openstack/ansible-hardening
Code Issues Proposed changes

Merge "Make login banner customizable"

Browse Source
This commit is contained in:
Jenkins 2017-04-06 13:30:32 +00:00 committed by Gerrit Code Review
commit 6f524798fc
7 changed files with 53 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
defaults/main.yml
View File

@ -564,6 +564,15 @@ security_rhel7_session_timeout: 600 # V-72223
security_rhel7_enable_chrony: yes # V-72269
# Restrict mail relaying.
security_rhel7_restrict_mail_relaying: yes # V-72297
# Deploy a login banner. # V-72225 / V-71863
security_login_banner_text: |
------------------------------------------------------------------------------
* WARNING *
* You are accessing a secured system and your actions will be logged along *
* with identifying information. Disconnect immediately if you are not an *
* authorized user of this system. *
------------------------------------------------------------------------------
## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these

25
doc/metadata/rhel7/V-71861.rst
View File

@ -1,9 +1,28 @@
---
id: V-71861
status: implemented
tag: sshd
tag: graphical
---
This control is implemented by the tasks for another control:
The security role configures a login banner for graphical logins using
``dconf``. Deployers can opt out of this change by setting the following
Ansible variable:
* :ref:`stig-V-72225`
.. code-block:: yaml
security_enable_graphical_login_message: no
The message is customized by setting another Ansible variable:
.. code-block:: yaml
security_enable_graphical_login_message_text: >
You are accessing a secured system and your actions will be logged along
with identifying information. Disconnect immediately if you are not an
authorized user of this system.
.. note::
The space available for the graphical banner is relatively short. Deployers
should limit the length of their graphical login banners to the shortest
length possible.

7
doc/metadata/rhel7/V-71863.rst
View File

@ -4,6 +4,7 @@ status: implemented
tag: misc
---
The STIG requires a standardized login banner for all command line user logins.
The security role deploys a default banner from ``files/login_banner.txt`` to
``/etc/issue`` on the system.
The security role already deploys a login banner for console logins with tasks
from another STIG:
* :ref:`stig-V-V-7225`

13
doc/metadata/rhel7/V-72225.rst
View File

@ -15,5 +15,14 @@ following Ansible variable:
security_sshd_banner_file: /etc/motd
The text of the banner file is configurable by editing
``files/login_banner.txt`` in the security role.
The message is customized with the following Ansible variable:
.. code-block:: yaml
security_login_banner_text: |
------------------------------------------------------------------------------
* WARNING *
* You are accessing a secured system and your actions will be logged along *
* with identifying information. Disconnect immediately if you are not an *
* authorized user of this system. *
------------------------------------------------------------------------------

6
releasenotes/notes/customizable-login-banner-string-d8d5ae874e8e49f3.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
Deployers can provide a customized login banner via a new Ansible variable:
``security_login_banner_text``. This banner text is used for non-graphical
logins, which includes console and ssh logins.

9
tasks/rhel7stig/misc.yml
View File

@ -406,12 +406,3 @@
- high
- misc
- V-72313
- name: V-71863 - Display a login banner for console prompts
copy:
src: login_banner.txt
dest: /etc/issue.net
tags:
- medium
- misc
- V-71863

2
tasks/rhel7stig/sshd.yml
View File

@ -30,7 +30,7 @@
- name: Copy login warning banner
copy:
src: login_banner.txt
content: "{{ security_login_banner_text }}"
dest: "{{ security_sshd_banner_file }}"
owner: root
group: root