* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-17 19:07 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-17 19:07 UTC (permalink / raw
To: gentoo-commits
commit: 0d2ac8872167ed30797a5dcd6cf158bab250c7bc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Sep 17 19:06:23 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Sep 17 19:06:23 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=0d2ac887
Add remediation support
---
xml/SCAP/Makefile | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 5964888..ac0b4e2 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,4 +1,4 @@
-all: report.html guide.html
+all: report.html guide.html remediate.sh
report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
@@ -6,7 +6,14 @@ report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
+remediate.sh: results-xccdf.xml
+ oscap xccdf generate fix --output remediate.sh results-xccdf.xml
+ chmod 0644 remediate.sh
+
eval:
oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml
-.PHONY: all eval
+clean:
+ -rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh
+
+.PHONY: all eval clean
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-17 19:07 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-17 19:07 UTC (permalink / raw
To: gentoo-commits
commit: d88ab0ae8f09a427faea0822761bba3a6596f216
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Sep 17 19:01:39 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Sep 17 19:01:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d88ab0ae
Updates on SCAP - Test and generate fix code
---
xml/SCAP/Makefile | 12 +-
xml/SCAP/gentoo-oval.xml | 35 +++-
xml/SCAP/gentoo-oval.xml.result.xml | 166 ------------------
xml/SCAP/gentoo-xccdf.xml | 33 +++-
xml/SCAP/report.html | 292 --------------------------------
xml/SCAP/results-xccdf.xml | 326 ------------------------------------
6 files changed, 72 insertions(+), 792 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 81ebe1c..5964888 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,2 +1,12 @@
+all: report.html guide.html
+
report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- oscap xccdf eval --cpe gentoo-cpe.xml --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
+ oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
+
+guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
+ oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
+
+eval:
+ oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml
+
+.PHONY: all eval
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index d2ece23..b520353 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -53,6 +53,24 @@
<criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition" />
</criteria>
</definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:3" version="1" class="compliance">
+ <metadata>
+ <title>The /home file system is mounted with the nosuid option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the /home partition is mounted with the nosuid
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="The /home partition is mounted with nosuid mount option" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -70,6 +88,15 @@
<!-- /home partition -->
<lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
</lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:3"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /home is mounted with nosuid option">
+ <!-- /home partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <!-- "nosuid" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+ </lin-def:partition_test>
</tests>
<objects>
@@ -85,10 +112,14 @@
</lin-def:partition_object>
</objects>
-<!--
<states>
+
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:1"
+ version="1" comment="The file system is mounted with the nosuid mount option">
+ <lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options>
+ </lin-def:partition_state>
+
</states>
--->
<!--
<variables>
diff --git a/xml/SCAP/gentoo-oval.xml.result.xml b/xml/SCAP/gentoo-oval.xml.result.xml
deleted file mode 100644
index 5ae9a7a..0000000
--- a/xml/SCAP/gentoo-oval.xml.result.xml
+++ /dev/null
@@ -1,166 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<oval_results xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-results-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-results-5 oval-results-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
- <generator>
- <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name>
- <oval:schema_version>5.10</oval:schema_version>
- <oval:timestamp>2013-09-17T20:24:00</oval:timestamp>
- </generator>
- <directives>
- <definition_true reported="true" content="full"/>
- <definition_false reported="true" content="full"/>
- <definition_unknown reported="true" content="full"/>
- <definition_error reported="true" content="full"/>
- <definition_not_evaluated reported="true" content="full"/>
- <definition_not_applicable reported="true" content="full"/>
- </directives>
- <oval_definitions xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
- <generator>
- <oval:product_name>OVAL Gentoo Linux</oval:product_name>
- <oval:product_version>20130917.1</oval:product_version>
- <oval:schema_version>5.10</oval:schema_version>
- <oval:timestamp>2013-09-17T19:42:00</oval:timestamp>
- </generator>
- <definitions>
- <definition id="oval:org.gentoo.dev.swift:def:2" version="1" class="compliance">
- <metadata>
- <title>The /home location must be a separate file system</title>
- <affected family="unix">
- <platform>Gentoo Linux</platform>
- </affected>
- <reference source="CCE" ref_id="CCE-14559-9" ref_url="http://nvd.nist.gov/cce/index.cfm"/>
- <description>
- This definition tests whether the /home location is a separate file
- system.
- </description>
- </metadata>
- <criteria>
- <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
- </criteria>
- </definition>
- <definition id="oval:org.gentoo.dev.swift:def:1" version="1" class="inventory">
- <metadata>
- <title>Gentoo Linux is installed</title>
- <affected family="unix">
- <platform>Gentoo Linux</platform>
- </affected>
- <description>
- This definition tests whether Gentoo Linux is installed.
- </description>
- </metadata>
- <criteria>
- <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="The /etc/gentoo-release file exists"/>
- </criteria>
- </definition>
- </definitions>
- <tests>
- <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check_existence="all_exist" check="all" comment="Tests that /home is a separate file system">
- <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
- </lin-def:partition_test>
- <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check_existence="all_exist" check="all" comment="Tests that /etc/gentoo-release exists">
- <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
- </unix-def:file_test>
- </tests>
- <objects>
- <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="The /home partition">
- <lin-def:mount_point>/home</lin-def:mount_point>
- </lin-def:partition_object>
- <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="The /etc/gentoo-release file">
- <unix-def:filepath>/etc/gentoo-release</unix-def:filepath>
- </unix-def:file_object>
- </objects>
- </oval_definitions>
- <results>
- <system>
- <definitions>
- <definition definition_id="oval:org.gentoo.dev.swift:def:2" result="true" version="1">
- <criteria operator="AND" result="true">
- <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" version="1" result="true"/>
- </criteria>
- </definition>
- <definition definition_id="oval:org.gentoo.dev.swift:def:1" result="not evaluated" version="1">
- <criteria operator="AND" result="not evaluated">
- <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" version="1" result="not evaluated"/>
- </criteria>
- </definition>
- </definitions>
- <tests>
- <test test_id="oval:org.gentoo.dev.swift:tst:2" version="1" check_existence="all_exist" check="all" result="true">
- <tested_item item_id="1277011" result="not evaluated"/>
- </test>
- <test test_id="oval:org.gentoo.dev.swift:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
- </tests>
- <oval_system_characteristics xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:unix-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix" xmlns:ind-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent" xmlns:lin-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5 oval-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent independent-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix unix-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux linux-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.x
sd">
- <generator>
- <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name>
- <oval:schema_version>5.10</oval:schema_version>
- <oval:timestamp>2013-09-17T20:24:00</oval:timestamp>
- </generator>
- <system_info>
- <os_name>Linux</os_name>
- <os_version>#5 SMP PREEMPT Wed Aug 14 18:25:47 CEST 2013</os_version>
- <architecture>x86_64</architecture>
- <primary_host_name>hpl</primary_host_name>
- <interfaces>
- <interface>
- <interface_name>lo</interface_name>
- <ip_address>127.0.0.1</ip_address>
- <mac_address>00:00:00:00:00:00</mac_address>
- </interface>
- <interface>
- <interface_name>wlan0</interface_name>
- <ip_address>192.168.1.3</ip_address>
- <mac_address>F0:7B:CB:0F:5A:3B</mac_address>
- </interface>
- <interface>
- <interface_name>tap0</interface_name>
- <ip_address>192.168.100.1</ip_address>
- <mac_address>22:45:EA:47:E5:69</mac_address>
- </interface>
- <interface>
- <interface_name>lo</interface_name>
- <ip_address>::1</ip_address>
- <mac_address>00:00:00:00:00:00</mac_address>
- </interface>
- <interface>
- <interface_name>wlan0</interface_name>
- <ip_address>fe80::f27b:cbff:fe0f:5a3b</ip_address>
- <mac_address>F0:7B:CB:0F:5A:3B</mac_address>
- </interface>
- <interface>
- <interface_name>tap0</interface_name>
- <ip_address>2001:db8:81:e2:0:26b5:365b:5072</ip_address>
- <mac_address>22:45:EA:47:E5:69</mac_address>
- </interface>
- <interface>
- <interface_name>tap0</interface_name>
- <ip_address>fe80::2045:eaff:fe47:e569</ip_address>
- <mac_address>22:45:EA:47:E5:69</mac_address>
- </interface>
- </interfaces>
- </system_info>
- <collected_objects>
- <object id="oval:org.gentoo.dev.swift:obj:2" version="1" flag="complete">
- <reference item_ref="1277011"/>
- </object>
- </collected_objects>
- <system_data>
- <lin-sys:partition_item id="1277011" status="exists">
- <lin-sys:mount_point>/home</lin-sys:mount_point>
- <lin-sys:device>/dev/mapper/volgrp-home</lin-sys:device>
- <lin-sys:fs_type>ext4</lin-sys:fs_type>
- <lin-sys:mount_options>rw</lin-sys:mount_options>
- <lin-sys:mount_options>seclabel</lin-sys:mount_options>
- <lin-sys:mount_options>nosuid</lin-sys:mount_options>
- <lin-sys:mount_options>nodev</lin-sys:mount_options>
- <lin-sys:mount_options>noatime</lin-sys:mount_options>
- <lin-sys:mount_options>nodelalloc</lin-sys:mount_options>
- <lin-sys:mount_options>data=journal</lin-sys:mount_options>
- <lin-sys:total_space datatype="int">15449087</lin-sys:total_space>
- <lin-sys:space_used datatype="int">12723993</lin-sys:space_used>
- <lin-sys:space_left datatype="int">2725094</lin-sys:space_left>
- </lin-sys:partition_item>
- </system_data>
- </oval_system_characteristics>
- </system>
- </results>
-</oval_results>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 28098a7..a501b53 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -26,6 +26,8 @@
</description>
<!-- The /home location is a separate file system -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
+ <!-- The /home partition is mounted with nosuid -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
</Profile>
<Group id="xccdf_org.gentoo.dev.swift_group_intro">
<title>Introduction</title>
@@ -106,7 +108,7 @@
the following command is used to generate the HTML output:
<h:br />
<h:pre>### Command to generate this guide ###
-# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml > output.html</h:b>
+# <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b>
</h:pre>
<h:br />
Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
@@ -116,11 +118,11 @@
<h:br />
Now, to validate the tests, you can use the following commands:
<h:pre>### Testing the rules mentioned in the XCCDF document ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre>
+# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre>
<h:br />
To generate a full report in HTML as well, you can use the next command:
<h:pre>### Testing the rules and generating an HTML report ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre>
+# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre>
<h:br />
<h:br />
Finally, this benchmark will suggest some settings which you do not want
@@ -280,13 +282,34 @@
The <h:code>/home</h:code> location should be on its own partition,
allowing the administrator to mount this location with specific
options targetting the file systems' security settings or quota.
