Verify Group Ownership of System Login Banner for Remote Connections

Description

To properly set the group owner of /etc/issue.net, run the command:

$ sudo chgrp root /etc/issue.net

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Proper group ownership will ensure that only root user can modify the banner.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

if getent group "0" >/dev/null 2>&1; then
  newgroup="0"
fi
if [[ -z ${newgroup} ]]; then
  echo "0 is not a defined group on the system"
  exit 1
fi
chgrp $newgroup /etc/issue.net

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Set the file_groupowner_etc_issue_net_newgroup variable if represented by
    gid
  set_fact:
    file_groupowner_etc_issue_net_newgroup: '0'
  tags:
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.8
  - configure_strategy
  - file_groupowner_etc_issue_net
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /etc/issue.net
  stat:
    path: /etc/issue.net
  register: file_exists
  tags:
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.8
  - configure_strategy
  - file_groupowner_etc_issue_net
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /etc/issue.net
  file:
    path: /etc/issue.net
    group: '{{ file_groupowner_etc_issue_net_newgroup }}'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.8
  - configure_strategy
  - file_groupowner_etc_issue_net
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed