Create CIS rules for login banners

RHEL 8 CIS Benchmark v3.0.0 and RHEL 9 CIS Benchmark v2.0.0 in sections 1.7.1, 1.7.2 and 1.7.3 require to configure login banners. Currently, these requirements are covered in our content by rules `banner_etc_motd`, `banner_etc_issue` and `banner_etc_issue_net`. However, these rules don't exactly align with the CIS requirements. The rules require an exact banner text that can only differ in white space but must be the same. But, the CIS requirements allow custom banner texts with local policy. Moreover, they require not displaying versions and kernels in the banner text, which isn't checked in our rules. Although applying our rules makes the system compliant, many configurations that comply with CIS will not pass the scan. We will replace these rules with new rules that are better aligned with CIS and will pass with custom banners. The new rules are very similar and therefore a new template `cis_banner` has been created to share code among them. Resolves: https://issues.redhat.com/browse/RHEL-59133
ComplianceAsCode · Oct 4, 2024 · b3ac6c3 · b3ac6c3
1 parent 3568eae
commit b3ac6c3
Show file tree

Hide file tree

Showing 31 changed files with 320 additions and 67 deletions.
diff --git a/components/pam.yml b/components/pam.yml
@@ -107,8 +107,11 @@ rules:
 - authconfig_config_files_symlinks
 - banner_etc_gdm_banner
 - banner_etc_issue
+- banner_etc_issue_cis
 - banner_etc_issue_net
+- banner_etc_issue_net_cis
 - banner_etc_motd
+- banner_etc_motd_cis
 - configure_bashrc_exec_tmux
 - configure_bashrc_tmux
 - configure_opensc_card_drivers

diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -620,8 +620,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_motd
-      - motd_banner_text=cis_banners
+      - banner_etc_motd_cis
+      - cis_banner_text=cis
 
   - id: 1.7.2
     title: Ensure local login warning banner is configured properly (Automated)
@@ -630,8 +630,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_issue
-      - login_banner_text=cis_banners
+      - banner_etc_issue_cis
+      - cis_banner_text=cis
 
   - id: 1.7.3
     title: Ensure remote login warning banner is configured properly (Automated)
@@ -640,8 +640,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_issue_net
-      - remote_login_banner_text=cis_banners
+      - banner_etc_issue_net_cis
+      - cis_banner_text=cis
 
   - id: 1.7.4
     title: Ensure access to /etc/motd is configured (Automated)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -579,8 +579,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_motd
-      - motd_banner_text=cis_banners
+      - banner_etc_motd_cis
+      - cis_banner_text=cis
 
   - id: 1.7.2
     title: Ensure local login warning banner is configured properly (Automated)
@@ -589,8 +589,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_issue
-      - login_banner_text=cis_banners
+      - banner_etc_issue_cis
+      - cis_banner_text=cis
 
   - id: 1.7.3
     title: Ensure remote login warning banner is configured properly (Automated)
@@ -599,8 +599,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_issue_net
-      - remote_login_banner_text=cis_banners
+      - banner_etc_issue_net_cis
+      - cis_banner_text=cis
 
   - id: 1.7.4
     title: Ensure access to /etc/motd is configured (Automated)

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -617,8 +617,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_motd
-      - motd_banner_text=cis_banners
+      - banner_etc_motd_cis
+      - cis_banner_text=cis
 
   - id: 1.7.2
     title: Ensure local login warning banner is configured properly (Automated)
@@ -627,8 +627,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_issue
-      - login_banner_text=cis_banners
+      - banner_etc_issue_cis
+      - cis_banner_text=cis
 
   - id: 1.7.3
     title: Ensure remote login warning banner is configured properly (Automated)
@@ -637,8 +637,8 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - banner_etc_issue_net
-      - remote_login_banner_text=cis_banners
+      - banner_etc_issue_net_cis
+      - cis_banner_text=cis
 
   - id: 1.7.4
     title: Ensure access to /etc/motd is configured (Automated)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -205,6 +205,20 @@
 
 -   Languages: OVAL
 
+#### cis_banner
+-   Verify that the contents of a login banner in the given `filepath` complies
+    with CIS requirements.
+
+-   Parameters:
+
+    -   **filepath** - Path to the login banner file, eg. `/etc/motd`.
+
+    -   **banner_must_be_set** - If set to `"true"`, the rule will fail if no
+        banner is configured in that file. Otherwise, the rule will pass if
+        the banner isn't configured.
+
+- Languages: Ansible, Bash, OVAL
+
 #### coreos_kernel_option
 -   Checks that `argument=value` pair is present in the kernel arguments.
     Note that this applies to Red Hat CoreOS.