+ <h:br />
+ <h:br />
+ Next to the separate file system, it should also be mounted with
+ the <h:em>nosuid</h:em> mount option. When a vulnerability in a
+ software, or a rogue user, would somehow place a setuid binary in
+ this home directory in order to create a simple backdoor to gain
+ root privileges, this mount option disables the setuid ability.
</description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true">
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false">
<title>Test if /home is a separate partition</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
</check>
</Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false">
+ <title>Test if /home is mounted with nosuid</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
+ <!-- TODO can we put in multiple fixes? I would like to add in one
+ that asks the user (not automatically) to update fstab -->
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /home
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group>
</Group>
@@ -921,7 +944,7 @@ session required pam_unix.so</h:pre>
<title>World writeable directories must have sticky bit set</title>
<description>World writeable directories must have sticky bit set</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref href="scap-gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" />
+ <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" />
</check>
</Rule>
</Group>
diff --git a/xml/SCAP/report.html b/xml/SCAP/report.html
deleted file mode 100644
index 76fed49..0000000
--- a/xml/SCAP/report.html
+++ /dev/null
@@ -1,292 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svg="http://www.w3.org/2000/svg">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
- <title>XCCDF test result</title>
- <meta name="generator" content="" />
- <meta name="Content-Type" content="text/html;charset=utf-8" />
- <style type="text/css" media="all">
- html, body { background-color: black; font-family:sans-serif; margin:0; padding:0; }
- abbr { text-transform:none; border:none; font-variant:normal; }
- div.score-outer { height: .8em; width:100%; min-width:100px; background-color: red; }
- div.score-inner { height: 100%; background-color: green; }
- .score-max, .score-val, .score-percent { text-align:right; }
- .score-percent { font-weight: bold; }
- th, td { padding-left:.5em; padding-right:.5em; }
- .rule-selected, .result-pass strong, .result-fixed strong { color:green; }
- .rule-inactive, .unknown, .result-notselected strong, .result-notchecked strong, .result-notapplicable strong, .result-informational strong, .result-unknown strong { color:#555; }
- .rule-notselected, .result-error strong, .result-fail strong { color:red; }
- table { border-collapse: collapse; border: 1px black solid; width:100%; }
- table th, thead tr { background-color:black; color:white; }
- table td { border-right: 1px black solid; }
- table td.result, table td.link { text-align:center; }
- table td.num { text-align:right; }
- div#rule-results-summary { margin-bottom: 1em; }
- table tr.result-legend td { width: 10%; }
- div#content p { text-align:justify; }
- div.result-detail { border: 1px solid black; margin: 2em 0; padding: 0 1em; }
- div#content h2 { border-bottom:2px dashed; margin-top:1em; margin-bottom:0.5em; text-align:center; }
- div#content h2#summary { margin-top:0; }
- h1 { margin:1em 0; }
- div.raw table, div.raw table td { border:none; width:auto; padding:0; }
- div.raw table { margin-left: 2em; }
- div.raw table td { padding: .1em .7em; }
- table tr { border-bottom: 1px dotted #000; }
- dir.raw table tr { border-bottom: 0 !important; }
- pre.code { background: #ccc; padding:.2em; }
- ul.toc-struct li { list-style-type: none; }
- div.xccdf-rule { margin-left: 10%; }
- div#footer, p.remark, .link { font-size:.8em; }
- thead tr td { font-weight:bold; text-align:center; }
- .hidden { display:none; }
- td.score-bar { text-align:center; }
- td.score-bar span.media { width:100%; min-width:7em; height:.8em; display:block; margin:0; padding:0; }
- .oval-results { font-size:.8em; overflow:auto; }
- div#guide-top-table table { width: 100%; }
- td#common-info { min-width: 25.0em; border-right: 1px solid #000; }
- td#versions-revisions { width: 25.0em; }
- </style>
- <style type="text/css" media="screen">
- div#content, div#header, div#footer { margin-left:1em; margin-right:1em; }
- div#content { background-color: white; padding:2em; }
- div#footer, div#header { color:white; text-align:center; }
- a, a:visited { color:blue; text-decoration:underline; }
- div#content p.link { text-align:right; font-size:.8em; }
- div#footer a { color:white; }
- div.xccdf-group, div.xccdf-rule { border-left: 3px solid white; padding-left:.3em; }
- div.xccdf-group:target, div.xccdf-rule:target { border-left-color:#ccc; }
- .toc-struct li:target { background:#ddd; }
- abbr { border-bottom: 1px black dotted; }
- abbr.date { border-bottom:none; }
- pre.code { overflow:auto; }
- table tbody tr:hover { background: #ccc; }
- div.raw table tbody tr:hover { background: transparent !important; }
- </style>
- <style type="text/css" media="print">
- @page { margin:3cm; }
- html, body { background-color:white; font-family:serif; }
- .link { display:none; }
- a, a:visited { color:black; text-decoration:none; }
- div#header, div#footer { text-align:center; }
- div#header { padding-top:36%; }
- h1 { vertical-align:center; }
- h2 { page-break-before:always; }
- h3, h4, h5 { page-break-after:avoid; }
- pre.code { background: #ccc; }
- div#footer { margin-top:auto; }
- .toc-struct { page-break-after:always; }
- </style>
- </head>
- <body>
- <div id="xccdf_org.open-scap_testresult_default-profile">
- <div id="header">
- <h1>XCCDF test result</h1>
- </div>
- <div id="content">
- <div id="intro">
- <h2>Introduction</h2>
- <div>
- <h3>Test Result</h3>
- <div id="test-result-summary">
- <table>
- <thead>
- <tr>
- <td>Result ID</td>
- <td>Profile</td>
- <td>Start time</td>
- <td>End time</td>
- <td>Benchmark</td>
- <td>Benchmark version</td>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td align="center">xccdf_org.open-scap_testresult_default-profile</td>
- <td align="center">
- (Default profile)
- </td>
- <td align="center">
- <abbr title="2013-09-17T20:24:00" class="date">2013-09-17 20:24</abbr>
- </td>
- <td align="center">
- <abbr title="2013-09-17T20:24:00" class="date">2013-09-17 20:24</abbr>
- </td>
- <td align="center">
- <span>embedded</span>
- </td>
- <td align="center">20130917.1</td>
- </tr>
- </tbody>
- </table>
- </div>
- </div>
- <div>
- <h3>Target info</h3>
- <div class="raw">
- <table>
- <tbody>
- <tr>
- <td valign="top">
- <h4>Targets</h4>
- <ul class="itemizedlist">
- <li>hpl</li>
- </ul>
- </td>
- <td valign="top">
- <h4>Addresses</h4>
- <ul class="itemizedlist">
- <li>127.0.0.1</li>
- <li>192.168.1.3</li>
- <li>192.168.100.1</li>
- <li>::1</li>
- <li>fe80::f27b:cbff:fe0f:5a3b</li>
- <li>2001:db8:81:e2:0:26b5:365b:5072</li>
- <li>fe80::2045:eaff:fe47:e569</li>
- </ul>
- </td>
- <td></td>
- <td valign="top">
- <h4>Platforms</h4>
- <ul class="itemizedlist">
- <li>cpe:/o:gentoo:linux</li>
- </ul>
- </td>
- <td valign="top"></td>
- </tr>
- </tbody>
- </table>
- </div>
- </div>
- <div>
- <h3>Score</h3>
- <div>
- <table>
- <thead>
- <tr>
- <td>system</td>
- <td>score</td>
- <td>max</td>
- <td>%</td>
- <td>bar</td>
- </tr>
- </thead>
- <tbody>
- <tr id="score-urn-xccdf-scoring-default">
- <td class="score-sys">urn:xccdf:scoring:default</td>
- <td class="score-val">100.00</td>
- <td class="score-max">100.00</td>
- <td class="score-percent">100.00%</td>
- <td class="score-bar">
- <span class="media">
- <svg xmlns="http://www.w3.org/2000/svg" xmlns:ovalres="http://oval.mitre.org/XMLSchema/oval-results-5" xmlns:sceres="http://open-scap.org/page/SCE_result_file" width="100%" height="100%" version="1.1" baseProfile="full">
- <rect width="100%" height="100%" fill="red"></rect>
- <rect height="100%" width="100.00%" fill="green"></rect>
- <rect height="100%" x="100.00%" width="2" fill="black"></rect>
- </svg>
- </span>
- </td>
- </tr>
- </tbody>
- </table>
- </div>
- </div>
- </div>
- <div id="results-overview">
- <h2>Results overview</h2>
- <div id="rule-results-summary">
- <h4>Rule Results Summary</h4>
- <table>
- <thead>
- <tr>
- <td>pass</td>
- <td>fixed</td>
- <td>fail</td>
- <td>error</td>
- <td>not selected</td>
- <td>not checked</td>
- <td>not applicable</td>
- <td>informational</td>
- <td>unknown</td>
- <td>total</td>
- </tr>
- </thead>
- <tbody>
- <tr class="result-legend">
- <td align="center" class="result-pass">
- <strong class="strong">1</strong>
- </td>
- <td align="center" class="result-fixed">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-fail">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-error">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-notselected">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-notchecked">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-notapplicable">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-informational">
- <strong class="strong">0</strong>
- </td>
- <td align="center" class="result-unknown">
- <strong class="strong">0</strong>
- </td>
- <td align="center">
- <strong class="strong">1</strong>
- </td>
- </tr>
- </tbody>
- </table>
- </div>
- <div>
- <h4 class="hidden">Rule results summary</h4>
- <table>
- <thead>
- <tr>
- <td>Title</td>
- <td>Result</td>
- </tr>
- </thead>
- <tbody>
- <tr class="result-pass">
- <td class="id">
- <a href="#ruleresult-idm2812214624720">Test if /home is a separate partition</a>
- </td>
- <td class="result">
- <strong class="strong">pass</strong>
- </td>
- </tr>
- </tbody>
- </table>
- </div>
- </div>
- <div id="results-details">
- <h2>Results details</h2>
- <div class="result-detail" id="ruleresult-idm2812214624720">
- <h3>Result for Test if /home is a separate partition</h3>
- <p class="result-pass">Result: <strong class="strong">pass</strong></p>
- <p>Rule ID: <strong class="strong">xccdf_org.gentoo.dev.swift_rule_partition-home</strong></p>
- <p>Time: <strong class="strong"><abbr title="2013-09-17T20:24:00" class="date">2013-09-17 20:24</abbr></strong></p>
- <p class="link">
- <a href="#results-overview">results overview</a>
- </p>
- </div>
- </div>
- </div>
- <div id="footer">
- <p> Generated by <a href="http://open-scap.org">OpenSCAP</a>
- (0.9.8)
- on <abbr title="2013-09-17T20:24:00+02:00" class="date">2013-09-17 20:24</abbr>.</p>
- </div>
- </div>
- </body>
-</html>
diff --git a/xml/SCAP/results-xccdf.xml b/xml/SCAP/results-xccdf.xml
deleted file mode 100644
index db19a4c..0000000
--- a/xml/SCAP/results-xccdf.xml
+++ /dev/null
@@ -1,326 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" resolved="1">
- <status date="2013-09-17">draft</status>
- <title>Gentoo Security Benchmark</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- This benchmarks helps people in improving their system configuration to be
- more resilient against attacks and vulnerabilities.
