Verify ownership of System Login Banner for Remote Connections

Docs > Datadog Security > OOTB Rules > Verify ownership of System Login Banner for Remote Connections

Description

To properly set the owner of /etc/issue.net, run the command:

$ sudo chown root /etc/issue.net

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Proper ownership will ensure that only root user can modify the banner.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

if id "0" >/dev/null 2>&1; then
  newown="0"
fi
if [[ -z ${newown} ]]; then
  echo "0 is not a defined user on the system"
  exit 1
fi
chown $newown /etc/issue.net

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Set the file_owner_etc_issue_net_newown variable if represented by uid
  set_fact:
    file_owner_etc_issue_net_newown: '0'
  tags:
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.8
  - configure_strategy
  - file_owner_etc_issue_net
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /etc/issue.net
  stat:
    path: /etc/issue.net
  register: file_exists
  tags:
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.8
  - configure_strategy
  - file_owner_etc_issue_net
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner on /etc/issue.net
  file:
    path: /etc/issue.net
    owner: '{{ file_owner_etc_issue_net_newown }}'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - PCI-DSSv4-1.2
  - PCI-DSSv4-1.2.8
  - configure_strategy
  - file_owner_etc_issue_net
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed