Add package_ftp_removed rule #10294

Merged
merged 1 commit into from
Mar 9, 2023

Conversation

cortesana
Contributor

Description:

The new package_ftp-client_removed rule is created in order to meet the following CIS requirement for RHEL9:

  • 2.3.4 - Ensure FTP client is not installed. (Automated)

Rationale:

FTP does not protect the confidentiality of data or authentication credentials. Unless the system needs to run as an FTP server, the package should be removed to reduce the potential attack surface.

@cortesana cortesana added RHEL9 Red Hat Enterprise Linux 9 product related. CIS CIS Benchmark related. labels Mar 6, 2023
@cortesana cortesana requested a review from a team as a code owner March 6, 2023 16:37
@cortesana cortesana added this to the 0.1.67 milestone Mar 6, 2023
@Mab879 Mab879 added the New Rule Issues or pull requests related to new Rules. label Mar 6, 2023
@github-actions

github-actions bot commented Mar 6, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel9 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

@cortesana cortesana force-pushed the create-rule-package-FTP-client-removed branch from cf5244e to 70298c1 Compare March 6, 2023 17:51
@Mab879
Member

Mab879 commented Mar 6, 2023

It appears that the ftp-client package doesn't exist on RHEL 9. I think the package you are looking for is ftp.

@marcusburghardt
Member

> It appears that the ftp-client package doesn't exist on RHEL 9. I think the package you are looking for is ftp.

Correct. The package name for the FTP client in RHEL9 is ftp.
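As an added example (not code from this PR or from the ComplianceAsCode project), a shell audit in the spirit of a package_removed check: it evaluates the NAME field of an rpm listing for the RHEL 9 client package ftp, matching the exact name so that lftp, tftp-server or vsftpd do not count as the FTP client. The package listings below are constructed, not captured from a real host.

```shell
# Added example, not the project's own check. On a live host the listing
# would come from: rpm -qa --qf '%{NAME}\n'
# Here it is passed in as text so the check can run offline.

# ftp_client_removed_check NAME_LISTING [PACKAGE]
#   NAME_LISTING : newline-separated package names, one per line
#   PACKAGE      : package to look for, defaults to "ftp" (the RHEL 9
#                  client package; "ftp-client" does not exist there)
#   Prints pass/fail and returns 0 when the package is absent, 1 otherwise.
ftp_client_removed_check() {
    listing=$1
    pkg=${2:-ftp}
    # -x matches the whole line, -F treats the name literally, so "ftp"
    # does not match "lftp", "tftp-server" or "vsftpd".
    if printf '%s\n' "$listing" | grep -qxF -- "$pkg"; then
        echo "fail: package $pkg is installed"
        return 1
    fi
    echo "pass: package $pkg is not installed"
    return 0
}

# Constructed sample listings (not from a real system).
SAMPLE_WITH_FTP='bash
ftp
lftp
tftp-server
vsftpd'

SAMPLE_WITHOUT_FTP='bash
lftp
tftp-server
vsftpd'
```

Running `ftp_client_removed_check "$SAMPLE_WITH_FTP"` fails while the second listing passes even though it still contains lftp and tftp-server.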

Member

@marcusburghardt marcusburghardt left a comment

Thanks for the rule @cortesana. There is a small issue related to the package name. Thanks @Mab879 for catching this.

@cortesana cortesana changed the title Add package_ftp-client_removed rule Add package_ftp_removed rule Mar 7, 2023
@cortesana cortesana force-pushed the create-rule-package-FTP-client-removed branch from 70298c1 to 5593986 Compare March 7, 2023 09:02
@marcusburghardt marcusburghardt self-assigned this Mar 7, 2023
@cortesana cortesana force-pushed the create-rule-package-FTP-client-removed branch 2 times, most recently from 5286950 to 85dc15e Compare March 7, 2023 10:36
@marcusburghardt
Member

The Automatus CS8 failure is expected since the rule is restricted to rhel9.

@cortesana
Contributor Author

/retest

@cortesana
Contributor Author

Hello @jhrozek - one of the RHCOS tests is failing. Could you take a look at the ci/prow/e2e-aws-rhcos4-moderate job and let me know if there is anything that I can do on my end? Thanks

@cortesana cortesana requested a review from jhrozek March 7, 2023 17:27
Mab879
Mab879 previously requested changes Mar 8, 2023
Member

@Mab879 Mab879 left a comment

Just one minor nitpick.

linux_os/guide/services/ftp/package_ftp_removed/rule.yml (outdated)

The new package_ftp_removed rule is created in order to meet the following CIS requirement for RHEL9:
- 2.3.4 - Ensure FTP client is not installed. (Automated)
@cortesana cortesana force-pushed the create-rule-package-FTP-client-removed branch from 85dc15e to f0c929a Compare March 9, 2023 08:41
Member

@marcusburghardt marcusburghardt left a comment

Thanks for this new rule. LGTM!

@marcusburghardt
Member

I will only wait for the CI tests to finish.

@codeclimate

codeclimate bot commented Mar 9, 2023

Code Climate has analyzed commit f0c929a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (0.0% change).

@marcusburghardt marcusburghardt dismissed Mab879’s stale review March 9, 2023 11:19

The suggestion was accepted

@marcusburghardt marcusburghardt merged commit 37b9141 into master Mar 9, 2023
@cortesana cortesana deleted the create-rule-package-FTP-client-removed branch March 9, 2023 11:27
4 participants