{"description": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>Banner /etc/issue</pre>\nAnother section contains information on how to create an\nappropriate system-wide warning banner.", "rationale": "The warning message reinforces policy awareness during the logon process and\nfacilitates possible legal action against attackers. Alternatively, systems\nwhose ownership should not be obvious should ensure usage of a banner that does\nnot provide easy attribution.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cjis": ["5.5.6"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "cui": ["3.1.9"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["AC-8(a)", "AC-8(c)", "AC-17(a)", "CM-6(a)"], "nist-csf": ["PR.AC-7"], "ospp": ["FTA_TAB.1"], "pcidss": ["Req-2.2.4"], "srg": ["SRG-OS-000023-GPOS-00006", "SRG-OS-000228-GPOS-00088"], "ism": ["0484"]}, "control_references": {"ism": ["0484"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>Banner</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i Banner /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>/etc/issue</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to display the Standard Mandatory Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\nAn example configuration line is:\n\nBanner /etc/issue", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must display the Standard Mandatory Notice and Consent Banner before granting local or remote access to the system via a ssh logon.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.", "vuldiscussion": "The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.", "checktext": "Verify that any SSH connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file currently being used with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2&gt;&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*banner'\n\nbanner /etc/issue\n\nIf the line is commented out or if the file is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via ssh.\n\nEdit the \"etc/ssh/sshd_config\" file or a file in \"/etc/ssh/sshd_config.d\" to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nAn example configuration line is:\n\nBanner /etc/issue"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable SSH Warning Banner", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "Banner", "value": "/etc/issue", "datatype": "string"}, "backends": {}}}