Stig changes #214

33 changes: 23 additions & 10 deletions controls/SV-204393.rb
@@ -1,33 +1,46 @@
control 'SV-204393' do
title "The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent
Banner before granting local or remote access to the system via a graphical user logon."
desc "Display of a standardized and approved use notification before granting access to the operating system
title 'The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent
Banner before granting local or remote access to the system via a graphical user logon.'
desc 'Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive
Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users and are not required
when such human interfaces do not exist.
The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy. Use the following verbiage for operating
The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating
systems that can accommodate banners of 1300 characters:
\"#{input('banner_message_text_gui')}\" "
desc 'check',"Verify the operating system displays the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception,
and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for
your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or
monitoring of the content of privileged communications, or work product, related to personal representation or
services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are
private and confidential. See User Agreement for details."'
desc 'check', 'Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before
granting access to the operating system via a graphical user logon.
Note: If the system does not have GNOME installed, this requirement is Not Applicable.
Check to see if the operating system displays a banner at the logon screen with the following command:
# grep banner-message-enable /etc/dconf/db/local.d/*
banner-message-enable=true
If \"banner-message-enable\" is set to \"false\" or is missing, this is a finding."
desc 'fix', "Configure the operating system to display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner before
If "banner-message-enable" is set to "false" or is missing, this is a finding.'
desc 'fix', 'Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before
granting access to the system.
Note: If the system does not have GNOME installed, this requirement is Not Applicable.
Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the
following command:
# touch /etc/dconf/db/local.d/01-banner-message
Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":
Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
[org/gnome/login-screen]
banner-message-enable=true
Update the system databases:
# dconf update
Users must log out and back in again before the system-wide settings take effect."
Users must log out and back in again before the system-wide settings take effect.'
impact 0.5
tag legacy: ['V-71859', 'SV-86483']
tag severity: 'medium'
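Review bot: the rewritten title, desc, check and fix strings replace `#{input('org_name')[:acronym]}` and `#{input('banner_message_text_gui')}` with a hard-coded `DoD` and a literal banner, which removes the organisation and banner-text parameterisation from this control's metadata. If the describe block further down (not shown in the hunk) still compares against `input('banner_message_text_gui')`, the documented expected banner and the value actually tested will diverge for any profile run that overrides that input; either keep the interpolation in double-quoted strings (e.g. `title "The Red Hat Enterprise Linux operating system must display the Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent`) or state in the PR description why this control's text should be fixed to DoD. The switch from double to single quotes is otherwise sound: the inner `"banner-message-enable"` and `"/etc/dconf/db/local.d/01-banner-message"` no longer need escaping, and the embedded banner's double quotes parse inside a single-quoted literal.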
66 changes: 51 additions & 15 deletions controls/SV-204394.rb
@@ -1,35 +1,71 @@
control 'SV-204394' do
title "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and
Consent Banner before granting local or remote access to the system via a graphical user logon."
desc "Display of a standardized and approved use notification before granting access to the operating system
title 'The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and
Consent Banner before granting local or remote access to the system via a graphical user logon.'
desc 'Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive
Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users and are not required
when such human interfaces do not exist.
The banner must be formatted in accordance with applicable #{input('org_name')[:acronym]} policy.
\"#{input('banner_message_text_gui')}\" "
desc 'check', "Verify the operating system displays the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner
The banner must be formatted in accordance with applicable DoD policy.
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception,
and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for
your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or
monitoring of the content of privileged communications, or work product, related to personal representation or
services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are
private and confidential. See User Agreement for details."'
desc 'check', %q(Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner
before granting access to the operating system via a graphical user logon.
Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
Check that the operating system displays the exact approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner text
Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text
with the command:
# grep banner-message-text /etc/dconf/db/local.d/*
banner-message-text='#{input('banner_message_text_gui')}'
Note: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.
If the banner does not match the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent Banner, this is a finding."
desc 'fix', "Configure the operating system to display the approved Standard Mandatory #{input('org_name')[:acronym]} Notice and Consent
banner-message-text=
'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy
using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG
routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration
testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this
IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security
measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or
privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and
work product are private and confidential. See User Agreement for details. '
Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.)
desc 'fix', %q(Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent
Banner before granting access to the system.
Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the
following command:
# touch /etc/dconf/db/local.d/01-banner-message
Add the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":
Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='#{input('banner_message_text_gui')}'
Note: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.
banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for
USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the
following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including,
but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct
(PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and
seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to
routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS
includes security measures (e.g., authentication and access controls) to protect USG interests--not for your
personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI
investigative searching or monitoring of the content of privileged communications, or work product, related to
personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User Agreement for details. '
Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
Run the following command to update the database:
# dconf update"
# dconf update)
impact 0.5
tag legacy: ['V-71861', 'SV-86485']
tag severity: 'medium'
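Review bot: in the check text the expected output of `grep banner-message-text /etc/dconf/db/local.d/*` is now split as `banner-message-text=` on one line and `'You are accessing ...` on the next, whereas the removed line and the fix section both show `banner-message-text='...'` as a single key=value line; an assessor following the check literally would compare against output that grep never produces, so join the key and the quoted value on one line. The same hard-coding concern as in SV-204393 applies here: `DoD` and the banner literal replace `input('org_name')[:acronym]` and `input('banner_message_text_gui')` in title, desc, check and fix, so if the test body still reads the input, the documented and tested values can differ when the input is overridden. Two smaller points: the hard-coded banner ends with `details. '` (a space before the closing quote) in both check and fix, and since `banner-message-text` is matched as an exact string, confirm that trailing space is intentional and matches the input default; and this file switches to `%q(...)` for check and fix while SV-204393 uses plain single quotes, so pick one convention across the two controls.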