Ensure Message Of The Day Is Configured Properly
Description
To configure the system message of the day banner, edit the /etc/motd file.
Replace the default text with a message compliant with the local site policy.
The message should not contain information about operating system version,
release, kernel version or patch level.
The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text:
Authorized users only. All activity may be monitored and reported.
Rationale
Warning messages inform users who are attempting to log in to the system of their legal
status regarding the system and must include the name of the organization that owns
the system and any monitoring policies that are in place. Displaying OS and patch level
information in login banners also has the side effect of providing detailed system
information to attackers attempting to target specific exploits of a system. Authorized
users can easily get this information by running the uname -a command once they
have logged in.
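The check below is an added example, not part of the SSG content for this rule: it audits a banner file for the kind of information the description says must not appear. The function names are illustrative, and the getty escape check assumes the same banner text is reused for /etc/issue.

```shell
#!/bin/sh
# Added example: audit a banner file for OS-identifying content.
# Function names are illustrative, not taken from the SSG project.

# banner_leaks FILE [TOKEN...]
# Prints offending lines and returns 0 if FILE contains a TOKEN as a whole
# word (case-insensitive) or a getty escape; 1 if clean; 2 if unreadable.
banner_leaks() {
    file=$1; shift
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    rc=1
    # \m \r \s \v expand to machine, kernel release, OS name and OS version
    # when a getty prints the file (assumption: text is shared with /etc/issue)
    if grep -n -E '\\[mrsv]' "$file"; then rc=0; fi
    for token in "$@"; do
        [ -n "$token" ] || continue
        # -w avoids false hits such as the OS ID "ol" inside "policy"
        if grep -n -i -w -F -e "$token" "$file"; then rc=0; fi
    done
    return "$rc"
}

# host_tokens: strings that identify this host's kernel and distribution.
host_tokens() {
    uname -r
    [ -r /etc/os-release ] && ( . /etc/os-release; printf '%s\n' "$ID" )
    return 0
}

# audit_motd [FILE]: check FILE (default /etc/motd) against host_tokens.
audit_motd() {
    set -- "${1:-/etc/motd}" $(host_tokens)
    banner_leaks "$@"
}
```

Run audit_motd after remediation; a return status of 1 means nothing identifying the host was found.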
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
    cis_banner_text='Authorized users only. All activity may be monitored and reported.'
    echo "$cis_banner_text" > "/etc/motd"
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-86145-0
    - banner_etc_motd_cis
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: XCCDF Value cis_banner_text # promote to variable
  set_fact:
    cis_banner_text: !!str Authorized users only. All activity may be monitored and reported.
  tags:
    - always

- name: Ensure Message Of The Day Is Configured Properly - Copy using inline content
  ansible.builtin.copy:
    content: '{{ cis_banner_text }}'
    dest: /etc/motd
  when: '"kernel" in ansible_facts.packages'
  tags:
    - CCE-86145-0
    - banner_etc_motd_cis
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy