We used to have to keep our banners under /etc/issue for the console, and /etc/issue.net for remote access. Would it be okay to make this rule deal with either one?
diff --git a/shared/oval/sshd_enable_warning_banner.xml b/shared/oval/sshd_enable_warning_banner.xml index 0bd8d32..ace8b75 100644 --- a/shared/oval/sshd_enable_warning_banner.xml +++ b/shared/oval/sshd_enable_warning_banner.xml @@ -25,7 +25,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_banner_set" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue(.net){0,1}[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>
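Review bot: the `.` in `/etc/issue(.net){0,1}` on the `+` pattern line is unescaped, so the object also matches a Banner directive pointing at `/etc/issue-net` or `/etc/issueXnet`, not only the literal `.net` suffix; write `/etc/issue(\.net)?` instead. Accepting `/etc/issue.net` here also decouples this object from the banner content check, which, as the thread notes, verifies the text of `/etc/issue` only, so sshd could pass this rule while pointing at a file nobody checks; the patch needs either a companion content check for `/etc/issue.net` or conditional logic that checks whichever file sshd_config names, and the rule description and OCIL text should say both paths are accepted.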
Hi,
Did you get any response on this one? Only allowing /etc/issue is not workable when using both console and ssh logins. The console login is accepting escape cookies; the ssh version does not.
On 08/01/2014 10:38 PM, Jeremiah Jahn wrote:
Nope, I don't think I ever did. I'm assuming the principals are so overwhelmed, given the current amount of activity, that the thing to do would be to submit your own patch that splits these things up into two pieces. I got sucked into a different project right now, otherwise, that's what I'd probably do. Now that everything is on GitHub, it's a lot easier.
On Wed, Jan 21, 2015 at 2:09 AM, Gerwin Krist | LinQhost Internet Services gerwin@linqhost.nl wrote:
Just read this thread.
I may be missing something here, but why are you using issue.net for SSH banners?
On Wed, Jan 21, 2015 at 7:36 AM, Jeremiah Jahn < jeremiah@goodinassociates.com> wrote:
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
This may not be the best long term approach, but I've always symlinked /etc/motd and /etc/issue.net against /etc/issue to solve this annoying problem...
Cheers -chris
On Jan 21, 2015 7:03 AM, "Gabe Alford" redhatrises@gmail.com wrote:
Because we would like to have 2 different issue files (different content): tty and ssh. But I guess I have to make a patch then for internal use :-)
- Gerwin
On 01/21/2015 04:02 PM, Gabe Alford wrote:
Same boat here. Plus CIS treats issue and issue.net distinctly. It refers to /etc/issue, /etc/issue.net and /etc/motd in its audit instructions.
https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_... Section 8.1 for example.
On Wed, Jan 21, 2015 at 9:16 AM, Gerwin Krist | LinQhost Internet Services gerwin@linqhost.nl wrote:
Thanks. So we should add a check to banner_etc_issue.xml for issue.net and either a separate check for motd or add to banner_etc_issue.xml.
On Wed, Jan 21, 2015 at 9:16 AM, Jeremiah Jahn < jeremiah@goodinassociates.com> wrote:
On 1/21/15 10:16 AM, Gerwin Krist | LinQhost Internet Services wrote:
/etc/issue.net is the banner file used by telnet (ref: http://linux.die.net/man/5/issue.net). Since telnet is antiquated (arguably banned by some agencies), there really isn't a reason to check its contents. Nothing should be using it.
/etc/issue is used to display banners prior to display of the login prompt (ref: http://linux.die.net/man/5/issue). Within SSG, we have rules (such as sshd_enable_warning_banner) that tell services to use /etc/issue. The XCCDF rule banner_etc_issue then makes sure appropriate banner text is set.
With all that said, SSG has purposefully been set up to support multiple configurations against a particular requirement. To support /etc/issue.net properly:
- A new OVAL for banner_etc_issue_net would need to be created;
- The various XCCDF service rules (such as sshd_enable_warning_banner) must be updated (description and OCIL tags);
- The various OVAL service rules will need conditional logic ("if sshd configured for /etc/issue, check /etc/issue; elif sshd configured for /etc/issue.net, check /etc/issue.net");
- Create associated remediation scripts.
IMHO patches would be welcome to extend support to those who are still using /etc/issue.net. However this wouldn't be a blocker or considered imperative given that deployments should have moved off /etc/issue.net by now.
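The conditional-logic step above (check whichever banner file sshd is actually configured for, rather than hard-coding /etc/issue), as an added Python example that is not scap-security-guide code and not OVAL. It translates the thread's OVAL pattern to Python's re syntax (PCRE's `(?i)Banner(?-i)` becomes the scoped group `(?i:Banner)`, the file name is captured, and the `.` in `.net` is escaped), then checks the content of the selected file. It goes one step beyond the if/elif wording by also reporting the case where sshd names a file that does not exist. The function names, the required phrase and the sample sshd_config and banner files are all constructed for the example.

```python
import re

# Added example (not scap-security-guide code): an audit function that does
# what the thread describes in words, "if sshd is configured for /etc/issue,
# check /etc/issue; elif for /etc/issue.net, check /etc/issue.net".

# The OVAL pattern from the thread, translated to Python's re syntax:
# PCRE "(?i)Banner(?-i)" becomes the scoped group "(?i:Banner)", the file name
# is captured, and the "." in ".net" is escaped so only the literal suffix
# matches (an unescaped "." would also accept e.g. /etc/issue-net).
BANNER_DIRECTIVE = re.compile(
    r"^\s*(?i:Banner)\s+(?P<path>/etc/issue(?:\.net)?)\s*(?:#.*)?$"
)

# Placeholder phrase the banner must contain; a real profile would carry the
# wording its policy mandates.
REQUIRED_PHRASE = "authorized users only"


def configured_banner_file(sshd_config_text):
    """Return the banner file sshd_config points at, or None.

    sshd honours the first occurrence of a keyword, which is also why the
    OVAL object in the thread tests instance 1; later Banner lines are ignored.
    """
    for line in sshd_config_text.splitlines():
        match = BANNER_DIRECTIVE.match(line)
        if match:
            return match.group("path")
    return None


def check_banner(sshd_config_text, files):
    """Check the banner file that sshd actually uses.

    `files` maps a path to its content and stands in for reading /etc, so the
    example runs offline. Returns (path, verdict) with verdict one of
    "pass", "fail" (no usable directive, or wrong text) or "missing" (sshd
    names a file that does not exist, a case the if/elif wording leaves out).
    """
    path = configured_banner_file(sshd_config_text)
    if path is None:
        return None, "fail"
    content = files.get(path)
    if content is None:
        return path, "missing"
    if REQUIRED_PHRASE in content:
        return path, "pass"
    return path, "fail"


# Constructed sample input: an sshd_config fragment that uses the .net file
# for remote logins, plus two banner files with different wording.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
banner /etc/issue.net   # remote-login banner
Banner /etc/issue
"""

SAMPLE_FILES = {
    "/etc/issue": "Console banner: authorized users only.\n",
    "/etc/issue.net": "Remote banner: authorized users only.\n",
}

if __name__ == "__main__":
    print(check_banner(SAMPLE_CONFIG, SAMPLE_FILES))
```

Run as a script it reports which file was checked and the verdict for the constructed input; in a real check the `files` mapping would be replaced by reading the named path, and the "missing" verdict is the case to watch for, since a Banner directive pointing at an absent file silently disables the banner.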
Obviously issue.net was originally created for telnet, but seems to have been sucked into sshd as well. Which makes sense. Showing differing instructions for remote login vs. local logins should probably always be possible, point being, I think we will always have issue.net, even without telnet, especially if CIS keeps referring to it and suggesting it as its preferred remediation for 6.2.14. I agree that it's probably not a show stopper or imperative.
On Wed, Jan 21, 2015 at 11:31 AM, Shawn Wells shawn@redhat.com wrote: