>From 94d4982662bc04f51cbaac6906fb917add16fcee Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sat, 20 Apr 2013 02:35:35 -0400
Subject: [PATCH] [bugfix] Ticket 382 - Rule "Disable tftp Service" always true
 As reported by ruchkinalexandr, the tftp check always returned true.
 Updated to check the xinetd configuration (/etc/xinetd.d/tftp) instead of init runlevels.

[root@rhel6 checks]# chkconfig tftp on

[root@rhel6 checks]# ./testcheck.py service_tftp_disabled.xml
Evaluating with OVAL tempfile : /tmp/service_tftpd_disabledRjb75o.xml
Definition oval:scap-security-guide.testing:def:350: false
Evaluation done.

[root@rhel6 checks]# chkconfig tftp off

[root@rhel6 checks]# ./testcheck.py service_tftp_disabled.xml
Evaluating with OVAL tempfile : /tmp/service_tftpd_disabled0HtYRQ.xml
Definition oval:scap-security-guide.testing:def:350: true
Evaluation done.
---
 RHEL6/input/checks/service_tftp_disabled.xml |  109 +++++---------------------
 1 files changed, 19 insertions(+), 90 deletions(-)

diff --git a/RHEL6/input/checks/service_tftp_disabled.xml 
b/RHEL6/input/checks/service_tftp_disabled.xml
index 73f7b5b..711a781 100644
--- a/RHEL6/input/checks/service_tftp_disabled.xml
+++ b/RHEL6/input/checks/service_tftp_disabled.xml
@@ -1,99 +1,28 @@
 <def-group>
-  <!-- THIS FILE IS GENERATED by create_services_disabled.py.  DO NOT EDIT.  
-->
-  <definition class="compliance" id="service_tftp_disabled"
-  version="1">
+  <definition class="compliance"
+  id="service_tftpd_disabled" version="1">
     <metadata>
-      <title>Service tftp Disabled</title>
+      <title>Disable tftp Service</title>
       <affected family="unix">
         <platform>Red Hat Enterprise Linux 6</platform>
       </affected>
-      <description>The tftp service should be disabled if 
possible.</description>
+      <description>Disable tftp Service</description>
     </metadata>
-   <criteria comment="package tftp-server removed or service tftp is not 
configured to start" operator="OR">
-    <extend_definition comment="tftp-server removed" 
definition_ref="package_tftp-server_removed" />
-    <criteria operator="AND" comment="service tftp is not configured to start">
-      <criterion comment="tftp runlevel 0" test_ref="test_runlevel0_tftp" />
-      <criterion comment="tftp runlevel 1" test_ref="test_runlevel1_tftp" />
-      <criterion comment="tftp runlevel 2" test_ref="test_runlevel2_tftp" />
-      <criterion comment="tftp runlevel 3" test_ref="test_runlevel3_tftp" />
-      <criterion comment="tftp runlevel 4" test_ref="test_runlevel4_tftp" />
-      <criterion comment="tftp runlevel 5" test_ref="test_runlevel5_tftp" />
-      <criterion comment="tftp runlevel 6" test_ref="test_runlevel6_tftp" />
-    </criteria>
+    <criteria operator="AND">
+      <criterion comment="Disable tftp Service" 
test_ref="test_disable_tftp_service" />
     </criteria>
   </definition>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel0_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel0_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel1_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel1_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel2_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel2_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel3_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel3_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel4_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel4_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel5_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel5_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_test check="all" check_existence="any_exist"
-  comment="Runlevel test" id="test_runlevel6_tftp"
-  version="2">
-    <unix:object object_ref="obj_runlevel6_tftp" />
-    <unix:state state_ref="state_service_tftp_off" />
-  </unix:runlevel_test>
-  <unix:runlevel_object id="obj_runlevel0_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">0</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_object id="obj_runlevel1_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">1</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_object id="obj_runlevel2_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">2</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_object id="obj_runlevel3_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">3</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_object id="obj_runlevel4_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">4</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_object id="obj_runlevel5_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">5</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_object id="obj_runlevel6_tftp" version="1">
-    <unix:service_name>tftp</unix:service_name>
-    <unix:runlevel operation="equals">6</unix:runlevel>
-  </unix:runlevel_object>
-  <unix:runlevel_state comment="not configured to start" 
id="state_service_tftp_off" version="1">
-    <unix:start datatype="boolean">false</unix:start>
-    <unix:kill datatype="boolean">true</unix:kill>
-  </unix:runlevel_state>
+
+  <ind:textfilecontent54_test check="all"
+  check_existence="all_exist" comment="Disable Telnet Service"
+  id="test_disable_tftp_service" version="1">
+    <ind:object object_ref="obj_disable_tftp_service" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object comment="Disable Telnet Service"
+  id="obj_disable_tftp_service" version="1">
+    <ind:path>/etc/xinetd.d</ind:path>
+    <ind:filename>tftp</ind:filename>
+    <ind:pattern operation="pattern match">disable\s=\syes</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
 </def-group>
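Review bot: The new `<criteria operator="AND">` drops the `package_tftp-server_removed` branch the old definition OR'd in, and the replacement `textfilecontent54_test` uses `check_existence="all_exist"`, so a host that never installed tftp-server (no `/etc/xinetd.d/tftp`) now evaluates to false — the most hardened state reports non-compliant. Restore the OR with the package-removed `extend_definition`, and loosen the `<ind:pattern>` line: `\s` matches exactly one whitespace character, so `disable=yes` or a tabbed/multi-space assignment is missed, while an unanchored pattern would accept a commented-out `# disable = yes`; `^\s*disable\s*=\s*yes` handles both, relying on textfilecontent54's default multiline behavior (which syntax variants xinetd itself tolerates should be confirmed). The two `comment="Disable Telnet Service"` attributes on the test and object look like a copy-paste leftover from the telnet check and should say tftp. The definition id was renamed to `service_tftpd_disabled` while the filename and title still say `tftp`; if the XCCDF rule still references `service_tftp_disabled`, that link breaks. The removed header said this file is generated by create_services_disabled.py, so a regeneration may overwrite this hand edit unless the generator is updated as well.
```xml
    <criteria operator="OR" comment="package tftp-server removed or tftp disabled in xinetd">
      <extend_definition comment="tftp-server removed" definition_ref="package_tftp-server_removed" />
      <criterion comment="tftp disabled in xinetd" test_ref="test_disable_tftp_service" />
    </criteria>
  <!-- … unchanged: test and object declarations up to the pattern … -->
    <ind:pattern operation="pattern match">^\s*disable\s*=\s*yes</ind:pattern>
```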
-- 
1.7.1
