From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
Date: Sat, 1 Feb 2014 14:24:19 +0000 (UTC)
Message-ID: <1391264607.9b2ba0b21a29addbe49dd8bffb82c245f37cc65f.swift@gentoo>
commit: 9b2ba0b21a29addbe49dd8bffb82c245f37cc65f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 1 14:23:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 14:23:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9b2ba0b2
Add in hidepid information (yes I know, grsec can also do this)
---
xml/SCAP/gentoo-xccdf.xml | 41 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 25621c0..d2bf154 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2013-12-20">draft</status>
+ <status date="2014-02-01">draft</status>
<title>Gentoo Security Benchmark</title>
<description>
This benchmarks helps people in improving their system configuration to be
more resilient against attacks and vulnerabilities.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
- <version>20131220.1</version>
+ <version>20140201.1</version>
<model system="urn:xccdf:scoring:default" />
<model system="urn:xccdf:scoring:flat" />
<model system="urn:xccdf:scoring:flat-unweighted" />
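Review bot: while this hunk touches the status date and version, the context line two lines below it reads "This benchmarks helps people in improving their system configuration"; it should be "This benchmark helps people improve their system configuration". Since the header block is being edited anyway, fix the wording in the same commit.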
@@ -57,7 +57,7 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
<!-- The /var/log/audit partition is mounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
- <!-- The /home partition is mounted with nodev -->
+ <!-- The /home partition is moounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
<!-- The /tmp partition is mounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
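Review bot: the only change in this hunk introduces a typo, "moounted" for "mounted", into a comment that was previously correct. This looks like an accidental edit; revert the line (or fix the spelling) before merging.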
@@ -99,6 +99,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
<!-- Make sure PORTAGE_GPG_DIR is set -->
<select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
+ <!-- Make sure /etc/securetty only contains console and tty's -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
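Review bot: the new comment uses "tty's" as a plural; write "ttys" or "tty devices" so the comment matches the plain-noun style of the neighbouring comments. Also note that the select is added to the default-oval profile, and the default profile directly below extends it, so the securetty rule becomes selected in both profiles; confirm that is the intent.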
@@ -701,7 +703,7 @@
for file systems are explained.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
- <title>Appropriate mount options for the file systems</title>
+ <title>Using no* mount options for the file systems</title>
<description>
<h:p>
Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
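Review bot: the new title "Using no* mount options for the file systems" is less descriptive than the one it replaces; "no*" reads as a shell glob, and the description that follows only names nodev. Either keep the original "Appropriate mount options for the file systems" or spell out which no* options the group actually covers in the title.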
@@ -988,6 +990,26 @@ mount -o remount,usrquota,grpquota /home
</check>
</Rule>
</Group> <!-- system-fs-quotas -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
+ <title>Hiding process information through hidepid</title>
+ <description>
+ <h:p>
+ In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
+ mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
+ all process information is world readable.
+ </h:p>
+ <h:p>
+ When the value 1 is passed, the process information is not readable, but process directories are still shown
+ in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
+ </h:p>
+ <h:p>
+ In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
+ option can be used to exempt this group from the PID hiding.
+ </h:p>
+ </description>
+ <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
+ the hidepid support</reference>
+ </Group>
</Group> <!-- system-fs -->
<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
<title>System services</title>
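Review bot: the new system-fs-hidepid group carries only a description and a reference, with no Rule, check or fixtext, so unlike the adjacent system-fs-quotas group it can never be selected, scored or remediated from a profile. Add a Rule with an OVAL check on the /proc mount options and a fixtext showing the concrete mount line, in the same style as the `mount -o remount,usrquota,grpquota /home` line visible in this hunk's context (for hidepid that would be `mount -o remount,hidepid=2 /proc`, plus the matching /etc/fstab entry so the setting survives a reboot). In the prose, "pass on the value 2" should be "pass the value 2", and "a particular group of people to see other people's processes" reads better as "a particular group to see other users' processes", since gid= names a system group rather than people.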
@@ -1399,8 +1421,8 @@ PORTAGE_GPG_DIR="/etc/portage/gpg"
<h:p>
TODO looks like this has become a lot more difficult to obtain
</h:p>
- <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
</description>
+ <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
<title>Password protect GRUB (legacy)</title>
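Review bot: moving the reference element out of description so it is a direct child of Group is an element-ordering fix unrelated to hidepid; it should be mentioned in the commit message (which only names hidepid) or split into its own commit. The "TODO looks like this has become a lot more difficult to obtain" paragraph is left in the rendered description; if it is a note to maintainers rather than to readers, turn it into an XML comment instead.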
@@ -1504,6 +1526,15 @@ tty1
...
tty12</h:pre>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
+ <title>/etc/securetty is limited to console and tty's</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
+ Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
<title>Allow only known users to login</title>
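Review bot: the new Rule sets severity="low" weight="0.0", so under the default and flat scoring models declared at the top of the benchmark it contributes nothing to the score even though the profile now selects it; if that is intentional, say so in a comment, otherwise give it a non-zero weight. The fixtext's fixref points at xccdf_org.gentoo.dev.swift_fix_securetty-limitentries, but this patch adds no fix element with that id, and the check references oval:org.gentoo.dev.swift:def:32 in gentoo-oval.xml, a file this commit does not touch; confirm both exist so the fixref and check-content-ref do not dangle. Minor: the title's "tty's" should be "ttys", and quoting the pattern as 'tty[0-9]*' in the fixtext, as the fixtext already does, would keep title and fix consistent.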