Use motd_banner_contents variable in rule banner_etc_motd

jan-cerny · jan-cerny · commit c6997369ef67 · 2026-02-12T09:21:22.000+01:00
Use motd_banner_contents variable in remediations in rule
banner_etc_motd.
diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml
@@ -627,6 +627,7 @@ controls:
           - login_banner_text=cis_default
           - login_banner_contents=cis_default
           - motd_banner_text=cis_default
+          - motd_banner_contents=cis_default
           - remote_login_banner_text=cis_default
 
     - id: A.11.SEC-OL5
diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml
@@ -468,6 +468,7 @@ controls:
       rules:
           - banner_etc_motd
           - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: 1.7.2
       title: Ensure local login warning banner is configured properly (Automated)
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
@@ -457,6 +457,7 @@ controls:
       rules:
           - banner_etc_motd
           - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: 1.8.1.2
       title: Ensure local login warning banner is configured properly (Automated)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
@@ -455,6 +455,7 @@ controls:
       rules:
           - banner_etc_motd
           - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: 1.8.1.2
       title: Ensure local login warning banner is configured properly (Automated)
diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml
@@ -470,6 +470,7 @@ controls:
       rules:
           - banner_etc_motd
           - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: SLES-15-151050030
       title: Modify the System Login Banner
diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml
@@ -269,6 +269,7 @@ controls:
       rules:
           - banner_etc_motd
           - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: SLEM-5-SET-08010200
       title: Modify the System Login Banner
diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml
@@ -128,7 +128,8 @@ controls:
       status: automated
       rules:
           - banner_etc_motd
-          - login_banner_text=cis_banners
+          - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: 1.15
       title: Ensure sshd PermitRootLogin is disabled (Automated)
diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml
@@ -114,6 +114,7 @@ controls:
       rules:
           - banner_etc_motd
           - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
 
     - id: 1.4.2
       title: Ensure local login warning banner is configured properly
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
@@ -3,9 +3,9 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-{{{ ansible_instantiate_variables("motd_banner_text") }}}
+{{{ ansible_instantiate_variables("motd_banner_contents") }}}
 
 - name: "{{{ rule_title }}} - ensure correct banner"
   ansible.builtin.copy:
     dest: /etc/motd
-    content: '{{{ ansible_deregexify_banner_etc_issue("motd_banner_text") }}}'
+    content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
@@ -1,21 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
+# platform = multi_platform_all
 
-{{{ bash_instantiate_variables("motd_banner_text") }}}
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-{{{ bash_deregexify_banner_anchors("motd_banner_text") }}}
-# 1 - Keep only the first banners if there are multiple
-#    (dod_banners contains the long and short banner)
-{{{ bash_deregexify_multiple_banners("motd_banner_text") }}}
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-{{{ bash_deregexify_banner_space("motd_banner_text") }}}
-# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
-{{{ bash_deregexify_banner_newline("motd_banner_text", "\\n") }}}
-# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
-{{{ bash_deregexify_banner_backslash("motd_banner_text") }}}
-formatted=$(echo "$motd_banner_text" | fold -sw 80)
-
-cat <<EOF >/etc/motd
-$formatted
-EOF
+motd_banner_contents=$(echo "(bash-populate motd_banner_contents)" | sed 's/\\n/\n/g')
+echo "$motd_banner_contents" > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
@@ -15,7 +15,7 @@
       <unix:filepath>/etc/motd</unix:filepath>
   </unix:file_object>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1">
+  <ind:textfilecontent54_test check="at least one" check_existence="at_least_one_exists" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1">
     <ind:object object_ref="object_banner_etc_motd" />
     <ind:state state_ref="state_banner_etc_motd" />
   </ind:textfilecontent54_test>
diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var
@@ -1,16 +1,20 @@
 documentation_complete: true
 
-title: 'MotD Banner Verbiage'
+title: Motd Banner Verbiage Regular Expression
 
-description: |-
-    Enter an appropriate login banner for your organization. Please note that new lines must
-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
+description: >-
+    Enter an appropriate login banner regular expression for your organization.
+    Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners.
+    This regular expression is used only in OVAL checks.
+    In remediations the motd_banner_contents variable is used instead.
+    For information about how to generate banner regular expression for your tailoring files,
+    see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
 
 type: string
 
 operator: equals
 
-interactive: false
+interactive: true
 
 options:
 # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information.
diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile
@@ -369,7 +369,8 @@ selections:
     ## 4.1-ensure-message-of-the-day-is-configured-properly
     ### Level 1
     - banner_etc_motd
-    - login_banner_text=cis_banners
+    - motd_banner_text=cis_banners
+    - motd_banner_contents=cis_default
 
     ## 4.2-ensure-local-login-warning-banner-is-configured-properly
     ### Level 1
diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile
@@ -369,7 +369,8 @@ selections:
     ## 4.1-ensure-message-of-the-day-is-configured-properly
     ### Level 1
     - banner_etc_motd
-    - login_banner_text=cis_banners
+    - motd_banner_text=cis_banners
+    - motd_banner_contents=cis_default
 
     ## 4.2-ensure-local-login-warning-banner-is-configured-properly
     ### Level 1
diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile
@@ -112,6 +112,7 @@ selections:
     - service_dovecot_disabled
     - banner_etc_motd
     - motd_banner_text=cis_banners
+    - motd_banner_contents=cis_default
     - banner_etc_issue
     - login_banner_text=cis_banners
     - login_banner_contents=cis_default
diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
@@ -107,6 +107,7 @@ selections:
     - service_dovecot_disabled
     - banner_etc_motd
     - motd_banner_text=cis_banners
+    - motd_banner_contents=cis_default
     - banner_etc_issue
     - login_banner_text=cis_banners
     - login_banner_contents=cis_default
diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml
@@ -635,6 +635,8 @@ controls:
           - banner_etc_issue
           - banner_etc_issue_net
           - banner_etc_motd
+          - motd_banner_text=cis_banners
+          - motd_banner_contents=cis_default
           - dconf_gnome_banner_enabled
           - dconf_gnome_login_banner_text
           - sshd_enable_warning_banner_net
diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile
@@ -31,6 +31,9 @@ selections:
     - var_password_pam_delay=4000000
     #- login_banner_text=dod_banners
     - login_banner_text=cis_banners
+    - login_banner_contents=cis_default
+    - motd_banner_text=cis_banners
+    - motd_banner_contents=cis_default
     #
     # Note: must configure "var_accounts_authorized_local_users_regex" when
     # "accounts_authorized_local_users" rule is enabled
