ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

False-positive with banner_etc_issue Rule #4387

Closed dmason-tesla closed 4 years ago

dmason-tesla commented 5 years ago

Description of problem:

System login banner is defined correctly in /etc/issue,
but oscap still reports the rule as failed.

OpenSCAP Version:

Name        : openscap
Version     : 1.2.17
Release     : 2.el7
Architecture: x86_64
Install Date: Wed 05 Jun 2019 02:13:49 PM UTC
Group       : System Environment/Libraries
Size        : 64536323
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 23 Aug 2018 09:13:47 AM UTC, Key ID 199e2f91fd431d51
Source RPM  : openscap-1.2.17-2.el7.src.rpm
Build Date  : Thu 23 Aug 2018 08:46:27 AM UTC
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.

SCAP Security Guide Version:

Name        : scap-security-guide
Version     : 0.1.40
Release     : 13.el7_6
Architecture: noarch
Install Date: Wed 05 Jun 2019 02:13:51 PM UTC
Group       : System Environment/Base
Size        : 74773210
License     : BSD-3-Clause
Signature   : RSA/SHA256, Thu 11 Apr 2019 01:20:26 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : scap-security-guide-0.1.40-13.el7_6.src.rpm
Build Date  : Thu 11 Apr 2019 01:15:35 PM UTC
Build Host  : ppc-055.build.eng.bos.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.

Operating System Version:

Red Hat Enterprise Linux Server release 7.6 (Maipo)

Steps to Reproduce:

  1. Add the DoD-approved banner language to /etc/issue

    cat << EOF | sed 's/^[[:space:]]*//g' > /etc/issue
        You are accessing a U.S. Government (USG) Information System (IS) that is
        provided for USG-authorized use only. By using this IS (which includes any
        device attached to this IS), you consent to the following conditions:
    
        * The USG routinely intercepts and monitors communications on this IS for
        purposes including, but not limited to, penetration testing, COMSEC
        monitoring, network operations and defense, personnel misconduct (PM),
        law enforcement (LE), and counterintelligence (CI) investigations.
    
        * At any time, the USG may inspect and seize data stored on this IS.
    
        * Communications using, or data stored on, this IS are not private, are
        subject to routine monitoring, interception, and search, and may be
        disclosed or used for any USG authorized purpose.
    
        * This IS includes security measures (e.g., authentication and access
        controls) to protect USG interests--not for your personal benefit or privacy.
    
        * Notwithstanding the above, using this IS does not constitute consent to
        PM, LE or CI investigative searching or monitoring of the content of
        privileged communications, or work product, related to personal
        representation or services by attorneys, psychotherapists, or clergy, and
        their assistants. Such communications and work product are private and
        confidential. See User Agreement for details.
    EOF
  2. Run oscap
    date=$(/bin/date +%Y-%m%d) ; profile='stig-rhel7-disa' ; oscap xccdf eval --fetch-remote-resources --oval-results --profile ${profile} --export-variables --report report.${profile}.${date}.html --results results.${profile}.${date}.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Actual Results:

Title   Modify the System Login Banner
Rule    banner_etc_issue
Ident   CCE-27303-7
Result  fail

Expected Results:

Title   Modify the System Login Banner
Rule    banner_etc_issue
Ident   CCE-27303-7
Result  pass

Additional Information/Debugging Steps:

[Screenshots attached: Screen Shot 2019-06-05 at 1 09 38 PM, Screen Shot 2019-06-05 at 1 01 22 PM]

jan-cerny commented 5 years ago

The difference could be asterisk instead of dash at the beginning of the paragraphs.

dmason-tesla commented 5 years ago

I've tested that prospect, and even with the banner using the exact language and format as the STIG, it still fails (see attached screenies). Ideally, the test for compliance should allow for minor deviations from the suggested banner (e.g., stylistic deviations), passing as long as the required text is there. It should be noted that when I test out the remediation script, I essentially get back the gibberish in the filepath section of the OVAL description, and nothing that resembles the expected DoD banner.

[Screenshots attached: Screen Shot 2019-06-06 at 3 21 42 PM, Screen Shot 2019-06-06 at 3 31 05 PM]

shawndwells commented 5 years ago

On 6/6/19 3:34 PM, D wrote:

I've tested that prospect, and even with the banner using the /exact/ language and format as the STIG, it still fails (see attached screenies). Ideally, the test for compliance should allow for minor deviations from the suggested banner (e.g., stylistic deviations), passing as long as the required text is there. It should be noted that when I test out the remediation script, I essentially get back the gibberish in the filepath section of the OVAL description, and nothing that resembles the expected DoD banner.

Regarding stylistic deviations: Unfortunately we can't. The government banner has to be exactly what is detailed in https://dodcio.defense.gov/Portals/0/Documents/DoDBanner-9May2008-ocr.pdf, including the oddities like no spaces after the dash characters.

DISA has an FAQ on this as well. Warning - loads a word document:

https://iase.disa.mil/Documents/unclass-faq-dod_notice_and_consent_banner.docx

shawndwells commented 5 years ago

P.S. in @dmason-tesla's screen shot the text does not exactly match the required text. Looks like multiple line breaks were removed.

Technically DISA's FAQ (the word doc mentioned above) states removing line breaks "should not" have a material impact, but continues on stating that any changes (incl line breaks) require a DoD waiver. For that reason the regex, at least for the US Government banners, requires an exact match (line breaks and all).

dmason-tesla commented 5 years ago

@shawndwells Thanks for the added information on the banner. In light of the information you provided, we modified the banner to match the required text exactly (see attached screenie), and you guessed it, the test still fails.

[Screenshot attached: Screen Shot 2019-06-06 at 6 42 21 PM]

dmason-tesla commented 5 years ago

@shawndwells Looks like you were spot-on. Realized a missing hyphen (-) in the 5th paragraph for "USG-authorized", fixed it and retested, and sure enough, it passed the test. It should be noted, however, that the guidance provided for the corresponding STIG is misguiding, since, as you've pointed out, it's missing all the correct/expected line breaks for the banner. That is to say, if someone STIG'ing a machine uses the provided guidance, it would result in non-compliance with the STIG.

shawndwells commented 5 years ago

Double checked the guidance in the content, and there was a typo (some dashes had spaces and should not have). Created https://github.com/ComplianceAsCode/content/pull/4389 to fix that.

dmason-tesla commented 5 years ago

@shawndwells Thanks for the quick work on this. It may be worth noting that the remediation shell script does not yield a compliant login banner, if, as you say, even line breaks and spaces render the banner non-compliant and would require a waiver. The current version, as provided in this issue, produces this exactly, which incorrectly still passes the test:

You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.

It seems, however, this is the only acceptable banner:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

As such, I'd like to propose the following remediation shell script to replace the current one:

cat << EOF > /etc/issue
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
EOF