Skip to content

Enable SSH Warning Banner

An XCCDF Rule

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

Banner /etc/issue.net
Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

ID
xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
Severity
Medium
References
Updated



Remediation - Ansible

- name: Find sshd_config included files
  shell: |-
    included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
    [[ -n $included_files ]] && ls $included_files || true
  register: sshd_config_included_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Find the include keyword, extract from the line the glob expression representing included files.
# And if it is a relative path prepend '/etc/ssh/'
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|')