- </description>
- <platform idref="cpe:/o:gentoo:linux"/>
- <version>20130917.1</version>
- <model system="urn:xccdf:scoring:default"/>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive">
- <title>Default server setup settingsIntensive validation profile</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- In this profile, we verify common settings for Gentoo Linux
- configurations. The tests that are enabled in this profile can be ran
- without visibly impacting the performance of the system.
-
- This profile extends the default server profile by including tests that
- are more intensive to run on a system. Tests such as full file system
- scans to find world-writable files or directories have an otherwise too
- large impact on the performance of a server.
- </description>
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
- </Profile>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
- <title>Default server setup settings</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- In this profile, we verify common settings for Gentoo Linux
- configurations. The tests that are enabled in this profile can be ran
- without visibly impacting the performance of the system.
- </description>
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
- </Profile>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro">
- <title>Introduction</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Since years, Gentoo Linux has a Gentoo Security Handbook
- which provides a good insight in secure system
- configuration for a Gentoo systems. Although this is important, an
- improved method for describing and tuning a systems' security state has
- emerged: SCAP, or the <h:em xmlns:h="http://www.w3.org/1999/xhtml">Security Content Automation Protocol</h:em>.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- As such, this benchmark is an update on the security
- handbook, including both the in-depth explanation of settings as well as
- the means to validate if a system complies with this or not. Now, during
- the development of this benchmark document, we did not include all
- information from the Gentoo Security Handbook as some of the settings are
- specific to a service that is not all that default on a Gentoo Linux
- system. Although these settings are important as well, it is our believe
- that this is best done in separate benchmarks for those services instead.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Where applicable, this benchmark will refer to a different hardening guide
- for specific purposes (such as the Hardening OpenSSH benchmark).
- </description>
- <reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo
- Security Handbook</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
- <title>This is no security policy</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- It is <h:em xmlns:h="http://www.w3.org/1999/xhtml">very important</h:em> to realize that this document is not a
- policy. You are not obliged to follow this if you want a secure system
- nor do you need to agree with everything said in the document.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- The purpose of this document is to guide you in your quest to hardening
- your system. It will provide pointers that could help you decide in
- particular configuration settings and will do this hopefully using
- sufficient background information to make a good choice.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- You <h:em xmlns:h="http://www.w3.org/1999/xhtml">will</h:em> find settings you don't agree with. That's fine, but
- if you disagree with <h:em xmlns:h="http://www.w3.org/1999/xhtml">why</h:em> we do this, we would like to hear it
- and we'll add the feedback to the guide.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
- <title>A little more about SCAP and OVAL</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
- are notably important in light of the guide you are currently using.
- <h:ul xmlns:h="http://www.w3.org/1999/xhtml">
- <h:li>
- XCCDF (Extensible Configuration Checklist Description Format) is
- a specification language for writing security checklists and benchmarks
- (such as the one you are reading now)
- </h:li>
- <h:li>
- OVAL (Open Vulnerability and Assessment Language) is a standard to describe
- and validate system settings
- </h:li>
- </h:ul>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Thanks to the OVAL and XCCDF standards, a security engineer can now describe
- how the state of a system should be configured, how this can be checked
- automatically and even report on these settings. Furthermore, within the
- description, the engineer can make "profiles" of different states (such as
- a profile for a workstation, server (generic), webserver, LDAP server,
- ...) and reusing the states (rules) identified in a more global scope.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
- <title>Using this guide</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- The guide you are currently reading is the guide generated from this SCAP
- content (more specifically, the XCCDF document) using <h:b xmlns:h="http://www.w3.org/1999/xhtml">openscap</h:b>,
- a free software implementation for handling SCAP content. Within Gentoo,
- the package <h:code xmlns:h="http://www.w3.org/1999/xhtml">app-forensics/openscap</h:code> provides the tools, and
- the following command is used to generate the HTML output:
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Command to generate this guide ###
-# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml > output.html</h:b>
- </h:pre>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
- The two files combined allow you to automatically validate various settings as
- documented in the benchmark.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Now, to validate the tests, you can use the following commands:
- <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules mentioned in the XCCDF document ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- To generate a full report in HTML as well, you can use the next command:
- <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules and generating an HTML report ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Finally, this benchmark will suggest some settings which you do not want
- to enable. That is perfectly fine - even more, some settings might even
- raise eyebrows left and right. We will try to document the reasoning behind
- the settings but you are free to deviate from them. If that is the case,
- you might want to disable the rules in the XCCDF document so that they are
- not checked on your system.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
- <title>Available XCCDF Profiles</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- As mentioned earlier, the XCCDF document supports multiple profiles. For the time
- being, two profiles are defined:
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:ul xmlns:h="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.2">
- <h:li>
- The <em>default</em> profile contains tests that are quick to validate
- </h:li>
- <h:li>
- The <em>intensive</em> profile contains all tests, including those that
- take a while (for instance because they perform full file system scans)
- </h:li>
- </h:ul>
- Substitute the profile information in the commands above with the profile you want to test on.
- </description>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
- <title>Before You Start</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Before you start deploying Gentoo Linux and start hardening it, it is wise
- to take a step back and think about what you want to accomplish. Setting
- up a more secured Gentoo Linux isn't a goal, but a means to reach
- something. Most likely, you are considering setting up a Gentoo Linux
- powered server. What is this server for? Where will you put it? What other
- services will you want to run on the same OS? Etc.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
- <title>Infrastructure Architecturing</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- When considering your entire IT architecture, many architecturing
- frameworks exist to write down and further design your infrastructure.
- There are very elaborate ones, like TOGAF (The Open Group Architecture
- Framework), but smaller ones exist as well.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- A well written and maintained infrastructure architecture helps you
- position new services or consider the impact of changes on existing
- components. And the reason for mentioning such a well designed architecture
- in a hardening guide is not weird.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Security is about reducing risks, not about harassing people or making
- work for a system administrator harder. And reducing risks also means
- that you need to keep a clear eye out on your architecture and all its
- components. If you do not know what you are integrating, where you are
- putting it or why, then you have more issues to consider than hardening
- a system.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
- <title>Mapping Requirements</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- When you design a service, you need to take both functional and
- non-functional requirements into account. That does sound like
- overshooting for a simple server installation, but it is not. Have you
- considered auditing? Where do the audit logs need to be sent to? What
- about authentication? Centrally managed, or manually set? And the server
- you are installing, will it only host a particular service, or will it
- provide several services?
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- When hosting multiple services on the same server, make sure that the
- server is positioned within your network on an acceptable segment. It is
- not safe to host your central LDAP infrastructure on the same system as
- your web server that is facing the Internet.
- </description>
- <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
- <title>Non-Software Security Concerns</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- From the next chapter onwards, we will only focus on the software side
- hardening. There are of course also non-software concerns that you
- should investigate.
- </description>
- <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security
- Handbook (RFC2196)</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
- <title>Physical Security</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Make sure that your system is only accessible (physically) by trusted
- people. Fully hardening your system, only to have a malicious person
- take out the harddisk and run away with your confidential data is not
- something you want to experience.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- When physical security cannot be guaranteed (like with laptops), make
- sure that theft of the device only results in the loss of the hardware
- and not of the data and software on it (backups), and also that the
- data on it cannot be read by unauthorized people. We will come back on
- disk encryption later.
- </description>
- <reference href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data
- Center Physical Security Checklist (SANS, PDF)</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
- <title>Policies and Contractual Agreements</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Create or validate the security policies in your organization. This is
- not only as a stick (against internal people who might want to abuse
- their powers) but also to document and describe why certain decisions
- are made (both architecturally as otherwise).
- </description>
- <reference href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical
- Writing for IT Security Policies in Five Easy Steps (SANS,
- PDF)</reference>
- <reference href="https://www.sans.org/security-resources/policies/">Information
- Security Policy Templates (SANS)</reference>
- </Group>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation">
- <title>Installation Configuration</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Let's focus now on the OS hardening. Gentoo Linux allows you to update the
- system as you want after installation, but it might be interesting to
- consider the following aspects during installation if you do not want a
- huge migration project later.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
- <title>Storage Configuration</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Your storage is of utmost importance in any environment. It needs to be
- sufficiently fast, not to jeopardize performance, but also secure and
- manageable yet still remain flexible to handle future changes.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning">
- <title>Partitioning</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Know which locations in your file system structure you want on a
- different partition or logical volume. Separate locations allow for a
- more distinct segregation (for instance, hard links between different
- file systems) and low-level protection (file system corruption impact,
- but also putting the right data on the right storage media).
- </description>
- <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
- Standard</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
- <title>/home Location</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- The <h:code xmlns:h="http://www.w3.org/1999/xhtml">/home</h:code> location should be on its own partition,
- allowing the administrator to mount this location with specific
- options targetting the file systems' security settings or quota.
