From 39646ef87caf4e69c0c3f48c68e58e3f2707e739 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 30 Sep 2024 11:22:22 -0500
Subject: [PATCH 1/2] New rule tftp_uses_secure_mode_systemd

Add new rule tftp secure mode for systems that use systemd. The old rule tftp_uses_secure_mode uses xinetd which no longer used in new versions of RHEL. There is no remediation or checks since ExecStart cannot be obtained from dbus.
---
 components/tftp.yml | 1 +
 .../srg_gpos/SRG-OS-000480-GPOS-00227.yml | 3 +-
 .../tftp_uses_secure_mode_systemd/rule.yml | 38 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 1 -
 4 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml

diff --git a/components/tftp.yml b/components/tftp.yml
index 010963f9296..918a53f398b 100644
--- a/components/tftp.yml
+++ b/components/tftp.yml
@@ -7,3 +7,4 @@ rules:
 - package_tftp_removed
 - service_tftp_disabled
 - tftpd_uses_secure_mode
+- tftp_uses_secure_mode_systemd
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
index 84d8ca01f9f..7ad5581ae3e 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -239,11 +239,10 @@ controls:
 - enable_authselect
 - no_host_based_files
 - no_user_host_based_files
- - tftpd_uses_secure_mode
 - display_login_attempts
 - installed_OS_is_vendor_supported
 - selinux_all_devicefiles_labeled
 - xwindows_remove_packages
 - chrony_set_nts
-
+ - tftp_uses_secure_mode_systemd
 status: automated
diff --git a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
new file mode 100644
index 00000000000..3b4855f5c8f
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
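Review bot: Removing `- tftpd_uses_secure_mode` from this control while adding the systemd variant drops the xinetd-based check for any product that still consumes this shared control file and ships the xinetd-managed tftp service; the commit message only says xinetd is gone in new versions of RHEL, not in every product built from this control. If such a product exists, keep both rule ids in the list and let each rule's `platform` applicability pick the right one; if none does, a sentence in the commit message saying so would settle it. The control's `controls:` list starts well before this hunk, so other entries are not visible here.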
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Ensure tftp Daemon Uses Secure Mode Using systemd'
+
+description: |-
+ If running the Trivial File Transfer Protocol (TFTP) service is necessary,
+ it should be configured to change its root directory at startup. To do so,
+ find the path for the tftp systemd service:
+
$ sudo systemctl show tftp | grep ExecStart=
+    ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e
+    
+
+ and ensure the ExecStart line on that file includes the -s option with a subdirectory:
+
ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
+
+rationale: |-
+ Using the -s option causes the TFTP service to only serve files from the
+ given directory. Serving files from an intentionally-specified directory
+ reduces the risk of sharing files which should remain private.
+
+severity: medium
+
+ocil: |-
+ Use sudo systemctl edit tftp to adjust the ExecStart to
+ be /usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
+
+
+ocil_clause: 'the ExecStart property of tftp does not contain correctly set -s flag'
+
+platform: package[tftp-server]
+
+warnings:
+ - general: |-
+ A remedation is not currently available due limits of the checking engine.
+
+
+identifiers:
+ cce@rhel10: CCE-86495-9
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 46626ff8f93..33debb230d4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -64,7 +64,6 @@ CCE-86484-3
 CCE-86492-6
 CCE-86493-4
 CCE-86494-2
-CCE-86495-9
 CCE-86496-7
 CCE-86497-5
 CCE-86498-3
From 3374111b3dd60f43dea6cf36416a0a43499a9d71 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 30 Sep 2024 11:34:45 -0500
Subject: [PATCH 2/2] Update tftp_uses_secure_mode_systemd based on feedback #12436

---
 .../tftp/tftp_uses_secure_mode_systemd/rule.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
index 3b4855f5c8f..7b490bd123b 100644
--- a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-title: 'Ensure tftp Daemon Uses Secure Mode Using systemd'
+title: 'Ensure tftp systemd Service Uses Secure Mode'
 description: |-
 If running the Trivial File Transfer Protocol (TFTP) service is necessary,
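Review bot: The new rule ships with no automated check, yet the `ExecStart=` value it asks the reader to inspect is also plain text in the unit file and in any drop-in created by `systemctl edit tftp`, so a textfilecontent54-based OVAL check over those files looks feasible even if the dbus-exposed properties are not usable; that is worth confirming before accepting a check-less rule (the warning text at the end of this hunk is reworded in the second patch, which does not change this). Separately, the example output in the description shows `-s /var/lib/tftpboot` while the requirement is `-s {{{ xccdf_value("var_tftpd_secure_directory") }}}`, so a reader may accept any directory rather than the configured one; adding `The directory must match the value of var_tftpd_secure_directory.` after the example closes that gap, and the same example is repeated in the ocil block of the second patch's hunk at `@@ -21,8 +21,13 @@`. The phrase `and ensure the ExecStart line on that file` refers to a file the procedure never opens, since it reads `systemctl show` output; `and ensure the ExecStart property shown includes the -s option with a subdirectory:` matches what the reader actually sees. The stray `e` after `status=0/0 }` in the example output looks like a leftover from a closing tag, if it is really in the source file rather than an artifact of how this page was rendered.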
@@ -21,8 +21,13 @@ rationale: |-
 severity: medium
 ocil: |-
- Use sudo systemctl edit tftp to adjust the ExecStart to
- be /usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
+ Use udo systemctl show tftp to verify that tftp service is using secure mode.
+
$ sudo systemctl show tftp | grep ExecStart=
+    ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e
+    
+
+ and ensure the ExecStart line on that file includes the -s option with a subdirectory:
+
ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
ocil_clause: 'the ExecStart property of tftp does not contain correctly set -s flag'
@@ -31,7 +36,8 @@ platform: package[tftp-server]
 warnings:
 - general: |-
- A remedation is not currently available due limits of the checking engine.
+ An OVAL check is not currently available since ExecStart cannot be checked with OVAL since it is not exposed via dbus.
+ Currently, a remedation is not available for this rule.
 identifiers:
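Review bot: `Use udo systemctl show tftp` in the new ocil text is missing the `s` of `sudo`, so the command as printed will not run for the person following the check; change the line to `+ Use sudo systemctl show tftp to verify that the tftp service is using secure mode.`. The following `and ensure the ExecStart line on that file` refers to a file the procedure never opens, since the check reads `systemctl show` output; `and ensure the ExecStart property shown includes the -s option with a subdirectory:` fits what the reader actually sees. The `ocil:` block starts inside this hunk but the two blank lines before `ocil_clause` are not visible here.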
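Review bot: `remedation` in the new warning text is misspelled and survives from the line this hunk replaces, and the two `since` clauses in the first added line read awkwardly. Suggested lines: `+ An OVAL check is not currently available because ExecStart is not exposed via dbus and so cannot be checked with OVAL.` and `+ Currently, a remediation is not available for this rule.`. Since the rule has neither check nor fix, it would also help profile consumers to state in the same warning that the rule must be evaluated manually using the ocil steps, so its lack of an automated result is understood as intended rather than as a scanner failure.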