Merge pull request #10294 from ComplianceAsCode/create-rule-package-F…

…TP-client-removed Add package_ftp_removed rule
ComplianceAsCode · Mar 9, 2023 · 37b9141 · 37b9141
2 parents 35c1926 + f0c929a
commit 37b9141
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -902,7 +902,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
+    status: automated
+    rules:
+      - package_ftp_removed
 
   - id: 2.4
     title: Ensure nonessential services are removed or masked (Manual)

diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Remove ftp Package'
+
+description: |-
+    FTP (File Transfer Protocol) is a traditional and widely used standard tool for
+    transferring files between a server and clients over a network, especially where no
+    authentication is necessary (permits anonymous users to connect to a server).
+    <br/>
+    {{{ describe_package_remove(package="ftp") }}}
+
+rationale: |-
+    FTP does not protect the confidentiality of data or authentication credentials. It
+    is recommended SFTP be used if file transfer is required. Unless there is a need
+    to run the system as a FTP server (for example, to allow anonymous downloads), it is
+    recommended that the package be removed to reduce the potential attack surface.
+
+severity: low
+
+identifiers:
+    cce@rhel9: CCE-86075-9
+
+references:
+    cis@rhel9: 2.3.4
+
+ocil: '{{{ describe_package_remove(package="ftp") }}}'
+
+template:
+    name: package_removed
+    vars:
+        pkgname: ftp
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -5,7 +5,6 @@ CCE-86071-8
 CCE-86072-6
 CCE-86073-4
 CCE-86074-2
-CCE-86075-9
 CCE-86076-7
 CCE-86078-3
 CCE-86081-7