Ensure Message Of The Day Is Configured Properly
An XCCDF Rule
Description
To configure the system message of the day banner edit the /etc/motd file.
Replace the default text with a message compliant with the local site policy.
The message should not contain information about operating system version,
release, kernel version or patch level.
The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text:
Rationale
Warning messages inform users who are attempting to login to the system of their legal
status regarding the system and must include the name of the organization that owns
the system and any monitoring policies that are in place. Displaying OS and patch level
information in login banners also has the side effect of providing detailed system
information to attackers attempting to target specific exploits of a system. Authorized
users can easily get this information by running the uname -a command once they
have logged in.
- ID
- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-86145-0
- banner_etc_motd_cis
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
cis_banner_text='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_cis_banner_text" use="legacy"/>'
echo "$cis_banner_text" > "/etc/motd"