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true">
- <title>Test if /home is a separate partition</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
- </check>
- </Rule>
- </Group>
- </Group>
- </Group>
- </Group>
- <TestResult id="xccdf_org.open-scap_testresult_default-profile" start-time="2013-09-17T20:24:00" end-time="2013-09-17T20:24:00">
- <title>OSCAP Scan Result</title>
- <identity authenticated="false" privileged="false">swift</identity>
- <target>hpl</target>
- <target-address>127.0.0.1</target-address>
- <target-address>192.168.1.3</target-address>
- <target-address>192.168.100.1</target-address>
- <target-address>::1</target-address>
- <target-address>fe80::f27b:cbff:fe0f:5a3b</target-address>
- <target-address>2001:db8:81:e2:0:26b5:365b:5072</target-address>
- <target-address>fe80::2045:eaff:fe47:e569</target-address>
- <target-facts>
- <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
- <fact name="urn:xccdf:fact:scanner:version" type="string">0.9.8</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
- </target-facts>
- <rule-result idref="xccdf_org.gentoo.dev.swift_rule_partition-home" time="2013-09-17T20:24:00" weight="1.000000">
- <result>pass</result>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
- </check>
- </rule-result>
- <score system="urn:xccdf:scoring:default" maximum="100.000000">100.000000</score>
- </TestResult>
-</Benchmark>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-17 19:07 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-17 19:07 UTC (permalink / raw
To: gentoo-commits
commit: d7945f41caa4ca5d197672b8decee20f3866e8b6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Sep 17 19:06:35 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Sep 17 19:06:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d7945f41
Adding common .gitignore
---
xml/SCAP/.gitignore | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xml/SCAP/.gitignore b/xml/SCAP/.gitignore
new file mode 100644
index 0000000..f943490
--- /dev/null
+++ b/xml/SCAP/.gitignore
@@ -0,0 +1,5 @@
+guide.html
+report.html
+gentoo-oval.xml.result.xml
+results-xccdf.xml
+remediate.sh
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-18 13:51 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-18 13:51 UTC (permalink / raw
To: gentoo-commits
commit: 3d3194ac9b1b2ba298ceb126f022ac4100c0843b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 18 13:51:27 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Sep 18 13:51:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3d3194ac
Add /tmp test
---
xml/SCAP/.gitignore | 3 +
xml/SCAP/Makefile | 13 +-
xml/SCAP/gentoo-oval.xml | 62 +++++++
xml/SCAP/gentoo-xccdf.xml | 446 ++++++++++++++++++++++++++++------------------
4 files changed, 347 insertions(+), 177 deletions(-)
diff --git a/xml/SCAP/.gitignore b/xml/SCAP/.gitignore
index f943490..d62a6b5 100644
--- a/xml/SCAP/.gitignore
+++ b/xml/SCAP/.gitignore
@@ -3,3 +3,6 @@ report.html
gentoo-oval.xml.result.xml
results-xccdf.xml
remediate.sh
+guide.docbook
+guide.fo
+guide.pdf
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index ac0b4e2..fcbf549 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,4 +1,4 @@
-all: report.html guide.html remediate.sh
+all: report.html guide.html remediate.sh #guide.pdf
report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
@@ -6,6 +6,15 @@ report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
+guide.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
+ oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --format docbook --output guide.docbook gentoo-xccdf.xml
+
+guide.fo: guide.docbook
+ xsltproc --output guide.fo --stringparam paper.type A4 /usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl guide.docbook
+
+guide.pdf: guide.fo
+ fop guide.fo guide.pdf
+
remediate.sh: results-xccdf.xml
oscap xccdf generate fix --output remediate.sh results-xccdf.xml
chmod 0644 remediate.sh
@@ -14,6 +23,6 @@ eval:
oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml
clean:
- -rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh
+ -rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh guide.docbook guide.pdf guide.fo
.PHONY: all eval clean
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index b520353..9fa2c1e 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -71,6 +71,41 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:4" version="1" class="compliance">
+ <metadata>
+ <title>The /home file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the /home partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="The /home partition is mounted with nodev mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:5" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
+ <description>
+ This definition tests whether the /tmp location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+ </criteria>
+ </definition>
+
+
</definitions>
<tests>
@@ -97,6 +132,22 @@
<!-- "nosuid" mount option -->
<lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
</lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:4"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /home is mounted with nodev option">
+ <!-- /home partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /tmp is a separate file system">
+ <!-- /home partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+ </lin-def:partition_test>
</tests>
<objects>
@@ -110,6 +161,12 @@
version="1" comment="The /home partition">
<lin-def:mount_point>/home</lin-def:mount_point>
</lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:3"
+ version="1" comment="The /tmp partition">
+ <lin-def:mount_point>/tmp</lin-def:mount_point>
+ </lin-def:partition_object>
+
</objects>
<states>
@@ -119,6 +176,11 @@
<lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options>
</lin-def:partition_state>
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:2"
+ version="1" comment="The file system is mounted with the nodev mount option">
+ <lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
+ </lin-def:partition_state>
+
</states>
<!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index a501b53..39af64c 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -24,10 +24,15 @@
configurations. The tests that are enabled in this profile can be ran
without visibly impacting the performance of the system.
</description>
+ <!-- The /tmp location is a separate file system -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
<!-- The /home location is a separate file system -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
<!-- The /home partition is mounted with nosuid -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+ <!-- The /home partition is mounted with nodev -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
+
</Profile>
<Group id="xccdf_org.gentoo.dev.swift_group_intro">
<title>Introduction</title>
@@ -58,31 +63,32 @@
<title>This is no security policy</title>
<description>
It is <h:em>very important</h:em> to realize that this document is not a
- policy. You are not obliged to follow this if you want a secure system
- nor do you need to agree with everything said in the document.
- <h:br />
- <h:br />
- The purpose of this document is to guide you in your quest to hardening
- your system. It will provide pointers that could help you decide in
- particular configuration settings and will do this hopefully using
- sufficient background information to make a good choice.
- <h:br />
- <h:br />
- You <h:em>will</h:em> find settings you don't agree with. That's fine, but
- if you disagree with <h:em>why</h:em> we do this, we would like to hear it
- and we'll add the feedback to the guide.
+ policy. There is no obligation to follow this to make a secure system
+ nor should everything in this document be agreed upon. What we document is
+ a set of common best practices with the explanation (why is it a best practice)
+ and method (how to implement the best practice).
+ <h:br />
+ <h:br />
+ The purpose of this document is to guide readers in their quest to hardening
+ their systems. It will provide pointers that could help in deciding
+ particular configuration settings and will do this hopefully using
+ sufficient background information to allow readers to make a good choice.
+ <h:br />
+ <h:br />
+ Readers might find settings they don't agree with. That's fine, but
+ if there is disagreement about <h:em>why</h:em> it is documented, we would
+ like to hear it so we can update the guide accordingly.
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
<title>A little more about SCAP and OVAL</title>
<description>
Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
- are notably important in light of the guide you are currently using.
+ are notably important in light of this guide.
<h:ul>
<h:li>
XCCDF (Extensible Configuration Checklist Description Format) is
a specification language for writing security checklists and benchmarks
- (such as the one you are reading now)
</h:li>
<h:li>
OVAL (Open Vulnerability and Assessment Language) is a standard to describe
@@ -101,80 +107,77 @@
<Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
<title>Using this guide</title>
<description>
- The guide you are currently reading is the guide generated from this SCAP
- content (more specifically, the XCCDF document) using <h:b>openscap</h:b>,
- a free software implementation for handling SCAP content. Within Gentoo,
- the package <h:code>app-forensics/openscap</h:code> provides the tools, and
- the following command is used to generate the HTML output:
+ This guide is generated from SCAP content (more specifically, the XCCDF document)
+ using <h:b>openscap</h:b>, a free software implementation for handling SCAP content.
+ Within Gentoo, the package <h:code>app-forensics/openscap</h:code> provides the tools,
+ and the following command is used to generate the HTML output:
<h:br />
- <h:pre>### Command to generate this guide ###
-# <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b>
+ <h:pre># <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b>
</h:pre>
<h:br />
- Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
- The two files combined allow you to automatically validate various settings as
- documented in the benchmark.
- <h:br />
- <h:br />
- Now, to validate the tests, you can use the following commands:
- <h:pre>### Testing the rules mentioned in the XCCDF document ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre>
+ Secondly, together with this XCCDF XML, an OVAL XML file is made available.
+ The two files combined allow OVAL interpreters to automatically validate
+ various settings as documented in the benchmark.
+ <h:br />
+ <h:br />
+ To validate the tests, the following commands can be used:
+ <h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre>
<h:br />
To generate a full report in HTML as well, you can use the next command:
- <h:pre>### Testing the rules and generating an HTML report ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre>
+ <h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre>
<h:br />
- <h:br />
- Finally, this benchmark will suggest some settings which you do not want
- to enable. That is perfectly fine - even more, some settings might even
+ <h:br />
+ Finally, this benchmark will suggest some settings that do not reflect the
+ will of the reader. That is perfectly fine - even more, some settings might even
raise eyebrows left and right. We will try to document the reasoning behind
the settings but you are free to deviate from them. If that is the case,
- you might want to disable the rules in the XCCDF document so that they are
- not checked on your system.
+ disable the rules in the XCCDF document or, better yet, create a new profile
+ and only refer to the tests that are required.
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
<title>Available XCCDF Profiles</title>
<description>
As mentioned earlier, the XCCDF document supports multiple profiles. For the time
- being, two profiles are defined:
- <h:br />
- <h:ul>
- <h:li>
- The <em>default</em> profile contains tests that are quick to validate
- </h:li>
- <h:li>
- The <em>intensive</em> profile contains all tests, including those that
- take a while (for instance because they perform full file system scans)
- </h:li>
- </h:ul>
- Substitute the profile information in the commands above with the profile you want to test on.
+ being, two profiles are defined:
+ <h:br />
+ <h:ul>
+ <h:li>
+ The <em>default</em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains
+ tests that are quick to validate
+ </h:li>
+ <h:li>
+ The <em>intensive</em> profile (xccdf_org.gentoo.dev.swift_profile_intensive)
+ contains all tests, including those that take a while (for instance because they
+ perform full file system scans)
+ </h:li>
+ </h:ul>
+ Substitute the profile information in the commands above with the required profile.
