Verify Group Ownership of System Login Banner for Remote Connections
Description
To properly set the group owner of /etc/issue.net, run the command:
$ sudo chgrp root /etc/issue.net
Rationale
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
if getent group "0" >/dev/null 2>&1; then
newgroup="0"
fi
if [[ -z ${newgroup} ]]; then
echo "0 is not a defined group on the system"
exit 1
fi
chgrp $newgroup /etc/issue.net
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Set the file_groupowner_etc_issue_net_newgroup variable if represented by
gid
set_fact:
file_groupowner_etc_issue_net_newgroup: '0'
tags:
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_groupowner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/issue.net
stat:
path: /etc/issue.net
register: file_exists
tags:
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_groupowner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/issue.net
file:
path: /etc/issue.net
group: '{{ file_groupowner_etc_issue_net_newgroup }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_groupowner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
