>From c8cd7e6586e9faecfa78c3845f46086174be5a84 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sat, 20 Apr 2013 02:27:12 -0400
Subject: [PATCH] [bugfix] Ticket 381 - Rule "disable_telnet_service" always true
As ruchkinalexandr correctly pointed out, disable_telnet_service
was always true. The old OVAL checked init; however, the proper method
is to check /etc/xinetd.d/telnet.
- Created new OVAL
- Deleted old, which didn't match XCCDF OVAL tag
- Removed telnet from the check/template macros
Testing:
[root@rhel6 checks]# chkconfig telnet on
[root@rhel6 checks]# ./testcheck.py service_telnetd_disabled.xml
Evaluating with OVAL tempfile : /tmp/service_telnetd_disabledvB75F5.xml
Definition oval:scap-security-guide.testing:def:347: false
Evaluation done.
[root@rhel6 checks]# chkconfig telnet off
[root@rhel6 checks]# ./testcheck.py service_telnetd_disabled.xml
Evaluating with OVAL tempfile : /tmp/service_telnetd_disabled2Q1CA_.xml
Definition oval:scap-security-guide.testing:def:347: true
Evaluation done.
---
RHEL6/input/checks/service_telnet_disabled.xml | 99 ------------------
RHEL6/input/checks/service_telnetd_disabled.xml | 106 ++++----------------
RHEL6/input/checks/templates/services_disabled.csv | 2 -
3 files changed, 19 insertions(+), 188 deletions(-)
delete mode 100644 RHEL6/input/checks/service_telnet_disabled.xml
diff --git a/RHEL6/input/checks/service_telnet_disabled.xml
b/RHEL6/input/checks/service_telnet_disabled.xml
deleted file mode 100644
index 0d71404..0000000
--- a/RHEL6/input/checks/service_telnet_disabled.xml
+++ /dev/null
@@ -1,99 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_services_disabled.py. DO NOT EDIT.
-->
- <definition class="compliance" id="service_telnet_disabled"
- version="1">
- <metadata>
- <title>Service telnet Disabled</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The telnet service should be disabled if
possible.</description>
- </metadata>
- <criteria comment="package telnet-server removed or service telnet is not
configured to start" operator="OR">
- <extend_definition comment="telnet-server removed"
definition_ref="package_telnet-server_removed" />
- <criteria operator="AND" comment="service telnet is not configured to
start">
- <criterion comment="telnet runlevel 0" test_ref="test_runlevel0_telnet"
/>
- <criterion comment="telnet runlevel 1" test_ref="test_runlevel1_telnet"
/>
- <criterion comment="telnet runlevel 2" test_ref="test_runlevel2_telnet"
/>
- <criterion comment="telnet runlevel 3" test_ref="test_runlevel3_telnet"
/>
- <criterion comment="telnet runlevel 4" test_ref="test_runlevel4_telnet"
/>
- <criterion comment="telnet runlevel 5" test_ref="test_runlevel5_telnet"
/>
- <criterion comment="telnet runlevel 6" test_ref="test_runlevel6_telnet"
/>
- </criteria>
- </criteria>
- </definition>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel0_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel0_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel1_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel1_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel2_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel2_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel3_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel3_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel4_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel4_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel5_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel5_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel6_telnet"
- version="2">
- <unix:object object_ref="obj_runlevel6_telnet" />
- <unix:state state_ref="state_service_telnet_off" />
- </unix:runlevel_test>
- <unix:runlevel_object id="obj_runlevel0_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">0</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel1_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">1</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel2_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">2</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel3_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">3</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel4_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">4</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel5_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">5</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel6_telnet" version="1">
- <unix:service_name>telnet</unix:service_name>
- <unix:runlevel operation="equals">6</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_state comment="not configured to start"
id="state_service_telnet_off" version="1">
- <unix:start datatype="boolean">false</unix:start>
- <unix:kill datatype="boolean">true</unix:kill>
- </unix:runlevel_state>
-</def-group>
diff --git a/RHEL6/input/checks/service_telnetd_disabled.xml
b/RHEL6/input/checks/service_telnetd_disabled.xml
index 30dfd9b..55623fc 100644
--- a/RHEL6/input/checks/service_telnetd_disabled.xml
+++ b/RHEL6/input/checks/service_telnetd_disabled.xml
@@ -1,96 +1,28 @@
<def-group>
- <!-- THIS FILE IS GENERATED by create_services_disabled.py. DO NOT EDIT.
-->
- <definition class="compliance" id="service_telnetd_disabled"
- version="1">
+ <definition class="compliance"
+ id="service_telnetd_disabled" version="1">
<metadata>
- <title>Service telnetd Disabled</title>
+ <title>Disable telnet Service</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The telnetd service should be disabled if
possible.</description>
+ <description>Disable telnet Service</description>
</metadata>
- <criteria operator="AND" comment="service telnetd is not configured to
start">
- <criterion comment="telnetd runlevel 0"
test_ref="test_runlevel0_telnetd" />
- <criterion comment="telnetd runlevel 1"
test_ref="test_runlevel1_telnetd" />
- <criterion comment="telnetd runlevel 2"
test_ref="test_runlevel2_telnetd" />
- <criterion comment="telnetd runlevel 3"
test_ref="test_runlevel3_telnetd" />
- <criterion comment="telnetd runlevel 4"
test_ref="test_runlevel4_telnetd" />
- <criterion comment="telnetd runlevel 5"
test_ref="test_runlevel5_telnetd" />
- <criterion comment="telnetd runlevel 6"
test_ref="test_runlevel6_telnetd" />
+ <criteria operator="AND">
+ <criterion comment="Disable telnet Service"
test_ref="test_disable_telnet_service" />
</criteria>
</definition>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel0_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel0_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel1_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel1_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel2_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel2_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel3_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel3_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel4_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel4_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel5_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel5_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel6_telnetd"
- version="2">
- <unix:object object_ref="obj_runlevel6_telnetd" />
- <unix:state state_ref="state_service_telnetd_off" />
- </unix:runlevel_test>
- <unix:runlevel_object id="obj_runlevel0_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">0</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel1_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">1</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel2_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">2</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel3_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">3</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel4_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">4</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel5_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">5</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel6_telnetd" version="1">
- <unix:service_name>telnetd</unix:service_name>
- <unix:runlevel operation="equals">6</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_state comment="not configured to start"
id="state_service_telnetd_off" version="1">
- <unix:start datatype="boolean">false</unix:start>
- <unix:kill datatype="boolean">true</unix:kill>
- </unix:runlevel_state>
+
+ <ind:textfilecontent54_test check="all"
+ check_existence="all_exist" comment="Disable Telnet Service"
+ id="test_disable_telnet_service" version="1">
+ <ind:object object_ref="obj_disable_telnet_service" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Disable Telnet Service"
+ id="obj_disable_telnet_service" version="1">
+ <ind:path>/etc/xinetd.d</ind:path>
+ <ind:filename>telnet</ind:filename>
+ <ind:pattern operation="pattern match">disable\s=\syes</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
</def-group>
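Review bot: `check_existence="all_exist"` on test_disable_telnet_service makes the definition evaluate false on a host where telnet-server is not installed, because /etc/xinetd.d/telnet is then absent and no item is collected; the removed definition covered that case with an OR branch on `package_telnet-server_removed`, and the new `<criteria operator="AND">` drops it, so the most hardened hosts now fail the rule. The testing in the commit message only exercises `chkconfig telnet on/off` with the package present, so this regression would not have shown up there. The pattern `disable\s=\syes` also requires exactly one whitespace character on each side of `=`, while xinetd presumably accepts arbitrary spacing around it, and it is unanchored, so a commented-out `# disable = yes` line would satisfy the check; `^\s*disable\s*=\s*yes` is a safer match. Restoring the OR wrapper and tightening the pattern looks like this:
```xml
    <!-- … unchanged: metadata … -->
    <criteria comment="package telnet-server removed or telnet disabled in xinetd" operator="OR">
      <extend_definition comment="telnet-server removed" definition_ref="package_telnet-server_removed" />
      <criterion comment="Disable telnet Service" test_ref="test_disable_telnet_service" />
    </criteria>
  <!-- … unchanged: textfilecontent54_test and the rest of textfilecontent54_object … -->
    <ind:pattern operation="pattern match">^\s*disable\s*=\s*yes</ind:pattern>
```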
diff --git a/RHEL6/input/checks/templates/services_disabled.csv
b/RHEL6/input/checks/templates/services_disabled.csv
index ac10178..74e93e4 100644
--- a/RHEL6/input/checks/templates/services_disabled.csv
+++ b/RHEL6/input/checks/templates/services_disabled.csv
@@ -4,7 +4,6 @@ autofs,
certmonger,
cgred,
sssd,
-telnetd,
atd,at
avahi-daemon,
bluetooth,
@@ -44,7 +43,6 @@ snmpd,net-snmp
squid,squid
sshd,openssh-server
sysstat,sysstat
-telnet,telnet-server
tftp,tftp-server
vsftpd,vsftpd
xinetd,xinetd
--
1.7.1