False-positive with banner_etc_issue Rule

[dmason-tesla]

Description of problem:

System login banner is defined correctly in /etc/issue,
but oscap still reports the rule as failed.

OpenSCAP Version:

Name        : openscap
Version     : 1.2.17
Release     : 2.el7
Architecture: x86_64
Install Date: Wed 05 Jun 2019 02:13:49 PM UTC
Group       : System Environment/Libraries
Size        : 64536323
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 23 Aug 2018 09:13:47 AM UTC, Key ID 199e2f91fd431d51
Source RPM  : openscap-1.2.17-2.el7.src.rpm
Build Date  : Thu 23 Aug 2018 08:46:27 AM UTC
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.

SCAP Security Guide Version:

Name        : scap-security-guide
Version     : 0.1.40
Release     : 13.el7_6
Architecture: noarch
Install Date: Wed 05 Jun 2019 02:13:51 PM UTC
Group       : System Environment/Base
Size        : 74773210
License     : BSD-3-Clause
Signature   : RSA/SHA256, Thu 11 Apr 2019 01:20:26 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : scap-security-guide-0.1.40-13.el7_6.src.rpm
Build Date  : Thu 11 Apr 2019 01:15:35 PM UTC
Build Host  : ppc-055.build.eng.bos.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.

Operating System Version:

Red Hat Enterprise Linux Server release 7.6 (Maipo)

Steps to Reproduce:

1. Add the DoD-approved banner language to /etc/issue

cat << EOF | sed 's/^[[:space:]]*//g' > /etc/issue
        You are accessing a U.S. Government (USG) Information System (IS) that is
        provided for USG-authorized use only. By using this IS (which includes any
        device attached to this IS), you consent to the following conditions:

        * The USG routinely intercepts and monitors communications on this IS for
        purposes including, but not limited to, penetration testing, COMSEC
        monitoring, network operations and defense, personnel misconduct (PM),
        law enforcement (LE), and counterintelligence (CI) investigations.

        * At any time, the USG may inspect and seize data stored on this IS.

        * Communications using, or data stored on, this IS are not private, are
        subject to routine monitoring, interception, and search, and may be
        disclosed or used for any USG authorized purpose.

        * This IS includes security measures (e.g., authentication and access
        controls) to protect USG interests--not for your personal benefit or privacy.

        * Notwithstanding the above, using this IS does not constitute consent to
        PM, LE or CI investigative searching or monitoring of the content of
        privileged communications, or work product, related to personal
        representation or services by attorneys, psychotherapists, or clergy, and
        their assistants. Such communications and work product are private and
        confidential. See User Agreement for details.
EOF

2. Run oscap

date=$(/bin/date +%Y-%m%d) ; profile='stig-rhel7-disa' ; oscap xccdf eval --fetch-remote-resources --oval-results --profile ${profile} --export-variables --report report.${profile}.${date}.html --results results.${profile}.${date}.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Actual Results:

Title   Modify the System Login Banner
Rule    banner_etc_issue
Ident   CCE-27303-7
Result  fail

Expected Results:

Title   Modify the System Login Banner
Rule    banner_etc_issue
Ident   CCE-27303-7
Result  pass

Addition Information/Debugging Steps:

[jan-cerny]

The difference could be asterisk instead of dash at the beginning of the paragraphs.

[dmason-tesla]

I've tested that prospect, and even with the banner using the exact language and format as the STIG, it still fails (see attached screenies). Ideally, the test for compliance should allow for minor deviations from the suggested banner (e.g., stylistic deviations), passing as long as the required text is there. It should be noted that when I test out the remediation script, I essentially get back the gibberish in the filepath section of the OVAL description, and nothing that resembles the expected DoD banner.

[shawndwells]

On 6/6/19 3:34 PM, D wrote: I've tested that prospect, and even with the banner using the /exact/ language and format as the STIG, it still fails (see attached screenies). Ideally, the test for compliance should allow for minor deviations from the suggested banner (e.g., stylistic deviations), passing as long as the required text is there. It should be noted that when I test out the remediation script, I essentially get back the gibberish in the filepath section of the OVAL description, and nothing that resembles the expected DoD banner.

Regarding stylistic deviations: Unfortunately we can't. The government banner has to be *exactly* what is detailed in https://dodcio.defense.gov/Portals/0/Documents/DoDBanner-9May2008-ocr.pdf, including the oddities like no spaces after the dash characters. DISA has an FAQ on this as well. Warning - loads a word document: https://iase.disa.mil/Documents/unclass-faq-dod_notice_and_consent_banner.docx

[shawndwells]

P.S. in @dmason-tesla 's screen shot the text is does not exactly match the required text. Looks like multiple line breaks were removed.

Technically DISA's FAQ (the word doc mentioned above) states removing line breaks "should not" have a material impact, but continues on stating that any changes (incl line breaks) require a DoD waiver. For that reason the regex, at least for the US Government banners, requires an exact match (line breaks and all).

[dmason-tesla]

@shawndwells Thanks for the added information on the banner. In light of the information you provided, we modified the banner to match the required text exactly (see attached screenie), and you guessed it, the test still fails.

[dmason-tesla]

@shawndwells Looks like you were spot-on. Realized a missing hyphen (-) in the 5th paragraph for "USG-authorized", fixed it and retested, and sure enough, it passed the test. It should be noted, however, that the guidance provided for the corresponding STIG is misguiding, since, as you've pointed out, it's missing all the correct/expected line breaks for the banner. That is to say, if someone STIG'ing a machine uses the provided guidance, it would result in non-compliance with the STIG.

[shawndwells]

Double checked the guidance in the content, and there was a typo (some dashes had spaces and should not have). Created #4389 to fix that.

[dmason-tesla]

@shawndwells Thanks for the quick work on this. It may be worth noting that the remediation shell script does not yield a compliant login banner, if, as you say, even line breaks and spaces render the banner non-compliant and would require a waiver. The current version, as provided in this issue, produces this exactly, which incorrectly still passes the test:

You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.

It seems, however, this is the only acceptable banner:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

As such, I'd like to propose the following remediation shell script to replace the current one:

cat << EOF > /etc/issue
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
EOF