</description>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
- <title>Before You Start</title>
+ <title>Before we start</title>
<description>
- Before you start deploying Gentoo Linux and start hardening it, it is wise
- to take a step back and think about what you want to accomplish. Setting
+ Before we start deploying Gentoo Linux and start hardening it, it is wise
+ to take a step back and think about what we want to accomplish. Setting
up a more secured Gentoo Linux isn't a goal, but a means to reach
something. Most likely, you are considering setting up a Gentoo Linux
powered server. What is this server for? Where will you put it? What other
services will you want to run on the same OS? Etc.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
- <title>Infrastructure Architecturing</title>
+ <title>Infrastructure architecturing</title>
<description>
- When considering your entire IT architecture, many architecturing
- frameworks exist to write down and further design your infrastructure.
+ When considering the entire IT architecture, many architecturing
+ frameworks exist to write down and further design infrastructure.
There are very elaborate ones, like TOGAF (The Open Group Architecture
Framework), but smaller ones exist as well.
<h:br />
<h:br />
- A well written and maintained infrastructure architecture helps you
+ A well written and maintained infrastructure architecture helps to
position new services or consider the impact of changes on existing
- components. And the reason for mentioning such a well designed architecture
- in a hardening guide is not weird.
+ components.
<h:br />
<h:br />
Security is about reducing risks, not about harassing people or making
@@ -186,130 +189,223 @@
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
- <title>Mapping Requirements</title>
+ <title>Mapping requirements</title>
<description>
- When you design a service, you need to take both functional and
+ When designing a service, we need to take both functional and
non-functional requirements into account. That does sound like
- overshooting for a simple server installation, but it is not. Have you
- considered auditing? Where do the audit logs need to be sent to? What
- about authentication? Centrally managed, or manually set? And the server
- you are installing, will it only host a particular service, or will it
- provide several services?
+ overshooting for a simple server installation, but it is not. Is
+ auditing considered? Where should the audit logs be sent to? What
+ about authentication? Centrally managed, or manually set? And the server,
+ will it only host a particular service, or will it provide several services?
<h:br />
<h:br />
When hosting multiple services on the same server, make sure that the
- server is positioned within your network on an acceptable segment. It is
- not safe to host your central LDAP infrastructure on the same system as
- your web server that is facing the Internet.
+ server is positioned within the network on an acceptable segment. It is
+ not safe to host central LDAP infrastructure on the same system as
+ a web server that is facing the Internet.
</description>
<reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
- <title>Non-Software Security Concerns</title>
+ <title>Non-software security concerns</title>
<description>
- From the next chapter onwards, we will only focus on the software side
- hardening. There are of course also non-software concerns that you
- should investigate.
+ From the next chapter onwards, our focus will be on the software side
+ hardening. There are of course also non-software concerns that need to be
+ taken care of.
</description>
- <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security
- Handbook (RFC2196)</reference>
+ <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security Handbook (RFC2196)</reference>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
- <title>Physical Security</title>
+ <title>Physical security</title>
<description>
- Make sure that your system is only accessible (physically) by trusted
- people. Fully hardening your system, only to have a malicious person
- take out the harddisk and run away with your confidential data is not
- something you want to experience.
+ Make sure that the system is only accessible (physically) by trusted
+ people. Fully hardening a system, only to have a malicious person
+ take out the harddisk and run away with the confidential data is not
+ something we want to experience.
<h:br />
<h:br />
When physical security cannot be guaranteed (like with laptops), make
sure that theft of the device only results in the loss of the hardware
- and not of the data and software on it (backups), and also that the
- data on it cannot be read by unauthorized people. We will come back on
- disk encryption later.
+ and not of the data and software on it (take backups!), and also that the
+ data on it cannot be read by unauthorized people.
+ We will describe disk encryption later.
</description>
<reference
- href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data
- Center Physical Security Checklist (SANS, PDF)</reference>
+ href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data Center Physical Security Checklist (SANS, PDF)</reference>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
- <title>Policies and Contractual Agreements</title>
+ <title>Policies and contractual agreements</title>
<description>
- Create or validate the security policies in your organization. This is
+ Create or validate the security policies in the organization. This is
not only as a stick (against internal people who might want to abuse
their powers) but also to document and describe why certain decisions
are made (both architecturally as otherwise).
+ <h:br />
+ <h:br />
+ Make sure that the reasoning for the guidelines is clear. If the policies ever
+ need to be adjusted towards new environments or concepts (like "bring your own
+ device") having the reasons for the (old) guidelines documented will make it much
+ easier to write new ones.
</description>
<reference
- href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical
- Writing for IT Security Policies in Five Easy Steps (SANS,
- PDF)</reference>
+ href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF)</reference>
<reference
- href="https://www.sans.org/security-resources/policies/">Information
- Security Policy Templates (SANS)</reference>
+ href="https://www.sans.org/security-resources/policies/">Information Security Policy Templates (SANS)</reference>
</Group>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_installation">
- <title>Installation Configuration</title>
+ <title>Installation configuration</title>
<description>
- Let's focus now on the OS hardening. Gentoo Linux allows you to update the
- system as you want after installation, but it might be interesting to
- consider the following aspects during installation if you do not want a
- huge migration project later.
+ Let's focus now on the OS hardening. Gentoo Linux allows us to update various
+ parts of the system after installation, but it might be interesting to
+ consider the following aspects during (or before) installation if we do not want
+ to risk a huge migration project later.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
- <title>Storage Configuration</title>
+ <title>Storage configuration</title>
<description>
- Your storage is of utmost importance in any environment. It needs to be
- sufficiently fast, not to jeopardize performance, but also secure and
- manageable yet still remain flexible to handle future changes.
+ Storage is of utmost importance in any environment. It needs to be
+ sufficiently fast (performance), but also secure and
+ manageable while remaining flexible to handle future changes.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning">
<title>Partitioning</title>
<description>
- Know which locations in your file system structure you want on a
+ Know which locations in the file system structure need to be on a
different partition or logical volume. Separate locations allow for a
- more distinct segregation (for instance, hard links between different
+ more distinct segregation (for instance, no hard links between different
file systems) and low-level protection (file system corruption impact,
but also putting the right data on the right storage media).
</description>
<reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
Standard</reference>
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
+ <title>Separate file systems for important locations</title>
+ <description>
+ Having a separate file system for important locations has several advantages, but
+ we need to weigh those advantages against the disadvantages of separate file
+ systems.
+ <h:br />
+ <h:br />
+ Let's start with the disadvantages:
+ <h:ul>
+ <h:li>
+ Separate file systems mean that you need to do better disk space control
+ (governing free space). A file system that is given too much free space
+ means that disk space is being wasted, but a file system that is not given
+ enough free disk space will need to be grown quickly - if possibile. This
+ also means that creating a proper partitioning setup with many different
+ partitions (file systems) will take some time and calculations; many users
+ have no good idea how much space they need to make available for a file system.
+ </h:li>
+ <h:li>
+ Some file system locations need to be available early in the boot process.
+ If those locations reside on different file systems, special precautions need
+ to be taken to make those file systems available when the system is booted
+ (such as creating an initial ram file system).
+ </h:li>
+ </h:ul>
+ The advantages on the other hand:
+ <h:ul>
+ <h:li>
+ A sudden disk space growth will eventually be stopped by the limits of the
+ file system. If a non-critical file system is full, the impact on the overall
+ system is limited. Without separate file systems, a full file system might
+ jeopardise the availability of the entire system.
+ </h:li>
+ <h:li>
+ Specific mount options can be enabled on the file systems that improve the
+ security of the file system (permissions) as well as performance. Such mount
+ options include ownership details, allowing (or disallowing) setuid binaries,
+ device files and more.
+ </h:li>
+ <h:li>
+ Different file systems can be hosted on different devices (or even on network
+ shares), allowing administrators to pick the most efficient storage device
+ for a particular file system.
+ </h:li>
+ </h:ul>
+ Considering these pros and cons, it is recommended to have at least the following
+ file system locations to be on a different file system:
+ <h:ul>
+ <h:li>
+ <h:code>/tmp</h:code> as this is a world-writable location and requires
+ specific mount options. When possible, this location can be made a
+ <h:em>tmpfs</h:em> file system.
+ </h:li>
+ </h:ul>
+ </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false">
+ <title>Test if /tmp is a separate file system</title>
+ <fixtext>
+ Create a file system for <h:code>/tmp</h:code>; make sure it is added in
+ the <h:code>/etc/fstab</h:code> file and reboot the system.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ </Group>
<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
<title>/home Location</title>
<description>
The <h:code>/home</h:code> location should be on its own partition,
allowing the administrator to mount this location with specific
- options targetting the file systems' security settings or quota.
- <h:br />
- <h:br />
- Next to the separate file system, it should also be mounted with
- the <h:em>nosuid</h:em> mount option. When a vulnerability in a
- software, or a rogue user, would somehow place a setuid binary in
- this home directory in order to create a simple backdoor to gain
- root privileges, this mount option disables the setuid ability.
+ options targetting the file systems' security settings or quota. It
+ also prevents the system to become unresponsive when a user starts
+ filling up his home directory, although quota support can be used
+ to mitigate this risk as well.
+ <h:br />
+ <h:br />
+ Next to the separate file system, it should also be mounted with
+ the <h:em>nosuid</h:em> mount option. When a vulnerability in a
+ software, or a rogue user, would somehow place a setuid binary in
+ this home directory in order to create a simple backdoor to gain
+ root privileges, this mount option disables the setuid ability.
+ <h:br />
+ <h:br />
+ There is also no reason for the <h:code>/home</h:code> location to
+ contain any device files, so mount it with <h:em>nodev</h:em> too.
+ If an attacker would somehow be able to create sensitive device files
+ with the rights for him to read/write to those device files, then he
+ might be able to impact the system security.
