On 1/21/15 10:16 AM, Gerwin Krist | LinQhost Internet Services wrote:
Because we would like to have 2 different issue files (different content): tty and ssh.
But I guess I have to make a patch then for internal use :-)

/etc/issue.net is the banner file used by telnet (ref: http://linux.die.net/man/5/issue.net). Since telnet is antiquated (arguably banned by some agencies), there really isn't a reason to check its contents. Nothing should be using it.

/etc/issue is used to display banners prior to display of the login prompt (ref: http://linux.die.net/man/5/issue). Within SSG, we have rules (such as sshd_enable_warning_banner) that tell services to use /etc/issue. The XCCDF rule banner_etc_issue then makes sure appropriate banner text is set.

With all that said, SSG has purposefully been set up to support multiple configurations against a particular requirement. To support /etc/issue.net properly:
- A new OVAL for banner_etc_issue_net would need to be created;
- The various XCCDF service rules (such as sshd_enable_warning_banner) must be updated (description and OCIL tags);
- The various OVAL service rules will need conditional logic ("if sshd configured for /etc/issue, check /etc/issue; elif sshd configured for /etc/issue.net, check /etc/issue.net");
- Create associated remediation scripts;

IMHO patches would be welcome to extend support to those who are still using /etc/issue.net. However this wouldn't be a blocker or considered imperative given that deployments should have moved off /etc/issue.net by now.
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
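The conditional check described in the list above ("if sshd is configured for /etc/issue, check /etc/issue; elif for /etc/issue.net, check /etc/issue.net"), written out as an added example. This is not code from the thread or from SSG's OVAL or remediation content: it is a POSIX shell script that resolves which file the sshd Banner directive points at, verifies that file carries the required text, and includes a minimal remediation that sets the directive. The function names, the expected banner wording and the sample files it writes to a temp directory are all assumptions of the example; the sample files are constructed, not real system files.

```shell
#!/bin/sh
# Added example, not SSG project code: the "which banner file does sshd use"
# check sketched in the thread, plus a minimal remediation. All paths are
# arguments so the functions can run against constructed files in a temp dir.

# sshd_banner_file CONFIG
# Print the path from the first global "Banner" directive in CONFIG.
# sshd keeps the first value it sees for a keyword, and every line after a
# "Match" line belongs to that block, so scanning stops at the first Match.
# Prints nothing when no banner is configured or it is set to "none".
sshd_banner_file() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "banner" && !seen {
            seen = 1
            if (tolower($2) != "none") print $2
        }
    ' "$1"
}

# banner_has_text FILE EXPECTED
# Succeed if FILE contains EXPECTED once runs of whitespace are collapsed,
# so a re-wrapped banner is not flagged as wrong.
banner_has_text() {
    _norm_file=$(tr -s '[:space:]' ' ' < "$1")
    _norm_want=$(printf '%s' "$2" | tr -s '[:space:]' ' ')
    case "$_norm_file" in
        *"$_norm_want"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# sshd_banner_status CONFIG EXPECTED
# Print one of: pass, no_banner, missing_file:<path>, wrong_text:<path>
# and return 0 only for pass. This is the "if sshd points at X, check X"
# branch logic the thread asks for, without hard-coding /etc/issue.
sshd_banner_status() {
    _file=$(sshd_banner_file "$1")
    if [ -z "$_file" ]; then
        echo no_banner
        return 1
    fi
    if [ ! -r "$_file" ]; then
        echo "missing_file:$_file"
        return 1
    fi
    if banner_has_text "$_file" "$2"; then
        echo pass
        return 0
    fi
    echo "wrong_text:$_file"
    return 1
}

# sshd_set_banner CONFIG PATH
# Remediation: rewrite the first global Banner directive to PATH; if there is
# none, insert one before the first Match block or append it at the end.
sshd_set_banner() {
    awk -v path="$2" '
        tolower($1) == "match"  && !done { print "Banner " path; done = 1 }
        tolower($1) == "banner" && !done { $0 = "Banner " path; done = 1 }
        { print }
        END { if (!done) print "Banner " path }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# demo_setup DIR
# Write constructed sample files (not real system files) under DIR: two
# banner files and four sshd_config variants covering each status.
demo_setup() {
    mkdir -p "$1"
    printf 'You are accessing a monitored system.\nAll activity may be recorded.\n' > "$1/issue"
    printf 'Welcome to host\n' > "$1/issue.net"
    printf 'Port 22\nBanner %s/issue\nMatch User admin\n    Banner %s/issue.net\n' "$1" "$1" > "$1/sshd_config.issue"
    printf 'Banner %s/issue.net\n' "$1" > "$1/sshd_config.issuenet"
    printf 'Banner none\n' > "$1/sshd_config.none"
    printf 'Banner %s/no-such-file\n' "$1" > "$1/sshd_config.missing"
}

# Expected wording is a placeholder for whatever policy text the site requires.
EXPECTED='You are accessing a monitored system. All activity may be recorded.'

DEMO=$(mktemp -d)
demo_setup "$DEMO"
for cfg in sshd_config.issue sshd_config.issuenet sshd_config.none sshd_config.missing; do
    printf '%-22s %s\n' "$cfg" "$(sshd_banner_status "$DEMO/$cfg" "$EXPECTED")"
done
sshd_set_banner "$DEMO/sshd_config.none" "$DEMO/issue"
printf '%-22s %s\n' "after remediation" "$(sshd_banner_status "$DEMO/sshd_config.none" "$EXPECTED")"
rm -rf "$DEMO"
```

Two caveats a real check would add: a Banner directive inside a Match block only applies to matched connections and is deliberately ignored here, and a banner file that exists but is writable by unprivileged users should fail the check even when its text is correct; neither is covered above.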
