Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update tftpd_uses_secure_mode #6051

Merged
merged 6 commits into from Sep 10, 2020
Merged

Update tftpd_uses_secure_mode #6051

merged 6 commits into from Sep 10, 2020

Conversation

vojtapolasek
Copy link
Collaborator

@vojtapolasek vojtapolasek commented Sep 4, 2020
edited

Description:

  • add xccdf variable

  • update description, check and remediation appropriately

  • add tests

  • adding ansible remediation

Rationale:

STIG effort

reference: https://vaulted.io/library/disa-stigs-srgs/red_hat_enterprise_linux_7_security_technical_implementation_guide/V-72305?version=v2r7

@vojtapolasek vojtapolasek added this to the 0.1.53 milestone Sep 4, 2020
@redhatrises
Copy link
Contributor

Description:

  • add warning that rule has no remdiation
  • add tests

Rationale:

STIG effort

reference: https://vaulted.io/library/disa-stigs-srgs/red_hat_enterprise_linux_7_security_technical_implementation_guide/V-72305?version=v2r7

Let's create the remediation instead of using a warning.

@vojtapolasek vojtapolasek marked this pull request as draft September 8, 2020 11:28
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 8, 2020
ggbecker
ggbecker reviewed Sep 8, 2020
View reviewed changes
linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml Outdated
lineinfile:
path: "/etc/xinetd.d/tftp"
regexp: '^[\s]*(serger_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)(.*)$'
line: '\1 -s {{ tftpd_secure_directory {{ \3'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
line: '\1 -s {{ tftpd_secure_directory {{ \3'
line: '\1 -s {{ tftpd_secure_directory }} \3'

ggbecker
ggbecker reviewed Sep 8, 2020
View reviewed changes
linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var Outdated
@@ -0,0 +1,14 @@
documentation_complete: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

usually we have variable files starting with prefix var_. What do you think about this?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am impartial - those files end with var already, and you can't confuse a variable with something else just by accident. But if someone requires to prepend var_ in order for the PR to get merged, then I wouldn't object.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are lots of inconsistent variables. I suggest that one day we unite it and document it somewhere, currently this works and I would like to move forward. So if you don't mind I would like to leav it as it is.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be called var_tftpd_secure_directory.var. This makes it easier to understand that it is a variable when the content is fully generated into SCAP. The older use of variables is a lot harder to change since they are used in production and would introduce some painful changes.

@vojtapolasek vojtapolasek marked this pull request as ready for review September 8, 2020 12:35
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 8, 2020
@mildas
Copy link
Contributor

mildas commented Sep 9, 2020

Changes identified:
Rule tftpd_uses_secure_mode:
 New node inserted to OVAL check.
 Bash remediation is newly added.
 Text changed in OVAL check.
 Ansible remediation newly added.

Recommended tests to execute:
 build_product ol7
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-ol7-ds.xml tftpd_uses_secure_mode
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-ol7-ds.xml tftpd_uses_secure_mode

@jan-cerny jan-cerny self-assigned this Sep 10, 2020
@jan-cerny
Copy link
Collaborator

@vojtapolasek Thanks for updating the variable name. Now it looks fine.

@jan-cerny jan-cerny merged commit 35e27dd into ComplianceAsCode:master Sep 10, 2020
@marcusburghardt marcusburghardt added RHEL7 Red Hat Enterprise Linux 7 product related. STIG STIG Benchmark related. labels Jun 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matejak matejak matejak left review comments

@redhatrises redhatrises redhatrises left review comments

@jan-cerny jan-cerny jan-cerny left review comments

@ggbecker ggbecker ggbecker left review comments

Assignees

@jan-cerny jan-cerny

Labels
RHEL7 Red Hat Enterprise Linux 7 product related. STIG STIG Benchmark related.
Projects
None yet
Milestone
0.1.53
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@vojtapolasek @redhatrises @mildas @jan-cerny @matejak @ggbecker @marcusburghardt @openshift-ci-robot