</description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false">
- <title>Test if /home is a separate partition</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false">
+ <title>Test if /home is a separate partition</title>
+ <fixtext>
+ Create a file system for the user home files and mount it at <h:code>/home</h:code>
+ after migrating the users' files to it.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false">
- <title>Test if /home is mounted with nosuid</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
- <!-- TODO can we put in multiple fixes? I would like to add in one
- that asks the user (not automatically) to update fstab -->
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false">
+ <title>Test if /home is mounted with nosuid</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
+ <!-- TODO can we put in multiple fixes? I would like to add in one
+ that asks the user (not automatically) to update fstab -->
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nosuid /home
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
- </check>
- </Rule>
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false">
+ <title>Test if /home is mounted with nodev</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /home
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group>
</Group>
@@ -326,7 +422,7 @@ mount -o remount,nosuid /home
toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
those are toolchains where specific settings are disabled. The
<h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
- <h:pre>### Using the appropriate hardened toolchain ###
+ <h:pre>
# <h:b>gcc-config -l</h:b>
[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
@@ -340,18 +436,18 @@ mount -o remount,nosuid /home
<title>Use a Mandatory Access Control system</title>
<description>
Linux uses, by default, what is called a <h:em>Discretionary Access Control</h:em>
- system. This means, amongst other things, that a user can control which files others
- can access, but also that he is able to leak information towards other users.
- <h:br />
- <h:br />
- With a <h:em>Mandatory Access Control</h:em> system in place, the security administrator
- of a system defines security policies to which the entire system should adhere to. Users
- then can "play" within the defined fields of this policy, but cannot extend this policy themselves.
- <h:br />
- <h:br />
- Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system
- is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its
- configuration and testing of these settings are beyond the scope of this benchmark for now.
+ system. This means, amongst other things, that a user can control which files others
+ can access, but also that he is able to leak information towards other users.
+ <h:br />
+ <h:br />
+ With a <h:em>Mandatory Access Control</h:em> system in place, the security administrator
+ of a system defines security policies to which the entire system should adhere to. Users
+ then can "play" within the defined fields of this policy, but cannot extend this policy themselves.
+ <h:br />
+ <h:br />
+ Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system
+ is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its
+ configuration and testing of these settings are beyond the scope of this benchmark for now.
</description>
<reference href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux project page</reference>
</Group>
@@ -374,7 +470,7 @@ mount -o remount,nosuid /home
<h:br />
<h:br />
Mount options can be set in <h:code>/etc/fstab</h:code> in the fourth column.
- <h:pre>### Setting mount options###
+ <h:pre>
# <h:b>vim /etc/fstab</h:b>
[...]
tmpfs /tmp tmpfs defaults<h:b>,nosuid,noexec,nodev</h:b> 0 0</h:pre>
@@ -410,15 +506,15 @@ tmpfs /tmp tmpfs defaults<h:b>,nosuid,noexec,nodev</h:b> 0 0</h
cleared during shut down or reboot) and mounted with nosuid,noexec and
nodev mount options (to reduce the impact when an exploit is attempted from
within this location).
- <h:pre>### Sample /etc/fstab line for /tmp ###
+ <h:pre>
tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev 0 0</h:pre>
Also, the location must have the sticky bit set (cfr the trailing 't' in the
- output of <h:b>ls -ld</h:b>).
- <h:pre>### Sticky bit for /tmp must be set ###
+ output of <h:b>ls -ld</h:b>).
+ <h:pre>
# <h:b>ls -ld /tmp</h:b>
drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
Of course, using <h:code>tmpfs</h:code> does not give you freedom nor a
- secure means to write security sensitive information in <h:code>/tmp</h:code>.
+ secure means to write security sensitive information in <h:code>/tmp</h:code>.
</description>
</Group>
<Group id="gt-system-mounts-home">
@@ -428,7 +524,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
To reduce the risk of an exploit being launched, it is adviseable to
mount this partition with the <h:code>nosuid,nodev</h:code> mount options.
<h:br />
- <h:pre>### Sample /etc/fstab line for /home ###
+ <h:pre>
/dev/mapper/volgrp-home /home ext4 noatime,nosuid,nodev,data=journal 0 2</h:pre>
</description>
</Group>
@@ -445,19 +541,19 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
<h:br />
<h:br />
Next, install the <h:code>sys-fs/quota</h:code> package.
- <h:pre>### Installing quota ###
+ <h:pre>
# <h:b>emerge quota</h:b></h:pre>
Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
the partitions (in <h:code>/etc/fstab</h:code>) where you want to
enable quotas on. For instance, the following snippet from
<h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
and <h:code>/home</h:code>.
- <h:pre>### Example quota definition in /etc/fstab ###
+ <h:pre>
/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
/dev/mapper/volgrp-var /var ext4 noatime,<h:b>usrquota,grpquota</h:b> 0 0
</h:pre>
Finally, add the <h:code>quota</h:code> service to the boot runlevel.
- <h:pre>### Adding quota to the boot runlevel ###
+ <h:pre>
# <h:b>rc-update add quota boot</h:b></h:pre>
Reboot the system so that the partitions are mounted with the correct
mount options and that the quota service is running. Then you can
@@ -466,7 +562,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
<reference
href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
Disk Usage with Quotas (LinuxHomeNetworking)</reference>
- <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
+ <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
</Group>
</Group>
<Group id="gt-system-services">
@@ -513,7 +609,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
booting in single user mode requires the user to enter the root
password. This is already done by default in Gentoo and is part of
<h:code>/etc/inittab</h:code>'s definition:
- <h:pre>### Ensure sulogin is available for single user mode ###
+ <h:pre>
su0:S:wait:/sbin/rc single
<h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre>
</description>
@@ -537,10 +633,10 @@ su0:S:wait:/sbin/rc single
<description>
The SSH service is used for secure remote access towards a system, but
also to provide secure file transfers. It is very commonly found on Unix/Linux
- systems to proper hardening is definitely in place.
- <h:br />
- <h:br />
- Please use the "Hardening OpenSSH" guide for the necessary instructions.
+ systems to proper hardening is definitely in place.
+ <h:br />
+ <h:br />
+ Please use the "Hardening OpenSSH" guide for the necessary instructions.
</description>
</Group>
<Group id="gt-system-services-cron">
@@ -650,7 +746,7 @@ su0:S:wait:/sbin/rc single
You should set the USE flags globally in
<h:code>/etc/make.conf</h:code>.
<h:br />
- <h:pre>### Setting the USE flag in /etc/make.conf ###
+ <h:pre>
USE="... pam tcpd ssl"</h:pre>
</description>
</Group>
@@ -659,15 +755,15 @@ USE="... pam tcpd ssl"</h:pre>
<description>
Gentoo Portage supports fetching signed tree snapshots using
<h:b>emerge-webrsync</h:b>. This is documented in the Gentoo Handbook,
- but as it is quite easy, here you can find the instructions again:
- <h:pre>### Using emerge-webrsync with GPG signatures ###
+ but as it is quite easy, here you can find the instructions again:
+ <h:pre>
# <h:b>mkdir -p /etc/portage/gpg</h:b>
# <h:b>chmod 0700 /etc/portage/gpg</h:b>
# <h:b>gpg - -homedir /etc/portage/gpg - -keyserver subkeys.pgp.net - -recv-keys 0x239C75C4 0x96D8BF6D</h:b>
# <h:b>gpg - -homedir /etc/portage/gpg - -edit-key 0x239C75C4 trust</h:b>
# <h:b>gpg - -homedir /etc/portage/gpg - -edit-key 0x96D8BF6D trust</h:b></h:pre>
After this, you can edit <h:code>/etc/make.conf</h:code>:
- <h:pre>### Editing make.conf for signed portage trees ###
+ <h:pre>
FEATURES="webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
SYNC=""</h:pre>
@@ -680,9 +776,9 @@ SYNC=""</h:pre>
The Linux kernel should be configured using a sane security standard in
mind. When using grSecurity, additional security-enhancing settings can
be enabled.
- <h:br />
- <h:br />
- For further details, I refer to the "Hardening the Linux kernel" guide.
+ <h:br />
+ <h:br />
+ For further details, I refer to the "Hardening the Linux kernel" guide.
</description>
<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
</Group>
@@ -708,7 +804,7 @@ SYNC=""</h:pre>
the configuration file, you can hash it. Just start <h:b>grub</h:b>
and, in the grub-shell, type <h:b>md5crypt</h:b>.
<h:br />
- <h:pre>### Getting a hashed password for GRUB ###
+ <h:pre>
# <h:b>grub</h:b>
GRUB version 0.92 (640K lower / 3072K upper memory)
@@ -740,7 +836,7 @@ grub> <h:b>quit</h:b></h:pre>
<h:code>/etc/lilo.conf</h:code> file. It is also possible to do this
on a per-image level.
<h:br />
- <h:pre>### Setting a password for LILO in /etc/lilo.conf ###
+ <h:pre>
password=abc123
restricted
delay=3
@@ -782,7 +878,7 @@ image=/boot/bzImage
<h:br />
A recommended setting is to only allow root user login through the
console and the physical terminals (<h:code>tty0-tty12</h:code>).
- <h:pre>### /etc/securetty ###
+ <h:pre>
console
tty0
tty1
@@ -840,7 +936,7 @@ tty12</h:pre>
<h:br />
More information on these files and their syntax can be obtained
through their manual pages.
- <h:pre>### Reading the limits manual pages ###
+ <h:pre>
# <h:b>man limits.conf</h:b>
# <h:b>man limits</h:b></h:pre>
</description>
@@ -866,7 +962,7 @@ tty12</h:pre>
<h:code>pam_cracklib.so</h:code> library. You can then use this in the
appropriate <h:code>/etc/pam.d/*</h:code> files. For instance, for the
<h:code>/etc/pam.d/passwd</h:code> definition:
- <h:pre>### Sample /etc/pam.d/passwd setting with cracklib ###
+ <h:pre>
auth required pam_unix.so shadow nullok
account required pam_unix.so
<h:b>password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2</h:b>
@@ -934,19 +1030,19 @@ session required pam_unix.so</h:pre>
<h:br />
<h:br />
You can use <h:code>find</h:code> to locate such files or directories.
- <h:pre>### Using find to find world writable files and directories ###
+ <h:pre>
# <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre>
The above command shows world writable files and locations, unless it
is a directory with the sticky bit set, or a symbolic link (whose
world writable privilege is not accessible anyhow).
