From f3837e672c45e341da3f0d4425627a96104a6983 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 8 Sep 2020 13:25:45 +0200

Subject: [PATCH 1/6] introduce variable

---

 .../obsolete/tftp/tftpd_secure_directory.var       | 14 ++++++++++++++

 .../obsolete/tftp/tftpd_uses_secure_mode/rule.yml  |  7 +++----

 2 files changed, 17 insertions(+), 4 deletions(-)

 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var

new file mode 100644

index 0000000000..6a5e29caa4

--- /dev/null

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var

@@ -0,0 +1,14 @@

+documentation_complete: true

+

+title: 'TFTP server secure directory'

+

+description: "Specify the directory which is used by TFTP server as a root directory when running in secure mode."

+

+type: string

+

+operator: equals

+

+interactive: true

+

+options:

+    default: /var/lib/tftpboot

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

index ed64b15bef..10b8ab3a2b 100644

--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

@@ -8,8 +8,8 @@ description: |-

     If running the <tt>tftp</tt> service is necessary, it should be configured

     to change its root directory at startup. To do so, ensure

     <tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in

-    the following example (which is also the default):

-    
server_args = -s /var/lib/tftpboot

+    the following example:

+    
server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}

 rationale: |-

     Using the <tt>-s</tt> option causes the TFTP service to only serve files from the

@@ -33,7 +33,6 @@ references:

     srg@rhel6: SRG-OS-999999

     disa: CCI-000366

     nist: CM-6(b),AC-6,CM-7(a)

-

     nist-csf: PR.AC-3,PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4

     srg: SRG-OS-000480-GPOS-00227

     stigid@rhel7: RHEL-07-040720

@@ -56,4 +55,4 @@ ocil: |-

     The output should indicate the <tt>server_args</tt> variable is configured

     with the <tt>-s</tt> flag, matching the example below:

     
$ grep "server_args" /etc/xinetd.d/tftp

-    server_args = -s /var/lib/tftpboot

+    server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}

From bd3d3f90681f505ceff934e9d4c4d618bbc07474 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 8 Sep 2020 13:26:06 +0200

Subject: [PATCH 2/6] update oval

---

 .../tftp/tftpd_uses_secure_mode/oval/shared.xml        | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml

index 363b499afa..9f42fcd043 100644

--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml

@@ -17,10 +17,18 @@

   </definition>

   <ind:textfilecontent54_test check="all" comment="tftpd secure mode" id="test_tftpd_uses_secure_mode" version="1">

     <ind:object object_ref="object_tftpd_uses_secure_mode" />

+    <ind:state state_ref="state_tftpd_uses_secure_mode" />

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object id="object_tftpd_uses_secure_mode" version="1">

     <ind:filepath>/etc/xinetd.d/tftp</ind:filepath>

-    <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=.*[\s]+\-s[\s]+.+$</ind:pattern>

+    <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=[\s]+.*?-s[\s]+([/\.\w]+).*$</ind:pattern>

     <ind:instance datatype="int">1</ind:instance>

   </ind:textfilecontent54_object>

+

+  <ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">

+    

+    var_ref="tftpd_secure_directory" />

+  </ind:textfilecontent54_state>

+

+    <external_variable comment="TFTP server secure directory" datatype="string" id="tftpd_secure_directory" version="1" />

 </def-group>

From 2a1e67365de4ea7b78ace2fb730b7192d9cb8a43 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 8 Sep 2020 13:26:26 +0200

Subject: [PATCH 3/6] update bash remediation

---

 .../tftp/tftpd_uses_secure_mode/bash/shared.sh     | 14 ++++++++++++++

 1 file changed, 14 insertions(+)

 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh

new file mode 100644

index 0000000000..491d8e90d6

--- /dev/null

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019

+

+. /usr/share/scap-security-guide/remediation_functions

+

+{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}

+

+if grep -q 'server_args' /etc/xinetd.d/tftp; then

+    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp

+else

+    echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp

+fi

+

+

From 649880f746bd80cb3e6a9ae3908ce422e03c1690 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 8 Sep 2020 13:26:43 +0200

Subject: [PATCH 4/6] add tests

---

 .../tftp/tftpd_uses_secure_mode/tests/correct.pass.sh    | 9 +++++++++

 .../tftpd_uses_secure_mode/tests/line_missing.fail.sh    | 7 +++++++

 .../tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh      | 9 +++++++++

 3 files changed, 25 insertions(+)

 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh

 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh

 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh

new file mode 100644

index 0000000000..392e68740f

--- /dev/null

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+yum -y install tftp-server

+

+if grep -q 'server_args' /etc/xinetd.d/tftp; then

+	sed -i 's/.*server_args.*/server_args = -s \/var\/lib\/tftpboot/' /etc/xinetd.d/tftp

