Create Warning Banners for All FTP Users

An XCCDF Rule

Description

Edit the vsftpd configuration file, which resides at /etc/vsftpd.conf by default. Add or correct the following configuration options:

banner_file=/etc/issue

Rationale

This setting will cause the system greeting banner to be used for FTP connections as well.

ID: xccdf_org.ssgproject.content_rule_ftp_present_banner
Severity: Medium
References: CCI-000048

SLES-12-030010

CCE-83059-6
Updated: about 1 year ago



# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^banner_file")
# shellcheck disable=SC2059
printf -v formatted_output "%s=%s" "$stripped_key" "/etc/issue"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^banner_file\\>" "/etc/vsftpd.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^banner_file\\>.*/$escaped_formatted_output/gi" "/etc/vsftpd.conf"
else
    if [[ -s "/etc/vsftpd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/vsftpd.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/vsftpd.conf"
    fi
    cce="CCE-83059-6"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/vsftpd.conf" >> "/etc/vsftpd.conf"
    printf '%s\n' "$formatted_output" >> "/etc/vsftpd.conf"
fi

- name: Service facts
  service_facts: null
  tags:
  - CCE-83059-6
  - DISA-STIG-SLES-12-030010
  - ftp_present_banner  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure banner_file setting
  lineinfile:
    dest: /etc/vsftpd.conf
    line: banner_file=/etc/issue
    regexp: ^\s*banner_file\s*=\s*.*$
    state: present
  register: banner_file_update_result
  when: ansible_facts.services["vsftpd.service"] is defined
  tags:
  - CCE-83059-6
  - DISA-STIG-SLES-12-030010
  - ftp_present_banner
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Restart vsftpd
  systemd:
    name: vsftpd.service
    state: restarted
  when: banner_file_update_result.changed and ansible_facts.services["vsftpd.service"].state
    == "running"
  tags:
  - CCE-83059-6
  - DISA-STIG-SLES-12-030010
  - ftp_present_banner
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Create Warning Banners for All FTP Users

Description

Rationale

Remediation - Shell Script

Remediation - Ansible