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_cis/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_cis/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+title: Ensure Local Login Warning Banner Is Configured Properly
+
+description: |-
+    To configure the system local login warning banner edit the <tt>/etc/issue</tt> file.
+    The contents of this file is displayed to users prior to login to local terminals.
+    Replace the default text with a message compliant with the local site policy.
+    The message should not contain information about operating system version,
+    release, kernel version or patch level.
+
+    The recommended banner text can be tailored in the XCCDF Value <tt>xccdf_org.ssgproject.content_value_cis_banner_text</tt>:
+    <pre>
+    {{{ xccdf_value("cis_banner_text") }}}
+    </pre>
+
+rationale: |-
+    Warning messages inform users who are attempting to login to the system of their legal
+    status regarding the system and must include the name of the organization that owns
+    the system and any monitoring policies that are in place. Displaying OS and patch level
+    information in login banners also has the side effect of providing detailed system
+    information to attackers attempting to target specific exploits of a system. Authorized
+    users can easily get this information by running the <tt>uname -a</tt> command once they
+    have logged in.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86160-9
+    cce@rhel9: CCE-86142-7
+    cce@rhel10: CCE-86165-8
+
+{{{ ocil_cis_banner("/etc/issue") }}}
+
+platform: machine
+
+template:
+    name: cis_banner
+    vars:
+        filepath: /etc/issue
+        banner_must_be_set: "true"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net_cis/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net_cis/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+title: Ensure Remote Login Warning Banner Is Configured Properly
+
+description: |-
+    To configure the system remote login warning banner edit the <tt>/etc/issue.net</tt> file.
+    The contents of this file is displayed to users prior to login from remote connections.
+    Replace the default text with a message compliant with the local site policy.
+    The message should not contain information about operating system version,
+    release, kernel version or patch level.
+
+    The recommended banner text can be tailored in the XCCDF Value <tt>xccdf_org.ssgproject.content_value_cis_banner_text</tt>:
+    <pre>
+    {{{ xccdf_value("cis_banner_text") }}}
+    </pre>
+
+rationale: |-
+    Warning messages inform users who are attempting to login to the system of their legal
+    status regarding the system and must include the name of the organization that owns
+    the system and any monitoring policies that are in place. Displaying OS and patch level
+    information in login banners also has the side effect of providing detailed system
+    information to attackers attempting to target specific exploits of a system. Authorized
+    users can easily get this information by running the <tt>uname -a</tt> command once they
+    have logged in.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86167-4
+    cce@rhel9: CCE-86143-5
+    cce@rhel10: CCE-86169-0
+
+{{{ ocil_cis_banner("/etc/issue.net") }}}
+
+platform: machine
+
+template:
+    name: cis_banner
+    vars:
+        filepath: /etc/issue.net
+        banner_must_be_set: "true"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd_cis/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd_cis/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: Ensure Message Of The Day Is Configured Properly
+
+description: |-
+    To configure the system message of the day banner edit the <tt>/etc/motd</tt> file.
+    Replace the default text with a message compliant with the local site policy.
+    The message should not contain information about operating system version,
+    release, kernel version or patch level.
+
+    The recommended banner text can be tailored in the XCCDF Value <tt>xccdf_org.ssgproject.content_value_cis_banner_text</tt>:
+    <pre>
+    {{{ xccdf_value("cis_banner_text") }}}
+    </pre>
+
+rationale: |-
+    Warning messages inform users who are attempting to login to the system of their legal
+    status regarding the system and must include the name of the organization that owns
+    the system and any monitoring policies that are in place. Displaying OS and patch level
+    information in login banners also has the side effect of providing detailed system
+    information to attackers attempting to target specific exploits of a system. Authorized
+    users can easily get this information by running the <tt>uname -a</tt> command once they
+    have logged in.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86145-0
+    cce@rhel9: CCE-86141-9
+    cce@rhel10: CCE-86150-0
+
+{{{ ocil_cis_banner("/etc/motd") }}}
+
+platform: machine
+
+template:
+    name: cis_banner
+    vars:
+        filepath: /etc/motd
+        banner_must_be_set: "false"
diff --git a/linux_os/guide/system/accounts/accounts-banners/cis_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/cis_banner_text.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'CIS Login Banner Verbiage'
+
+description: |-
+    Enter an appropriate login banner for your organization according to the local policy.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: "Authorized users only. All activity may be monitored and reported."
+    cis: "Authorized users only. All activity may be monitored and reported."
diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja
@@ -1282,3 +1282,19 @@ oc describe rolebinding.rbac
 If these results show users with privileged access that do not require that access, this is a finding.
 {{%- endmacro %}}
 
