From stuart.green at doccentrics.com Thu Aug 20 11:34:41 2015
Content-Type: multipart/mixed; boundary="===============5983144710014825728=="
MIME-Version: 1.0
From: Stuart Green <stuart.green at doccentrics.com>
To: scap-security-guide at lists.fedorahosted.org
Subject: telnet section
Date: Wed, 31 Jul 2013 16:15:42 +0100
Message-ID: <51F92A1E.2010103@doccentrics.com>

--===============5983144710014825728==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Greetings All,

New to this list!

I think I might have found an issue with the  SSG policy content.

Summary:  If you do not have telnet installed on the system it causes =

Rule ID: disable_telnet_service to fail.



In no place in this rule does it consider that telnet might not be =

installed at all, so it fails (rather than errors, or even better does a =

check as a precursor to see if its installed at all and if not passes!)


grep 'id=3D"oval:ssg:tst:231"' ssg-rhel6-oval.xml.result.xml
       <ind-def:textfilecontent54_test id=3D"oval:ssg:tst:231" version=3D"1=
" =

check_existence=3D"all_exist" check=3D"all" comment=3D"Disable Telnet Servi=
ce">
         <test test_id=3D"oval:ssg:tst:231" version=3D"1" =

check_existence=3D"all_exist" check=3D"all" result=3D"false"/>


         <Rule id=3D"disable_telnet_service" selected=3D"false" severity=3D=
"high">
           <title xml:lang=3D"en-US">Disable telnet Service</title>
           <description xmlns:xhtml=3D"http://www.w3.org/1999/xhtml" =

xml:lang=3D"en-US">

     The <xhtml:code>telnet</xhtml:code> service can be disabled with =

the following command:

     <xhtml:pre># chkconfig telnet off</xhtml:pre>
           </description>
           <reference =

href=3D"http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev=
3-final.pdf">AC-17(8)</reference>
           <reference =

href=3D"http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev=
3-final.pdf">CM-7</reference>
           <reference =

href=3D"http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev=
3-final.pdf">IA-5(1)(c)</reference>
           <reference =

href=3D"http://iase.disa.mil/cci/index.html">68</reference>
           <reference =

href=3D"http://iase.disa.mil/cci/index.html">1436</reference>
           <reference =

href=3D"http://iase.disa.mil/cci/index.html">197</reference>
           <reference =

href=3D"http://iase.disa.mil/cci/index.html">877</reference>
           <reference =

href=3D"http://iase.disa.mil/cci/index.html">888</reference>
           <reference xmlns:dc=3D"http://purl.org/dc/elements/1.1/" =

href=3D"test_attestation">
             <dc:contributor>DS</dc:contributor>
             <dc:date>20121026</dc:date>
           </reference>

           <rationale xmlns:xhtml=3D"http://www.w3.org/1999/xhtml" =

xml:lang=3D"en-US">

The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. The telnet protocol is also
subject to man-in-the-middle attacks.

</rationale>

           <ident system=3D"http://cce.mitre.org">CCE-26836-7</ident>
           <check =

system=3D"http://oval.mitre.org/XMLSchema/oval-definitions-5">
             <check-content-ref name=3D"oval:ssg:def:230" =

href=3D"ssg-rhel6-oval.xml"/>
           </check>

           <check system=3D"ocil-transitional">
             <check-export export-name=3D"the service is running" =

value-id=3D"conditional_clause"/>
             <check-content xmlns:xhtml=3D"http://www.w3.org/1999/xhtml">

     To check that the <xhtml:code>telnet</xhtml:code> service is =

disabled in system boot configuration, run the following command:
     <xhtml:pre># chkconfig <xhtml:code>telnet</xhtml:code> =

--list</xhtml:pre>
     Output should indicate the <xhtml:code>telnet</xhtml:code> service =

has either not been installed,
     or has been disabled at all runlevels, as shown in the example below:
     <xhtml:pre># chkconfig <xhtml:code>telnet</xhtml:code> --list
<xhtml:code>telnet</xhtml:code>       0:off   1:off 2:off   3:off   =

4:off   5:off   6:off</xhtml:pre>


     Run the following command to verify <xhtml:code>telnet</xhtml:code> =

is disabled through current runtime configuration:

     <xhtml:pre># service telnet status</xhtml:pre>

     If the service is disabled the command will return the following =

output:

     <xhtml:pre>telnet is stopped</xhtml:pre>
           </check-content>
           </check>
         </Rule>



Cheers,
Stu


--===============5983144710014825728==--