</description>
- <Rule id="rule-world-writeable-sticky" selected="false">
+ <Rule id="rule-world-writeable-sticky" selected="false">
<title>World writeable directories must have sticky bit set</title>
- <description>World writeable directories must have sticky bit set</description>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" />
- </check>
- </Rule>
+ <description>World writeable directories must have sticky bit set</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" />
+ </check>
+ </Rule>
</Group>
<Group id="gt-system-fileprivileges-suidsgid">
<title>Limit Setuid and Setgid File and Directory Usage</title>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-19 19:26 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-19 19:26 UTC (permalink / raw
To: gentoo-commits
commit: 42dacd2ae69a55fc5db020844e1150edc59a0955
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Sep 19 19:26:16 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Sep 19 19:26:16 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=42dacd2a
Finish off old document
---
xml/SCAP/gentoo-oval.xml | 55 +++++++
xml/SCAP/gentoo-xccdf.xml | 381 ++++++++++++++++++++++++----------------------
2 files changed, 252 insertions(+), 184 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 4fe52b9..8cc1398 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -396,6 +396,37 @@
<criterion test_ref="oval:org.gentoo.dev.swift:tst:23" comment="/etc/inittab single user settings refers only to '/sbin/rc single' or '/sbin/sulogin'" />
</criteria>
</definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:23" version="1" class="compliance">
+ <metadata>
+ <title>Verify that /etc/hosts.allow exists</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests if /etc/hosts.allow exists.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:24" comment="/etc/hosts.allow exists" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:24" version="1" class="compliance">
+ <metadata>
+ <title>Verify that /etc/at/at.allow exists</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests if /etc/at/at.allow exists.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:25" comment="/etc/at/at.allow exists" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -587,6 +618,20 @@
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
</ind-def:textfilecontent54_test>
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:24"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /etc/hosts.allow exists">
+ <!-- The /etc/hosts.allow file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:14" />
+ </unix-def:file_test>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:25"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /etc/at/at.allow exists">
+ <!-- The /etc/at/at.allow file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:15" />
+ </unix-def:file_test>
+
</tests>
<objects>
@@ -664,6 +709,16 @@
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:14"
+ version="1" comment="The /etc/hosts.allow file">
+ <unix-def:filepath>/etc/hosts.allow</unix-def:filepath>
+ </unix-def:file_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:15"
+ version="1" comment="The /etc/at/at.allow file">
+ <unix-def:filepath>/etc/at/at.allow</unix-def:filepath>
+ </unix-def:file_object>
+
</objects>
<states>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index bc6d977..6b3172e 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -71,6 +71,11 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="true" />
<!-- sulogin is used as shell for single user boot (definition /etc/inittab) -->
<select idref="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="true" />
+ <!-- Verify that /etc/hosts.allow exists -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="true" />
+ <!-- Verify that /etc/at/at.allow exists -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="true" />
+
</Profile>
<Group id="xccdf_org.gentoo.dev.swift_group_intro">
<title>Introduction</title>
@@ -161,14 +166,14 @@
To validate the tests, the following commands can be used:
<h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre>
<h:br />
- To generate a full report in HTML as well, you can use the next command:
+ To generate a full report in HTML as well, use the next command:
<h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre>
<h:br />
<h:br />
Finally, this benchmark will suggest some settings that do not reflect the
will of the reader. That is perfectly fine - even more, some settings might even
- raise eyebrows left and right. We will try to document the reasoning behind
- the settings but you are free to deviate from them. If that is the case,
+ raise eyebrows left and right. This document will explain the reasoning behind
+ the settings but deviations are always possible. If that is the case,
disable the rules in the XCCDF document or, better yet, create a new profile
and only refer to the tests that are required.
</description>
@@ -278,9 +283,9 @@
Before we start deploying Gentoo Linux and start hardening it, it is wise
to take a step back and think about what we want to accomplish. Setting
up a more secured Gentoo Linux isn't a goal, but a means to reach
- something. Most likely, you are considering setting up a Gentoo Linux
- powered server. What is this server for? Where will you put it? What other
- services will you want to run on the same OS? Etc.
+ something. Most likely the system will become a Gentoo Linux powered server.
+ What is this server for? Where will it be hosted? What services are scheduled to run
+ on this operating system? Etc.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
<title>Infrastructure architecturing</title>
@@ -298,10 +303,10 @@
<h:br />
Security is about reducing risks, not about harassing people or making
work for a system administrator harder. And reducing risks also means
- that you need to keep a clear eye out on your architecture and all its
- components. If you do not know what you are integrating, where you are
- putting it or why, then you have more issues to consider than hardening
- a system.
+ that a clear eye needs to be kept on the architecture and all its
+ components. If there is no knowledge as to what is being integrated, where
+ it is going to be installed or why, then hardening by itself will probably not
+ do much to the secure state of the system.
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
@@ -406,7 +411,7 @@
Let's start with the disadvantages:
<h:ul>
<h:li>
- Separate file systems mean that you need to do better disk space control
+ Separate file systems mean that better disk space control is needed
(governing free space). A file system that is given too much free space
means that disk space is being wasted, but a file system that is not given
enough free disk space will need to be grown quickly - if possibile. This
@@ -548,7 +553,7 @@
<Group id="xccdf_org.gentoo.dev.swift_group_installation-toolchain">
<title>Use a Hardened Toolchain</title>
<description>
- When you install Gentoo, use the hardened stages and hardened toolchain.
+ When Gentoo is installed, use the hardened stages and hardened toolchain.
The hardened toolchain includes additional security patches, such as
support for non-executable program stacks and buffer overflow detection.
<h:br />
@@ -839,19 +844,18 @@ mount -o remount,noexec /dev/shm
<title>Disk quota support</title>
<description>
Most file systems support the notion of <h:em>quotas</h:em> - limits
- on the amount of data / files you are allowed to have on that
- particular file system.
+ on the amount of data / files that are allowed on that particular file system.
<h:br />
<h:br />
- To enable quotas, first configure your Linux kernel to include
+ To enable quotas, first configure the Linux kernel to include
<h:code>CONFIG_QUOTA</h:code>.
<h:br />
<h:br />
Next, install the <h:code>sys-fs/quota</h:code> package.
<h:pre># <h:b>emerge quota</h:b></h:pre>
Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
- the partitions (in <h:code>/etc/fstab</h:code>) where you want to
- enable quotas on. For instance, the following snippet from
+ the partitions (in <h:code>/etc/fstab</h:code>) where quotas need to be
+ enabled on. For instance, the following snippet from
<h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
and <h:code>/home</h:code>.
<h:pre>/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
@@ -861,8 +865,8 @@ mount -o remount,noexec /dev/shm
<h:pre>
# <h:b>rc-update add quota boot</h:b></h:pre>
Reboot the system so that the partitions are mounted with the correct
- mount options and that the quota service is running. Then you can
- setup quotas for users and groups.
+ mount options and that the quota service is running. Then the quotas for
+ users and groups can be set up.
</description>
<reference
href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
@@ -970,7 +974,9 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
<title>Test if sulogin is used for single-user boot (/etc/inittab)</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">Set /sbin/sulogin or '/sbin/rc single' for single-user boot</fixtext>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">
+ Set /sbin/sulogin or '/sbin/rc single' for single-user boot in /etc/inittab
+ </fixtext>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
</check>
@@ -990,49 +996,82 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
More information on the format of these files can be obtained through
<h:b>man 5 hosts_access</h:b>.
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="false" severity="info" weight="0.0">
+ <title>Tests if /etc/hosts.allow exists</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_hostsallow-exists">
+ Create and properly configure /etc/hosts.allow
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:23" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
- <title>SSH Service</title>
+ <title>SSH service</title>
<description>
The SSH service is used for secure remote access towards a system, but
also to provide secure file transfers. It is very commonly found on Unix/Linux
- systems to proper hardening is definitely in place.
+ systems so proper hardening is definitely in place.
<h:br />
<h:br />
Please use the "Hardening OpenSSH" guide for the necessary instructions.
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
- <title>Cron Service</title>
+ <title>Cron service</title>
<description>
A cron service is used to schedule tasks and processes on predefined
times. Cron is most often used for regular maintenance tasks.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
- <title>Only Allow Trusted Accounts Cron Access</title>
+ <title>Only allow trusted accounts cron access</title>
<description>
- Only allow trusted accounts to use cron. You should list trusted
- accounts in <h:code>/etc/cron.allow</h:code>.
+ Only allow trusted accounts to use cron. How to achieve this depends on the cron service
+ installed.
+ <h:br />
+ <h:br />
+ If vixie-cron is installed, then have (only) those users that need cron access take part in the
+ <h:em>cron</h:em> unix group.
+ <h:br />
+ <h:br />
+ If dcron is used, then make sure <h:code>/usr/sbin/crontab</h:code> is only executable by
+ root and the cron unix group, and make sure (only) those users that need cron access take part
+ in the <h:em>cron</h:em> unix group.
</description>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-at">
- <title>At Service</title>
+ <title>At service</title>
<description>
The at service allows users to execute a task once on a given time.
Unlike cron, this is not scheduled repeatedly - once executed, the
task is considered completed and at will not invoke it again.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
- <title>Only Allow Trusted Accounts At Access</title>
+ <title>Only allow trusted accounts at access</title>
<description>
- Only allow trusted accounts to use at. You should list trusted
- accounts in <h:code>/etc/at.allow</h:code>.
+ Only allow trusted accounts to use at. Unlike cron access, at access is governed through
+ the <h:code>/etc/at/at.allow</h:code> file. If the <h:code>at.allow</h:code> file does not
+ exist but <h:code>/etc/at/at.deny</h:code> does, then all names <h:em>not</h:em> mentioned in
+ the file are allowed to run at. The most secure method is to use the <h:code>at.allow</h:code>
+ method.
+ <h:br />
+ <h:br />
+ The format of these files is one username per line.
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="false" severity="low" weight="0.0">
+ <title>Tests if /etc/at/at.allow exists</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_atsallow-exists">
+ Create and properly configure /etc/at/at.allow
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:24" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
- <title>NTP Service</title>
+ <title>NTP service</title>
<description>
With NTP, systems can synchronise their clocks, ensuring correct date
and time information. This is important as huge clock drift could
@@ -1040,26 +1079,21 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
commands.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
- <title>Synchronise The System Clock</title>
+ <title>Synchronise the system clock</title>
<description>
- Synchronise your systems' clock with an authorative NTP server, and
- use the same NTP service for all your systems.