+{{#
+OCIL macro to check CIS requirements on command line warning banners.
+The macro provides both check and clause.
+
+:param filepath: filepath to be checked
+:type filepath: str
+#}}
+
+{{%- macro ocil_cis_banner(filepath) -%}}
+ocil_clause: any results are returned
+
+ocil: |-
+    Run the following command and verify no results are returned:
+
+    $ grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" {{{ filepath }}}
+{{%- endmacro %}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,12 +1,3 @@
-CCE-86141-9
-CCE-86142-7
-CCE-86143-5
-CCE-86145-0
-CCE-86150-0
-CCE-86160-9
-CCE-86165-8
-CCE-86167-4
-CCE-86169-0
 CCE-86170-8
 CCE-86178-1
 CCE-86179-9

diff --git a/shared/templates/cis_banner/ansible.template b/shared/templates/cis_banner/ansible.template
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("cis_banner_text") }}}
+
+- name: {{{ rule_title }}} - Copy using inline content
+  ansible.builtin.copy:
+    content: "{{ cis_banner_text }}"
+    dest: {{{ FILEPATH }}}
diff --git a/shared/templates/cis_banner/bash.template b/shared/templates/cis_banner/bash.template
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ bash_instantiate_variables("cis_banner_text") }}}
+echo "$cis_banner_text" > "{{{ FILEPATH }}}"
diff --git a/shared/templates/cis_banner/oval.template b/shared/templates/cis_banner/oval.template
@@ -0,0 +1,37 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check that " + FILEPATH + " does not contain OS and version information") }}}
+    <criteria operator="AND" comment="check">
+      {{% if BANNER_MUST_BE_SET == "true" %}}
+      <criterion comment="Check {{{ FILEPATH }}} contains a banner" test_ref="test_{{{ rule_id }}}_file_nonempty" />
+      {{% endif %}}
+      <criterion comment="Check {{{ FILEPATH }}} does not contain OS and version information" test_ref="test_{{{ rule_id }}}" />
+    </criteria>
+  </definition>
+
+{{% if BANNER_MUST_BE_SET == "true" %}}
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+  comment="Check that the given object does not exist"
+  id="test_{{{ rule_id }}}_file_nonempty" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}_file_nonempty" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_file_nonempty" version="1">
+    <ind:filepath>{{{ FILEPATH }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^.+$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="Check that the given object does not exist"
+  id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ FILEPATH }}}</ind:filepath>
+    <ind:pattern operation="pattern match">(\\v|\\r|\\m|\\s|{{{ product }}})</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/shared/templates/cis_banner/template.py b/shared/templates/cis_banner/template.py
@@ -0,0 +1,3 @@
+
+def preprocess(data, lang):
+    return data
diff --git a/shared/templates/cis_banner/template.yml b/shared/templates/cis_banner/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval
diff --git a/shared/templates/cis_banner/tests/cis_banner.pass.sh b/shared/templates/cis_banner/tests/cis_banner.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Authorized users only. All activity may be monitored and reported." > {{{ FILEPATH }}}
diff --git a/shared/templates/cis_banner/tests/custom_banner.pass.sh b/shared/templates/cis_banner/tests/custom_banner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+cat > "{{{ FILEPATH }}}" <<ENDOFILE
+Important message: You are watched!
+All your actions are recorded and reported to your boss immediately.
+ENDOFILE
diff --git a/shared/templates/cis_banner/tests/dne.fail.sh b/shared/templates/cis_banner/tests/dne.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+{{% if BANNER_MUST_BE_SET != "true" %}}
+# platform = Not Applicable
+{{% else %}}
+rm -rf "{{{ FILEPATH }}}"
+{{% endif %}}
diff --git a/shared/templates/cis_banner/tests/dne.pass.sh b/shared/templates/cis_banner/tests/dne.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+{{% if BANNER_MUST_BE_SET == "true" %}}
+# platform = Not Applicable
+{{% else %}}
+rm -rf "{{{ FILEPATH }}}"
+{{% endif %}}