Check for TFTP secure mode [+Docs]

This patch adds tasks that verify if TFTP is running in secure mode. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I73fd30e295cef9a3d9d7ebb5769df6b3f45db668
2016-12-06 15:07:47 -06:00 · 2016-12-06 15:07:47 -06:00 · 5b06a4484f
commit 5b06a4484f
parent fc2c356bc4
2 changed files with 35 additions and 2 deletions
--- a/doc/metadata/rhel7/RHEL-07-040520.rst
+++ b/doc/metadata/rhel7/RHEL-07-040520.rst
@ -1,7 +1,10 @@
 ---
 id: RHEL-07-040520
-status: not implemented
+status: verification only
 tag: misc
 ---

-This STIG requirement is not yet implemented.
+The tasks in the security role examine the TFTP server configuration file (if
+it exists) to verify that the secure operation flag (``-s``) is listed on the
+``server_args`` line. If it is missing, a warning message is printed in the
+Ansible output.
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@ -285,3 +285,33 @@
    - medium
    - misc
    - RHEL-07-040480
+
+- name: Check for TFTP server configuration file
+  stat:
+    path: /etc/xinetd.d/tftp
+  register: tftp_config_check
+  check_mode: no
+  tags:
+    - always
+
+- name: Check TFTP configuration mode
+  command: 'grep server_args /etc/xinetd.d/tftp'
+  register: tftp_secure_check
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  when:
+    - tftp_config_check.stat.exists
+  tags:
+    - always
+
+- name: RHEL-07-040520 - TFTP must be configured to operate in secure mode
+  debug:
+    msg: TFTP must be configured to run in secure mode with the '-s' flag.
+  when:
+    - tftp_config_check.stat.exists
+    - "'-s' not in tftp_secure_check.stdout"
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040520