We used to have to keep out banners under /etc/issue for the console, and /etc/issue.net for remote access. Would it be okay to make this rule deal with either one?
diff --git a/shared/oval/sshd_enable_warning_banner.xml b/shared/oval/sshd_enable_warning_banner.xml index 0bd8d32..ace8b75 100644 --- a/shared/oval/sshd_enable_warning_banner.xml +++ b/shared/oval/sshd_enable_warning_banner.xml @@ -25,7 +25,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_banner_set" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue(.net){0,1}[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>