+else

+	echo "server_args = -s /var/lib/tftpboot" >> /etc/xinetd.d/tftp

+fi

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh

new file mode 100644

index 0000000000..a342248240

--- /dev/null

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+yum -y install tftp-server

+

+if grep -q 'server_args' /etc/xinetd.d/tftp; then

+	sed -i '/.*server_args.*/d' /etc/xinetd.d/tftp

+fi

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh

new file mode 100644

index 0000000000..d9a9b4b622

--- /dev/null

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+yum -y install tftp-server

+

+if grep -q 'server_args' /etc/xinetd.d/tftp; then

+	sed -i 's/.*server_args.*/server_args = --something/' /etc/xinetd.d/tftp

+else

+	echo "server_args = --something" >> /etc/xinetd.d/tftp

+fi

From 57554f1ba9fb7464c808f00d4bd26475451243b9 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 8 Sep 2020 13:27:03 +0200

Subject: [PATCH 5/6] add ansible remediation

---

 .../tftpd_uses_secure_mode/ansible/shared.yml | 31 +++++++++++++++++++

 1 file changed, 31 insertions(+)

 create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml

new file mode 100644

index 0000000000..9f5bdea58e

--- /dev/null

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml

@@ -0,0 +1,31 @@

+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019

+# reboot = false

+# complexity = low

+# strategy = configure

+# disruption = low

+

+{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}

+

+- name: "Find out if the file exists and contains the line configuring server arguments"

+  find:

+    path: "/etc/xinetd.d"

+    patterns: "tftp"

+    contains: '^[\s]+server_args.*$'

+  register: tftpd_secure_config_line

+

+- name: "Ensure that TFTP server is configured to start with secure directory"

+  lineinfile:

+    path: "/etc/xinetd.d/tftp"

+    regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'

+    line: '\1 -s {{ tftpd_secure_directory }} \3'

+    state: present

+    backrefs: true

+  when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0

+

+- name: "Insert correct config line to start TFTP server with secure directory"

+  lineinfile:

+    path: "/etc/xinetd.d/tftp"

+    line: "server_args = -s {{ tftpd_secure_directory }}"

+    state: present

+    create: true

+  when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0

From df97d24f0cfd1a182925d1ddf0d72a02caa943bf Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 9 Sep 2020 09:36:25 +0200

Subject: [PATCH 6/6] rename variable

---

 .../obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml | 6 +++---

 .../obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh     | 6 +++---

 .../obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml    | 4 ++--

 .../services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml  | 4 ++--

 ..._secure_directory.var => var_tftpd_secure_directory.var} | 0

 5 files changed, 10 insertions(+), 10 deletions(-)

 rename linux_os/guide/services/obsolete/tftp/{tftpd_secure_directory.var => var_tftpd_secure_directory.var} (100%)

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml

index 9f5bdea58e..604491357e 100644

--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml

@@ -4,7 +4,7 @@

 # strategy = configure

 # disruption = low

-{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}

+{{{ ansible_instantiate_variables("var_tftpd_secure_directory") }}}

 - name: "Find out if the file exists and contains the line configuring server arguments"

   find:

@@ -17,7 +17,7 @@

   lineinfile:

     path: "/etc/xinetd.d/tftp"

     regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'

-    line: '\1 -s {{ tftpd_secure_directory }} \3'

+    line: '\1 -s {{ var_tftpd_secure_directory }} \3'

     state: present

     backrefs: true

   when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0

@@ -25,7 +25,7 @@

 - name: "Insert correct config line to start TFTP server with secure directory"

   lineinfile:

     path: "/etc/xinetd.d/tftp"

-    line: "server_args = -s {{ tftpd_secure_directory }}"

+    line: "server_args = -s {{ var_tftpd_secure_directory }}"

     state: present

     create: true

   when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh

index 491d8e90d6..3f0881a320 100644

--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh

@@ -3,12 +3,12 @@

 . /usr/share/scap-security-guide/remediation_functions

-{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}

+{{{ bash_instantiate_variables ("var_tftpd_secure_directory") }}}

 if grep -q 'server_args' /etc/xinetd.d/tftp; then

-    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp

+    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp

 else

-    echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp

+    echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp

 fi

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml

index 9f42fcd043..2268a49467 100644

--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml

@@ -27,8 +27,8 @@

   <ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">

-    var_ref="tftpd_secure_directory" />

+    var_ref="var_tftpd_secure_directory" />

   </ind:textfilecontent54_state>

-    <external_variable comment="TFTP server secure directory" datatype="string" id="tftpd_secure_directory" version="1" />

+    <external_variable comment="TFTP server secure directory" datatype="string" id="var_tftpd_secure_directory" version="1" />

 </def-group>

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

index 10b8ab3a2b..002e78535e 100644

--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

@@ -9,7 +9,7 @@ description: |-

     to change its root directory at startup. To do so, ensure

     <tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in

     the following example:

-    
server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}

+    
server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}

 rationale: |-

     Using the <tt>-s</tt> option causes the TFTP service to only serve files from the

@@ -55,4 +55,4 @@ ocil: |-

     The output should indicate the <tt>server_args</tt> variable is configured

     with the <tt>-s</tt> flag, matching the example below:

     
$ grep "server_args" /etc/xinetd.d/tftp

-    server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}

+    server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}

diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var

similarity index 100%

rename from linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var

rename to linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var