* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/, xml/SCAP/bin/
@ 2013-09-19 14:23 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-19 14:23 UTC (permalink / raw
  To: gentoo-commits

commit:     9fbaa6ab52cb7b402e162457f8e0142ed69b271a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Sep 19 14:23:06 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Sep 19 14:23:06 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9fbaa6ab

Update on baseline, now working on services

---
 xml/SCAP/Makefile                                  |   2 +-
 .../gentoo-sce_installation-toolchain-hardened.sh  |  43 ++
 xml/SCAP/gentoo-oval.xml                           | 551 +++++++++++++++-
 xml/SCAP/gentoo-xccdf.xml                          | 690 ++++++++++++++++-----
 4 files changed, 1107 insertions(+), 179 deletions(-)

diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index fcbf549..3de65fa 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,7 +1,7 @@
 all: report.html guide.html remediate.sh #guide.pdf
 
 report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
-	oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
+	-oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
 
 guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
 	oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
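Review bot: The `-` prefix added to the `oscap xccdf eval` recipe makes make ignore every non-zero exit, not only the status oscap returns when one or more rules fail; a missing `oscap` binary, a wrong `--profile` id or a malformed XCCDF/OVAL document now also leave `all` green, possibly with a stale report.html from a previous run. If the intent is only to tolerate failed rules, keep the `-` but let the target fail when no fresh report was produced, e.g. by adding a second recipe line `test -s report.html` after the eval, or by explicitly testing the exit status for the rule-failure code oscap documents. As written, a broken benchmark and a non-compliant host are indistinguishable from the build's point of view.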

diff --git a/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh b/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh
new file mode 100755
index 0000000..99ff12c
--- /dev/null
+++ b/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Get CHOST value
+echo "Getting CHOST variable content through portageq.";
+my_chost=$(portageq envvar CHOST);
+if [ -z "${my_chost}" ];
+then
+  echo "-- The portageq command failed. Falling back to glibc build info.";
+  my_chost=$(cat /var/db/pkg/sys-libs/glibc-*/CHOST | tail -1);
+fi
+echo "-- Got CHOST=${my_chost}";
+
+# Get current GCC version
+echo "Getting current GCC version through /etc/env.d/gcc/config-*";
+current_gcc=$(grep CURRENT /etc/env.d/gcc/config-* | sed -e "s:CURRENT=${my_chost}-::g" | sed -e "s:\([0-9\.-r]*\){$,-.*$}:\1:g" );
+echo "-- Got version=${current_gcc}";
+
+# Get type
+echo "Getting compiler type (profile/spec) through its CURRENT= value.";
+current_type=$(grep CURRENT /etc/env.d/gcc/config-* | sed -e "s:CURRENT=${my_chost}-${current_gcc}::g" | sed -e 's:^-::g');
+echo "-- Got type=${current_type}";
+
+echo "Checking USE flags of gcc-${current_gcc} for hardened USE flag.";
+grep -q hardened /var/db/pkg/sys-devel/gcc-${current_gcc}/USE;
+current_hardened_use=$?;
+
+if [ ${current_hardened_use} -ne 0 ];
+then
+  echo "!! GCC ${current_gcc} is not build with USE=hardened!";
+  echo "!! Please enable a hardened profile.";
+  exit ${XCCDF_RESULT_FAIL};
+else
+  echo "-- GCC ${current_gcc} is build with USE=hardened.";
+  if [ -z "${current_type}" ];
+  then
+    echo "-- The default type is used which is a hardened type.";
+    exit ${XCCDF_RESULT_PASS};
+  else
+    echo "!! A non-default type is used: ${current_type}";
+    echo "!! This means not all hardened toolchain measures are enabled.";
+    exit ${XCCDF_RESULT_FAIL};
+  fi
+fi
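Review bot: The second `sed` on the `current_gcc` line (`s:\([0-9\.-r]*\){$,-.*$}:\1:g`) does not appear to be valid BRE alternation — in GNU sed `{`, the inner `$` and `}` are literals there — so the `-<type>` suffix is most likely never stripped from `current_gcc`; the substitution that derives `current_type` then removes the whole `CURRENT=` value, `current_type` stays empty, and the script exits with `XCCDF_RESULT_PASS` on the "default type" branch even when a non-default profile such as `hardenednopie` is selected, which is exactly the case this check exists to catch. Deriving version and type with POSIX parameter expansion avoids the regex entirely, and `grep -h` keeps file-name prefixes out of the output when more than one `config-*` file exists. On the USE-flag check, quote `${current_gcc}` so an empty version cannot expand into an unintended path, and use `grep -qw` so only the exact `hardened` flag matches; if the installed package carries a revision suffix (`-r1`) the fixed `gcc-${current_gcc}` path will not exist, so a glob on that directory may be needed.
```shell
# … unchanged: CHOST detection …
# Get current GCC version and type from CURRENT=<CHOST>-<version>[-<type>]
echo "Getting current GCC version and type through /etc/env.d/gcc/config-*";
current_raw=$(grep -h CURRENT /etc/env.d/gcc/config-* | sed -e "s:^CURRENT=${my_chost}-::");
current_gcc=${current_raw%%-*};
current_type=${current_raw#"${current_gcc}"};
current_type=${current_type#-};
echo "-- Got version=${current_gcc}";
echo "-- Got type=${current_type}";

echo "Checking USE flags of gcc-${current_gcc} for hardened USE flag.";
grep -qw hardened "/var/db/pkg/sys-devel/gcc-${current_gcc}/USE";
current_hardened_use=$?;
# … unchanged: result evaluation and exit …
```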

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 9fa2c1e..4fe52b9 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -1,17 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
-	xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" 
-	xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
-	xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
-	xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
-	xsi:schemaLocation="
-		http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
-		http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
-		http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
-		http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
-		http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+        xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" 
+        xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+        xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+        xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+        xsi:schemaLocation="
+                http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
+                http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
+                http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
+                http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
+                http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
 
 <generator>
   <oval:product_name>OVAL Gentoo Linux</oval:product_name>
@@ -46,7 +46,7 @@
       <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14559-9"/>
       <description>
         This definition tests whether the /home location is a separate file
-	system.
+        system.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -62,7 +62,7 @@
       </affected>
       <description>
         This definition tests whether the /home partition is mounted with the nosuid 
-	mount option.
+        mount option.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -79,7 +79,7 @@
       </affected>
       <description>
         This definition tests whether the /home partition is mounted with the nodev 
-	mount option.
+        mount option.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -97,7 +97,7 @@
       <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
       <description>
         This definition tests whether the /tmp location is a separate file
-	system.
+        system.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -105,7 +105,297 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:6" version="1" class="compliance">
+    <metadata>
+      <title>The /var location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14777-7"/>
+      <description>
+        This definition tests whether the /var location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:7" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14011-1"/>
+      <description>
+        This definition tests whether the /var/log location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:8" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log/audit location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14171-3"/>
+      <description>
+        This definition tests whether the /var/log/audit location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:9" version="1" class="compliance">
+    <metadata>
+      <title>The /var file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="The /var partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:10" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var/log partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="The /var/log partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:11" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log/audit file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var/log/audit partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="The /var/log/audit partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:12" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /var/log/audit location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /var/log/audit partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:13" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14940-1"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the nosuid
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="The /tmp partition is mounted with nosuid mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:14" version="1" class="compliance">
+    <metadata>
+      <title>The /dev/shm file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14306-5"/>
+      <description>
+        This definition tests whether the /dev/shm partition is mounted with the nosuid
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="The /dev/shm file system is mounted with nosuid mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:15" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the noexec option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14927-8"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the noexec
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="The /tmp partition is mounted with noexec mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:16" version="1" class="compliance">
+    <metadata>
+      <title>The /dev/shm file system is mounted with the noexec option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14703-3"/>
+      <description>
+        This definition tests whether the /dev/shm partition is mounted with the noexec
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="The /dev/shm file system is mounted with nosuid mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:17" version="1" class="compliance">
+    <metadata>
+      <title>The /var/tmp location is on a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14584-7"/>
+      <description>
+        This definition tests whether the /var/tmp location is on its own file system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="The /var/tmp location is a separate file system" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:18" version="1" class="compliance">
+    <metadata>
+      <title>The kernel is build with quota support (CONFIG_QUOTA)</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether the Linux kernel is build with quota support (CONFIG_QUOTA).
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="The Linux kernel is build with CONFIG_QUOTA" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:19" version="1" class="compliance">
+    <metadata>
+      <title>No process matching "telnetd" is running</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-3390-2" />
+      <description>
+        This definition tests if no telnet daemon processes are running.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="No telnet daemons are running" />
+    </criteria>
+  </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:20" version="1" class="compliance">
+    <metadata>
+      <title>No process matching "ftpd" is running</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4273-9" />
+      <description>
+        This definition tests if no FTP daemon processes are running.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:21" comment="No FTP daemons are running" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:21" version="1" class="compliance">
+    <metadata>
+      <title>rc.conf's rc_shell should be set to /sbin/sulogin</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6" />
+      <description>
+        This definition tests if rc_shell in /etc/rc.conf is set to /sbin/sulogin, ensuring
+        that single user boots still require the root password to be provided.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="/etc/rc.conf rc_shell is set to /sbin/sulogin" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:22" version="1" class="compliance">
+    <metadata>
+      <title>Single user definitions in inittab should only refer to '/sbin/rc single' or '/sbin/sulogin'</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6" />
+      <description>
+        This definition tests if /etc/inittab single user login settings only refers
+        to '/sbin/rc single' or '/sbin/sulogin'.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:23" comment="/etc/inittab single user settings refers only to '/sbin/rc single' or '/sbin/sulogin'" />
+    </criteria>
+  </definition>
 </definitions>
 
 <tests>
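Review bot: The criterion comments in def:12 describe the wrong mount point — both lines say "/var/log/audit" while the test references are tst:5 and tst:12, which are the /tmp tests; they should read `comment="The /tmp location is on a separate partition"` and `comment="The /tmp partition is mounted with nodev mount option"`. In def:16 the second criterion comment says "nosuid mount option" but tst:17 is the /dev/shm noexec test, so `comment="The /dev/shm file system is mounted with noexec mount option"` is the intended text. Comments carry into OVAL results and reports, so mismatched ones make a failing check point the operator at the wrong file system. The same CCE id (CCE-4249-9) is reused for the /var, /var/log, /var/log/audit and /tmp nodev definitions; worth confirming that this is intended rather than a copy-paste leftover.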
@@ -145,9 +435,158 @@
   <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5" 
     version="1" check="all" check_existence="all_exist" 
     comment="Tests that /tmp is a separate file system">
-    <!-- /home partition -->
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:6" 
+    version="1" check="all" check_existence="all_exist" 
+    comment="Tests that /var is a separate file system">
+    <!-- /var partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:7" 
+    version="1" check="all" check_existence="all_exist" 
+    comment="Tests that /var/log is a separate file system">
+    <!-- /var/log partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:8" 
+    version="1" check="all" check_existence="all_exist" 
+    comment="Tests that /var/log/audit is a separate file system">
+    <!-- /var/log/audit partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:9"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var is mounted with nodev option">
+    <!-- /var partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:10"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var/log is mounted with nodev option">
+    <!-- /var/log partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:11"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var/log/audit is mounted with nodev option">
+    <!-- /var/log/audit partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:12"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is mounted with nodev option">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:13"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is mounted with nosuid option">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:14"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /dev/shm is a separate file system">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:15"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /dev/shm is mounted with nosuid option">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:16"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is mounted with noexec option">
+    <!-- /tmp file system -->
     <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+    <!-- "noexec" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
   </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:17"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /dev/shm is mounted with noexec option">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+    <!-- "noexec" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:18"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var/tmp is on its own file system">
+    <!-- /var/tmp file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:8" />
+  </lin-def:partition_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19"
+    version="1" check="at least one" check_existence="at_least_one_exists"
+    comment="Tests that CONFIG_QUOTA is in the kernel configuration">
+    <!-- The file containing kernel configuration -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" />
+    <!-- Match for "^CONFIG_QUOTA=[ym]" -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:20"
+    version="1" check="all" check_existence="none_exist"
+    comment="Tests that no telnet daemons are running">
+    <!-- Process matching "telnetd" -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:10" />
+  </unix-def:process58_test>
+
+  <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:21"
+    version="1" check="all" check_existence="none_exist"
+    comment="Tests that no FTP daemons are running">
+    <!-- Process matching "ftpd" -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:11" />
+  </unix-def:process58_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22"
+    version="1" check="at least one" check_existence="all_exist"
+    comment="Tests that rc_shell in /etc/rc.conf is set to /sbin/sulogin">
+    <!-- The variable settings in /etc/rc.conf -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12" />
+    <!-- Match for rc_shell=/sbin/sulogin -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+  </ind-def:textfilecontent54_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:23"
+    version="1" check="all" check_existence="at_least_one_exists"
+    comment="Tests that single-user boot only triggers '/sbin/rc single' or '/sbin/sulogin'">
+    <!-- The single-user boot rules in /etc/inittab -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13" />
+    <!-- The '/sbin/rc single' or '/sbin/sulogin' matches -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+  </ind-def:textfilecontent54_test>
+
 </tests>
 
 <objects>
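Review bot: tst:12 and tst:13 reference obj:2 for "/tmp partition", whereas tst:5 and the new tst:16 reference obj:3 for /tmp; the objects hunk shows the `/tmp` mount_point as the last object before obj:4, so obj:3 appears to be /tmp and tst:12/tst:13 would then evaluate the nodev and nosuid options of a different mount point. If that reading is right, the fix is `<lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />` in both tests, so the /tmp nodev/nosuid rules cannot pass on the strength of another partition's options. Separately, the ste:6 pattern used by tst:23 has no end anchor, so a single-user entry whose command starts with `/sbin/sulogin` but continues with something else still satisfies the state; consider terminating the pattern with `[[:space:]]*$` if the intent is to allow only those two commands.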
@@ -167,6 +606,64 @@
     <lin-def:mount_point>/tmp</lin-def:mount_point>
   </lin-def:partition_object>
 
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:4"
+    version="1" comment="The /var partition">
+    <lin-def:mount_point>/var</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:5"
+    version="1" comment="The /var/log partition">
+    <lin-def:mount_point>/var/log</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:6"
+    version="1" comment="The /var/log/audit partition">
+    <lin-def:mount_point>/var/log/audit</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:7"
+    version="1" comment="The /dev/shm file system">
+    <lin-def:mount_point>/dev/shm</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:8"
+    version="1" comment="The /var/tmp file system">
+    <lin-def:mount_point>/var/tmp</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9"
+    version="1" comment="The file containing kernel configuration">
+    <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^CONFIG_.*</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:10"
+    version="1" comment="Process matching telnetd in its command name">
+    <unix-def:command_line operation="pattern match">.*[Tt][Ee][Ll][Nn][Ee][Tt][Dd].*</unix-def:command_line>
+    <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+  </unix-def:process58_object>
+
+  <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:11"
+    version="1" comment="Process matching ftpd in its command name">
+    <unix-def:command_line operation="pattern match">.*[Ff][Tt][Pp][Dd].*</unix-def:command_line>
+    <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+  </unix-def:process58_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12"
+    version="1" comment="The /etc/rc.conf variable declarations">
+    <ind-def:filepath>/etc/rc.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^[[:space:]]*[\S]+[[:space:]]*=[[:space:]]*[\S]+</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13"
+    version="1" comment="The /etc/inittab contents">
+    <ind-def:filepath>/etc/inittab</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^[\S]+:S:[\S]+:.*</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
 </objects>
 
 <states>
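Review bot: obj:9 reads `/usr/src/linux/.config`, which is the configuration of the kernel source tree, not necessarily of the running kernel; a host that was configured with CONFIG_QUOTA but never rebooted into that kernel, or whose `/usr/src/linux` symlink points at a different tree, will pass def:18 without quota support being active. A comment on the object stating this limitation is the minimum, e.g. `<!-- Source-tree config; may differ from the booted kernel (/proc/config.gz is not readable by this probe) -->`. obj:10 and obj:11 match the substring anywhere in the command line, so an editor, pager or grep invocation with "telnetd" or "ftpd" in its arguments is reported as a running daemon; anchoring on the executable token, such as `^(\S*/)?(in\.)?telnetd(\s.*)?$`, would keep the intended daemon names while excluding unrelated processes. Whether the `in.` prefix variant is wanted depends on which daemons the rule is meant to cover.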
@@ -181,6 +678,26 @@
     <lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
   </lin-def:partition_state>
 
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:3"
+    version="1" comment="The file system is mounted with the noexec mount option">
+    <lin-def:mount_options entity_check="at least one">noexec</lin-def:mount_options>
+  </lin-def:partition_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4"
+    version="1" comment="Matching ^CONFIG_QUOTA=[ym]">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">^CONFIG_QUOTA=[ym]</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5"
+    version="1" comment="Matching rc_shell=/sbin/sulogin">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6"
+    version="1" comment="Single user boot lines may only match '/sbin/rc single' or '/sbin/sulogin'">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
 </states>
 
 <!--
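Review bot: The ste:5 pattern `rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?` is not anchored at the start of the line, and obj:12's pattern `^[[:space:]]*[\S]+...` also admits lines beginning with `#`, so a commented-out `#rc_shell=/sbin/sulogin` satisfies the state; with tst:22 using `check="at least one"`, such a line makes def:21 pass although the setting is not in effect. Anchoring the state, `^[[:space:]]*rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?[[:space:]]*$`, or excluding `#` from the first character class in obj:12, closes that gap. The trailing anchor likewise prevents a value with extra content after `/sbin/sulogin` from matching.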

diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 39af64c..bc6d977 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -8,6 +8,9 @@
   </description>
   <platform idref="cpe:/o:gentoo:linux"/>
   <version>20130917.1</version>
+  <model system="urn:xccdf:scoring:default" />
+  <model system="urn:xccdf:scoring:flat" />
+  <model system="urn:xccdf:scoring:flat-unweighted" />
   <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive" extends="xccdf_org.gentoo.dev.swift_profile_default">
     <title>Intensive validation profile</title>
     <description>
@@ -26,13 +29,48 @@
     </description>
     <!-- The /tmp location is a separate file system -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
+    <!-- The /var location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="true" />
+    <!-- The /var/log location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="true" />
+    <!-- The /var/log/audit location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="true" />
     <!-- The /home location is a separate file system -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
-    <!-- The /home partition is mounted with nosuid -->
-    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+    <!-- The /var/tmp location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="true" />
+    <!-- The /var partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="true" />
+    <!-- The /var/log partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
+    <!-- The /var/log/audit partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
     <!-- The /home partition is mounted with nodev -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
-
+    <!-- The /tmp partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
+    <!-- The /tmp partition is mounted with nosuid -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="true" />
+    <!-- The /home partition is mounted with nosuid -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+    <!-- The /dev/shm partition is mounted with nosuid -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="true" />
+    <!-- The /tmp partition is mounted with noexec -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="true" />
+     <!-- The /dev/shm partition is mounted with noexec -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
+    <!-- The hardened toolchain must be installated and used -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
+    <!-- Kernel quota support must be enabled -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
+    <!-- No telnetd process is running -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="true" />
+    <!-- No ftpd process is running -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="true" />
+    <!-- sulogin is used as shell for single user boot (definition /etc/rc.conf) -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="true" />
+    <!-- sulogin is used as shell for single user boot (definition /etc/inittab) -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="true" />
   </Profile>
   <Group id="xccdf_org.gentoo.dev.swift_group_intro">
     <title>Introduction</title>
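Review bot: L759 is indented one space more than the surrounding `<select>` comments and the comment on L761 misspells "installed" as "installated"; both are new lines, so fix them here: `    <!-- The /dev/shm partition is mounted with noexec -->` and `    <!-- The hardened toolchain must be installed and used -->`. The profile also selects `partition-devshm-nosuid`, `partition-devshm-noexec`, `telnetd-notrunning`, `ftpd-notrunning`, `rcconf-sulogin` and `inittab-sulogin`, none of which is defined in the parts of the file shown here; confirm each idref resolves to a Rule, since a select pointing at a missing rule will not surface as a failed check in the report.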
@@ -155,6 +193,84 @@
         Substitute the profile information in the commands above with the required profile.
       </description>
     </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_intro-weights">
+      <title>About the rule weights</title>
+      <description>
+        Within this guide, weights are assigned to tests to give some importance to
+        the rule (higher weight is more important) as well as a severity.
+        <h:br />
+        <h:br />
+        The severity is one of the following:
+        <h:ul>
+          <h:li>
+            <h:em>high</h:em> constitutes a grave or critical problem. A rule with this severity
+            <h:em>MUST</h:em> be tackled as it detected a misconfiguration that is easily
+            exploitable and could lead to full system compromise.
+          </h:li>
+          <h:li>
+            <h:em>medium</h:em> reflects a fairly serious problem. A rule with this severity
+            <h:em>SHOULD</h:em> be tackled as it detected a misconfiguration that is easily
+            exploitable.
+          </h:li>
+          <h:li>
+            <h:em>low</h:em> reflects a non-serious problem. A rule with this severity
+            has detected a misconfiguration but its influence on the overall system security
+            is minor (if other compliance rules are followed).
+          </h:li>
+          <h:li>
+            <h:em>info</h:em> reflects an informational rule. Failure to comply with this rule
+            does not mean failure to comply with the document itself.
+          </h:li>
+        </h:ul>
+        It is important to understand though that rules with a low severity can still lead to 
+        grave security problems if they are not met. Chaining of vulnerabilities or
+        misconfiguration can still lead to full system compromise.
+        <h:br />
+        <h:br />
+        For this reason, weights are added to rules as well. A higher weight has a more
+        severe potential impact.
+        <h:br />
+        <h:br />
+        Weights are the CVSS score that the author assumes is the case for a misconfiguration.
+        They are calculated by NVD's CVSS calculator. Each rule is scored individually; a 
+        "chain" of misconfigurations might lead to a significantly higher issue, but this would
+        make it very hard to make proper scoring. 
+        <h:br />
+        <h:br />
+        As an example, take the rule that says <h:code>/var</h:code> has to be on its own
+        partition. The metrics we fill in in the calculator are currently based on the risk
+        that the root file system is filled (no more free space), which can halt the system.
+        <h:ul>
+          <h:li>
+            The <h:em>related exploit range</h:em> (access vector) is "Local", because this is
+            by itself not exploitable remotely - unless of course certain services are running
+            that can fill up <h:code>/var</h:code>, but we do not take such assumptions.
+          </h:li>
+          <h:li>
+            The <h:em>attack complexity</h:em> (access complexity) is "Low", as all that is
+            needed is a local account and we can find the necessary ways to fill up
+            <h:code>/var</h:code>.
+          </h:li>
+          <h:li>
+            The <h:em>level of authentication needed</h:em> (authentication) is "Single"
+            as the attacker needs one authentication step (local access) to exploit.
+          </h:li>
+          <h:li>
+            The <h:em>confidentiality impact</h:em> is "None" (no data leakage)
+          </h:li>
+          <h:li>
+            The <h:em>integrity impact</h:em> is "None" (no data manipulation)
+          </h:li>
+          <h:li>
+            The <h:em>availability impact</h:em> is "Complete" (system crash or halt).
+          </h:li>
+        </h:ul>
+        This results in the CVSS base score of 4.6. The environmental score metrics and
+        temporal score metrics are ignored as those are too specific for environments
+        and organizations.
+      </description>
+      <reference href="https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2">NVD CVSS calculator</reference>
+    </Group>
   </Group>
   <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
     <title>Before we start</title>
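Review bot: The new weights group never states which CVSS version the weights are taken from; the reference on L856 points at the version 2 calculator and the vector comment used later in the file is labelled CVSS2, so say so in the text, e.g. on L818 `Weights are the CVSS (version 2) base score that the author assumes is the case for a misconfiguration.`. The worked example (L829-852) is the only place where the metrics behind a weight are spelled out; the per-rule comment style seen at L1244 (`<!-- CVSS2 AV:L/... -->`) is worth applying to every weighted rule so the 4.6/2.1/5.9 values can be rechecked later, noting that the vector on L1244 itself omits the `AC:H` component its own comment describes. The grammar of L1034-1035 also needs a small fix, `implement` rather than `implements`, as the subject is plural.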
@@ -279,7 +395,7 @@
         </description>
         <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
         Standard</reference>
-	<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
+        <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
           <title>Separate file systems for important locations</title>
           <description>
             Having a separate file system for important locations has several advantages, but
@@ -331,11 +447,42 @@
               <h:li>
                 <h:code>/tmp</h:code> as this is a world-writable location and requires
                 specific mount options. When possible, this location can be made a 
-                <h:em>tmpfs</h:em> file system.
+                <h:em>tmpfs</h:em> file system. This is to protect the root file system
+                from being flooded.
+              </h:li>
+              <h:li>
+                <h:code>/var</h:code> as this contains variable data (and thus is prone
+                to grow extensively depending on the installed services). This is to protect
+                the root file system from being flooded.
+              </h:li>
+              <h:li>
+                <h:code>/var/log</h:code> as this contains logging data (and thus is prone
+                to grow extensively depending on the services). This is to protect the 
+                <h:code>/var</h:code> file system from being flooded, as this might impact
+                various services (like databases, web servers, etc.).
+              </h:li>
+              <h:li>
+                <h:code>/var/log/audit</h:code> as this contains (potentially sensitive)
+                logging data. Some services refuse to continue if the audit target location
+                is full. Having the location separate from <h:code>/var/log</h:code> protects
+                the audit file system when <h:code>/var/log</h:code> would be flooded.
+              </h:li>
+              <h:li>
+                <h:code>/home</h:code> as this is completely under the control of end users.
+                It needs to be mounted with more secure settings (more about that later) and
+                should be separate both to protect the root file system, but also to allow
+                the <h:code>/home</h:code> location to be either shared or used elsewhere.
+              </h:li>
+              <h:li>
+                <h:code>/var/tmp</h:code> which is a "second" <h:code>/tmp</h:code> location,
+                but where the content is preserved after a reboot. Still, it is world-writable
+                and requires specific mount options, and should be on a different file system
+                to prevent <h:code>/var</h:code> to be flooded which might impact the
+                availability of services.
               </h:li>
             </h:ul>
           </description>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false">
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false" severity="medium" weight="4.6">
             <title>Test if /tmp is a separate file system</title>
             <fixtext>
               Create a file system for <h:code>/tmp</h:code>; make sure it is added in
@@ -345,72 +492,60 @@
               <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" />
             </check>
           </Rule>
-	</Group>
-        <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
-          <title>/home Location</title>
-          <description>
-            The <h:code>/home</h:code> location should be on its own partition,
-            allowing the administrator to mount this location with specific
-            options targetting the file systems' security settings or quota. It
-            also prevents the system to become unresponsive when a user starts
-            filling up his home directory, although quota support can be used
-            to mitigate this risk as well.
-            <h:br />
-            <h:br />
-            Next to the separate file system, it should also be mounted with
-            the <h:em>nosuid</h:em> mount option. When a vulnerability in a
-            software, or a rogue user, would somehow place a setuid binary in
-            this home directory in order to create a simple backdoor to gain
-            root privileges, this mount option disables the setuid ability.
-            <h:br />
-            <h:br />
-            There is also no reason for the <h:code>/home</h:code> location to
-            contain any device files, so mount it with <h:em>nodev</h:em> too.
-            If an attacker would somehow be able to create sensitive device files
-            with the rights for him to read/write to those device files, then he
-            might be able to impact the system security.
-          </description>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false">
-            <title>Test if /home is a separate partition</title>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="false" severity="medium" weight="4.6">
+            <title>Test if /var is a separate file system</title>
             <fixtext>
-              Create a file system for the user home files and mount it at <h:code>/home</h:code>
-              after migrating the users' files to it.
+              Create a file system for <h:code>/var</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
             </fixtext>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="gentoo-oval.xml" />
             </check>
           </Rule>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false">
-            <title>Test if /home is mounted with nosuid</title>
-            <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
-            <!-- TODO can we put in multiple fixes? I would like to add in one
-                 that asks the user (not automatically) to update fstab -->
-            <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
-              system="urn:xccdf:fix:system:commands"
-              platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
-mount -o remount,nosuid /home
-            </fix>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="false" severity="low" weight="2.1">
+            <title>Test if /var/log is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/var/log</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="gentoo-oval.xml" />
             </check>
           </Rule>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false">
-            <title>Test if /home is mounted with nodev</title>
-            <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
-            <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
-              system="urn:xccdf:fix:system:commands"
-              platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
-mount -o remount,nodev /home
-            </fix>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="false" severity="low" weight="2.1">
+            <title>Test if /var/log/audit is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/var/log/audit</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="gentoo-oval.xml" />
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false" severity="medium" weight="4.6">
+            <title>Test if /home is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/home</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="false" severity="low" weight="2.1">
+            <title>Test if /var/tmp is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/var/tmp</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="gentoo-oval.xml" />
             </check>
           </Rule>
         </Group>
       </Group>
     </Group>
-    <!-- 
-    <Group id="gt-installation-toolchain">
+    <Group id="xccdf_org.gentoo.dev.swift_group_installation-toolchain">
       <title>Use a Hardened Toolchain</title>
       <description>
         When you install Gentoo, use the hardened stages and hardened toolchain.
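Review bot: The /home rationale for nosuid and nodev (removed at L920-943) is dropped together with the `partition-home-nosuid` and `partition-home-nodev` rules, while the Profile hunk above still selects both ids (L747, L754); `partition-home-nodev` reappears in the final hunk (L1284), but the nosuid counterpart lies beyond the end of this view, so confirm it is re-added before the profile is run. The open TODO about attaching more than one fix to a rule (L962-963) disappears with the old rule; if the question is still open, carry it over to the new mount-option rules, e.g. `<!-- TODO: can more than one fix be attached (remount plus a manual fstab edit)? -->`. The new /var/tmp rule references `oval:org.gentoo.dev.swift:def:17` (L1016) while its siblings use def:6-8; the OVAL hunk holding that definition is not in this view, so verify the id exists.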
@@ -418,12 +553,25 @@ mount -o remount,nodev /home
         support for non-executable program stacks and buffer overflow detection.
         <h:br />
         <h:br />
+        <h:ul>
+          <h:li>
+            <h:em>Position Independent Executables (PIE)</h:em> and <h:em>Position Independent
+            Code (PIC)</h:em> implements a memory hardening approach where the application
+            (or library), when loaded to memory, does not have hard requirements where in
+            memory it is loaded. Together with ASLR this makes it more difficult for exploits
+            to know at which memory region certain data will be available.
+          </h:li>
+          <h:li>
+            <h:em>Stack Smashing Protection (SSP)</h:em> adds markers outside buffer areas
+            to detect buffer overflow attacks, killing the application rather than effectively
+            having the overflow succeed.
+          </h:li>
+        </h:ul>
         During installation, make sure that the <h:em>default</h:em> hardened
         toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
         those are toolchains where specific settings are disabled. The
         <h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
-        <h:pre>
-# <h:b>gcc-config -l</h:b>
+        <h:pre># <h:b>gcc-config -l</h:b>
  [1] x86_64-pc-linux-gnu-4.4.5 *
  [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
  [3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref
@@ -431,7 +579,19 @@ mount -o remount,nodev /home
  [5] x86_64-pc-linux-gnu-4.4.5-hardenednossp
  [6] x86_64-pc-linux-gnu-4.4.5-vanilla</h:pre>
       </description>
-    </Group>
+      <Rule id="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="false" severity="low" weight="0.0">
+        <title>Test if the hardened toolchain is used</title>
+        <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened">
+          Use a hardened Gentoo profile and select the default compiler (not vanilla
+          nor any of the hardenedno* ones).
+        </fixtext>
+        <check system="http://open-scap.org/page/SCE">
+          <check-import import-name="stdout" />
+          <check-content-ref href="bin/gentoo-sce_installation-toolchain-hardened.sh" />
+        </check>
+      </Rule>
+    </Group> <!-- installation-toolchain -->
+    <!-- 
     <Group id="gt-installation-selinux">
       <title>Use a Mandatory Access Control system</title>
       <description>
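Review bot: The fixtext on L1063 carries `fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened"`, but the Rule (L1061-1071) defines no `<fix>` with that id, so the reference dangles; either drop the attribute (the text is a manual instruction) or add the fix element it names. The rule is also given `weight="0.0"` (L1061), which under the default scoring model excludes it from the weighted average, and the weights group introduced earlier defines weight as an assumed CVSS score; if a zero weight is intentional, `severity="info"` fits better than `low`, and a short comment such as `<!-- weight 0.0: the hardened toolchain is defence in depth, not a scored misconfiguration -->` would make the choice explicit. The SCE check imports stdout (L1068) from a script that is part of this commit but not of this view.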
@@ -452,84 +612,231 @@ mount -o remount,nodev /home
       <reference href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux project page</reference>
     </Group>
     -->
-  </Group>
-  <!-- 
-  <Group id="gt-system">
-    <title>System Settings</title>
+  </Group> <!-- installation -->
+  <Group id="xccdf_org.gentoo.dev.swift_group_system">
+    <title>System settings</title>
     <description>
-      Within this chapter, we describe the (recommended) settings that can be
-      adjusted relatively easily, even when a Gentoo installation has already
-      been performed. This is the bulk of the security settings.
+      Within this chapter, the (recommended) settings that can be adjusted relatively easily
+      are presented, even when a Gentoo installation has already been performed. This is the
+      bulk of the security settings.
     </description>
-    <Group id="gt-system-mounts">
-      <title>Mounts and Mount Points</title>
+    <Group id="xccdf_org.gentoo.dev.swift_group_system-fs">
+      <title>File system related settings</title>
       <description>
-        When mounting file systems, options can be presented that add or remove
-        features from the mount point. Some of these options can be used to
-        restrict actions taken or originating from the file system.
-        <h:br />
-        <h:br />
-        Mount options can be set in <h:code>/etc/fstab</h:code> in the fourth column.
-        <h:pre>
-# <h:b>vim /etc/fstab</h:b>
-[...]
-tmpfs      /tmp      tmpfs      defaults<h:b>,nosuid,noexec,nodev</h:b>   0 0</h:pre>
-        <h:br />
-        Important mount options that are used later are:
-        <h:ul>
-          <h:li>
-            <h:code>nosuid</h:code> will ignore SUID bits on binaries. If such
-            a binary is encountered, it is executed as if it did not have the SUID
-            bit set.
-          </h:li>
-          <h:li>
-            <h:code>noexec</h:code> will prevent direct execution of files or
-            binaries from this partition.
-          </h:li>
-          <h:li>
-            <h:code>nodev</h:code> will ignore device files in this partition.
-          </h:li>
-        </h:ul>
-        <h:br />
-        Even though these mount options can be worked around, it is a first line
-        of defence against popular exploits and worms.
+        Servers and systems are about manipulating data. In this chapter, the security settings
+        for file systems are explained.
       </description>
-      <Group id="gt-system-mounts-tmp">
-        <title>Temporary Files</title>
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
+        <title>Appropriate mount options for the file systems</title>
         <description>
-          The <h:code>/tmp</h:code> location is world writable, allowing for
-          any service to put temporary files in it that are required during
-          service operation.
+          Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
+          This mount option ensures that device files are not allowed on these file systems
+          (and if they are there, they are ignored by the Linux kernel for any device
+          operation).
           <h:br />
           <h:br />
-          This location should be a tmpfs file system (so that its content is
-          cleared during shut down or reboot) and mounted with nosuid,noexec and
-          nodev mount options (to reduce the impact when an exploit is attempted from
-          within this location).
-          <h:pre>
-tmpfs   /tmp   tmpfs       defaults,nosuid,noexec,nodev     0 0</h:pre>
-          Also, the location must have the sticky bit set (cfr the trailing 't' in the
-          output of <h:b>ls -ld</h:b>).
-          <h:pre>
-# <h:b>ls -ld /tmp</h:b>
-drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
-          Of course, using <h:code>tmpfs</h:code> does not give you freedom nor a 
-          secure means to write security sensitive information in <h:code>/tmp</h:code>.
-        </description>
-      </Group>
-      <Group id="gt-system-mounts-home">
-        <title>Home Directories</title>
-        <description>
-          The <h:code>/home</h:code> location is used to host end user files.
-          To reduce the risk of an exploit being launched, it is adviseable to
-          mount this partition with the <h:code>nosuid,nodev</h:code> mount options.
+          Having device files on non-root file systems could allow unauthorized people access
+          to sensitive data (for instance when having a readable raw disk device files) or
+          even manipulate the system.
           <h:br />
-          <h:pre>
-/dev/mapper/volgrp-home   /home   ext4     noatime,nosuid,nodev,data=journal   0 2</h:pre>
+          <h:br />
+          The privilege to create special device files (beyond regular sockets) such as
+          character and block device files is handled through the CAP_MKNOD capability
+          which is not granted to regular users. As such, the risk is when more privileged
+          users or processes are tricked to create such device files.
+          <h:br />
+          <h:br />
+          This setting is appropriate for file systems such as (non-exhaustive list):
+          <h:ul>
+            <h:li>
+              <h:code>/var</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/var/log</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/var/log/audit</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/home</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/tmp</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+          </h:ul>
+          Specific file systems should also be mounted with the <h:em>nosuid</h:em> mount
+          option. This prevents setuid binaries to run as a different user when hosted
+          on this file system. As there are several locations where setuid binaries might
+          be needed, this only affects particular file systems:
+          <h:ul>
+            <h:li>
+              The <h:code>/tmp</h:code> file system should not be used for setuid binaries
+              as this is a world-writable location and often target storage for attacks.
+            </h:li>
+            <h:li>
+              The <h:code>/home</h:code> file system should not be used for setuid binaries
+              as this is the home location for non-root users.
+            </h:li>
+            <h:li>
+              The <h:code>/dev/shm</h:code> file system should not be used for any binaries
+              (shared memory region).
+            </h:li>
+          </h:ul>
+          Specific file systems should also be mounted with the <h:em>noexec</h:em> mount
+          option. This prevents some automated attacks to execute certain payload (exploits)
+          from these locations.
+          <h:br />
+          <h:br />
+          This is just one of the many "layers" though, as executing payload can still be
+          done using different methods. For instance, scripts can be invoked through the
+          shell itself (rather than directly) and in the past, binaries could even be
+          executed through the <h:code>ld-linux.so</h:code> binary (although this has
+          been fixed).
+          <h:br />
+          <h:br />
+          File systems for which <h:em>noexec</h:em> is recommended are:
+          <h:ul>
+            <h:li>
+              The <h:code>/tmp</h:code> file system as it is a popular target to store exploit
+              code in.
+            </h:li>
+            <h:li>
+              The <h:code>/dev/shm</h:code> file system as it is meant as a shared memory
+              location and is becoming a popular target to store exploit code in.
+            </h:li>
+          </h:ul>
         </description>
-      </Group>
-      <Group id="gt-system-mounts-quotas">
-        <title>Quota's</title>
+        <!-- CVSS2 AV:L/Au:M/C:C/I:C/A:C (high complexity as device node needs
+             to be created first and is then only exploitable after local access.
+             Multiple authentication (one to create device file, one to log on)
+        -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /var is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev">Mount /var with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /var/log is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev">Mount /var/log with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var/log
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /var/log/audit is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev">Mount /var/log/audit with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var/log/audit
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /home is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /home
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <!-- Higher severity due to more best practices and world writeable,
+             also more likely that exploit of process is done towards /tmp -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="false" severity="medium" weight="5.9">
+          <title>Test if /tmp is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev">Mount /tmp with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /tmp
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="false" severity="medium" weight="5.9">
+          <title>Test if /tmp is mounted with nosuid</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid">Mount /tmp with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /tmp
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false" severity="low" weight="5.9">
+          <title>Test if /home is mounted with nosuid</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /home
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="false" severity="medium" weight="5.9">
+          <title>Test if /dev/shm is mounted with nosuid</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid">Mount /dev/shm with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /dev/shm
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <!-- Weight is 0 as this is a means to exploit, not exploitable by
+             itself -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="false" severity="medium" weight="0.0">
+          <title>Test if /tmp is mounted with noexec</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec">Mount /tmp with noexec mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,noexec /tmp
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="false" severity="medium" weight="0.0">
+          <title>Test if /dev/shm is mounted with noexec</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,noexec /dev/shm
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+      </Group> <!-- system-fs-mountoptions -->
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-quotas">
+        <title>Disk quota support</title>
         <description>
           Most file systems support the notion of <h:em>quotas</h:em> - limits
           on the amount of data / files you are allowed to have on that
@@ -541,15 +848,13 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
           <h:br />
           <h:br />
           Next, install the <h:code>sys-fs/quota</h:code> package.
-          <h:pre>
-# <h:b>emerge quota</h:b></h:pre>
+          <h:pre># <h:b>emerge quota</h:b></h:pre>
           Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
           the partitions (in <h:code>/etc/fstab</h:code>) where you want to
           enable quotas on. For instance, the following snippet from
           <h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
           and <h:code>/home</h:code>.
-          <h:pre>
-/dev/mapper/volgrp-home  /home  ext4  noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b>  0 0
+          <h:pre>/dev/mapper/volgrp-home  /home  ext4  noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b>  0 0
 /dev/mapper/volgrp-var   /var   ext4  noatime,<h:b>usrquota,grpquota</h:b>               0 0
 </h:pre>
           Finally, add the <h:code>quota</h:code> service to the boot runlevel.
@@ -563,10 +868,17 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
         href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
         Disk Usage with Quotas (LinuxHomeNetworking)</reference>
         <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
-      </Group>
-    </Group>
-    <Group id="gt-system-services">
-      <title>Services</title>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="false" severity="low" weight="1.7">
+          <title>Test if the kernel supports quota (CONFIG_QUOTA)</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_kernel-quota">Rebuild the Linux kernel with quota support (CONFIG_QUOTA)</fixtext>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+      </Group> <!-- system-fs-quotas -->
+    </Group> <!-- system-fs -->
+    <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
+      <title>System services</title>
       <description>
         Services (daemons) are the primary reason for a server to exist.
         They represent the function of the server. For instance, a web server
@@ -574,20 +886,20 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
         named service.
         <h:br />
         <h:br />
-        In this benchmark, we will only focus on those services that are either
+        In this benchmark, the focus is on those services that are either
         default available on a Gentoo installation (like SSHd) or that are 
         commonly used in Gentoo server architectures (like rsync). For the other
-        services, we refer to other benchmarks.
+        services it is wise to consult other hardening guides specific for those
+        services.
       </description>
       <reference href="http://www.cisecurity.org">Center for Internet Security,
       host of many service benchmarks</reference>
-      <Group id="gt-system-services-disable">
-        <title>Disable Unsafe Services</title>
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-disable">
+        <title>Disable unsafe services</title>
         <description>
-          We recommend not to enable the following services unless absolutely
-          necessary. These services use plain-text protocols and as thus unsafe
-          to use on untrusted networks (like the Internet, but also internal
-          networks).
+          It is recommended to disable (or even uninstall) the following services unless
+          absolutely necessary. These services use plain-text protocols and are as such unsafe
+          to use on (untrusted) networks.
           <h:ul>
             <h:li>Telnet service</h:li>
             <h:li>FTP Service</h:li>
@@ -596,25 +908,76 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
           It is recommended to substitute these services with their more secure
           counterparts (like sFTP, SSH, ...).
         </description>
+        <!-- Max score: password in clear text and your system is compromised (if it is root) -->
+	<Rule id="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="false" severity="high" weight="10.0">
+          <title>Test if no telnet daemons are running</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning">Stop telnet services</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+for service in /etc/init.d/*telnet*; do test -f ${service} &amp;&amp; run_init rc-service ${service##*/} stop; done
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <!-- Partial breach, assuming accounts are not system accounts -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="false" severity="medium" weight="7.5">
+          <title>Test if no FTP daemons are running</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning">Stop FTPd services</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+for service in /etc/init.d/*ftp*; do test -f ${service} &amp;&amp; run_init rc-service ${service##*/} stop; done
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
       </Group>
-      <Group id="gt-system-services-sulogin">
-        <title>Require Single-User Boot to Give Root Password</title>
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-sulogin">
+        <title>Require single-user boot to give root password</title>
         <description>
           When a system is booted in single user mode, some users might find it
-          handy to immediately get a root prompt; others even have a specific
+          handy to immediately get a root prompt; many even have a specific
           bootloader entry to boot in single user mode.
           <h:br />
           <h:br />
           It is important that, for a more secure server environment, even
           booting in single user mode requires the user to enter the root
-          password. This is already done by default in Gentoo and is part of
-          <h:code>/etc/inittab</h:code>'s definition:
-          <h:pre>
-su0:S:wait:/sbin/rc single
+          password. This is already done by default in Gentoo through the
+          <h:code>rc_shell</h:code> variable in <h:code>/etc/rc.conf</h:code>.
+          <h:br />
+          <h:br />
+          Administrators should also make sure that no direct shells are provided
+          in <h:code>/etc/inittab</h:code> for single-user mode. Gentoo's
+          <h:code>/etc/inittab</h:code> definition should look like so:
+          <h:pre>su0:S:wait:/sbin/rc single
 <h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre>
         </description>
+        <!-- CVSS2: AV:L/AC:H/Au:S/C:C/I:C/A:C (high attack complexity due to console access) -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="false" severity="medium" weight="6.0">
+          <title>Test if sulogin is used for single-user boot (/etc/rc.conf)</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin">Set /sbin/sulogin for rc_shell</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:21" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
+          <title>Test if sulogin is used for single-user boot (/etc/inittab)</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">Set /sbin/sulogin or '/sbin/rc single' for single-user boot</fixtext>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+
       </Group>
-      <Group id="gt-system-services-tcpwrappers">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-tcpwrappers">
         <title>Properly Configure TCP Wrappers</title>
         <description>
           With TCP wrappers, services that support TCP wrappers (or those
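Review bot: The telnetd-notrunning and ftpd-notrunning fixes only stop the running daemon; nothing removes it from its runlevel, so the service comes back at the next boot and the rule fails again although the fix is tagged `reboot="false"`. Removing the runlevel entry after the stop (and quoting the expansions ShellCheck flags) makes the remediation stick: `for service in /etc/init.d/*telnet*; do test -f "${service}" && run_init rc-service "${service##*/}" stop && rc-update del "${service##*/}"; done`. `run_init` is the SELinux wrapper and is presumably not installed on non-SELinux Gentoo hosts, so the fix should either fall back to a plain `rc-service` call or document that dependency. The `sed` in the rcconf-sulogin fix only rewrites an existing uncommented `rc_shell=` line; when the variable is commented out or absent the command is a silent no-op, so append the setting when nothing matched, e.g. `grep -q '^rc_shell=' /etc/rc.conf || echo 'rc_shell="/sbin/sulogin"' >> /etc/rc.conf`.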
@@ -628,7 +991,7 @@ su0:S:wait:/sbin/rc single
           <h:b>man 5 hosts_access</h:b>.
         </description>
       </Group>
-      <Group id="gt-system-services-ssh">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
         <title>SSH Service</title>
         <description>
           The SSH service is used for secure remote access towards a system, but
@@ -639,13 +1002,13 @@ su0:S:wait:/sbin/rc single
           Please use the "Hardening OpenSSH" guide for the necessary instructions.
         </description>
       </Group>
-      <Group id="gt-system-services-cron">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
         <title>Cron Service</title>
         <description>
           A cron service is used to schedule tasks and processes on predefined
           times. Cron is most often used for regular maintenance tasks.
         </description>
-        <Group id="gt-system-services-cron-acl">
+        <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
           <title>Only Allow Trusted Accounts Cron Access</title>
           <description>
             Only allow trusted accounts to use cron. You should list trusted
@@ -653,14 +1016,14 @@ su0:S:wait:/sbin/rc single
           </description>
         </Group>
       </Group>
-      <Group id="gt-system-services-at">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at">
         <title>At Service</title>
         <description>
           The at service allows users to execute a task once on a given time.
           Unlike cron, this is not scheduled repeatedly - once executed, the
           task is considered completed and at will not invoke it again.
         </description>
-        <Group id="gt-system-services-at-acl">
+        <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
           <title>Only Allow Trusted Accounts At Access</title>
           <description>
             Only allow trusted accounts to use at. You should list trusted
@@ -668,7 +1031,7 @@ su0:S:wait:/sbin/rc single
           </description>
         </Group>
       </Group>
-      <Group id="gt-system-services-ntp">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
         <title>NTP Service</title>
         <description>
           With NTP, systems can synchronise their clocks, ensuring correct date
@@ -676,7 +1039,7 @@ su0:S:wait:/sbin/rc single
           cause misinterpretation of log files or even unwanted execution of
           commands.
         </description>
-        <Group id="gt-system-services-ntp-sync">
+        <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
           <title>Synchronise The System Clock</title>
           <description>
             Synchronise your systems' clock with an authorative NTP server, and
@@ -690,6 +1053,11 @@ su0:S:wait:/sbin/rc single
         </Group>
       </Group>
     </Group>
+  </Group> <!-- system -->
+    <!--
+    <Group id="gt-system-services">
+      
+    </Group>
     <Group id="gt-system-portage">
       <title>Portage Settings</title>
       <description>
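Review bot: The `<!--` opened right after `</Group> <!-- system -->` is not closed within this hunk, so the Portage group and whatever follows it are now commented out of the benchmark; presumably the matching `-->` sits further down, but nothing records why the content is parked or when it should return, and oscap will silently evaluate without those rules. A one-line reason avoids that being forgotten, e.g. `<!-- TODO: groups below still use the old gt-* ids and are disabled until converted to xccdf_org.gentoo.dev.swift_* ids`. The empty `<Group id="gt-system-services">` placeholder inside the comment duplicates the group renamed earlier in this commit and can be dropped.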

