From b31cd46c180bb12d7ab2dffa3486a32e8353b91c Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 26 Oct 2023 10:25:27 +0200
Subject: [PATCH] Disable dynamic motd message

Right now default cloud images of Ubuntu does contain dynamic MOTD by default, that takes around extra 0.4 sec for establishing connection. Disabiling MOTD should improve responsivness of hosts and speedup ansible execution as well. With that we're keeping static MOTD that has no impact on connection speed.

Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
---
 defaults/main.yml | 2 ++
 tasks/rhel7stig/sshd.yml | 8 ++++++++
 vars/main.yml | 4 ++++
 3 files changed, 14 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 8b97d8c0..13ab53fe 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -334,6 +334,8 @@ security_sshd_disallow_host_based_auth: yes # V-71959
 security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
 # Specify a text file to be displayed as the banner/MOTD for all sessions.
 security_sshd_banner_file: /etc/motd # V-71861 / V-72225
+# Disable dynamic MOTD banner that is provided by /run/motd.dynamic
+security_sshd_dynamic_banner_disable: True
 # Set the interval for max session length and the number of intervals to allow.
 security_sshd_client_alive_interval: 600 # V-72237
 security_sshd_client_alive_count_max: 0 # V-72241
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 72e7b722..2832be0a 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -148,3 +148,11 @@
 - medium
 - sshd
 - V-72257
+
+- name: Remove motd from pam.d
+ lineinfile:
+ path: /etc/pam.d/sshd
+ regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
+ line: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
+ backrefs: yes
+ when: security_sshd_dynamic_banner_disable | bool
diff --git a/vars/main.yml b/vars/main.yml
index 4eb1d867..9342b76d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
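Review bot: The comment added above `security_sshd_dynamic_banner_disable` in defaults/main.yml does not say what the switch changes on the host, and it is on by default. From the other hunks in this patch it comments out pam_motd in /etc/pam.d/sshd and drives the PrintMotd setting, so an existing deployment gets its PAM stack edited on the next run without having opted in. I would document that in the comment, for example `# Disable the dynamic MOTD: comments out pam_motd in /etc/pam.d/sshd and sets PrintMotd so the static /etc/motd is still shown.` The value is also written `True` while the neighbouring boolean in the hunk header uses `yes`; one spelling throughout the file would read better.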
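Review bot: The new task in tasks/rhel7stig/sshd.yml cannot undo itself: `when: security_sshd_dynamic_banner_disable | bool` skips it whenever the variable is false, so the `"\2"` (uncomment) branch of the ternary is dead and pam_motd stays commented out after the switch is turned off. `lineinfile` with `backrefs` also rewrites only the last matching line, so if /etc/pam.d/sshd carries more than one `pam_motd.so` entry (stock Ubuntu images usually have a dynamic one and a `noupdate` one, worth confirming on the target) the entry that reads /run/motd.dynamic may be left active. The `replace` module with the same pattern covers every match and both directions, as sketched below, with the pattern tightened to `\s+` and `pam_motd\.so`. Without the `when`, a false value will also uncomment entries an administrator disabled by hand, so that trade-off needs a decision. The task has no `tags:` although the task above it is tagged `sshd`; the tag in the sketch is assumed from that neighbour.

```yaml
- name: Remove motd from pam.d
  replace:
    path: /etc/pam.d/sshd
    regexp: '^(#\s)?(session\s+optional\s+pam_motd\.so.*)$'
    replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
  tags:
    - sshd
```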
@@ -430,3 +430,7 @@ sshd_settings_rhel7:
 value: "yes"
 enabled: "{{ security_sshd_enable_strict_modes | bool }}"
 stig_id: V-72263
+ - name: PrintMotd
+ value: "{{ (security_sshd_dynamic_banner_disable | bool) | ternary('yes', 'no') }}"
+ enabled: true
+ stig_id: V-71861
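Review bot: `enabled: true` on the new PrintMotd entry makes the role write this directive on every host, so with `security_sshd_dynamic_banner_disable: false` it enforces `PrintMotd no` even where sshd_config previously left the option at its default. On a host whose PAM stack has no pam_motd entry that would presumably silence the static MOTD as well. Following the entry above it, `enabled: "{{ security_sshd_dynamic_banner_disable | bool }}"` with a fixed `value: "yes"` leaves sshd_config untouched when the switch is off. The `sshd_settings_rhel7` list starts outside this hunk, so how `enabled` is consumed is assumed from the neighbouring entry.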