Enable SSH Warning Banner

Classification:

compliance

Framework:

Control:

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in

/etc/ssh/sshd_config:

Banner /etc/issue.net

Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd\_config" ] ; then
 
 LC\_ALL=C sed -i "/^\s\*Banner\s\+/Id" "/etc/ssh/sshd\_config"
else
 touch "/etc/ssh/sshd\_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd\_config"

cp "/etc/ssh/sshd\_config" "/etc/ssh/sshd\_config.bak"
# Insert before the line matching the regex '^Match'.
line\_number="$(LC\_ALL=C grep -n "^Match" "/etc/ssh/sshd\_config.bak" | LC\_ALL=C sed 's/:.\*//g')"
if [ -z "$line\_number" ]; then
 # There was no match of '^Match', insert at
 # the end of the file.
 printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd\_config"
else
 head -n "$(( line\_number - 1 ))" "/etc/ssh/sshd\_config.bak" > "/etc/ssh/sshd\_config"
 printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd\_config"
 tail -n "+$(( line\_number ))" "/etc/ssh/sshd\_config.bak" >> "/etc/ssh/sshd\_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd\_config.bak"

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Enable SSH Warning Banner
 block:

 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: false
 regexp: (?i)^\s\*Banner\s+
 state: absent
 check\_mode: true
 changed\_when: false
 register: dupes

 - name: Deduplicate values from /etc/ssh/sshd\_config
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: false
 regexp: (?i)^\s\*Banner\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1

 - name: Insert correct line to /etc/ssh/sshd\_config
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: true
 regexp: (?i)^\s\*Banner\s+
 line: Banner /etc/issue.net
 state: present
 insertbefore: ^[#\s]\*Match
 validate: /usr/sbin/sshd -t -f %s
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CJIS-5.5.6
 - DISA-STIG-UBTU-20-010038
 - NIST-800-171-3.1.9
 - NIST-800-53-AC-17(a)
 - NIST-800-53-AC-8(a)
 - NIST-800-53-AC-8(c)
 - NIST-800-53-CM-6(a)
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy
 - sshd\_enable\_warning\_banner\_net