Configure interactive logon message
This also covers the following CIS items:
* CIS 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
Change-Id: If8c237ff4db7e9ab7ee244278d28f632e73ecb56
Related-Prod: PROD-19166
diff --git a/README.rst b/README.rst
index 2492aaf..2246e35 100644
--- a/README.rst
+++ b/README.rst
@@ -822,6 +822,30 @@
bash:
preserve_history: true
+Login banner message
+~~~~~~~~~~~~~~~~~~~~
+
+/etc/issue is a text file which contains a message or system
+identification to be printed before the login prompt. It may contain
+various @char and \char sequences, if supported by the getty-type
+program employed on the system.
+
+Setting logon banner message is easy:
+
+.. code-block:: yaml
+
+ liunx:
+ system:
+ banner:
+ enabled: true
+ contents: |
+ UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED
+
+ You must have explicit, authorized permission to access or configure this
+ device. Unauthorized attempts and actions to access or use this system may
+ result in civil and/or criminal penalties.
+ All activities performed on this system are logged and monitored.
+
Message of the day
~~~~~~~~~~~~~~~~~~
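Review bot: The top-level key in the pillar example under "Login banner message" is spelled `liunx:`, while the formula reads `linux:system:banner` (see the map.jinja and banner.sls changes in this patch), so a pillar copied from the README would never reach the banner state. Change it to `linux:`. The lead-in would also read better as "Setting the logon banner message is easy:".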
diff --git a/linux/map.jinja b/linux/map.jinja
index d5c957b..3973c7f 100644
--- a/linux/map.jinja
+++ b/linux/map.jinja
@@ -85,6 +85,12 @@
},
}, grain='os_family', merge=salt['pillar.get']('linux:system')) %}
+{% set banner = salt['grains.filter_by']({
+ 'BaseDefaults': {
+ 'enabled': false,
+ },
+}, grain='os_family', merge=salt['pillar.get']('linux:system:banner'), base='BaseDefaults') %}
+
{% set auth = salt['grains.filter_by']({
'Arch': {
'enabled': false,
diff --git a/linux/system/banner.sls b/linux/system/banner.sls
new file mode 100644
index 0000000..6e283f5
--- /dev/null
+++ b/linux/system/banner.sls
@@ -0,0 +1,10 @@
+{%- from "linux/map.jinja" import banner with context %}
+
+{%- if banner.get('enabled', False) %}
+/etc/issue:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 644
+ - contents_pillar: linux:system:banner:contents
+{%- endif %}
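Review bot: The `/etc/issue` state is missing a check that `contents` is set. It is rendered whenever `banner.enabled` is true, but `contents_pillar: linux:system:banner:contents` assumes the key exists, and the defaults added in map.jinja supply only `enabled`. Either extend the condition with `banner.contents is defined` or add a default for `contents` in the map, so that `enabled: true` without `contents` does not leave the state depending on a missing pillar key. `banner.get('enabled', False)` can also be written as `banner.enabled`, since BaseDefaults always provides it.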
diff --git a/linux/system/init.sls b/linux/system/init.sls
index 8594d48..c1b13e4 100644
--- a/linux/system/init.sls
+++ b/linux/system/init.sls
@@ -114,3 +114,6 @@
{%- if system.auth is defined %}
- linux.system.auth
{%- endif %}
+{%- if system.banner is defined %}
+- linux.system.banner
+{%- endif %}
diff --git a/tests/pillar/system_banner.sls b/tests/pillar/system_banner.sls
new file mode 100644
index 0000000..6c9ca6a
--- /dev/null
+++ b/tests/pillar/system_banner.sls
@@ -0,0 +1,10 @@
+linux:
+ system:
+ enabled: true
+ banner:
+ enabled: true
+ contents: |
+ ================= WARNING =================
+ This is tcpcloud network.
+ Unauthorized access is strictly prohibited.
+ ===========================================