For Disable tftp Service - (CCE-27055-3), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative on a RHEL6V1R2 non-complaint machine. The Check Content for RHEL-06-000223 reads, "Output should indicate the "tftp" service has either not been installed, or has been disabled at all run levels, as shown in the example below: # chkconfig "tftp" --list "tftp" 0:off 1:off 2:off 3:off 4:off 5:off 6:off" The expected output should be, "tftp off" as it is part of xinetd. chkconfig can manage xinetd scripts via the means of xinetd.d configuration files, but only the on, off, and --list commands are supported for xinetd.d services. The non-compliant system has tftp running: /usr/bin/sudo /sbi\n/chkconfig "tftp" --list tftp on See the following report output: Disable tftp Service ID: disable_tftp Result: Pass Identities: CCE-27055-3 Description: The tftp service should be disabled. The tftp service can be disabled with the following command: # chkconfig tftp off Fix Text: Severity: medium Weight: Reference: AC-17(8) CM-7 1436 Definitions: ID: oval:ssg:def:247 Result: true Title: Service tftp Disabled Description: The tftp service should be disabled if possible. Class: compliance Tests:
true (One or more item-state comparisons may be true.) true (All item-state comparisons must be true.) true (Runlevel test) true (Runlevel test) true (Runlevel test) true (Runlevel test) true (Runlevel test) true (Runlevel test) true (Runlevel test) false (All item-state comparisons must be true.) false (package tftp-server is removed) Tests: Test ID: oval:ssg:tst:249 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1360 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '0' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:250 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1362 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '1' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:251 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1363 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '2' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:252 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1364 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '3' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:253 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1365 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '4' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:254 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1366 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '5' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:255 Result: true Title: Runlevel test Check Existence: Zero or more collected items may exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1367 Object Requirements: service_name must be equal to 'tftp' runlevel must be equal to '6' State ID: oval:ssg:ste:1361 State Requirements: start must be equal to 'false' kill must be equal to 'true' Collected Item Properties: service_name does not exist runlevel does not exist start does not exist kill does not exist Additional Information: Test ID: oval:ssg:tst:583 Result: false Title: package tftp-server is removed Check Existence: No collected items may exist. Check: Result is based on check existence only. State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1639 Object Requirements: name must be equal to 'tftp-server' Collected Item Properties: name equals 'tftp-server' arch equals 'i686' epoch equals '0' release equals '7.el6' version equals '0.49' evr equals '0:0.49-7.el6' signature_keyid equals '0946fca2c105b9de' Additional Information: Collected items did not meet the check existence requirement. _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
