8.5 Check that the Banner Setting for telnet is Null

Information

The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system.

Rationale:

The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it should be disabled, and all remote administrative and user connections should take place over Secure Shell.

Solution

Perform the following to implement the recommended state:

# cd /etc/default

# awk '/^BANNER=/ { $1 = "BANNER=" }; { print }' telnetd > telnetd.CIS

# mv telnetd.CIS telnetd
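
To confirm the result before the mv step, the following added audit helper (not part of the benchmark text or of the audit plugin) reports whether the active BANNER line in a telnetd defaults file is null. The function names and return codes are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit check for the BANNER setting. Names are hypothetical.

# Print the value of the last uncommented BANNER= line in file $1.
# Exits 2 when the file has no active BANNER= line.
telnet_banner_value() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        /^[ \t]*BANNER=/ {
            sub(/^[ \t]*BANNER=/, "")       # keep only the value
            sub(/[ \t]+$/, "")              # drop trailing whitespace
            val = $0; found = 1
        }
        END { if (!found) exit 2; print val }
    ' "$1"
}

# Return 0 if BANNER is null, 1 if it carries text, 2 if no BANNER= line.
telnet_banner_is_null() {
    val=$(telnet_banner_value "$1") || return 2
    case "$val" in
        ''|'""'|"''") return 0 ;;           # BANNER=, BANNER="" or BANNER=''
        *)            return 1 ;;
    esac
}

# Constructed sample files, not copied from a real system.
tmp=$(mktemp -d)
printf '%s\n' '# telnetd defaults' 'BANNER="SunOS-5.10"' > "$tmp/single"
printf '%s\n' 'BANNER="Authorized use only"' > "$tmp/multi"
for f in single multi; do
    # The remediation command from this page, applied to a copy.
    awk '/^BANNER=/ { $1 = "BANNER=" }; { print }' "$tmp/$f" > "$tmp/$f.CIS"
    rc=0; telnet_banner_is_null "$tmp/$f.CIS" || rc=$?
    echo "$f after remediation: rc=$rc"
done
rm -rf "$tmp"
```

The second sample returns 1: the awk command replaces only the first whitespace-separated field, so a banner containing spaces is left partly in place and needs to be cleared by hand.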

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: fcad52a8e8c777e111fa6a9faacc05f6449745c9bfc2a19eaad9c1950a995d81