documentation_complete: true

title: 'Enable SSH Warning Banner'

description: |-
    To enable the warning banner and ensure it is consistent
    across the system, add or correct the following line in
    {{{ sshd_config_file() }}}
    <pre>Banner /etc/issue</pre>
    Another section contains information on how to create an
    appropriate system-wide warning banner.

rationale: |-
    The warning message reinforces policy awareness during the logon process and
    facilitates possible legal action against attackers. Alternatively, systems
    whose ownership should not be obvious should ensure usage of a banner that does
    not provide easy attribution.

severity: medium

identifiers:
    cce@rhel8: CCE-80905-3
    cce@rhel9: CCE-90807-9
    cce@rhel10: CCE-86539-4
    cce@sle12: CCE-83066-1
    cce@sle15: CCE-83263-4
    cce@sle16: CCE-96021-1
    cce@slmicro5: CCE-93642-7
    cce@slmicro6: CCE-94626-9

references:
    cis-csc: 1,12,15,16
    cis@sle12: 5.2.18
    cis@sle15: 5.2.18
    cjis: 5.5.6
    cobit5: DSS05.04,DSS05.10,DSS06.10
    cui: 3.1.9
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
    iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
    nist: AC-8(a),AC-8(c),AC-17(a),CM-6(a)
    nist-csf: PR.AC-7
    ospp: FTA_TAB.1
    pcidss: Req-2.2.4
    srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088
    stigid@ol7: OL07-00-040170
    stigid@ol8: OL08-00-010040
    stigid@sle12: SLES-12-030050
    stigid@sle15: SLES-15-010040

{{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}}

fixtext: |-
    Configure {{{ full_name }}} to display the Standard Mandatory Notice and Consent Banner before granting access to the system via the ssh.

    Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
    An example configuration line is:

    Banner /etc/issue

srg_requirement: '{{{ full_name }}} must display the Standard Mandatory Notice and Consent Banner before granting local or remote access to the system via a ssh logon.'

{{% if 'ubuntu' not in product %}}
conflicts:
    - sshd_enable_warning_banner_net
{{% endif %}}

template:
    name: sshd_lineinfile
    vars:
        parameter: Banner
        value: /etc/issue
        datatype: string