mediumsystemverified ✓rollback-safe
Configure login warning banner
banner-dod-consent · RHEL ≥ 8 · 1 impl
Description
The system must display an authorized-use warning banner before granting local or remote access. The banner text is written to /etc/issue, which sshd displays via the Banner directive (see ssh-banner rule). The check verifies that the file contains meaningful warning text, not just the OS default. Customize the text by setting the banner_text variable in rules/rules.d/.
Rationale
A pre-authentication banner establishes the legal basis for monitoring and prosecution of unauthorized access. Without a warning banner, an attacker may claim they were unaware the system was restricted.
Check → Remediate
Checkcommand
if [ ! -s /etc/issue ]; then echo "FAIL: /etc/issue is empty or missing" exit 1 fi # Strip getty escape sequences (\S, \r, \m, \l, etc.) and whitespace textlen=$(sed 's/\\[[:alpha:]]//g' /etc/issue | tr -d '[:space:]' | wc -c) if [ "$textlen" -lt 20 ]; then echo "FAIL: /etc/issue has no meaningful warning text ($textlen chars after stripping escapes)" exit 1 fi echo "OK: /etc/issue contains warning banner ($textlen meaningful chars)"
- expected_exit:
- 0
Remediatefile_content
- path:
- /etc/issue
- content:
- {{ banner_text }}
- owner:
- root
- group:
- root
- mode:
- 0644
Framework references
CIS
rhel9 1.7.2rhel8 1.7.2rhel10 1.7.2
STIG
V-281227 / RHEL-10-700040V-257779V-230227
NIST 800-53
AC-8
Live verification
rhel10:checkrhel8:checkrhel9:check
#banner#compliance#login