From f3837e672c45e341da3f0d4425627a96104a6983 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 8 Sep 2020 13:25:45 +0200
Subject: [PATCH 1/6] introduce variable
---
.../obsolete/tftp/tftpd_secure_directory.var | 14 ++++++++++++++
.../obsolete/tftp/tftpd_uses_secure_mode/rule.yml | 7 +++----
2 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
new file mode 100644
index 0000000000..6a5e29caa4
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'TFTP server secure directory'
+
+description: "Specify the directory which is used by TFTP server as a root directory when running in secure mode."
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: /var/lib/tftpboot
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
index ed64b15bef..10b8ab3a2b 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
@@ -8,8 +8,8 @@ description: |-
If running the <tt>tftp</tt> service is necessary, it should be configured
to change its root directory at startup. To do so, ensure
<tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in
- the following example (which is also the default):
- <pre>server_args = -s /var/lib/tftpboot</pre>
+ the following example:
+ <pre>server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
rationale: |-
Using the <tt>-s</tt> option causes the TFTP service to only serve files from the
@@ -33,7 +33,6 @@ references:
srg@rhel6: SRG-OS-999999
disa: CCI-000366
nist: CM-6(b),AC-6,CM-7(a)
-
nist-csf: PR.AC-3,PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040720
@@ -56,4 +55,4 @@ ocil: |-
The output should indicate the <tt>server_args</tt> variable is configured
with the <tt>-s</tt> flag, matching the example below:
<pre>$ grep "server_args" /etc/xinetd.d/tftp
- server_args = -s /var/lib/tftpboot</pre>
+ server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
From bd3d3f90681f505ceff934e9d4c4d618bbc07474 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 8 Sep 2020 13:26:06 +0200
Subject: [PATCH 2/6] update oval
---
.../tftp/tftpd_uses_secure_mode/oval/shared.xml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
index 363b499afa..9f42fcd043 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
@@ -17,10 +17,18 @@
</definition>
<ind:textfilecontent54_test check="all" comment="tftpd secure mode" id="test_tftpd_uses_secure_mode" version="1">
<ind:object object_ref="object_tftpd_uses_secure_mode" />
+ <ind:state state_ref="state_tftpd_uses_secure_mode" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_tftpd_uses_secure_mode" version="1">
<ind:filepath>/etc/xinetd.d/tftp</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=.*[\s]+\-s[\s]+.+$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=[\s]+.*?-s[\s]+([/\.\w]+).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">
+ <ind:subexpression datatype="int" operation="equals" var_check="all"
+ var_ref="tftpd_secure_directory" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="TFTP server secure directory" datatype="string" id="tftpd_secure_directory" version="1" />
</def-group>
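Review bot: The new `state_tftpd_uses_secure_mode` declares its `subexpression` as `datatype="int"`, while the captured group is a directory path and the `external_variable` it references is `datatype="string"`; that mismatch is likely to make the comparison error out instead of evaluating, so it should read `<ind:subexpression datatype="string" operation="equals" var_check="all" var_ref="tftpd_secure_directory" />`. The capture class `[/\.\w]+` also stops at `-`, so a secure directory such as `/srv/tftp-root` would be captured as `/srv/tftp` and never equal the variable; `[/\.\w-]+` or a non-whitespace class like `[^\s]+` covers real path names. Note too that the new pattern requires whitespace after `=` (`=[\s]+`), which the previous `=.*` did not, so a `server_args=-s /dir` line that used to pass now fails the object match.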
From 2a1e67365de4ea7b78ace2fb730b7192d9cb8a43 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 8 Sep 2020 13:26:26 +0200
Subject: [PATCH 3/6] update bash remediation
---
.../tftp/tftpd_uses_secure_mode/bash/shared.sh | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
new file mode 100644
index 0000000000..491d8e90d6
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019
+
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+ sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp
+else
+ echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp
+fi
+
+
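Review bot: The `sed -E` expression depends on the non-greedy `.*?`, which POSIX/GNU ERE does not support (GNU treats `*?` as `(.*)?`, i.e. still greedy), so group 1 swallows the whole line, the `(-s … )*` group matches nothing and the existing `-s /old/dir` is kept with a second `-s $tftpd_secure_directory` appended after it; the OVAL check, whose PCRE `.*?` is genuinely non-greedy, then captures the old directory and the rule keeps failing after remediation. Removing any existing `-s` argument and appending the wanted one avoids this: `sed -i -E "/^[[:blank:]]*server_args[[:blank:]]*=/{s|-s[[:blank:]]+[[:graph:]]+||g;s|\$| -s $tftpd_secure_directory|}" /etc/xinetd.d/tftp`. The variable is interpolated unquoted into the sed script, so a value containing the delimiter, `&` or `\` breaks the expression — acceptable for an administrator-supplied tailoring value, but worth a comment such as `# $tftpd_secure_directory is a trusted tailoring value; it is not escaped for sed`. The `else` branch appends `server_args = …` at the end of the file, i.e. after the closing `}` of the `service tftp` stanza, which xinetd presumably will not treat as part of the service; inserting it inside the block would be safer.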
From 649880f746bd80cb3e6a9ae3908ce422e03c1690 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 8 Sep 2020 13:26:43 +0200
Subject: [PATCH 4/6] add tests
---
.../tftp/tftpd_uses_secure_mode/tests/correct.pass.sh | 9 +++++++++
.../tftpd_uses_secure_mode/tests/line_missing.fail.sh | 7 +++++++
.../tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh | 9 +++++++++
3 files changed, 25 insertions(+)
create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
new file mode 100644
index 0000000000..392e68740f
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+yum -y install tftp-server
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+ sed -i 's/.*server_args.*/server_args = -s \/var\/lib\/tftpboot/' /etc/xinetd.d/tftp
+else
+ echo "server_args = -s /var/lib/tftpboot" >> /etc/xinetd.d/tftp
+fi
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
new file mode 100644
index 0000000000..a342248240
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+yum -y install tftp-server
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+ sed -i '/.*server_args.*/d' /etc/xinetd.d/tftp
+fi
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
new file mode 100644
index 0000000000..d9a9b4b622
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+yum -y install tftp-server
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+ sed -i 's/.*server_args.*/server_args = --something/' /etc/xinetd.d/tftp
+else
+ echo "server_args = --something" >> /etc/xinetd.d/tftp
+fi
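Review bot: None of the three tests exercises the behaviour this series actually introduces — a `-s` flag whose directory differs from `tftpd_secure_directory` — so a regression in the variable comparison (for example the `datatype` on the OVAL state) would not be caught; a `wrong_directory.fail.sh` that writes `server_args = -s /tmp` would cover it. `correct.pass.sh` also hard-codes `/var/lib/tftpboot` rather than tying it to the variable, so it only passes while the default stays unchanged; if the test harness accepts a variable header, `# variables = tftpd_secure_directory=/var/lib/tftpboot` would make that dependency explicit. Both scripts also assume `/etc/xinetd.d/tftp` exists after `yum -y install tftp-server`; where the package is not xinetd-based the `else` branch creates a file holding only the `server_args` line, which still satisfies the check but is not a realistic configuration.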
From 57554f1ba9fb7464c808f00d4bd26475451243b9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 8 Sep 2020 13:27:03 +0200
Subject: [PATCH 5/6] add ansible remediation
---
.../tftpd_uses_secure_mode/ansible/shared.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
new file mode 100644
index 0000000000..9f5bdea58e
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
@@ -0,0 +1,31 @@
+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}
+
+- name: "Find out if the file exists and contains the line configuring server arguments"
+ find:
+ path: "/etc/xinetd.d"
+ patterns: "tftp"
+ contains: '^[\s]+server_args.*$'
+ register: tftpd_secure_config_line
+
+- name: "Ensure that TFTP server is configured to start with secure directory"
+ lineinfile:
+ path: "/etc/xinetd.d/tftp"
+ regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'
+ line: '\1 -s {{ tftpd_secure_directory }} \3'
+ state: present
+ backrefs: true
+ when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
+
+- name: "Insert correct config line to start TFTP server with secure directory"
+ lineinfile:
+ path: "/etc/xinetd.d/tftp"
+ line: "server_args = -s {{ tftpd_secure_directory }}"
+ state: present
+ create: true
+ when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
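Review bot: The `find` task's `contains: '^[\s]+server_args.*$'` requires at least one leading whitespace character, whereas the `lineinfile` regexp below uses `[\s]*` and the bash remediation's `grep -q 'server_args'` accepts any position; a `server_args` line at column 0 therefore yields `matched == 0`, and a second `server_args = -s …` line is appended instead of the existing one being rewritten, so the two patterns should agree: `contains: '^[\s]*server_args.*$'`. As in the bash version, the append path (`create: true`, third task) writes the line at end of file, after the closing `}` of the `service tftp` stanza, which xinetd presumably does not read as part of the service; `insertbefore: '^\s*}'` or equivalent would keep it inside the block. The `backrefs` rewrite itself works here because Python's `re` honours the non-greedy `.*?`, unlike the sed ERE in the bash remediation — a comment noting that the two implementations deliberately differ would save the next reader from "fixing" one to match the other.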
From df97d24f0cfd1a182925d1ddf0d72a02caa943bf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 9 Sep 2020 09:36:25 +0200
Subject: [PATCH 6/6] rename variable
---
.../obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml | 6 +++---
.../obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh | 6 +++---
.../obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml | 4 ++--
.../services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml | 4 ++--
..._secure_directory.var => var_tftpd_secure_directory.var} | 0
5 files changed, 10 insertions(+), 10 deletions(-)
rename linux_os/guide/services/obsolete/tftp/{tftpd_secure_directory.var => var_tftpd_secure_directory.var} (100%)
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
index 9f5bdea58e..604491357e 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
@@ -4,7 +4,7 @@
# strategy = configure
# disruption = low
-{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}
+{{{ ansible_instantiate_variables("var_tftpd_secure_directory") }}}
- name: "Find out if the file exists and contains the line configuring server arguments"
find:
@@ -17,7 +17,7 @@
lineinfile:
path: "/etc/xinetd.d/tftp"
regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'
- line: '\1 -s {{ tftpd_secure_directory }} \3'
+ line: '\1 -s {{ var_tftpd_secure_directory }} \3'
state: present
backrefs: true
when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
@@ -25,7 +25,7 @@
- name: "Insert correct config line to start TFTP server with secure directory"
lineinfile:
path: "/etc/xinetd.d/tftp"
- line: "server_args = -s {{ tftpd_secure_directory }}"
+ line: "server_args = -s {{ var_tftpd_secure_directory }}"
state: present
create: true
when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
index 491d8e90d6..3f0881a320 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
@@ -3,12 +3,12 @@
. /usr/share/scap-security-guide/remediation_functions
-{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}
+{{{ bash_instantiate_variables ("var_tftpd_secure_directory") }}}
if grep -q 'server_args' /etc/xinetd.d/tftp; then
- sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp
+ sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp
else
- echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp
+ echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp
fi
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
index 9f42fcd043..2268a49467 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
@@ -27,8 +27,8 @@
<ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">
<ind:subexpression datatype="int" operation="equals" var_check="all"
- var_ref="tftpd_secure_directory" />
+ var_ref="var_tftpd_secure_directory" />
</ind:textfilecontent54_state>
- <external_variable comment="TFTP server secure directory" datatype="string" id="tftpd_secure_directory" version="1" />
+ <external_variable comment="TFTP server secure directory" datatype="string" id="var_tftpd_secure_directory" version="1" />
</def-group>
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
index 10b8ab3a2b..002e78535e 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
@@ -9,7 +9,7 @@ description: |-
to change its root directory at startup. To do so, ensure
<tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in
the following example:
- <pre>server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
+ <pre>server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}</pre>
rationale: |-
Using the <tt>-s</tt> option causes the TFTP service to only serve files from the
@@ -55,4 +55,4 @@ ocil: |-
The output should indicate the <tt>server_args</tt> variable is configured
with the <tt>-s</tt> flag, matching the example below:
<pre>$ grep "server_args" /etc/xinetd.d/tftp
- server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
+ server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}</pre>
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var
similarity index 100%
rename from linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
rename to linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var