Welcome to the list :-)
There is a ticket for this that Shawn Wells entered for me.
R/ BP
On Wed, 31 Jul 2013 16:15:42 +0100, Stuart Green
<stuart.green(a)doccentrics.com> wrote:
Greetings All,
New to this list!
I think I might have found an issue with the SSG policy content.
Summary: If you do not have telnet installed on the system, it causes
Rule ID disable_telnet_service to fail.
In no place in this rule does it consider that telnet might not be
installed at all, so it fails (rather than errors, or, even better,
does a check as a precursor to see if it's installed at all and, if not,
passes!)
grep 'id="oval:ssg:tst:231"' ssg-rhel6-oval.xml.result.xml
<ind-def:textfilecontent54_test id="oval:ssg:tst:231"
version="1" check_existence="all_exist" check="all"
comment="Disable Telnet Service">
<test test_id="oval:ssg:tst:231" version="1"
check_existence="all_exist" check="all"
result="false"/>
<Rule id="disable_telnet_service" selected="false"
severity="high">
<title xml:lang="en-US">Disable telnet Service</title>
<description
xmlns:xhtml="http://www.w3.org/1999/xhtml"
xml:lang="en-US">
The <xhtml:code>telnet</xhtml:code> service can be disabled with
the following command:
<xhtml:pre># chkconfig telnet off</xhtml:pre>
</description>
<reference
href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-5...
<reference
href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-5...
<reference
href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-5...
<reference
href="http://iase.disa.mil/cci/index.html">68</reference>
<reference
href="http://iase.disa.mil/cci/index.html">1436</referenc...
<reference
href="http://iase.disa.mil/cci/index.html">197</reference...
<reference
href="http://iase.disa.mil/cci/index.html">877</reference...
<reference
href="http://iase.disa.mil/cci/index.html">888</reference...
<reference
xmlns:dc="http://purl.org/dc/elements/1.1/"
href="test_attestation">
<dc:contributor>DS</dc:contributor>
<dc:date>20121026</dc:date>
</reference>
<rationale
xmlns:xhtml="http://www.w3.org/1999/xhtml"
xml:lang="en-US">
The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. The telnet protocol is also
subject to man-in-the-middle attacks.
</rationale>
<ident
system="http://cce.mitre.org">CCE-26836-7</ident>
<check
system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:230"
href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the service is running"
value-id="conditional_clause"/>
<check-content
xmlns:xhtml="http://www.w3.org/1999/xhtml">
To check that the <xhtml:code>telnet</xhtml:code> service is
disabled in system boot configuration, run the following command:
<xhtml:pre># chkconfig <xhtml:code>telnet</xhtml:code>
--list</xhtml:pre>
Output should indicate the <xhtml:code>telnet</xhtml:code>
service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre># chkconfig <xhtml:code>telnet</xhtml:code> --list
<xhtml:code>telnet</xhtml:code> 0:off 1:off 2:off 3:off
4:off 5:off 6:off</xhtml:pre>
Run the following command to verify
<xhtml:code>telnet</xhtml:code> is disabled through current runtime
configuration:
<xhtml:pre># service telnet status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre>telnet is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
Cheers,
Stu
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide