Check for TFTP secure mode [+Docs]

This patch adds tasks that verify if TFTP is running in secure mode.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I73fd30e295cef9a3d9d7ebb5769df6b3f45db668

doc/metadata/rhel7/RHEL-07-040520.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-040520
-status: not implemented
+status: verification only
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role examine the TFTP server configuration file (if
+it exists) to verify that the secure operation flag (``-s``) is listed on the
+``server_args`` line. If it is missing, a warning message is printed in the
+Ansible output.

tasks/rhel7stig/misc.yml

@@ -285,3 +285,33 @@
     - medium
     - misc
     - RHEL-07-040480
+
+- name: Check for TFTP server configuration file
+  stat:
+    path: /etc/xinetd.d/tftp
+  register: tftp_config_check
+  check_mode: no
+  tags:
+    - always
+
+- name: Check TFTP configuration mode
+  command: 'grep server_args /etc/xinetd.d/tftp'
+  register: tftp_secure_check
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  when:
+    - tftp_config_check.stat.exists
+  tags:
+    - always
+
+- name: RHEL-07-040520 - TFTP must be configured to operate in secure mode
+  debug:
+    msg: TFTP must be configured to run in secure mode with the '-s' flag.
+  when:
+    - tftp_config_check.stat.exists
+    - "'-s' not in tftp_secure_check.stdout"
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040520