Blame SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch

247868
From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001
247868
From: Marek Haicman <mhaicman@redhat.com>
247868
Date: Wed, 4 Dec 2019 15:11:39 +0100
247868
Subject: [PATCH 01/27] Create macro to translate text to banner text.
247868
247868
With banner texts having every whitespace replaced with more complex regular
247868
expression, it's not really readable in that form. This macro should provide
247868
a way to write human-readable text in source, and get machine-readable text
247868
as the output.
247868
---
247868
 .../var_web_login_banner_text.var             | 15 ++++++---------
247868
 .../banner_etc_issue/bash/shared.sh           |  2 +-
247868
 ...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++
247868
 .../accounts-banners/login_banner_text.var    | 12 ++++++------
247868
 shared/macros.jinja                           |  4 ++++
247868
 ssg/build_yaml.py                             |  2 +-
247868
 6 files changed, 37 insertions(+), 17 deletions(-)
247868
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index 61ebea65f3..72a728659b 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage'
247868
 
247868
 description: |-
247868
     Enter an appropriate login banner for your organization. Please note that new lines must
247868
-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
247868
+    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
247868
 
247868
 type: string
247868
 
247868
@@ -13,11 +13,8 @@ operator: equals
247868
 interactive: false
247868
 
247868
 options:
247868
-    dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitorin
g[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$
247868
-    dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[
\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.
247868
-    dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.
247868
-    dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\
247868
-        s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\
247868
-        s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\
247868
-        s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times."
247868
-    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
247868
+    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
247868
+    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
247868
+    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
247868
+    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
+    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
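Review bot: The `.` characters in the text passed to `banner_flexibler` are left unescaped (`U.S.`, `only.`, `details.`) while `\(`, `\:` and `\&` are escaped, so the generated pattern accepts any character at those positions. If the check is meant to pin the exact wording, write them as `\.`, for example `U\.S\.`, assuming the template string passes `\.` through the same way it passes `\(`. The removed patterns had the same looseness, so this is carried over rather than introduced, and it applies equally to the options in login_banner_text.var.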
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 9617934e4f..54bc576551 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -3,7 +3,7 @@
247868
 populate login_banner_text
247868
 
247868
 # There was a regular-expression matching various banners, needs to be expanded
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
247868
 formatted=$(echo "$expanded" | fold -sw 80)
247868
 
247868
 cat <<EOF >/etc/issue
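Review bot: The sed program on the `expanded=` line depends on the order of its substitutions and carries no explanation: `s/\\//g` removes every backslash, and only after that does `s/\[n\]+/\n/g` find what is left of the macro's `[\n]+`. A comment above it listing each step would help, for example `# 1-2: unescape quotes, 3: keep first dod_banners alternative, 4: whitespace class -> space, 5: drop backslashes, 6: newline class -> newline`. The third substitution still expects the old `(^long$|^short$)` layout, whereas the new dod_banners option is written `^(long|short)$`, so it presumably no longer strips the short banner before the text is written to /etc/issue; [PATCH 02/27] further down is titled as fixing this. The script continues outside the hunk.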
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
247868
new file mode 100644
247868
index 0000000000..00121bae96
247868
--- /dev/null
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
247868
@@ -0,0 +1,19 @@
247868
+#!/bin/bash
247868
+#
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+# dod_default banner
247868
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is 
247868
+provided for USG-authorized use only. By using this IS (which includes any 
247868
+device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for 
247868
+purposes including, but not limited to, penetration testing, COMSEC monitoring, 
247868
+network operations and defense, personnel misconduct (PM), law enforcement 
247868
+(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject 
247868
+to routine monitoring, interception, and search, and may be disclosed or used 
247868
+for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) 
247868
+to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE 
247868
+or CI investigative searching or monitoring of the content of privileged 
247868
+communications, or work product, related to personal representation or services 
247868
+by attorneys, psychotherapists, or clergy, and their assistants. Such 
247868
+communications and work product are private and confidential. See User 
247868
+Agreement for details." > /etc/issue
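Review bot: The comment `# dod_default banner` does not say what makes this a failing scenario. The text written to /etc/issue has the line breaks before each `-` item removed (`conditions:-The USG`, `investigations.-At any time`), which is what the `[\n]+` in the generated pattern is meant to reject; a comment such as `# dod_default banner with the newlines before each "-" item removed; the rule must fail` would make that visible. Several lines inside the quoted string also end in a trailing space, which is easy to lose in an editor that trims whitespace.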
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index f3a4795bce..0c398bee9c 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage'
247868
 
247868
 description: |-
247868
     Enter an appropriate login banner for your organization. Please note that new lines must
247868
-    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
247868
+    be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
247868
 
247868
 type: string
247868
 
247868
@@ -14,8 +14,8 @@ interactive: false
247868
 
247868
 options:
247868
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
247868
-    dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n
]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)
247868
-    dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+
or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.
247868
-    dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.
247868
-    dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+th
e[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.
247868
-    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
247868
+    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
247868
+    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
247868
+    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
247868
+    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
+    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
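Review bot: The short alternative in the new `dod_banners` ends in `agreem\\'t.)$`, while the removed pattern ended in `agreem\'t$)` with nothing after the `t`. Since `.` is unescaped, the new pattern requires one additional character there, so a banner that stops at `agreem't` would have matched before and appears not to match now. If the trailing period is intended, as in `dod_short`, it is worth saying so in the commit message and writing it as `\.`. The mandatory `[\n]+` before each `-` item, where the old pattern allowed `(\\n)*(\n)*`, is a second tightening, and it is the one the new .fail.sh test covers.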
247868
diff --git a/shared/macros.jinja b/shared/macros.jinja
247868
index 8a25acc937..3c617040bf 100644
247868
--- a/shared/macros.jinja
247868
+++ b/shared/macros.jinja
247868
@@ -657,3 +657,7 @@ openssl()
247868
 )
247868
 
247868
 {{%- endmacro %}}
247868
+
247868
+{{% macro banner_flexibler(banner_text) -%}}
247868
+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
247868
+{{% endmacro %}}
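Review bot: `banner_flexibler` rewrites only spaces and newlines, so every other character of `banner_text` reaches the generated pattern as regex syntax. In the banner strings passed to it in this commit, each `.` therefore matches any character, and a banner containing parentheses would have to arrive already escaped. A comment above the macro should state that contract, for example `banner_text must already have regex metacharacters escaped; only spaces and newlines are rewritten`. The same comment can say that `BFLMPSVZ` is a temporary placeholder for newlines, so the space replacement does not touch them.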
247868
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
247868
index 357d0e8d99..700e496246 100644
247868
--- a/ssg/build_yaml.py
247868
+++ b/ssg/build_yaml.py
247868
@@ -327,7 +327,7 @@ def __init__(self, id_):
247868
 
247868
     @staticmethod
247868
     def from_yaml(yaml_file, env_yaml=None):
247868
-        yaml_contents = open_and_expand(yaml_file, env_yaml)
247868
+        yaml_contents = open_and_macro_expand(yaml_file, env_yaml)
247868
         if yaml_contents is None:
247868
             return None
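Review bot: `from_yaml` has no docstring, and after this change the file it loads is, judging by the helper's name, run through macro expansion before parsing, which a reader of the method cannot see. A short docstring would record that, for example `"""Build the object from yaml_file after macro expansion; return None when the expanded contents are None."""`. It is also worth confirming that `open_and_macro_expand` is already imported in this module, since the diffstat shows this as the only changed line in the file. The body of `from_yaml` continues outside the hunk.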
247868
 
247868
247868
From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Thu, 27 Feb 2020 18:03:37 +0100
247868
Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners
247868
247868
Format of dod_banners changed a bit, and stripping of trailing
247868
short dod banner got broken.
247868
247868
Goal of dod_banners is to check for either long or short DoD, but
247868
default to remediating with the long banner.
247868
---
247868
 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
247868
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
247868
 2 files changed, 2 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 54bc576551..1b2052a658 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -3,7 +3,7 @@
247868
 populate login_banner_text
247868
 
247868
 # There was a regular-expression matching various banners, needs to be expanded
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
247868
 formatted=$(echo "$expanded" | fold -sw 80)
247868
 
247868
 cat <<EOF >/etc/issue
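Review bot: The rewritten first expression `s/\^(\(.*\)|.*$/\1/g` no longer anchors on `\$|`, and because `\(.*\)` is greedy it captures up to the last `|` in the value, not the first. With the two-alternative dod_banners value that still yields the long banner, but a value with three alternatives, or with a `|` inside the last alternative, would leave regex text in what is written to /etc/issue. The same expression is added in the dconf_gnome_login_banner_text/bash/shared.sh hunk of this commit. A comment beside the line would record the constraint, for example `# assumes a single top-level '|' separating the long and the short banner`.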
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index 1614098c8c..bc6a31bc74 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -2,7 +2,7 @@
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 populate login_banner_text
247868
 
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
 
247868
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
247868
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
247868
247868
From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Mon, 2 Mar 2020 17:31:49 +0100
247868
Subject: [PATCH 03/27] Fix test scenarios for OSPP profile
247868
247868
OSPP profile doesn't select banner_etc_issue
247868
---
247868
 ...banner_etc_issue_ospp_usbcg_banner.fail.sh |  2 +-
247868
 ...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------
247868
 2 files changed, 22 insertions(+), 10 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
247868
index db0b72089c..0f962279be 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
247868
@@ -1,5 +1,5 @@
247868
 #!/bin/bash
247868
 #
247868
-# profiles = xccdf_org.ssgproject.content_profile_ospp
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
 
247868
 echo "This is not the expected banner" > /etc/issue
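Review bot: The scenario now targets `xccdf_org.ssgproject.content_profile_stig`, but the file is still named `banner_etc_issue_ospp_usbcg_banner.fail.sh`, so the name describes a profile and banner the test no longer uses. The companion `banner_etc_issue_ospp_usbcg_banner.pass.sh` hunk has the same mismatch and now writes the dod_banners text. Renaming both files, for instance to `banner_etc_issue_stig_dod_banner.fail.sh` and `.pass.sh`, would keep the test names aligned with what they check.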
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
247868
index d36b3a146b..9bb0319323 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
247868
@@ -1,12 +1,24 @@
247868
 #!/bin/bash
247868
 #
247868
-# profiles = xccdf_org.ssgproject.content_profile_ospp
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
 
247868
-# usgcb_default banner
247868
-echo "-- WARNING -- This system is for the use of authorized users only. Individuals 
247868
-using this computer system without authority or in excess of their authority 
247868
-are subject to having all their activities on this system monitored and 
247868
-recorded by system personnel. Anyone using this system expressly consents to 
247868
-such monitoring and is advised that if such monitoring reveals possible 
247868
-evidence of criminal activity system personal may provide the evidence of such 
247868
-monitoring to law enforcement officials." > /etc/issue
247868
+# dod_banners banner
247868
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is
247868
+provided for USG-authorized use only. By using this IS (which includes any
247868
+device attached to this IS), you consent to the following conditions:
247868
+-The USG routinely intercepts and monitors communications on this IS for
247868
+purposes including, but not limited to, penetration testing, COMSEC monitoring,
247868
+network operations and defense, personnel misconduct (PM), law enforcement
247868
+(LE), and counterintelligence (CI) investigations.
247868
+-At any time, the USG may inspect and seize data stored on this IS.
247868
+-Communications using, or data stored on, this IS are not private, are subject
247868
+to routine monitoring, interception, and search, and may be disclosed or used
247868
+for any USG-authorized purpose.
247868
+-This IS includes security measures (e.g., authentication and access controls)
247868
+to protect USG interests--not for your personal benefit or privacy.
247868
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE
247868
+or CI investigative searching or monitoring of the content of privileged
247868
+communications, or work product, related to personal representation or services
247868
+by attorneys, psychotherapists, or clergy, and their assistants. Such
247868
+communications and work product are private and confidential. See User
247868
+Agreement for details." > /etc/issue
247868
247868
From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Tue, 3 Mar 2020 10:26:40 +0100
247868
Subject: [PATCH 04/27] Update test scenario metadata for banner tests
247868
247868
---
247868
 .../dconf_gnome_login_banner_text/tests/correct_value.pass.sh   | 1 +
247868
 .../tests/correct_value_stig.pass.sh                            | 2 +-
247868
 .../tests/missing_value_stig.fail.sh                            | 2 +-
247868
 .../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh     | 1 +
247868
 .../tests/wrong_value_stig.fail.sh                              | 2 +-
247868
 5 files changed, 5 insertions(+), 3 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
247868
index 2c92fcbeb8..230a8b0a22 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
247868
@@ -1,4 +1,5 @@
247868
 #!/bin/bash
247868
+# platform = Red Hat Enterprise Linux 7
247868
 # profiles = xccdf_org.ssgproject.content_profile_ncp
247868
 
247868
 source $SHARED/dconf_test_functions.sh
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
247868
index 8a142b740e..d59f9071f0 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
247868
@@ -1,5 +1,5 @@
247868
 #!/bin/bash
247868
-# platform = Red Hat Enterprise Linux 7
247868
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
247868
 # profiles = xccdf_org.ssgproject.content_profile_stig
247868
 
247868
 source $SHARED/dconf_test_functions.sh
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
247868
index 1fea01471e..9638681130 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
247868
@@ -1,5 +1,5 @@
247868
 #!/bin/bash
247868
-# platform = Red Hat Enterprise Linux 7
247868
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
247868
 # profiles = xccdf_org.ssgproject.content_profile_stig
247868
 
247868
 source $SHARED/dconf_test_functions.sh
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
247868
index af4ea0ab82..7f7123a8be 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh
247868
@@ -1,4 +1,5 @@
247868
 #!/bin/bash
247868
+# platform = Red Hat Enterprise Linux 7
247868
 # profiles = xccdf_org.ssgproject.content_profile_ncp
247868
 
247868
 source $SHARED/dconf_test_functions.sh
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
247868
index e0f43ec001..cd65f885a2 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
247868
@@ -1,5 +1,5 @@
247868
 #!/bin/bash
247868
-# platform = Red Hat Enterprise Linux 7
247868
+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
247868
 # profiles = xccdf_org.ssgproject.content_profile_stig
247868
 
247868
 source $SHARED/dconf_test_functions.sh
247868
247868
From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Tue, 3 Mar 2020 10:28:07 +0100
247868
Subject: [PATCH 05/27] Fix text of banners, remove space after dash
247868
247868
Per DISA STIG reference, there is no space after the list items.
247868
---
247868
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
247868
 .../tests/correct_value_stig.pass.sh                            | 2 +-
247868
 2 files changed, 2 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index bc6a31bc74..d9dca1bef9 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -2,7 +2,7 @@
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 populate login_banner_text
247868
 
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
 
247868
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
247868
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
247868
index d59f9071f0..dca4b8e99b 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
247868
@@ -6,7 +6,7 @@ source $SHARED/dconf_test_functions.sh
247868
 
247868
 install_dconf_and_gdm_if_needed
247868
 
247868
-login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s
\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
247868
+login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s
\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)"
247868
 expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
 
247868
 clean_dconf_settings
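Review bot: The test still derives its expected value with the old pipeline on the context line, `s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g`, and its `login_banner_text` keeps the `(^…$|^…$)` wrapping and a `[\s\n]*` token before `By`. The remediation in bash/shared.sh, changed in this same commit, now uses `s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g`, so the two no longer perform the same transformation on the same shape of input. Either align the test with the remediation or add a comment such as `# expected value is built independently of bash/shared.sh; keep this regex in the pre-macro format`. The rest of the test script is outside the hunk.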
247868
247868
From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Tue, 3 Mar 2020 11:01:25 +0100
247868
Subject: [PATCH 06/27] Make banner compatible with console and dconf
247868
247868
The banner in /etc/issue is expected to have actual newlines, while the
247868
banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence
247868
'\n'.
247868
247868
This commit transforms the newline from the input banner into a regex
247868
that matches either the newline or the escape sequence.
247868
247868
During remediation, each rule will replace the regular expression for
247868
the correct "version" of the newline.
247868
---
247868
 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
247868
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
247868
 shared/macros.jinja                                             | 2 +-
247868
 3 files changed, 3 insertions(+), 3 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 1b2052a658..fcaaa2c794 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -3,7 +3,7 @@
247868
 populate login_banner_text
247868
 
247868
 # There was a regular-expression matching various banners, needs to be expanded
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g')
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
247868
 formatted=$(echo "$expanded" | fold -sw 80)
247868
 
247868
 cat <<EOF >/etc/issue
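Review bot: The new third expression `s/(?:\[\\n\]+|(?:\\n)+)/\n/g` looks for `(?:\n)+` with a single backslash, while the macro changed in this same commit is written as `(?:\\\\n)+`, which appears to render with two. If the value reaches the script unchanged, the token is not matched, and the following `s/\\//g` strips its backslashes and leaves `(?:[n]+|(?:n)+)` in the banner. It is worth confirming what `populate` delivers; if both backslashes survive, the pattern would need `(?:\\\\n)+`. The dconf_gnome_login_banner_text/bash/shared.sh hunk uses the same token pattern.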
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index d9dca1bef9..2b51e7c94c 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -2,7 +2,7 @@
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 populate login_banner_text
247868
 
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
 
247868
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
247868
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
247868
diff --git a/shared/macros.jinja b/shared/macros.jinja
247868
index 3c617040bf..b178088f0c 100644
247868
--- a/shared/macros.jinja
247868
+++ b/shared/macros.jinja
247868
@@ -659,5 +659,5 @@ openssl()
247868
 {{%- endmacro %}}
247868
 
247868
 {{% macro banner_flexibler(banner_text) -%}}
247868
-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}}
247868
+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}
247868
 {{% endmacro %}}
247868
247868
From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Tue, 3 Mar 2020 12:46:30 +0100
247868
Subject: [PATCH 07/27] Simplify banner remediation regexes
247868
247868
Remove unneeded sed's for single quote (\x27)
247868
---
247868
 .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
247868
 .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
247868
 2 files changed, 2 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index fcaaa2c794..5d079e9271 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -3,7 +3,7 @@
247868
 populate login_banner_text
247868
 
247868
 # There was a regular-expression matching various banners, needs to be expanded
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
247868
+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
247868
 formatted=$(echo "$expanded" | fold -sw 80)
247868
 
247868
 cat <<EOF >/etc/issue
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index 2b51e7c94c..568942e892 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -2,7 +2,7 @@
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 populate login_banner_text
247868
 
247868
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
247868
 
247868
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
247868
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
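Review bot: Dropping the final `s/\x27/\\\x27/g` leaves any apostrophe in the banner unescaped inside the single-quoted `'${expanded}'` passed to `bash_dconf_settings` two lines below. The long DoD banner kept by the first expression contains none, but `login_banner_text` is a selectable value and the short DoD banner in this series already contains `I\'ve`. A value with `'` would end the quoted string early and produce a malformed `banner-message-text` entry. Keeping `s/\x27/\\\x27/g` as the last expression preserves the escaping at no cost.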
247868
247868
From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Tue, 3 Mar 2020 12:48:10 +0100
247868
Subject: [PATCH 08/27] Document what the regexes do in the banner
247868
247868
---
247868
 .../accounts-banners/banner_etc_issue/bash/shared.sh      | 7 ++++++-
247868
 .../dconf_gnome_login_banner_text/bash/shared.sh          | 8 ++++++++
247868
 2 files changed, 14 insertions(+), 1 deletion(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 5d079e9271..07b88bf039 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -2,7 +2,12 @@
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 populate login_banner_text
247868
 
247868
-# There was a regular-expression matching various banners, needs to be expanded
247868
+# Multiple regexes transform the banner regex into a usable banner
247868
+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
247868
+#    (dod_banners contains the long and shor banner)
247868
+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
+# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
247868
+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
 expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
247868
 formatted=$(echo "$expanded" | fold -sw 80)
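Review bot: The added comment block has several typos and uneven numbering (`1 -` against `2-`), which makes a dense sed pipeline harder to follow: `shor`, `parethesis`, and in the dconf hunk `escapce` plus an unclosed parenthesis on the last line. Suggested wording: `# 1- Keep only the first banner if there are multiple, and remove the wrapping regex syntax.`, `#    (dod_banners contains the long and the short banner)` and `# 4- Remove any leftover backslash (from escaped parentheses in the banner, for example).` In the dconf hunk the last line would read `#    (Needs to be done after 4, otherwise the escape sequence would become just "n".)`.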
247868
 
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index 568942e892..658205bd2c 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -2,6 +2,14 @@
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 populate login_banner_text
247868
 
247868
+# Multiple regexes transform the banner regex into a usable banner
247868
+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
247868
+#    (dod_banners contains the long and shor banner)
247868
+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
+# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
247868
+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
+# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
247868
+#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
247868
 expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
247868
 
247868
 {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
247868
247868
From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Tue, 3 Mar 2020 12:49:02 +0100
247868
Subject: [PATCH 09/27] Add rule to check dconf banner
247868
247868
The STIG profile sets the banner, and checks whether it is enabled for
247868
dconf, but never checked the banner text.
247868
---
247868
 rhel8/profiles/stig.profile | 1 +
247868
 1 file changed, 1 insertion(+)
247868
247868
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
247868
index 7eb1869a3c..f315df7d06 100644
247868
--- a/rhel8/profiles/stig.profile
247868
+++ b/rhel8/profiles/stig.profile
247868
@@ -21,6 +21,7 @@ extends: ospp
247868
     - login_banner_text=dod_banners
247868
     - dconf_db_up_to_date
247868
     - dconf_gnome_banner_enabled
247868
+    - dconf_gnome_login_banner_text
247868
     - banner_etc_issue
247868
     - accounts_password_set_min_life_existing
247868
     - accounts_password_set_max_life_existing
247868
247868
From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Fri, 6 Mar 2020 15:37:46 +0100
247868
Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock
247868
247868
---
247868
 .../dconf_gnome_login_banner_text/ansible/shared.yml          | 4 ++--
247868
 1 file changed, 2 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
index 6946c9ddf7..303f505968 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
@@ -38,7 +38,7 @@
247868
 - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
247868
   lineinfile:
247868
     path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock'
247868
-    regexp: '^org/gnome/login-screen/banner-message-text$'
247868
-    line: 'org/gnome/login-screen/banner-message-text'
247868
+    regexp: '^/org/gnome/login-screen/banner-message-text$'
247868
+    line: '/org/gnome/login-screen/banner-message-text'
247868
     create: yes
247868
     state: present
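Review bot: The new `regexp` matches only the corrected entry, so a lock file written by the earlier version of this task keeps its `org/gnome/login-screen/banner-message-text` line and the slash-prefixed key is appended beside it. Making the leading slash optional in the pattern, `regexp: '^/?org/gnome/login-screen/banner-message-text$'`, lets `lineinfile` rewrite the stale entry in place while `line:` still writes the `/`-prefixed key. Without that, hosts remediated before this fix end up with both forms in `00-security-settings-lock`, which is confusing to audit even if the extra line is ignored.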
247868
247868
From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Fri, 6 Mar 2020 15:58:38 +0100
247868
Subject: [PATCH 11/27] Fix banner regex stripping for Ansible
247868
247868
Do similar regex stripping to what is done in the Bash remediation.
247868
The triple single quotes is necessary for the jinja template expansion
247868
to add the banner wrapped in single quotes.
247868
---
247868
 .../dconf_gnome_login_banner_text/ansible/shared.yml           | 3 ++-
247868
 1 file changed, 2 insertions(+), 1 deletion(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
index 303f505968..5d5e92530a 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
@@ -32,8 +32,9 @@
247868
     dest: /etc/dconf/db/gdm.d/00-security-settings
247868
     section: org/gnome/login-screen
247868
     option: banner-message-text
247868
-    value: '{{ login_banner_text }}'
247868
+    value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
247868
     create: yes
247868
+    no_extra_spaces: yes
247868
 
247868
 - name: "Prevent user modification of the GNOME3 Login Warning Banner Text"
247868
   lineinfile:
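Review bot: The new `value:` wraps the de-regexified banner in literal single quotes (`'''…'''`), but no filter in the chain handles a `'` inside the banner, and the `regex_replace("\\", "")` step removes any backslash that might have escaped one. The short DoD banner defined later in this series contains apostrophes, so selecting it would presumably write an unbalanced quoted string into the dconf keyfile and leave the banner unset. The first-alternative step only hides this for `dod_banners`. A final filter that escapes `'` after the backslash strip would close the gap; failing that, add a comment such as `# banner text must not contain "'" - it is written unescaped inside a single-quoted dconf value`. The same applies to `'${login_banner_text}'` in the Bash dconf hunk of PATCH 14/27.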
247868
247868
From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Fri, 6 Mar 2020 16:09:50 +0100
247868
Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue
247868
247868
---
247868
 .../banner_etc_issue/ansible/shared.yml              | 12 ++++++++++++
247868
 1 file changed, 12 insertions(+)
247868
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
new file mode 100644
247868
index 0000000000..e136304020
247868
--- /dev/null
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
@@ -0,0 +1,12 @@
247868
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
247868
+# reboot = false
247868
+# strategy = unknown
247868
+# complexity = low
247868
+# disruption = medium
247868
+- (xccdf-var login_banner_text)
247868
+
247868
+- name: "{{{ rule_title }}}"
247868
+  lineinfile:
247868
+    dest: /etc/issue
247868
+    line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
247868
+    create: yes
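Review bot: `lineinfile` with only `line:` adds the text when no identical line is found and does not replace what /etc/issue already holds. A host with a vendor or stale banner would therefore keep it above the new text and still fail an exact-match check. The rendered banner is also multi-line, which a line-oriented match is unlikely to find again on the next run, so the task is probably not idempotent either. The Bash remediation for this rule overwrites the file (`cat <<EOF >/etc/issue`); the equivalent here is `copy:` with `dest: /etc/issue` and `content:` set to the same filter expression. The `line:` rewritten in PATCH 15/27 inherits this.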
247868
247868
From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Fri, 6 Mar 2020 16:52:09 +0100
247868
Subject: [PATCH 13/27] Update reference RHEL8 STIG profile
247868
247868
---
247868
 tests/data/profile_stability/rhel8/stig.profile | 1 +
247868
 1 file changed, 1 insertion(+)
247868
247868
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
247868
index 843267d589..381cf54b3a 100644
247868
--- a/tests/data/profile_stability/rhel8/stig.profile
247868
+++ b/tests/data/profile_stability/rhel8/stig.profile
247868
@@ -84,6 +84,7 @@ selections:
247868
 - coredump_disable_storage
247868
 - dconf_db_up_to_date
247868
 - dconf_gnome_banner_enabled
247868
+- dconf_gnome_login_banner_text
247868
 - disable_ctrlaltdel_burstaction
247868
 - disable_ctrlaltdel_reboot
247868
 - disable_host_auth
247868
247868
From 6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sat, 7 Mar 2020 13:12:28 +0100
247868
Subject: [PATCH 14/27] Move bash banner deregexification to macros
247868
247868
This aims to increase maintainability and readability.
247868
Every step in the deregexification is a separate macro.
247868
The macros 'bash_deregexify_banner_etc_issue' and
247868
'bash_deregexify_banner_dconf_gnome' build upon the basic steps.
247868
---
247868
 .../banner_etc_issue/bash/shared.sh           |  9 ++++---
247868
 .../bash/shared.sh                            | 10 +++++---
247868
 shared/macros-bash.jinja                      | 25 +++++++++++++++++++
247868
 3 files changed, 38 insertions(+), 6 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 07b88bf039..119413005e 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -4,12 +4,15 @@ populate login_banner_text
247868
 
247868
 # Multiple regexes transform the banner regex into a usable banner
247868
 # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
247868
-#    (dod_banners contains the long and shor banner)
247868
+#    (dod_banners contains the long and short banner)
247868
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
247868
 # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
247868
 # 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
247868
+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
247868
 # 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;')
247868
-formatted=$(echo "$expanded" | fold -sw 80)
247868
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
247868
+formatted=$(echo "$login_banner_text" | fold -sw 80)
247868
 
247868
 cat <<EOF >/etc/issue
247868
 $formatted
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index 658205bd2c..4011932790 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -4,13 +4,17 @@ populate login_banner_text
247868
 
247868
 # Multiple regexes transform the banner regex into a usable banner
247868
 # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
247868
-#    (dod_banners contains the long and shor banner)
247868
+#    (dod_banners contains the long and short banner)
247868
+{{{ bash_deregexify_multiple_banners("login_banner_text") }}}
247868
 # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
+{{{ bash_deregexify_banner_space("login_banner_text") }}}
247868
 # 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
247868
+{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
247868
 # 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
+{{{ bash_deregexify_banner_backslash("login_banner_text") }}}
247868
 # 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
247868
 #    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
247868
-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;')
247868
+{{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
247868
 
247868
-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}}
247868
+{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}}
247868
 {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}}
247868
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
247868
index 2756cc0c00..6d72684c6d 100644
247868
--- a/shared/macros-bash.jinja
247868
+++ b/shared/macros-bash.jinja
247868
@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}}
247868
 {{{ contents|trim() }}}
247868
 EOF
247868
 {{%- endmacro %}}
247868
+
247868
+{{# Strips multibanner regex and keeps only the first banner #}}
247868
+{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips whitespace or newline regex #}}
247868
+{{% macro bash_deregexify_banner_space(banner_var_name) -%}}
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g')
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips newline or newline escape sequence regex #}}
247868
+{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}}
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g')
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips newline token for a newline escape sequence regex #}}
247868
+{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}}
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g')
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips backslash regex #}}
247868
+{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}}
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g')
247868
+{{%- endmacro %}}
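Review bot: The two wrapper macros the commit message names, `bash_deregexify_banner_etc_issue` and `bash_deregexify_banner_dconf_gnome`, are not defined in this hunk, so the order of the steps is still spelled out by hand in each `shared.sh`. The order matters: the dconf script's own comment says the newline token must be replaced after the backslash strip, and a caller that gets it wrong writes a banner that no longer matches the required text. Defining the wrappers here, as the Ansible macros in the next patch do, keeps that constraint in one place. Each step macro would also benefit from a `Parameters:` comment like the Ansible ones. A sketch of the wrappers follows.

```jinja
{{#
  Formats a banner regex for use in /etc/issue
  Parameters:
    - banner_var_name - name of the bash variable with the banner regex
#}}
{{% macro bash_deregexify_banner_etc_issue(banner_var_name) -%}}
{{{ bash_deregexify_multiple_banners(banner_var_name) }}}
{{{ bash_deregexify_banner_space(banner_var_name) }}}
{{{ bash_deregexify_banner_newline(banner_var_name, "\\n") }}}
{{{ bash_deregexify_banner_backslash(banner_var_name) }}}
{{%- endmacro %}}

{{#
  Formats a banner regex for use in dconf
  The newline token is replaced last, after the backslash strip.
  Parameters:
    - banner_var_name - name of the bash variable with the banner regex
#}}
{{% macro bash_deregexify_banner_dconf_gnome(banner_var_name) -%}}
{{{ bash_deregexify_multiple_banners(banner_var_name) }}}
{{{ bash_deregexify_banner_space(banner_var_name) }}}
{{{ bash_deregexify_banner_newline(banner_var_name, "(n)*") }}}
{{{ bash_deregexify_banner_backslash(banner_var_name) }}}
{{{ bash_deregexify_banner_newline_token(banner_var_name) }}}
{{%- endmacro %}}
```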
247868
247868
From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sat, 7 Mar 2020 14:04:40 +0100
247868
Subject: [PATCH 15/27] Move ansible banner deregexification to macros
247868
247868
This aims to increase maintainability and readability.
247868
Every step in the deregexification is a separate macro.
247868
The macros 'ansible_deregexify_banner_etc_issue' and
247868
'ansible_deregexify_banner_dconf_gnome' build upon the basic steps.
247868
---
247868
 .../banner_etc_issue/ansible/shared.yml       |  2 +-
247868
 .../ansible/shared.yml                        |  2 +-
247868
 shared/macros-ansible.jinja                   | 54 +++++++++++++++++++
247868
 3 files changed, 56 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
index e136304020..42c19194e4 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
@@ -8,5 +8,5 @@
247868
 - name: "{{{ rule_title }}}"
247868
   lineinfile:
247868
     dest: /etc/issue
247868
-    line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}'
247868
+    line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
247868
     create: yes
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
index 5d5e92530a..40cce05fbc 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
247868
@@ -32,7 +32,7 @@
247868
     dest: /etc/dconf/db/gdm.d/00-security-settings
247868
     section: org/gnome/login-screen
247868
     option: banner-message-text
247868
-    value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
247868
+    value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}'
247868
     create: yes
247868
     no_extra_spaces: yes
247868
 
247868
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
247868
index 0d023553a7..5deb7ceb80 100644
247868
--- a/shared/macros-ansible.jinja
247868
+++ b/shared/macros-ansible.jinja
247868
@@ -217,3 +217,57 @@
247868
         {{{ contents|trim()|indent(8) }}}
247868
     force: yes
247868
 {{%- endmacro %}}
247868
+
247868
+{{#
247868
+  Formats a banner regex for use in /etc/issue
247868
+  Parameters:
247868
+    - banner_var_name - name of ansible variable with the banner regex
247868
+#}}
247868
+{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
247868
+{{ {{{ banner_var_name }}} |
247868
+{{{ ansible_deregexify_multiple_banners() }}} |
247868
+{{{ ansible_deregexify_banner_space() }}} |
247868
+{{{ ansible_deregexify_banner_newline("\\n") }}} |
247868
+{{{ ansible_deregexify_banner_backslash() }}} |
247868
+wordwrap() }}
247868
+{{%- endmacro %}}
247868
+
247868
+{{#
247868
+  Formats a banner regex for use in dconf
247868
+  Parameters:
247868
+    - banner_var_name - name of ansible variable with the banner regex
247868
+#}}
247868
+{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
247868
+''{{ {{{ banner_var_name }}} |
247868
+{{{ ansible_deregexify_multiple_banners() }}} |
247868
+{{{ ansible_deregexify_banner_space() }}} |
247868
+{{{ ansible_deregexify_banner_newline("(n)*") }}} |
247868
+{{{ ansible_deregexify_banner_backslash() }}} |
247868
+{{{ ansible_deregexify_banner_newline_token()}}} }}''
247868
+{{%- endmacro %}}
247868
+
247868
+    line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
247868
+{{# Strips multibanner regex and keeps only the first banner #}}
247868
+{{% macro ansible_deregexify_multiple_banners() -%}}
247868
+regex_replace("\^\((.*)\|.*$", "\1")
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips whitespace or newline regex #}}
247868
+{{% macro ansible_deregexify_banner_space() -%}}
247868
+regex_replace("\[\\s\\n\]\+"," ")
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips newline or newline escape sequence regex #}}
247868
+{{% macro ansible_deregexify_banner_newline(newline) -%}}
247868
+regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "{{{ newline }}}")
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips newline token for a newline escape sequence regex #}}
247868
+{{% macro ansible_deregexify_banner_newline_token() -%}}
247868
+regex_replace("\(n\)\*", "\\n")
247868
+{{%- endmacro %}}
247868
+
247868
+{{# Strips backslash regex #}}
247868
+{{% macro ansible_deregexify_banner_backslash() -%}}
247868
+regex_replace("\\", "")
247868
+{{%- endmacro %}}
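Review bot: The added line `    line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'` sits between `ansible_deregexify_banner_dconf_gnome` and `ansible_deregexify_multiple_banners`, outside any macro, and looks like an editing leftover. It has an empty filter slot (`| |`) and duplicates what `ansible_deregexify_banner_etc_issue` now builds, so it should be dropped from the patch. Separately, the dconf macro emits its own `''…''` and relies on the caller supplying the outer `'…'`. A line in its comment block saying so, for example `The caller must wrap the call in single quotes; the doubled quotes become the literal quotes dconf needs.`, would keep a later edit from unbalancing them.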
247868
247868
From 890e79ea0a9eff8cab05d8ef06e96900d95b2617 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 10:58:12 +0100
247868
Subject: [PATCH 16/27] Move the DoD banners into jinja variables
247868
247868
The variables are used to easily combine them in the regex for the
247868
"multiple banners allowed regex".
247868
Let's avoid repeating ourselves.
247868
---
247868
 .../httpd_secure_content/var_web_login_banner_text.var   | 9 ++++++---
247868
 .../accounts/accounts-banners/login_banner_text.var      | 9 ++++++---
247868
 2 files changed, 12 insertions(+), 6 deletions(-)
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index 72a728659b..96b6ac8e71 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -12,9 +12,12 @@ operator: equals
247868
 
247868
 interactive: false
247868
 
247868
+{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
247868
+
247868
 options:
247868
-    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
247868
-    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
247868
-    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
247868
+    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
+    dod_default: {{{ banner_flexibler(var_dod_default) }}}
247868
+    dod_short: {{{ banner_flexibler(var_dod_short) }}}
247868
     dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
     usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
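Review bot: `dod_banners` is now built as `"^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$"`, but this file has no comment saying that the order of the alternatives matters, unlike login_banner_text.var in the second hunk of this patch. The de-regexify step used by the remediations in this series keeps the text matched by a greedy `.*` before a `|`. The newline pattern those remediations look for, `(?:\[\\n\]+|(?:\\n)+)`, itself contains a `|`, so the first-banner extraction presumably only works while every alternative after the first is free of newlines. I would add above `dod_banners` in both files: `# The first banner is the one remediations write; later alternatives must not contain newlines or '|'.` Whether any remediation consumes this web variable is not visible from the hunk.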
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index 0c398bee9c..400a4299e6 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -12,10 +12,13 @@ operator: equals
247868
 
247868
 interactive: false
247868
 
247868
+{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
247868
+
247868
 options:
247868
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
247868
-    dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}}
247868
-    dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}}
247868
-    dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}}
247868
+    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
+    dod_default: {{{ banner_flexibler(var_dod_default) }}}
247868
+    dod_short: {{{ banner_flexibler(var_dod_short) }}}
247868
     dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
     usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
247868
From f17b39f5a55f92ae4d0e4e03cbd26dd55137b083 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 11:14:09 +0100
247868
Subject: [PATCH 17/27] Remove unecessary escapping in short banner
247868
247868
---
247868
 .../httpd_secure_content/var_web_login_banner_text.var          | 2 +-
247868
 .../system/accounts/accounts-banners/login_banner_text.var      | 2 +-
247868
 2 files changed, 2 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index 96b6ac8e71..c98d2441cf 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -13,7 +13,7 @@ operator: equals
247868
 interactive: false
247868
 
247868
 {{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
247868
+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
247868
 
247868
 options:
247868
     dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
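Review bot: The new `var_dod_short` value still ends in an unescaped `.`, and `var_dod_default` on the context line above keeps hand-written `\(`…`\)` escapes while leaving the periods in `U.S.` and `e.g.` bare. Because `dod_banners` wraps both in `^(`…`|`…`)$`, the resulting pattern accepts any character in those positions rather than the literal banner text, which slightly loosens the compliance check. Either escape the periods the same way the parentheses are escaped, or add a comment above the `set` lines stating which characters authors must escape by hand. The same applies to the identical change in linux_os/guide/system/accounts/accounts-banners/login_banner_text.var.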
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index 400a4299e6..fc65772554 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -13,7 +13,7 @@ operator: equals
247868
 interactive: false
247868
 
247868
 {{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}}
247868
+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
247868
 
247868
 options:
247868
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
247868
247868
From bb2dcd9212bb6e83c53bfb9df10bc7e236dec722 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 15:23:31 +0100
247868
Subject: [PATCH 18/27] Add utility to regexify a login banner
247868
247868
Moved the banner_flexibler macro to python code, and renamed to
247868
banner_regexify, to be aligned with Ansible and Bash counter parts
247868
"deregexify".
247868
247868
The utility will make it easy to add your own login banner on a tailoring
247868
file, or via SCAP Workbench.
247868
---
247868
 .../var_web_login_banner_text.var             | 10 +++----
247868
 .../accounts-banners/login_banner_text.var    | 10 +++----
247868
 shared/macros.jinja                           |  4 ---
247868
 ssg/jinja.py                                  |  3 +-
247868
 ssg/utils.py                                  |  3 ++
247868
 utils/regexify_banner.py                      | 29 +++++++++++++++++++
247868
 6 files changed, 44 insertions(+), 15 deletions(-)
247868
 create mode 100644 utils/regexify_banner.py
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index c98d2441cf..d3f72cbd97 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -16,8 +16,8 @@ interactive: false
247868
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
247868
 
247868
 options:
247868
-    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
-    dod_default: {{{ banner_flexibler(var_dod_default) }}}
247868
-    dod_short: {{{ banner_flexibler(var_dod_short) }}}
247868
-    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
-    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
+    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
+    dod_default: {{{ banner_regexify(var_dod_default) }}}
247868
+    dod_short: {{{ banner_regexify(var_dod_short) }}}
247868
+    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
+    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index fc65772554..f6eab9bf33 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -17,8 +17,8 @@ interactive: false
247868
 
247868
 options:
247868
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
247868
-    dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
-    dod_default: {{{ banner_flexibler(var_dod_default) }}}
247868
-    dod_short: {{{ banner_flexibler(var_dod_short) }}}
247868
-    dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
-    usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
+    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
+    dod_default: {{{ banner_regexify(var_dod_default) }}}
247868
+    dod_short: {{{ banner_regexify(var_dod_short) }}}
247868
+    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
+    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
diff --git a/shared/macros.jinja b/shared/macros.jinja
247868
index b178088f0c..8a25acc937 100644
247868
--- a/shared/macros.jinja
247868
+++ b/shared/macros.jinja
247868
@@ -657,7 +657,3 @@ openssl()
247868
 )
247868
 
247868
 {{%- endmacro %}}
247868
-
247868
-{{% macro banner_flexibler(banner_text) -%}}
247868
-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}}
247868
-{{% endmacro %}}
247868
diff --git a/ssg/jinja.py b/ssg/jinja.py
247868
index 700466b8c3..471fbf4140 100644
247868
--- a/ssg/jinja.py
247868
+++ b/ssg/jinja.py
247868
@@ -10,7 +10,7 @@
247868
                         JINJA_MACROS_BASH_DEFINITIONS,
247868
                         JINJA_MACROS_OVAL_DEFINITIONS,
247868
                         )
247868
-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform
247868
+from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify
247868
 
247868
 
247868
 class MacroError(RuntimeError):
247868
@@ -112,6 +112,7 @@ def add_python_functions(substitutions_dict):
247868
     substitutions_dict['prodtype_to_name'] = prodtype_to_name
247868
     substitutions_dict['name_to_platform'] = name_to_platform
247868
     substitutions_dict['prodtype_to_platform'] = prodtype_to_platform
247868
+    substitutions_dict['banner_regexify'] = banner_regexify
247868
     substitutions_dict['raise'] = raise_exception
247868
 
247868
 
247868
diff --git a/ssg/utils.py b/ssg/utils.py
247868
index 16b1aebe33..3823e02a2d 100644
247868
--- a/ssg/utils.py
247868
+++ b/ssg/utils.py
247868
@@ -248,3 +248,6 @@ def mkdir_p(path):
247868
             pass
247868
         else:
247868
             raise
247868
+
247868
+def banner_regexify(banner_text):
247868
+    return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
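Review bot: `"[\s\\n]+"` in banner_regexify is a non-raw string literal, so `\s` is an invalid escape sequence. It happens to survive as backslash-s, but Python 3.6+ reports a DeprecationWarning for it and Python 3.12+ a SyntaxWarning. Doubling the backslash keeps the produced regex identical: `.replace(" ", "[\\s\\n]+")`. The function also has no docstring; a short one should state that each space becomes `[\s\n]+`, that newlines are rewritten via the `BFLMPSVZ` placeholder, and that the text is not regex-escaped here, so metacharacters in a banner must already be escaped by the caller.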
247868
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
247868
new file mode 100644
247868
index 0000000000..7bdf69b702
247868
--- /dev/null
247868
+++ b/utils/regexify_banner.py
247868
@@ -0,0 +1,29 @@
247868
+import argparse
247868
+import ssg.utils
247868
+
247868
+def parse_args():
247868
+    p = argparse.ArgumentParser()
247868
+    p.add_argument("--output", help="Path to output regexified banner")
247868
+    p.add_argument("input", help="Path to file with banner to regexify")
247868
+
247868
+    return p.parse_args()
247868
+
247868
+
247868
+def main():
247868
+
247868
+    args = parse_args()
247868
+    with open(args.input, "r") as file_in:
247868
+        # rstrip is used to remove newline at the end of file
247868
+        banner_text = file_in.read().rstrip()
247868
+
247868
+    banner_regex = ssg.utils.banner_regexify(banner_text)
247868
+
247868
+    if args.output:
247868
+        with open(args.output, "w") as file_out:
247868
+            file_out.write(banner_regex)
247868
+    else:
247868
+        print(banner_regex)
247868
+
247868
+
247868
+if __name__ == "__main__":
247868
+    main()
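Review bot: `file_in.read().rstrip()` in main() strips every trailing whitespace character, not just the end-of-file newline the comment mentions, so a banner that ends in spaces or blank lines is silently shortened before it becomes the regex used by the check. If only the final newline is meant, `banner_text = file_in.read().rstrip("\n")` says so; otherwise the comment should read `# rstrip drops all trailing whitespace, including the final newline`. The script also lacks a module docstring and an `ArgumentParser` description explaining that the output is intended for a tailoring file.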
247868
247868
From 5c81e70d14ee90877630610bf0a2215199a3e491 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 15:31:12 +0100
247868
Subject: [PATCH 19/27] Move the macro to be a Jinja2 filter
247868
247868
This is done so that we can apply banner_regexify individually in each
247868
banner of dod_banners.
247868
---
247868
 .../httpd_secure_content/var_web_login_banner_text.var | 10 +++++-----
247868
 .../accounts/accounts-banners/login_banner_text.var    | 10 +++++-----
247868
 ssg/jinja.py                                           |  2 +-
247868
 3 files changed, 11 insertions(+), 11 deletions(-)
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index d3f72cbd97..e990f0cb23 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -16,8 +16,8 @@ interactive: false
247868
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
247868
 
247868
 options:
247868
-    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
-    dod_default: {{{ banner_regexify(var_dod_default) }}}
247868
-    dod_short: {{{ banner_regexify(var_dod_short) }}}
247868
-    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
-    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
+    dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
247868
+    dod_default: {{{ var_dod_default|banner_regexify }}}
247868
+    dod_short: {{{ var_dod_short|banner_regexify }}}
247868
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
247868
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
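Review bot: The `dod_banners` expression `"^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$"` relies on Jinja2 filters binding tighter than `~`, and it places the filter pipe next to a quoted `"|"` regex alternation, which is easy to misread. Parenthesising the filtered operands makes the intent explicit without changing the result: `"^(" ~ (var_dod_default|banner_regexify) ~ "|" ~ (var_dod_short|banner_regexify) ~ ")$"`. The same line is added in linux_os/guide/system/accounts/accounts-banners/login_banner_text.var.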
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index f6eab9bf33..e059174cb5 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -17,8 +17,8 @@ interactive: false
247868
 
247868
 options:
247868
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
247868
-    dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}}
247868
-    dod_default: {{{ banner_regexify(var_dod_default) }}}
247868
-    dod_short: {{{ banner_regexify(var_dod_short) }}}
247868
-    dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}}
247868
-    usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}}
247868
+    dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
247868
+    dod_default: {{{ var_dod_default|banner_regexify }}}
247868
+    dod_short: {{{ var_dod_short|banner_regexify }}}
247868
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
247868
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
247868
diff --git a/ssg/jinja.py b/ssg/jinja.py
247868
index 471fbf4140..e779466838 100644
247868
--- a/ssg/jinja.py
247868
+++ b/ssg/jinja.py
247868
@@ -71,6 +71,7 @@ def _get_jinja_environment(substitutions_dict):
247868
             loader=AbsolutePathFileSystemLoader(),
247868
             bytecode_cache=bytecode_cache
247868
         )
247868
+        _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
247868
 
247868
     return _get_jinja_environment.env
247868
 
247868
@@ -112,7 +113,6 @@ def add_python_functions(substitutions_dict):
247868
     substitutions_dict['prodtype_to_name'] = prodtype_to_name
247868
     substitutions_dict['name_to_platform'] = name_to_platform
247868
     substitutions_dict['prodtype_to_platform'] = prodtype_to_platform
247868
-    substitutions_dict['banner_regexify'] = banner_regexify
247868
     substitutions_dict['raise'] = raise_exception
247868
 
247868
 
247868
247868
From d416cb9e78842767f08d9c38d9ea0b79b05f00dd Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 15:53:07 +0100
247868
Subject: [PATCH 20/27] Automatically escape regex unsafe chars in banner
247868
247868
Let the banner_regexify filter escape regex unsafe chars, no need for
247868
manual escaping.
247868
---
247868
 .../httpd_secure_content/var_web_login_banner_text.var       | 2 +-
247868
 .../system/accounts/accounts-banners/login_banner_text.var   | 2 +-
247868
 ssg/utils.py                                                 | 5 +++++
247868
 3 files changed, 7 insertions(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index e990f0cb23..e59cdc0782 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -12,7 +12,7 @@ operator: equals
247868
 
247868
 interactive: false
247868
 
247868
-{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
+{{% set var_dod_default = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
247868
 
247868
 options:
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index e059174cb5..1c6a39f481 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -12,7 +12,7 @@ operator: equals
247868
 
247868
 interactive: false
247868
 
247868
-{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
+{{% set var_dod_default="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}}
247868
 {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}}
247868
 
247868
 options:
247868
diff --git a/ssg/utils.py b/ssg/utils.py
247868
index 3823e02a2d..7584e38a16 100644
247868
--- a/ssg/utils.py
247868
+++ b/ssg/utils.py
247868
@@ -250,4 +250,9 @@ def mkdir_p(path):
247868
             raise
247868
 
247868
 def banner_regexify(banner_text):
247868
+    # We could use re.escape(), but it escapes too many characters, including plain white space.
247868
+    # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
247868
+    # See https://docs.python.org/3/library/re.html#re.sub
247868
+    # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
247868
+    banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text)
247868
     return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
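Review bot: The character class in the added `re.sub` does not escape the set that the comment above it describes. Inside the brackets `+-.` is a range, so `,` is escaped along with `+`, `-` and `.`, while `:` and the backtick are escaped although the comment lists them as left alone; `?`, `[`, `]`, `{` and `}` are not escaped at all, so a banner containing one of them becomes a pattern that no longer matches its own text literally. Because this pattern decides whether a compliance check passes, I would spell the class out with the hyphen escaped, for example `re.sub(r"([#$&*+\-.^|~()\[\]{}?])", r"\\\1", banner_text)`, and confirm the deregexify macros still undo every added backslash. The comment's link should point to `re.escape` rather than `re.sub`. The same line is carried unchanged through the style cleanup in PATCH 22.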
247868
247868
From 35e962ce5c5c28d29d120723715d64dcbd567197 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 17:00:26 +0100
247868
Subject: [PATCH 21/27] Document the new macros, filter and utility
247868
247868
---
247868
 docs/manual/developer_guide.adoc | 26 ++++++++++++++++++++++++++
247868
 1 file changed, 26 insertions(+)
247868
247868
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
247868
index 76c1c10218..739a6a823c 100644
247868
--- a/docs/manual/developer_guide.adoc
247868
+++ b/docs/manual/developer_guide.adoc
247868
@@ -752,6 +752,14 @@ $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --p
247868
 
247868
 This will result in a new YAML profile containing exclusive rules to the profile pointed by the --profile1 option.
247868
 
247868
+=== Generating login banner regular expressions
247868
+
247868
+Rules like `banner_etc_issue` and `dconf_gnome_login_banner_text` will check for configuration of login banners and remediate them. Both rules source the banner text from the same variable `login_banner_text`, and the banner texts need to be in the form of a regular expression.
247868
+There are a few utilities you can use to transform your text into the appropriate regular expression:
247868
+
247868
+When adding a new banner directly to the `login_banner_text`, use the custom Jinja filter `banner_regexify`. +
247868
+If customizing content via SCAP Workbench, or directly writing your tailoring XML, use `utils/regexify_banner.py` to generate the appropriate regular expression.
247868
+
247868
 == Contributing with XCCDFs, OVALs and remediations
247868
 
247868
 There are three main types of content in the project, they are rules, defined using the XCCDF standard, checks, usually written in link:https://oval.mitre.org/language/about/[OVAL] format, and remediations, that can be executed on ansible, bash, anaconda installer, puppet and ignition.
247868
@@ -1279,6 +1287,8 @@ Jinja macros for Ansible content are located in `/shared/macros-ansible.jinja`.
247868
 - `ansible_sshd_set` -- set a parameter in the sshd configuration
247868
 - `ansible_etc_profile_set` -- ensure a command gets executed or a variable gets set in /etc/profile or /etc/profile.d
247868
 - `ansible_tmux_set` -- set a command in tmux configuration
247868
+- `ansible_deregexify_banner_etc_issue` -- Formats a banner regex for use in /etc/issue
247868
+- `ansible_deregexify_banner_dconf_gnome` -- Formats a banner regex for use in dconf
247868
 
247868
 They also include several low-level macros:
247868
 
247868
@@ -1289,6 +1299,14 @@ They also include several low-level macros:
247868
 - `ansible_set_config_file` -- for configuration files; set the given configuration value and ensure no conflicting values
247868
 - `ansible_set_config_file_dir` -- for configuration files and files in configuration directories; set the given configuration value and ensure no conflicting values
247868
 
247868
+Low level macros to make login banner regular expressions usable in Ansible remediations
247868
+
247868
+- `ansible_deregexify_multiple_banners` -- Strips multibanner regex and keeps only the first banner
247868
+- `ansible_deregexify_banner_space` -- Strips whitespace or newline regex
247868
+- `ansible_deregexify_banner_newline` -- Strips newline or newline escape sequence regex
247868
+- `ansible_deregexify_banner_newline_token` -- Strips newline token for a newline escape sequence regex
247868
+- `ansible_deregexify_banner_backslash` - Strips backslash regex
247868
+
247868
 When `msg` is absent from any of the above macros, rule title will be substituted instead.
247868
 
247868
 Whenever possible, please reuse the macros and form high-level simplifications.
247868
@@ -1348,6 +1366,14 @@ Available low-level Jinja macros that can be used in Bash remediations:
247868
 - `die` - Function to terminate the remediation
247868
 - `set_config_file` - Add an entry to a text configuration file
247868
 
247868
+Low level macros to make login banner regular expressions usable in Bash remediations
247868
+
247868
+- `bash_deregexify_multiple_banners` - Strips multibanner regex and keeps only the first banner
247868
+- `bash_deregexify_banner_space` - Strips whitespace or newline regex
247868
+- `bash_deregexify_banner_newline` - Strips newline or newline escape sequence regex
247868
+- `bash_deregexify_banner_newline_token` - Strips newline token for a newline escape sequence regex
247868
+- `bash_deregexify_banner_backslash` - Strips backslash regex
247868
+
247868
 === Templating
247868
 
247868
 Writing OVAL checks, Bash, or any other content can be tedious work. For
247868
247868
From ad5526d6704299cfd01c818fa8a79e3587b90cb5 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Sun, 8 Mar 2020 17:56:44 +0100
247868
Subject: [PATCH 22/27] Code style fixes
247868
247868
---
247868
 ssg/jinja.py             | 7 ++++++-
247868
 ssg/utils.py             | 5 ++++-
247868
 utils/regexify_banner.py | 1 +
247868
 3 files changed, 11 insertions(+), 2 deletions(-)
247868
247868
diff --git a/ssg/jinja.py b/ssg/jinja.py
247868
index e779466838..e014768e2b 100644
247868
--- a/ssg/jinja.py
247868
+++ b/ssg/jinja.py
247868
@@ -10,7 +10,12 @@
247868
                         JINJA_MACROS_BASH_DEFINITIONS,
247868
                         JINJA_MACROS_OVAL_DEFINITIONS,
247868
                         )
247868
-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify
247868
+from .utils import (required_key,
247868
+                    prodtype_to_name,
247868
+                    name_to_platform,
247868
+                    prodtype_to_platform,
247868
+                    banner_regexify
247868
+                    )
247868
 
247868
 
247868
 class MacroError(RuntimeError):
247868
diff --git a/ssg/utils.py b/ssg/utils.py
247868
index 7584e38a16..472ac73b81 100644
247868
--- a/ssg/utils.py
247868
+++ b/ssg/utils.py
247868
@@ -249,10 +249,13 @@ def mkdir_p(path):
247868
         else:
247868
             raise
247868
 
247868
+
247868
 def banner_regexify(banner_text):
247868
     # We could use re.escape(), but it escapes too many characters, including plain white space.
247868
     # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
247868
     # See https://docs.python.org/3/library/re.html#re.sub
247868
     # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
247868
     banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text)
247868
-    return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
247868
+    banner_text = banner_text.replace("\n", "BFLMPSVZ")
247868
+    banner_text = banner_text.replace(" ", "[\\s\\n]+")
247868
+    return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
247868
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
247868
index 7bdf69b702..c794c02a37 100644
247868
--- a/utils/regexify_banner.py
247868
+++ b/utils/regexify_banner.py
247868
@@ -1,6 +1,7 @@
247868
 import argparse
247868
 import ssg.utils
247868
 
247868
+
247868
 def parse_args():
247868
     p = argparse.ArgumentParser()
247868
     p.add_argument("--output", help="Path to output regexified banner")
247868
247868
From 86439fed8f2d431da76bd613c87b38c4eda6457b Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Wed, 11 Mar 2020 13:44:02 +0100
247868
Subject: [PATCH 23/27] regexify_banner.py: Set x permission and shebang
247868
247868
---
247868
 utils/regexify_banner.py | 1 +
247868
 1 file changed, 1 insertion(+)
247868
 mode change 100644 => 100755 utils/regexify_banner.py
247868
247868
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
247868
old mode 100644
247868
new mode 100755
247868
index c794c02a37..15584693bf
247868
--- a/utils/regexify_banner.py
247868
+++ b/utils/regexify_banner.py
247868
@@ -1,3 +1,4 @@
247868
+#!/usr/bin/env python
247868
 import argparse
247868
 import ssg.utils
247868
 
247868
247868
From 556018017f7fbb2d7707aaf673ecd9d4edb53aae Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Wed, 11 Mar 2020 14:16:03 +0100
247868
Subject: [PATCH 24/27] The whole /etc/issue file should be evaluated
247868
247868
Added test scenario where the banner is followed by an
247868
extraneous line. This caused the rule to pass unexpectedly.
247868
247868
Updated the OVAL check to treat all lines of /etc/issue as the object to
247868
be evaluated and compared against a state.
247868
Also updated the Bash remediation to not add an extra newline at the end, and the
247868
Ansible remediation to remove any extraneous line in /etc/issue
247868
---
247868
 .../banner_etc_issue/ansible/shared.yml       |  7 ++++-
247868
 .../banner_etc_issue/bash/shared.sh           |  2 --
247868
 .../banner_etc_issue/oval/shared.xml          |  8 ++++-
247868
 ...ner_etc_issue_disa_with_extra_line.fail.sh | 30 +++++++++++++++++++
247868
 4 files changed, 43 insertions(+), 4 deletions(-)
247868
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
247868
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
index 42c19194e4..21f0925268 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
247868
@@ -5,7 +5,12 @@
247868
 # disruption = medium
247868
 - (xccdf-var login_banner_text)
247868
 
247868
-- name: "{{{ rule_title }}}"
247868
+- name: "{{{ rule_title }}} - remove incorrect banner"
247868
+  file:
247868
+    state: absent
247868
+    path: /etc/issue
247868
+
247868
+- name: "{{{ rule_title }}} - add correct banner"
247868
   lineinfile:
247868
     dest: /etc/issue
247868
     line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}'
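Review bot: Deleting `/etc/issue` and then re-adding it with `lineinfile` leaves a window with no banner file, and the rebuilt file gets whatever owner, mode and SELinux label a freshly created file receives. `lineinfile` also fails on a missing destination unless the task sets `create: yes`; the rest of the task is outside this hunk, so confirm that it does. A single task that writes the whole file, such as `copy:` with `dest: /etc/issue` and `content:` set to the deregexified banner, replaces the contents in one step, stays idempotent, and still drops the extraneous lines this commit is after.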
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 119413005e..1a0c11f569 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -17,5 +17,3 @@ formatted=$(echo "$login_banner_text" | fold -sw 80)
247868
 cat <<EOF >/etc/issue
247868
 $formatted
247868
 EOF
247868
-
247868
-printf "\n" >> /etc/issue
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
247868
index 3317251d41..032c65b340 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
247868
@@ -12,14 +12,20 @@
247868
 
247868
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="test_banner_etc_issue" version="1">
247868
     <ind:object object_ref="object_banner_etc_issue" />
247868
+    <ind:state state_ref="state_banner_etc_issue" />
247868
   </ind:textfilecontent54_test>
247868
 
247868
   <ind:textfilecontent54_object id="object_banner_etc_issue" version="1">
247868
+    <ind:behaviors singleline="true" multiline="false" />
247868
     <ind:filepath>/etc/issue</ind:filepath>
247868
-    <ind:pattern var_ref="login_banner_text" operation="pattern match" />
247868
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
247868
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
247868
   </ind:textfilecontent54_object>
247868
 
247868
+  <ind:textfilecontent54_state id="state_banner_etc_issue" version="1">
247868
+    <ind:subexpression datatype="string" var_ref="login_banner_text" operation="pattern match" />
247868
+  </ind:textfilecontent54_state>
247868
+
247868
   <external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" />
247868
 
247868
 </def-group>
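Review bot: The new state compares the captured file content against `login_banner_text` with `operation="pattern match"`, so this is a whole-file comparison only when the variable value itself begins with `^` and ends with `$`. An unanchored value, for instance one supplied through tailoring, would still pass on a file with extra text around the banner, which is the case this commit sets out to fail. I would record that requirement next to the state, e.g. `<!-- login_banner_text must be anchored with ^ and $, otherwise this is a substring match -->`, and presumably in the variable's description as well.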
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
247868
new file mode 100644
247868
index 0000000000..dfa48bd61a
247868
--- /dev/null
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
247868
@@ -0,0 +1,30 @@
247868
+#!/bin/bash
247868
+#
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+# dod_default|dod_short banner
247868
+echo "You are accessing a U.S. Government (USG) Information System (IS) that is 
247868
+provided for USG-authorized use only. By using this IS (which includes any 
247868
+device attached to this IS), you consent to the following conditions:
247868
+
247868
+-The USG routinely intercepts and monitors communications on this IS for 
247868
+purposes including, but not limited to, penetration testing, COMSEC monitoring, 
247868
+network operations and defense, personnel misconduct (PM), law enforcement 
247868
+(LE), and counterintelligence (CI) investigations.
247868
+
247868
+-At any time, the USG may inspect and seize data stored on this IS.
247868
+
247868
+-Communications using, or data stored on, this IS are not private, are subject 
247868
+to routine monitoring, interception, and search, and may be disclosed or used 
247868
+for any USG-authorized purpose.
247868
+
247868
+-This IS includes security measures (e.g., authentication and access controls) 
247868
+to protect USG interests--not for your personal benefit or privacy.
247868
+
247868
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE 
247868
+or CI investigative searching or monitoring of the content of privileged 
247868
+communications, or work product, related to personal representation or services 
247868
+by attorneys, psychotherapists, or clergy, and their assistants. Such 
247868
+communications and work product are private and confidential. See User 
247868
+Agreement for details.
247868
+Extra line at end." > /etc/issue
247868
247868
From 488c5259595032f25dd98d45c1b38a65ed248647 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Wed, 11 Mar 2020 18:52:37 +0100
247868
Subject: [PATCH 25/27] Wrap banner text with regex anchors
247868
247868
We need to be sure that the whole banner matches the banner variable.
247868
This commit includes a test scenario that reproduces the issue.
247868
247868
All the harness around banners have been updated, regexify, deregexify
247868
and utility.
247868
---
247868
 .../var_web_login_banner_text.var                |  8 ++++----
247868
 .../banner_etc_issue/bash/shared.sh              | 10 ++++++----
247868
 .../dconf_gnome_login_banner_text/bash/shared.sh | 12 +++++++-----
247868
 .../tests/wrapped_banner.fail.sh                 | 16 ++++++++++++++++
247868
 .../accounts-banners/login_banner_text.var       |  8 ++++----
247868
 shared/macros-ansible.jinja                      | 10 ++++++++--
247868
 shared/macros-bash.jinja                         |  7 ++++++-
247868
 ssg/jinja.py                                     |  4 +++-
247868
 ssg/utils.py                                     |  3 +++
247868
 utils/regexify_banner.py                         |  1 +
247868
 10 files changed, 58 insertions(+), 21 deletions(-)
247868
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
247868
247868
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
index e59cdc0782..dc10e8c3cf 100644
247868
--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var
247868
@@ -17,7 +17,7 @@ interactive: false
247868
 
247868
 options:
247868
     dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
247868
-    dod_default: {{{ var_dod_default|banner_regexify }}}
247868
-    dod_short: {{{ var_dod_short|banner_regexify }}}
247868
-    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
247868
-    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
247868
+    dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}}
247868
+    dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}}
247868
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}}
247868
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}}
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
index 1a0c11f569..30449d5e9d 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
247868
@@ -3,14 +3,16 @@
247868
 populate login_banner_text
247868
 
247868
 # Multiple regexes transform the banner regex into a usable banner
247868
-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
247868
+# 0 - Remove anchors around the banner text
247868
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
247868
+# 1 - Keep only the first banners if there are multiple
247868
 #    (dod_banners contains the long and short banner)
247868
 {{{ bash_deregexify_multiple_banners("login_banner_text") }}}
247868
-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
 {{{ bash_deregexify_banner_space("login_banner_text") }}}
247868
-# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
247868
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
247868
 {{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}}
247868
-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
 {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
247868
 formatted=$(echo "$login_banner_text" | fold -sw 80)
247868
 
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
index 4011932790..85ddd893c6 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
247868
@@ -3,16 +3,18 @@
247868
 populate login_banner_text
247868
 
247868
 # Multiple regexes transform the banner regex into a usable banner
247868
-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax.
247868
+# 0 - Remove anchors around the banner text
247868
+{{{ bash_deregexify_banner_anchors("login_banner_text") }}}
247868
+# 1 - Keep only the first banners if there are multiple
247868
 #    (dod_banners contains the long and short banner)
247868
 {{{ bash_deregexify_multiple_banners("login_banner_text") }}}
247868
-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
247868
 {{{ bash_deregexify_banner_space("login_banner_text") }}}
247868
-# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
247868
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
247868
 {{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}}
247868
-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
247868
 {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
247868
-# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n").
247868
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
247868
 #    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
247868
 {{{ bash_deregexify_banner_newline_token("login_banner_text")}}}
247868
 
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
247868
new file mode 100644
247868
index 0000000000..1c6b9a23af
247868
--- /dev/null
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh
247868
@@ -0,0 +1,16 @@
247868
+#!/bin/bash
247868
+# platform = Red Hat Enterprise Linux 7
247868
+# profiles = xccdf_org.ssgproject.content_profile_ncp
247868
+
247868
+source $SHARED/dconf_test_functions.sh
247868
+
247868
+install_dconf_and_gdm_if_needed
247868
+
247868
+login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after."
247868
+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')
247868
+
247868
+clean_dconf_settings
247868
+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings"
247868
+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock"
247868
+
247868
+dconf update
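Review bot: Nothing in the script says why it is expected to fail; the only hints are the `.fail.sh` suffix and the "Some text before" / "And some after." fragments wrapped around the banner in `login_banner_text`. A header comment such as `# The approved banner surrounded by extra text must not satisfy the anchored banner regex.` would make the intent clear to whoever maintains the rule. The `sed` chain on the `expanded=` line appears to re-implement the de-regexify steps by hand, so it can drift from the shared macros. The `source` line should also quote its variable: `source "$SHARED/dconf_test_functions.sh"`.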
247868
diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
index 1c6a39f481..d00782f380 100644
247868
--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var
247868
@@ -18,7 +18,7 @@ interactive: false
247868
 options:
247868
 # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters
247868
     dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}}
247868
-    dod_default: {{{ var_dod_default|banner_regexify }}}
247868
-    dod_short: {{{ var_dod_short|banner_regexify }}}
247868
-    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}}
247868
-    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}}
247868
+    dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}}
247868
+    dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}}
247868
+    dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}}
247868
+    usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}}
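Review bot: The context line for `dod_banners` still builds its anchors by hand with `"^("` and `")$"`, while the four options changed here get theirs from `banner_anchor_wrap`, so the file now has two ways of anchoring a banner. Routing the group through the same filter keeps them in step if the wrapper ever changes: `dod_banners: {{{ ("(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")")|banner_anchor_wrap }}}`. The anchors are what stop a banner with extra text around the approved wording from passing the check, so one definition of them is worth having.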
247868
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
247868
index 5deb7ceb80..11fb79a4d9 100644
247868
--- a/shared/macros-ansible.jinja
247868
+++ b/shared/macros-ansible.jinja
247868
@@ -225,6 +225,7 @@
247868
 #}}
247868
 {{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}}
247868
 {{ {{{ banner_var_name }}} |
247868
+{{{ ansible_deregexify_banner_anchors() }}} |
247868
 {{{ ansible_deregexify_multiple_banners() }}} |
247868
 {{{ ansible_deregexify_banner_space() }}} |
247868
 {{{ ansible_deregexify_banner_newline("\\n") }}} |
247868
@@ -239,6 +240,7 @@ wordwrap() }}
247868
 #}}
247868
 {{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}}
247868
 ''{{ {{{ banner_var_name }}} |
247868
+{{{ ansible_deregexify_banner_anchors() }}} |
247868
 {{{ ansible_deregexify_multiple_banners() }}} |
247868
 {{{ ansible_deregexify_banner_space() }}} |
247868
 {{{ ansible_deregexify_banner_newline("(n)*") }}} |
247868
@@ -246,10 +248,14 @@ wordwrap() }}
247868
 {{{ ansible_deregexify_banner_newline_token()}}} }}''
247868
 {{%- endmacro %}}
247868
 
247868
-    line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}'
247868
+{{# Strips anchors around the banner #}}
247868
+{{% macro ansible_deregexify_banner_anchors() -%}}
247868
+regex_replace("^\^(.*)\$$", "\1")
247868
+{{%- endmacro %}}
247868
+
247868
 {{# Strips multibanner regex and keeps only the first banner #}}
247868
 {{% macro ansible_deregexify_multiple_banners() -%}}
247868
-regex_replace("\^\((.*)\|.*$", "\1")
247868
+regex_replace("\((.*)\|.*$", "\1")
247868
 {{%- endmacro %}}
247868
 
247868
 {{# Strips whitespace or newline regex #}}
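Review bot: The comment on `ansible_deregexify_banner_anchors` does not say that the filter has to run first in the chain. The two callers earlier in this file place it before `ansible_deregexify_multiple_banners`, and that order matters: a value still carrying `^` and `$` would likely come out of the later steps with a stray anchor. I would extend the macro comment to `{{# Strips the ^...$ anchors around the banner; must be applied before the other deregexify filters #}}`. The pattern only strips when both anchors are present, which deserves a word in the comment too.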
247868
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
247868
index 6d72684c6d..03b381c3ca 100644
247868
--- a/shared/macros-bash.jinja
247868
+++ b/shared/macros-bash.jinja
247868
@@ -522,9 +522,14 @@ cat << 'EOF' > {{{ filepath }}}
247868
 EOF
247868
 {{%- endmacro %}}
247868
 
247868
+{{# Strips anchors regex around the banner text #}}
247868
+{{% macro bash_deregexify_banner_anchors(banner_var_name) -%}}
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g')
247868
+{{%- endmacro %}}
247868
+
247868
 {{# Strips multibanner regex and keeps only the first banner #}}
247868
 {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
247868
-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g')
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
247868
 {{%- endmacro %}}
247868
 
247868
 {{# Strips whitespace or newline regex #}}
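Review bot: `bash_deregexify_banner_anchors` feeds the banner to `sed` with `echo`, whose handling of backslashes and leading dashes depends on shell options, and the banner regex is full of backslashes. `printf '%s\n'` passes the value through unchanged: `{{{ banner_var_name }}}=$(printf '%s\n' "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/')`. The `g` flag can go, since a pattern anchored at both ends matches at most once per line. The neighbouring macros use the same `echo` form, so this would be best changed for all of them together.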
247868
diff --git a/ssg/jinja.py b/ssg/jinja.py
247868
index e014768e2b..da3e403a1b 100644
247868
--- a/ssg/jinja.py
247868
+++ b/ssg/jinja.py
247868
@@ -14,7 +14,8 @@
247868
                     prodtype_to_name,
247868
                     name_to_platform,
247868
                     prodtype_to_platform,
247868
-                    banner_regexify
247868
+                    banner_regexify,
247868
+                    banner_anchor_wrap
247868
                     )
247868
 
247868
 
247868
@@ -77,6 +78,7 @@ def _get_jinja_environment(substitutions_dict):
247868
             bytecode_cache=bytecode_cache
247868
         )
247868
         _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
247868
+        _get_jinja_environment.env.filters['banner_anchor_wrap'] = banner_anchor_wrap
247868
 
247868
     return _get_jinja_environment.env
247868
 
247868
diff --git a/ssg/utils.py b/ssg/utils.py
247868
index 472ac73b81..9b437d5556 100644
247868
--- a/ssg/utils.py
247868
+++ b/ssg/utils.py
247868
@@ -259,3 +259,6 @@ def banner_regexify(banner_text):
247868
     banner_text = banner_text.replace("\n", "BFLMPSVZ")
247868
     banner_text = banner_text.replace(" ", "[\\s\\n]+")
247868
     return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)")
247868
+
247868
+def banner_anchor_wrap(banner_text):
247868
+    return "^" + banner_text + "$"
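Review bot: `banner_anchor_wrap` has no docstring, and only one blank line separates it from `banner_regexify` where PEP 8 asks for two between top-level functions. Suggested docstring: `"""Wrap a banner regex in ^ and $ so that it must match the whole banner text."""`. The function adds the anchors unconditionally, so calling it on an already anchored value yields `^^...$$`; a sentence in the docstring saying it expects an unanchored regex would spare a future caller that mistake. `banner_regexify` starts outside the hunk.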
247868
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
247868
index 15584693bf..c17213d66d 100755
247868
--- a/utils/regexify_banner.py
247868
+++ b/utils/regexify_banner.py
247868
@@ -19,6 +19,7 @@ def main():
247868
         banner_text = file_in.read().rstrip()
247868
 
247868
     banner_regex = ssg.utils.banner_regexify(banner_text)
247868
+    banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
247868
 
247868
     if args.output:
247868
         with open(args.output, "w") as file_out:
247868
247868
From d30eb89a68ae536707b8535c47eba4a422e2f252 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Thu, 12 Mar 2020 13:27:22 +0100
247868
Subject: [PATCH 26/27] Fix call of banner_anchor_wrap
247868
247868
---
247868
 utils/regexify_banner.py | 2 +-
247868
 1 file changed, 1 insertion(+), 1 deletion(-)
247868
247868
diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py
247868
index c17213d66d..16ec4ba6ef 100755
247868
--- a/utils/regexify_banner.py
247868
+++ b/utils/regexify_banner.py
247868
@@ -19,7 +19,7 @@ def main():
247868
         banner_text = file_in.read().rstrip()
247868
 
247868
     banner_regex = ssg.utils.banner_regexify(banner_text)
247868
-    banner_regex = ssg.utils.banner_anchor_wrap(banner_text)
247868
+    banner_regex = ssg.utils.banner_anchor_wrap(banner_regex)
247868
 
247868
     if args.output:
247868
         with open(args.output, "w") as file_out:
247868
247868
From 90280f39e8548f2a7a22d1e328de72bc1b756099 Mon Sep 17 00:00:00 2001
247868
From: Watson Sato <wsato@redhat.com>
247868
Date: Thu, 12 Mar 2020 16:09:25 +0100
247868
Subject: [PATCH 27/27] Fix multiple banner regex stripping
247868
247868
Anchor the opening parenthesis to beginning of banner, and add anchored
247868
closing parenthesis to pattern.
247868
---
247868
 shared/macros-ansible.jinja | 2 +-
247868
 shared/macros-bash.jinja    | 2 +-
247868
 2 files changed, 2 insertions(+), 2 deletions(-)
247868
247868
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
247868
index 11fb79a4d9..b020246ef2 100644
247868
--- a/shared/macros-ansible.jinja
247868
+++ b/shared/macros-ansible.jinja
247868
@@ -255,7 +255,7 @@ regex_replace("^\^(.*)\$$", "\1")
247868
 
247868
 {{# Strips multibanner regex and keeps only the first banner #}}
247868
 {{% macro ansible_deregexify_multiple_banners() -%}}
247868
-regex_replace("\((.*)\|.*$", "\1")
247868
+regex_replace("^\((.*)\|.*\)$", "\1")
247868
 {{%- endmacro %}}
247868
 
247868
 {{# Strips whitespace or newline regex #}}
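Review bot: The new pattern `^\((.*)\|.*\)$` still splits the group on the last `|` in the value, because `(.*)` is greedy. `banner_regexify` emits `(?:[\n]+|(?:\\n)+)` for every newline, so a final banner containing a newline would leave part of itself in the captured text, and the remediation would then write a banner that is not the approved one. Whether `var_dod_short` has newlines is not visible here, so this may be latent only. I would record the assumption next to the macro, e.g. `{{# Assumes the last banner in the group contains no "|" (no newline token) #}}`. The same applies to the `sed` expression in the shared/macros-bash.jinja hunk of this commit.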
247868
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
247868
index 03b381c3ca..bc6c6f6486 100644
247868
--- a/shared/macros-bash.jinja
247868
+++ b/shared/macros-bash.jinja
247868
@@ -529,7 +529,7 @@ EOF
247868
 
247868
 {{# Strips multibanner regex and keeps only the first banner #}}
247868
 {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
247868
-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g')
247868
+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\)|.*)$/\1/g')
247868
 {{%- endmacro %}}
247868
 
247868
 {{# Strips whitespace or newline regex #}}