Duplicate testing for telnetd instead of rsh #97

aavetis · 2018-07-19T13:52:21Z

https://github.com/dev-sec/linux-baseline/blob/master/controls/package_spec.rb#L39-L55

package-02 and package-03 seem to both be testing for telnetd, but seems like it intends to test for rsh.

control 'package-02' do
  impact 1.0
  title 'Do not install Telnet server'
  desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2'
  describe package('telnetd') do
    it { should_not be_installed }
  end
end

control 'package-03' do
  impact 1.0
  title 'Do not install rsh server'
  desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3'
  describe package('telnetd') do
    it { should_not be_installed }
  end
end

The text was updated successfully, but these errors were encountered:

chris-rock · 2018-07-19T13:53:12Z

@aavetis Thank you for this finding. Would you like to open a PR to fix this?

aavetis · 2018-07-19T13:54:46Z

yep @chris-rock - just made #98; wasn't sure the package name off the top of my head :X

aavetis mentioned this issue Jul 19, 2018

Update to test for rsh-server instead of duplicate telnetd #98

Merged

chris-rock closed this as completed in #98 Jul 19, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Duplicate testing for telnetd instead of rsh #97

Duplicate testing for telnetd instead of rsh #97

aavetis commented Jul 19, 2018

chris-rock commented Jul 19, 2018

aavetis commented Jul 19, 2018

Duplicate testing for telnetd instead of rsh #97

Duplicate testing for telnetd instead of rsh #97

Comments

aavetis commented Jul 19, 2018

chris-rock commented Jul 19, 2018

aavetis commented Jul 19, 2018