Update tftpd_uses_secure_mode #6051
Let's create the remediation instead of using a warning.
4a2586c to f72aeee
lineinfile: | ||
path: "/etc/xinetd.d/tftp" | ||
regexp: '^[\s]*(serger_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)(.*)$' | ||
line: '\1 -s {{ tftpd_secure_directory {{ \3' |
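Review bot: the regexp matches `serger_args`, but the xinetd key is `server_args`, so this pattern never matches the line in /etc/xinetd.d/tftp that it is meant to rewrite; change it to `server_args`. The `line:` template also opens `{{` twice and never closes the expression (`{{ tftpd_secure_directory {{`); it should read `{{ tftpd_secure_directory }}`. Separately, the pattern requires an existing `-s <path>` pair, so a `server_args` line that has no `-s` at all is not covered by this task and needs its own handling.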
line: '\1 -s {{ tftpd_secure_directory {{ \3' | |
line: '\1 -s {{ tftpd_secure_directory }} \3' |
@@ -0,0 +1,14 @@ | |||
documentation_complete: true |
Usually we have variable files starting with prefix `var_`. What do you think about this?
+1
I am impartial - those files end with `var` already, and you can't confuse a variable with something else just by accident. But if someone requires to prepend `var_` in order for the PR to get merged, then I wouldn't object.
There are lots of inconsistent variables. I suggest that one day we unite it and document it somewhere; currently this works and I would like to move forward. So if you don't mind I would like to leave it as it is.
This should be called `var_tftpd_secure_directory.var`. This makes it easier to understand that it is a variable when the content is fully generated into SCAP. The older use of variables is a lot harder to change since they are used in production and would introduce some painful changes.
f72aeee to 57554f1
e5f3f2b to df97d24
@vojtapolasek Thanks for updating the variable name. Now it looks fine.
Description:
- add xccdf variable
- update description, check and remediation appropriately
- add tests
- adding ansible remediation

Rationale:
- STIG effort
- reference: https://vaulted.io/library/disa-stigs-srgs/red_hat_enterprise_linux_7_security_technical_implementation_guide/V-72305?version=v2r7
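The check and remediation listed in the description, sketched in Python as an added example; this is not the project's OVAL or Ansible content. It assumes, as the PR's regexp does, that the directory immediately follows `-s`; the sample file, the directory `/var/lib/tftpboot` and the function names are constructed for illustration.

```python
import re

# Matches an active (uncommented) server_args line of an xinetd service file.
SERVER_ARGS = re.compile(r"^(?P<indent>\s*)server_args\s*=\s*(?P<args>.*?)\s*$")

# Constructed sample of /etc/xinetd.d/tftp with secure mode missing.
SAMPLE = """\
service tftp
{
    socket_type = dgram
    protocol    = udp
    server      = /usr/sbin/in.tftpd
    server_args = -c
    disable     = no
}
"""


def check_secure_mode(config_text, secure_dir):
    """True if server_args contains '-s' immediately followed by secure_dir."""
    for line in config_text.splitlines():
        m = SERVER_ARGS.match(line)
        if m:
            tokens = m.group("args").split()
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-s":
                    return tokens[i + 1] == secure_dir
            return False  # no '-s <dir>' pair on the server_args line
    return False  # no server_args line at all


def remediate(config_text, secure_dir):
    """Return the config with server_args carrying '-s <secure_dir>'."""
    out = []
    for line in config_text.splitlines():
        m = SERVER_ARGS.match(line)
        if m:
            tokens = m.group("args").split()
            if "-s" in tokens:
                # Replace the directory after -s (or add it if -s is last).
                i = tokens.index("-s")
                tokens[i + 1:i + 2] = [secure_dir]
            else:
                # Case the PR's regexp does not match: -s absent entirely.
                tokens += ["-s", secure_dir]
            line = f"{m.group('indent')}server_args = {' '.join(tokens)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

A file with no `server_args` line at all is reported as failing by `check_secure_mode` and is returned unchanged by `remediate`, so that case still needs separate handling.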