diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile index 8b798198a18d..b1fb2d97365b 100644 --- a/tests/data/profile_stability/rhel9/ccn_basic.profile +++ b/tests/data/profile_stability/rhel9/ccn_basic.profile 
@@ -47,6 +47,7 @@ dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_login_banner_text dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners enable_authselect file_groupowner_grub2_cfg file_groupowner_user_cfg diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile index a807fc079047..6f226054e656 100644 --- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile +++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile @@ -56,6 +56,7 @@ dconf_gnome_login_banner_text dconf_gnome_screensaver_idle_delay dconf_gnome_screensaver_lock_delay dconf_login_banner_contents=cis_default +dconf_login_banner_text=cis_banners directory_permissions_var_log_audit enable_authselect ensure_root_password_configured diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index 99cd9fc08002..54b834b2cfd3 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile @@ -171,6 +171,7 @@ dconf_gnome_screensaver_mode_blank dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=dod_default +dconf_login_banner_text=dod_banners dir_group_ownership_library_dirs dir_ownership_library_dirs dir_permissions_library_dirs diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index 10ebb282a93e..70e9b9c0914b 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -171,6 +171,7 @@ dconf_gnome_screensaver_mode_blank dconf_gnome_screensaver_user_locks dconf_gnome_session_idle_user_locks dconf_login_banner_contents=dod_default +dconf_login_banner_text=dod_banners dir_group_ownership_library_dirs dir_ownership_library_dirs dir_permissions_library_dirs 
From 82d5b8cb49d95a1c247e4c91811306fcce748a4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 24 Feb 2026 11:35:52 +0100
Subject: [PATCH 15/18] Align Dconf GDM banner text with CIS

CIS Benchmarks aren't consistent in the wording of the recommended login banner. In most CIS requirements, the text starts with "Authorized users". But, in "Ensure GDM login banner is configured" requirement recommends "Authorized uses".
---
 .../accounts-banners/dconf_login_banner_contents.var | 2 +-
 .../accounts/accounts-banners/dconf_login_banner_text.var | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
index d4f1b4bc0fc5..bd366b4da215 100644
--- a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var
@@ -18,7 +18,7 @@ options:
 default: 'Authorized users only. All activity may be monitored and reported.'
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
 # There is a generic content in case a remediation is necessary.
- cis_default: 'Authorized users only. All activity may be monitored and reported.'
+ cis_default: 'Authorized uses only. All activity may be monitored and reported.'
 dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
 dod_short: 'I''ve read & consent to terms in IS user agreem''t.'
 dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system.
All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.'
diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
index 6a44de843411..0f838c065d56 100644
--- a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var
@@ -1,6 +1,6 @@
 documentation_complete: true
-title: Login Banner Verbiage Regular Expression
+title: Dconf GDM Login Banner Verbiage Regular Expression
 description: >-
 Enter an appropriate login banner regular expression for your organization.
@@ -20,8 +20,10 @@ options:
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
 # There is a generic content in case a remediation is necessary.
 # How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
- cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
- cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+# CIS recommends to use "Authorized uses only" for Dconf GDM requirements which is
+# different text that in other login banners where CIS recommends "Authorized users only".
+ cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters
 dod_banners:
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+searc
h,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ From 3a15fdeca4521130c129c7af0cc05eeb47fc550b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 24 Feb 2026 11:44:54 +0100 Subject: [PATCH 16/18] Remove trailing space --- products/sle15/profiles/pcs-hardening-sap.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/sle15/profiles/pcs-hardening-sap.profile b/products/sle15/profiles/pcs-hardening-sap.profile index 207b0dfa6543..22c9e487becf 100644 --- a/products/sle15/profiles/pcs-hardening-sap.profile +++ b/products/sle15/profiles/pcs-hardening-sap.profile @@ -5,7 +5,7 @@ metadata: SMEs: - esampson -reference: +reference: title: 'Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15' From 9fba127e4443de563bbcfbff61543ad0f8c054c6 Mon Sep 17 00:00:00 2001 
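Review bot: The new `cis_default` regex accepts only the "Authorized uses only" spelling, so a GDM banner set to "Authorized users only" — the wording the `/etc/issue`, `/etc/issue.net` and `/etc/motd` CIS remediations in this same series write — now fails every control that selects `dconf_login_banner_text=cis_default` (the Ubuntu 24.04 and SLE 15 CIS controls in patch 17 do). The commit message itself treats the GDM wording as a benchmark inconsistency rather than a distinct requirement, so accepting both spellings looks safer: `cis_default: ^Authorized[\s\n]+use(r)?s[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$`, with the same `use(r)?s` in the first alternative of `cis_banners`; the second `cis_banners` alternative `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*` already tolerates either wording, so only the strict variant is affected. The added comment has a typo, `# different text than in other login banners where CIS recommends "Authorized users only".`. The `options:` mapping these keys belong to starts before the hunk, and the `dconf_login_banner_contents.var` hunk of this commit changes the matching remediation text in the same direction.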
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 25 Feb 2026 15:12:34 +0100
Subject: [PATCH 17/18] Fix variable selections for rule dconf_gnome_login_banner_text

---
 controls/cis_ubuntu2404.yml | 2 +-
 controls/general_sle15.yml | 2 +-
 controls/stig_ol9.yml | 2 +-
 controls/stig_ubuntu2204.yml | 2 +-
 products/rhel9/controls/cis_rhel9.yml | 4 ++--
 tests/data/profile_stability/rhel9/cis.profile | 4 ++--
 tests/data/profile_stability/rhel9/cis_server_l1.profile | 4 ++--
 tests/data/profile_stability/rhel9/cis_workstation_l1.profile | 4 ++--
 tests/data/profile_stability/rhel9/cis_workstation_l2.profile | 4 ++--
 9 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 9c18ee8621ce..d4e1dfde39c3 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -561,7 +561,7 @@ controls:
 - l1_server
 - l1_workstation
 rules:
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml
index 1acede4d2700..f637cbbd87d4 100644
--- a/controls/general_sle15.yml
+++ b/controls/general_sle15.yml
@@ -538,7 +538,7 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_default
+ - dconf_login_banner_text=cis_default
 - dconf_login_banner_contents=cis_default
 - id: SLES-15-151200135
diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
index 3174c8d1a62b..1e0f2d1511f8 100644
--- a/controls/stig_ol9.yml
+++ b/controls/stig_ol9.yml
@@ -1973,7 +1973,7 @@ controls:
 or remote access to the system via a graphical user logon.
 rules:
 - dconf_gnome_login_banner_text
- - login_banner_text=dod_default
+ - dconf_login_banner_text=dod_default
 - dconf_login_banner_contents=dod_default
 - id: OL09-00-002122
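Review bot: The Ubuntu 24.04 and SLE 15 CIS controls select the strict `dconf_login_banner_text=cis_default` regex, while the RHEL 9 CIS control in the next hunks of this commit selects `dconf_login_banner_text=cis_banners`, whose second alternative `^(?!.*(\\|fedora|rhel|sle|ubuntu)).*` accepts any banner that does not name the distribution. That means the same CIS GDM rule is evaluated differently per product: an organization-specific banner passes on RHEL 9 but fails on Ubuntu 24.04 and SLE 15. If the difference is not deliberate, `- dconf_login_banner_text=cis_banners` in `controls/cis_ubuntu2404.yml` and `controls/general_sle15.yml` would align them; if it is deliberate, a one-line comment next to the selection saying why would save the next reader the comparison. Each control block extends beyond its hunk.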
diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml
index 851d2f664d0c..c830866ac571 100644
--- a/controls/stig_ubuntu2204.yml
+++ b/controls/stig_ubuntu2204.yml
@@ -654,7 +654,7 @@ controls:
 levels:
 - medium
 rules:
- - login_banner_text=dod_banners
+ - dconf_login_banner_text=dod_banners
 - dconf_login_banner_contents=dod_default
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index 1878a8587286..cdcf1807ad14 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -690,8 +690,8 @@ controls:
 rules:
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
- - login_banner_text=cis_banners
- - login_banner_contents=cis_default
+ - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
 - id: 1.8.3
 title: Ensure GDM disable-user-list option is enabled (Automated)
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 80d8bf1fe71d..c89accc931d2 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -128,6 +128,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -254,8 +256,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index b0fe97a998ef..d40f3e2d8255 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -57,6 +57,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 enable_authselect
@@ -165,8 +167,6 @@ kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
 kernel_module_usb-storage_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index 79ff5989d0a0..17ffd016a562 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -55,6 +55,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 enable_authselect
@@ -162,8 +164,6 @@ kernel_module_freevxfs_disabled
 kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3db1a26a5d2f..68a56c55311d 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -128,6 +128,8 @@ dconf_gnome_screensaver_idle_delay
 dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=cis_default
+dconf_login_banner_text=cis_banners
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
@@ -254,8 +256,6 @@ kernel_module_squashfs_disabled
 kernel_module_tipc_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
-login_banner_contents=cis_default
-login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
 mount_option_dev_shm_nosuid
From ffe160a6e6a12e5332a12c17f60777b89e604182 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 25 Feb 2026 15:13:04 +0100
Subject: [PATCH 18/18] Fix SUSE content to be aligned with RHEL content

---
 .../accounts-banners/banner_etc_issue/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index 4136c8e028dc..c1f5e665bf57 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -19,7 +19,7 @@
 - name: "{{{ rule_title }}} - Ensure Correct Banner"
 ansible.builtin.copy:
 dest: /etc/issue.d/99-oscap-setting
- content: "{{ login_banner_contents }}\n"
+ content: "{{ login_banner_contents | replace('\\n', '\n') }}\n"
 - name: "{{{ rule_title }}} - Restart issue-generator Service on Issue Configuration Change"
 ansible.builtin.systemd:
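Review bot: The new `replace('\\n', '\n')` filter may turn out to be a no-op after both layers of unescaping: the YAML double-quoted scalar reduces `'\\n'` to the two characters backslash-n and `'\n'` to a real newline, and Jinja then decodes escape sequences inside its own single-quoted literals, so the search string very likely also ends up as a real newline and nothing in `login_banner_contents` is rewritten. If the purpose is to expand the literal `\n` sequences that banner values such as `dod_default` carry into line breaks before the file is written, the search argument needs one more escaping level, `content: "{{ login_banner_contents | replace('\\\\n', '\n') }}\n"`. I can only see this hunk, not the RHEL file it is meant to mirror, so this is best confirmed by rendering the playbook once and inspecting the resulting `/etc/issue.d/99-oscap-setting`. The task list continues past the end of the hunk.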