>From 8a920192505dee3b4453300bd2556ee2c2e97271 Mon Sep 17 00:00:00 2001 From: Shawn Wells <sh...@redhat.com> Date: Sun, 13 Apr 2014 01:58:46 -0400 Subject: [PATCH 12/26] New RHEL6 rule: package_tftp_removed
Added in support of CIS/C2S baseline.
---
 RHEL/6/input/checks/package_tftp_removed.xml | 26 ++++++++++++++++++++
 RHEL/6/input/checks/templates/packages_removed.csv | 1 +
 RHEL/6/input/services/obsolete.xml | 15 +++++++++++
 3 files changed, 42 insertions(+), 0 deletions(-)
 create mode 100644 RHEL/6/input/checks/package_tftp_removed.xml
diff --git a/RHEL/6/input/checks/package_tftp_removed.xml b/RHEL/6/input/checks/package_tftp_removed.xml
new file mode 100644
index 0000000..a15af45
--- /dev/null
+++ b/RHEL/6/input/checks/package_tftp_removed.xml
@@ -0,0 +1,26 @@
+<def-group> + <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> + <definition class="compliance" id="package_tftp_removed" + version="1"> + <metadata> + <title>Package tftp Removed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The RPM package tftp should be removed.</description> + <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package tftp is removed" + test_ref="test_package_tftp_removed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="none_exist" + id="test_package_tftp_removed" version="1" + comment="package tftp is removed"> + <linux:object object_ref="obj_package_tftp_removed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_tftp_removed" version="1"> + <linux:name>tftp</linux:name> + </linux:rpminfo_object> +</def-group>
diff --git a/RHEL/6/input/checks/templates/packages_removed.csv b/RHEL/6/input/checks/templates/packages_removed.csv
index 3bd9afc..790b74d 100644
--- a/RHEL/6/input/checks/templates/packages_removed.csv
+++ b/RHEL/6/input/checks/templates/packages_removed.csv
@@ -37,6 +37,7 @@ sysstat
 talk-server
 telnet
 telnet-server
+tftp
 tftp-server
 vsftpd
 xinetd
diff --git a/RHEL/6/input/services/obsolete.xml b/RHEL/6/input/services/obsolete.xml
index 604be4d..619f0ab 100644
--- a/RHEL/6/input/services/obsolete.xml
+++ b/RHEL/6/input/services/obsolete.xml
@@ -348,6 +348,21 @@ accidental (or intentional) activation of tftp services.
 <tested by="DS" on="20121026"/>
 </Rule>
 
+<Rule id="package_tftp_removed">
+<title>Remove tftp</title>
+<description>Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between machines.
+TFTP does not support authentication and can be easily hacked. The package
+<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
+</description>
+<ocil><package-remove-macro package="tftp"/></ocil>
+<rationale>It is recommended that TFTP be remvoed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.</rationale>
+<ident cce="" />
+<oval id="package_tftp_removed" />
+</Rule>
+
 <Rule id="tftpd_uses_secure_mode" severity="high">
 <title>Ensure <tt>tftp</tt> Daemon Uses Secure Mode</title>
 <description>If running the <tt>tftp</tt> service is necessary, it should be configured
-- 
1.7.1
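Review bot: The `<rationale>` of the new `package_tftp_removed` rule misspells "removed" as `remvoed` and justifies removal in terms of a boot server and "configuring the services", which reads as if written for `tftp-server` rather than for the client package this rule removes. I would tie it to the client, e.g. `<rationale>The tftp client transfers files with no authentication or encryption; it should be removed unless there is a documented need for it.</rationale>`, and replace "can be easily hacked" in the description with the same concrete statement. The rule also ships with an empty `<ident cce="" />` and, unlike the neighbouring `tftpd_uses_secure_mode` rule, carries no `severity` attribute; both look like they still need to be filled in.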