Allow custom ssh warning banner

Bug #1640306 reported by Luke Hinds
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | Medium | Luke Hinds | |

Bug Description

Security compliance standards require that an SSH banner text is used [1].

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

    Banner /etc/issue

Where `/etc/issue` would be the actual Banner text.

This will allow operators to set the relevant banner text on the overcloud nodes.

[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-03-06/finding/V-38615
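A compliance check for the setting requested above, as an added example that is not part of the original report or of the TripleO code. The function names and sample files are constructed for illustration, and only the global section of the config (before any `Match` block) is audited.

```bash
#!/usr/bin/env bash
# Added example: audit the global Banner setting of an sshd_config file.

# Print the Banner value from the global section (before any Match block).
# sshd keywords are case-insensitive and the first occurrence wins.
effective_banner() {
    awk '
        NF == 0 || $1 ~ /^#/    { next }         # skip blank lines and comments
        tolower($1) == "match"  { exit }         # per-connection overrides not audited
        tolower($1) == "banner" { print $2; exit }
    ' "$1"
}

# Returns 0 = banner set and file has content, 1 = not configured,
# 2 = configured but the banner file is missing or empty.
check_banner() {
    local conf=$1 banner
    banner=$(effective_banner "$conf")
    case $(printf '%s' "$banner" | tr '[:upper:]' '[:lower:]') in
        ''|none) echo "FAIL: no Banner set in $conf"; return 1 ;;
    esac
    [ -s "$banner" ] || { echo "FAIL: $banner is missing or empty"; return 2; }
    echo "PASS: Banner $banner"
}

# Constructed sample files (not taken from a real node).
demo=$(mktemp -d)
printf 'Authorized use only.\n' > "$demo/issue"
: > "$demo/empty"
printf '#Banner /etc/issue\nPermitRootLogin no\n' > "$demo/default.conf"
printf 'banner %s\nBanner none\n' "$demo/issue" > "$demo/good.conf"
printf '  Banner %s\n' "$demo/empty" > "$demo/empty.conf"

for f in default good empty; do
    check_banner "$demo/$f.conf" || echo "  (exit status $?)"
done
```

On a deployed node, `check_banner /etc/ssh/sshd_config` applies the same check to the live configuration.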

Luke Hinds (lhinds)
Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
Luke Hinds (lhinds)
description: updated
Luke Hinds (lhinds)
Changed in tripleo:
importance: High → Medium
Luke Hinds (lhinds)
Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/408637

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/408638

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/408637
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5a1764acf7623ee04d8610793f418ab1d4e2226e
Submitter: Jenkins
Branch: master

commit 5a1764acf7623ee04d8610793f418ab1d4e2226e
Author: Luke Hinds <email address hidden>
Date: Thu Dec 8 12:46:40 2016 +0000

    Adds ability to populate SSH Banner text

    A puppet manifest to allow the toggle of 'Banner' in sshd_config
    and enable population of an SSH login banner needed for security
    compliance such as DISA STIG

    If `Bannertext` is set as a parameter, the `Banner` key within
    sshd_config is toggled to `/etc/issue` and the content is copied
    into the `/etc/issue` file

    Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
    Closes-Bug: #1640306

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/408638
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=73f58792f90942be1e2dc0ef67eac0a47d9aba18
Submitter: Jenkins
Branch: master

commit 73f58792f90942be1e2dc0ef67eac0a47d9aba18
Author: Luke Hinds <email address hidden>
Date: Thu Dec 8 13:12:53 2016 +0000

    Adds SSH Banner text into sshd_config

    Allow use of ooo template to populate banner text into /etc/issue

    Change-Id: If5b2da9415f10652a0a64503b2da4b63d1018640
    Depends-On: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
    Closes-Bug: #1640306

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.2.0

This issue was fixed in the openstack/puppet-tripleo 6.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/492152

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/492152
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4692bb30fcf39a98d36c35b3b24ae8ca72b4cacb
Submitter: Jenkins
Branch: stable/newton

commit 4692bb30fcf39a98d36c35b3b24ae8ca72b4cacb
Author: Luke Hinds <email address hidden>
Date: Thu Dec 8 13:12:53 2016 +0000

    Adds SSH Banner text into sshd_config

    Allow use of ooo template to populate banner text into /etc/issue

    Change-Id: If5b2da9415f10652a0a64503b2da4b63d1018640
    Closes-Bug: #1640306
    (cherry picked from commit 73f58792f90942be1e2dc0ef67eac0a47d9aba18)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.3.1

This issue was fixed in the openstack/tripleo-heat-templates 5.3.1 release.
