-
Notifications
You must be signed in to change notification settings - Fork 711
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New rule tftp_uses_secure_mode_systemd
Add new rule tftp secure mode for systems that use systemd. The old rule tftp_uses_secure_mode uses xinetd which no longer used in new versions of RHEL. There is no remedation or checks since ExecStart cannot be obtained from dbus.
- Loading branch information
Showing
4 changed files
with
40 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,3 +7,4 @@ rules: | |
| - package_tftp_removed | ||
| - service_tftp_disabled | ||
| - tftpd_uses_secure_mode | ||
| - tftp_uses_secure_mode_systemd | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
38 changes: 38 additions & 0 deletions
38
linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Ensure tftp Daemon Uses Secure Mode Using systemd' | ||
|
|
||
| description: |- | ||
| If running the Trivial File Transfer Protocol (TFTP) service is necessary, | ||
| it should be configured to change its root directory at startup. To do so, | ||
| find the path for the <tt>tftp</tt> systemd service: | ||
| <pre>$ sudo systemctl show tftp | grep ExecStart= | ||
| ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e | ||
| </pre> | ||
| and ensure the <tt>ExecStart</tt> line on that file includes the <tt>-s</tt> option with a subdirectory: | ||
| <pre>ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}</pre> | ||
| rationale: |- | ||
| Using the <tt>-s</tt> option causes the TFTP service to only serve files from the | ||
| given directory. Serving files from an intentionally-specified directory | ||
| reduces the risk of sharing files which should remain private. | ||
| severity: medium | ||
|
|
||
| ocil: |- | ||
| Use <tt>sudo systemctl edit tftp</tt> to adjust the <tt>ExecStart</tt> to | ||
| be <tt>/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}</tt> | ||
| ocil_clause: 'the ExecStart property of tftp does not contain correctly set -s flag' | ||
|
|
||
| platform: package[tftp-server] | ||
|
|
||
| warnings: | ||
| general: |- | ||
| A remedation is not currently available due limits of the checking engine. | ||
| identifiers: | ||
| cce@rhel10: CCE-86495-9 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -65,7 +65,6 @@ CCE-86484-3 | |
| CCE-86492-6 | ||
| CCE-86493-4 | ||
| CCE-86494-2 | ||
| CCE-86495-9 | ||
| CCE-86496-7 | ||
| CCE-86497-5 | ||
| CCE-86498-3 | ||
|
|
||