From f3837e672c45e341da3f0d4425627a96104a6983 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 8 Sep 2020 13:25:45 +0200 Subject: [PATCH 1/6] introduce variable --- .../obsolete/tftp/tftpd_secure_directory.var | 14 ++++++++++++++ .../obsolete/tftp/tftpd_uses_secure_mode/rule.yml | 7 +++---- 2 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var new file mode 100644 index 0000000000..6a5e29caa4 --- /dev/null +++ b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var @@ -0,0 +1,14 @@ +documentation_complete: true + +title: 'TFTP server secure directory' + +description: "Specify the directory which is used by TFTP server as a root directory when running in secure mode." + +type: string + +operator: equals + +interactive: true + +options: + default: /var/lib/tftpboot diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml index ed64b15bef..10b8ab3a2b 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml @@ -8,8 +8,8 @@ description: |- If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in - the following example (which is also the default): -
server_args = -s /var/lib/tftpboot
+ the following example: +
server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}
rationale: |- Using the -s option causes the TFTP service to only serve files from the @@ -33,7 +33,6 @@ references: srg@rhel6: SRG-OS-999999 disa: CCI-000366 nist: CM-6(b),AC-6,CM-7(a) - nist-csf: PR.AC-3,PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040720 @@ -56,4 +55,4 @@ ocil: |- The output should indicate the server_args variable is configured with the -s flag, matching the example below:
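Review bot: The `@@ -33,7 +33,6` hunk deletes the `nist-csf: PR.AC-3,PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4` reference line, which has nothing to do with the subject "introduce variable" and is not explained anywhere in the series. If that mapping is wrong it deserves its own commit with a reason; otherwise the line should be restored. The rewording in the first hunk also drops "(which is also the default)" even though the new variable still defaults to /var/lib/tftpboot, so the sentence could keep saying so.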
$ grep "server_args" /etc/xinetd.d/tftp
-    server_args = -s /var/lib/tftpboot
+ server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}} From bd3d3f90681f505ceff934e9d4c4d618bbc07474 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 8 Sep 2020 13:26:06 +0200 Subject: [PATCH 2/6] update oval --- .../tftp/tftpd_uses_secure_mode/oval/shared.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml index 363b499afa..9f42fcd043 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml @@ -17,10 +17,18 @@ + /etc/xinetd.d/tftp - ^[\s]*server_args[\s]+=.*[\s]+\-s[\s]+.+$ + ^[\s]*server_args[\s]+=[\s]+.*?-s[\s]+([/\.\w]+).*$ 1 + + + + + + From 2a1e67365de4ea7b78ace2fb730b7192d9cb8a43 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 8 Sep 2020 13:26:26 +0200 Subject: [PATCH 3/6] update bash remediation --- .../tftp/tftpd_uses_secure_mode/bash/shared.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh new file mode 100644 index 0000000000..491d8e90d6 --- /dev/null +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh 
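Review bot: The capture group `([/\.\w]+)` in the new pattern stops at any character outside `/`, `.` and word characters, so a secure directory such as `/srv/tftp-root` (constructed example) is captured only as `/srv/tftp`, can never equal the variable, and the rule fails although the configuration is right. The bash remediation in patch 3 uses `[[:graph:]]+` for the same token and the ansible regexp in patch 5 repeats the narrow class, so all three should agree on one form, e.g. `([^\s]+)`. Because the variable is compared with `equals` (the .var's operator), a trailing slash spelled differently in the config and in the tailoring also fails; the rule description could say the value must match the `server_args` token verbatim. The tags of this XML hunk are stripped in this rendering, so the state and variable wiring (the `var_ref` added in patch 6) could not be checked here.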
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019
+
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp
+else
+    echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp
+fi
+
+
From 649880f746bd80cb3e6a9ae3908ce422e03c1690 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 8 Sep 2020 13:26:43 +0200
Subject: [PATCH 4/6] add tests
---
 .../tftp/tftpd_uses_secure_mode/tests/correct.pass.sh | 9 +++++++++
 .../tftpd_uses_secure_mode/tests/line_missing.fail.sh | 7 +++++++
 .../tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh | 9 +++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
new file mode 100644
index 0000000000..392e68740f
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+yum -y install tftp-server
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+ sed -i 's/.*server_args.*/server_args = -s \/var\/lib\/tftpboot/' /etc/xinetd.d/tftp
+else
+ echo "server_args = -s /var/lib/tftpboot" >> /etc/xinetd.d/tftp
+fi
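Review bot: The `else` branch appends a bare `server_args = -s $tftpd_secure_directory` at the end of /etc/xinetd.d/tftp; if the file holds the usual `service tftp { … }` stanza the new line lands after the closing `}` and xinetd will not parse the file, so the line should be inserted before the brace instead (for example an `elif grep -q '^}' /etc/xinetd.d/tftp; then` branch running `sed -i "/^}/i server_args = -s $tftpd_secure_directory" /etc/xinetd.d/tftp`, keeping the plain append only for a file with no stanza). The `create: true` task in the ansible hunk of patch 5 has the same problem. The `sed -E` substitution relies on `.*?` being lazy, but POSIX ERE has no lazy quantifier and GNU sed treats `*?` as a plain repeat, so group 1 will most likely swallow the whole line and an existing `-s /old/dir` is kept with a second `-s` appended rather than replaced; matching the old token explicitly, e.g. `s;(-s[[:blank:]]+)[[:graph:]]+;\1$tftpd_secure_directory;` when `-s` is present and appending ` -s $tftpd_secure_directory` to the line otherwise, avoids the ambiguity. `$tftpd_secure_directory` also goes into the sed expression unescaped, so a value containing `;`, `&` or `\` corrupts the command; escape it or assemble the line in shell and substitute a fixed token.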
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh new file mode 100644 index 0000000000..a342248240 --- /dev/null +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +yum -y install tftp-server + +if grep -q 'server_args' /etc/xinetd.d/tftp; then + sed -i '/.*server_args.*/d' /etc/xinetd.d/tftp +fi diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh new file mode 100644 index 0000000000..d9a9b4b622 --- /dev/null +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +yum -y install tftp-server + +if grep -q 'server_args' /etc/xinetd.d/tftp; then + sed -i 's/.*server_args.*/server_args = --something/' /etc/xinetd.d/tftp +else + echo "server_args = --something" >> /etc/xinetd.d/tftp +fi From 57554f1ba9fb7464c808f00d4bd26475451243b9 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 8 Sep 2020 13:27:03 +0200 Subject: [PATCH 5/6] add ansible remediation --- .../tftpd_uses_secure_mode/ansible/shared.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml new file mode 100644 index 0000000000..9f5bdea58e --- /dev/null +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml 
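Review bot: None of the three scenarios exercises the case the new variable exists for: a line that has `-s` but a different directory (constructed: `server_args = -s /srv/tftp`) should be a `.fail.sh`, and a `-s` line carrying extra options or a directory with a hyphen would show whether the OVAL class `[/\.\w]+` and the ERE `.*?` in the bash remediation hold up. `correct.pass.sh` hard-codes `/var/lib/tftpboot` rather than the variable's value, so it only passes while the default is unchanged; if the test harness supports a `# variables =` header, setting the variable there keeps the scenario honest. `line_missing.fail.sh` deletes the `server_args` line from a file that presumably keeps its `service tftp { … }` block, which is exactly the shape in which the remediation's append-at-EOF branch produces an unparsable file, so that scenario is worth watching once remediation runs after it.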
@@ -0,0 +1,31 @@
+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}
+
+- name: "Find out if the file exists and contains the line configuring server arguments"
+  find:
+    path: "/etc/xinetd.d"
+    patterns: "tftp"
+    contains: '^[\s]+server_args.*$'
+  register: tftpd_secure_config_line
+
+- name: "Ensure that TFTP server is configured to start with secure directory"
+  lineinfile:
+    path: "/etc/xinetd.d/tftp"
+    regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'
+    line: '\1 -s {{ tftpd_secure_directory }} \3'
+    state: present
+    backrefs: true
+  when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
+
+- name: "Insert correct config line to start TFTP server with secure directory"
+  lineinfile:
+    path: "/etc/xinetd.d/tftp"
+    line: "server_args = -s {{ tftpd_secure_directory }}"
+    state: present
+    create: true
+  when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
From df97d24f0cfd1a182925d1ddf0d72a02caa943bf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 9 Sep 2020 09:36:25 +0200
Subject: [PATCH 6/6] rename variable
---
 .../obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml | 6 +++---
 .../obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh | 6 +++---
 .../obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml | 4 ++--
 .../services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml | 4 ++--
 ..._secure_directory.var => var_tftpd_secure_directory.var} | 0
 5 files changed, 10 insertions(+), 10 deletions(-)
 rename linux_os/guide/services/obsolete/tftp/{tftpd_secure_directory.var => var_tftpd_secure_directory.var} (100%)
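Review bot: The `find` task's `contains: '^[\s]+server_args.*$'` requires at least one leading whitespace character, whereas the lineinfile regexp two tasks later accepts `[\s]*`; an unindented `server_args` line is therefore not counted, `matched` is 0, and the third task appends a second `server_args` line instead of rewriting the first. Use the same anchor in both, `contains: '^[\s]*server_args.*$'`. The `[/\.\w]+` path class carries the same hyphen problem raised on the OVAL hunk of patch 2, and `[^\s]+` would fix it here as well.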
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml index 9f5bdea58e..604491357e 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml @@ -4,7 +4,7 @@ # strategy = configure # disruption = low -{{{ ansible_instantiate_variables("tftpd_secure_directory") }}} +{{{ ansible_instantiate_variables("var_tftpd_secure_directory") }}} - name: "Find out if the file exists and contains the line configuring server arguments" find: @@ -17,7 +17,7 @@ lineinfile: path: "/etc/xinetd.d/tftp" regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$' - line: '\1 -s {{ tftpd_secure_directory }} \3' + line: '\1 -s {{ var_tftpd_secure_directory }} \3' state: present backrefs: true when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0 @@ -25,7 +25,7 @@ - name: "Insert correct config line to start TFTP server with secure directory" lineinfile: path: "/etc/xinetd.d/tftp" - line: "server_args = -s {{ tftpd_secure_directory }}" + line: "server_args = -s {{ var_tftpd_secure_directory }}" state: present create: true when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0 diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh index 491d8e90d6..3f0881a320 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh 
@@ -3,12 +3,12 @@ . /usr/share/scap-security-guide/remediation_functions -{{{ bash_instantiate_variables ("tftpd_secure_directory") }}} +{{{ bash_instantiate_variables ("var_tftpd_secure_directory") }}} if grep -q 'server_args' /etc/xinetd.d/tftp; then - sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp + sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp else - echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp + echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp fi diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml index 9f42fcd043..2268a49467 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml @@ -27,8 +27,8 @@ + var_ref="var_tftpd_secure_directory" /> - + diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml index 10b8ab3a2b..002e78535e 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml @@ -9,7 +9,7 @@ description: |- to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example: -
server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}
+
server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}
rationale: |- Using the -s option causes the TFTP service to only serve files from the @@ -55,4 +55,4 @@ ocil: |- The output should indicate the server_args variable is configured with the -s flag, matching the example below:
$ grep "server_args" /etc/xinetd.d/tftp
-    server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}
+ server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}} diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var similarity index 100% rename from linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var rename to linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var