+ Synchronise the systems' clock with an authorative NTP server, and
+ use the same NTP service for all other systems.
<h:br />
<h:br />
- You can accomplish this by regularly executing <h:b>ntpdate</h:b>,
- but you can also use a service like <h:code>net-misc/ntp</h:code>'s
+ This can be accomplished by regularly executing <h:b>ntpdate</h:b>,
+ but can also be handled using a service like <h:code>net-misc/ntp</h:code>'s
<h:b>ntpd</h:b>.
</description>
</Group>
</Group>
</Group>
- </Group> <!-- system -->
- <!--
- <Group id="gt-system-services">
-
- </Group>
- <Group id="gt-system-portage">
- <title>Portage Settings</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-portage">
+ <title>Portage settings</title>
<description>
The package manager of any system is a very important tool. It is
responsible for handling proper software deployments, but also offers
@@ -1068,11 +1102,11 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<h:br />
For Gentoo, the package manager offers a great deal of flexibility (as
that is the goal of Gentoo anyhow). As such, good settings for a more
- secure environment within Portage (assuming that you use Portage as
+ secure environment within Portage (assuming that Portage is used as
package manager) are important.
</description>
- <Group id="gt-system-portage-use">
- <title>USE Flags</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-portage-use">
+ <title>USE flags</title>
<description>
USE flags in Gentoo are used to tune the functionality of many
components and enable or disable features.
@@ -1101,7 +1135,7 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<h:br />
With <h:b>TCP wrappers</h:b>, services can be shielded from
unauthorized access on host level. It is an access control level
- mechanism which allows you to identify allowed (and denied) hosts or
+ mechanism which allows configuring allowed (and denied) hosts or
network segments on application level.
<h:br />
<h:br />
@@ -1111,26 +1145,24 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
client-certificate based authentication mechanism.
<h:br />
<h:br />
- You should set the USE flags globally in
- <h:code>/etc/make.conf</h:code>.
+ Set the USE flags globally in <h:code>/etc/portage/make.conf</h:code>
+ so they are applicable to all installed software.
<h:br />
- <h:pre>
-USE="... pam tcpd ssl"</h:pre>
+ <h:pre>USE="... pam tcpd ssl"</h:pre>
</description>
</Group>
- <Group id="gt-system-portage-webrsync">
- <title>Fetching Signed Portage Tree</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-portage-webrsync">
+ <title>Fetching signed portage tree</title>
<description>
Gentoo Portage supports fetching signed tree snapshots using
<h:b>emerge-webrsync</h:b>. This is documented in the Gentoo Handbook,
- but as it is quite easy, here you can find the instructions again:
- <h:pre>
-# <h:b>mkdir -p /etc/portage/gpg</h:b>
+ but as it is quite easy, here are the instructions again:
+ <h:pre># <h:b>mkdir -p /etc/portage/gpg</h:b>
# <h:b>chmod 0700 /etc/portage/gpg</h:b>
-# <h:b>gpg - -homedir /etc/portage/gpg - -keyserver subkeys.pgp.net - -recv-keys 0x239C75C4 0x96D8BF6D</h:b>
-# <h:b>gpg - -homedir /etc/portage/gpg - -edit-key 0x239C75C4 trust</h:b>
-# <h:b>gpg - -homedir /etc/portage/gpg - -edit-key 0x96D8BF6D trust</h:b></h:pre>
- After this, you can edit <h:code>/etc/make.conf</h:code>:
+# <h:b>gpg --homedir /etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0x239C75C4 0x96D8BF6D</h:b>
+# <h:b>gpg --homedir /etc/portage/gpg --edit-key 0x239C75C4 trust</h:b>
+# <h:b>gpg --homedir /etc/portage/gpg --edit-key 0x96D8BF6D trust</h:b></h:pre>
+ After this, edit <h:code>/etc/portage/make.conf</h:code>:
<h:pre>
FEATURES="webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
@@ -1138,42 +1170,40 @@ SYNC=""</h:pre>
</description>
</Group>
</Group>
- <Group id="gt-system-kernel">
- <title>Kernel Configuration</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-kernel">
+ <title>Kernel configuration</title>
<description>
The Linux kernel should be configured using a sane security standard in
mind. When using grSecurity, additional security-enhancing settings can
be enabled.
<h:br />
<h:br />
- For further details, I refer to the "Hardening the Linux kernel" guide.
+ For further details, please refer to the "Hardening the Linux kernel" guide.
</description>
<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
</Group>
- <Group id="gt-system-bootloader">
- <title>Bootloader Configuration</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader">
+ <title>Bootloader configuration</title>
<description>
The bootloader (be it GRUB or another tool) is responsible for loading
the Linux kernel and handing over system control to the kernel. But boot
loaders also allow for a flexible approach on kernel loading, which can
be (ab)used to work around security mechanisms.
</description>
- <Group id="gt-system-bootloader-grubpass">
- <title>Password Protect GRUB</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
+ <title>Password protect GRUB (legacy)</title>
<description>
It is recommended to password-protect the GRUB configuration so that
- you cannot modify boot options during a boot without providing the
+ the boot options cannot be modified during a boot without providing the
valid password.
<h:br />
<h:br />
- You can accomplish this by inserting <h:code>password abc123</h:code>
+ This can be accomplished by inserting <h:code>password abc123</h:code>
in <h:code>/boot/grub/grub.conf</h:code> (which will set the password
- to "abc123"). But if you do not like having a clear-text password in
- the configuration file, you can hash it. Just start <h:b>grub</h:b>
+ to "abc123"). But as clear-text passwords in the configuration file are insecure as well,
+ hash the passwords. Just start <h:b>grub</h:b>
and, in the grub-shell, type <h:b>md5crypt</h:b>.
- <h:br />
- <h:pre>
-# <h:b>grub</h:b>
+ <h:pre># <h:b>grub</h:b>
GRUB version 0.92 (640K lower / 3072K upper memory)
@@ -1186,26 +1216,24 @@ Encrypted: $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.
grub> <h:b>quit</h:b></h:pre>
<h:br />
- You can then use this hashed password in <h:code>grub.conf</h:code>
- using <h:code>password - -md5
- $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
+ This hashed password can now be used in <h:code>grub.conf</h:code>
+ using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
</description>
</Group>
- <Group id="gt-system-bootloader-lilopass">
- <title>Password Protect LILO</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
+ <title>Password protect LILO</title>
<description>
It is recommended to password-protect the LILO configuration so that
- you cannot modify boot options during a boot without providing the
- valid password.
+ modifying the boot options during a boot without providing the
+ valid password is not possible.
<h:br />
<h:br />
- You can accomplish this by inserting <h:code>password=abc123</h:code>
+ This can be accomplished by inserting <h:code>password=abc123</h:code>
followed by <h:code>restricted</h:code> in the
<h:code>/etc/lilo.conf</h:code> file. It is also possible to do this
on a per-image level.
<h:br />
- <h:pre>
-password=abc123
+ <h:pre>password=abc123
restricted
delay=3
@@ -1223,8 +1251,8 @@ image=/boot/bzImage
</description>
</Group>
</Group>
- <Group id="gt-system-auth">
- <title>Authentication and Authorization Settings</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
+ <title>Authentication and authorization settings</title>
<description>
An important part in a servers' security is its authentication and
authorization support. We have already described how to build in PAM
@@ -1232,8 +1260,8 @@ image=/boot/bzImage
authorization settings are mode than just compiling in the necessary
functionality.
</description>
- <Group id="gt-system-auth-securetty">
- <title>Restrict root System Logon</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-securetty">
+ <title>Restrict root system logon</title>
<description>
To restrict where the root user can directly log on, edit
<h:code>/etc/securetty</h:code> and specify the supported terminals
@@ -1246,16 +1274,15 @@ image=/boot/bzImage
<h:br />
A recommended setting is to only allow root user login through the
console and the physical terminals (<h:code>tty0-tty12</h:code>).
- <h:pre>
-console
+ <h:pre>console
tty0
tty1
...
tty12</h:pre>
</description>
</Group>
- <Group id="gt-system-auth-userlogin">
- <title>Allow Only Known Users to Login</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
+ <title>Allow only known users to login</title>
<description>
When PAM is enabled, the <h:code>/etc/security/access.conf</h:code>
file is used to check which users are allowed to log on and not
@@ -1264,13 +1291,13 @@ tty12</h:pre>
log on from.
<h:br />
<h:br />
- By enabling these settings, you reduce the risk that a functional
+ By enabling these settings, the risk is reduced that a functional
account (say <h:code>apache</h:code>) is abused to log on with, or
that a new account is created as part of an exploit.
</description>
</Group>
- <Group id="gt-system-auth-resources">
- <title>Restrict User Resources</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources">
+ <title>Restrict user resources</title>
<description>
When facing a DoS (Denial-of-Service) attack, reducing the impact of
the attack can be done by limited resource consumption. Although the
@@ -1293,7 +1320,7 @@ tty12</h:pre>
PAM-aware.
</h:li>
</h:ul>
- Generally, you should suffice with setting
+ Generally, it should suffice to set up
<h:code>/etc/security/limits.conf</h:code>, which is the configuration
file used by the <h:code>pam_limits.so</h:code> module.
<h:br />
@@ -1309,8 +1336,8 @@ tty12</h:pre>
# <h:b>man limits</h:b></h:pre>
</description>
</Group>
- <Group id="gt-system-auth-password">
- <title>Enforce Password Policy</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-password">
+ <title>Enforce password policy</title>
<description>
Usually most organizations have a password policy, telling their users
how long their passwords should be and how often the passwords should
@@ -1322,16 +1349,14 @@ tty12</h:pre>
<h:code>sys-apps/shadow</h:code> package (which is installed by
default) and can be configured through the
<h:code>/etc/login.defs</h:code> file. This file is well documented
- (using comments) and it has a full manual page as well to help you en
- route.
+ (using comments) and it has a full manual page as well.
<h:br />
<h:br />
A second important player when dealing with password policies is the
- <h:code>pam_cracklib.so</h:code> library. You can then use this in the
+ <h:code>pam_cracklib.so</h:code> library. This can be used in the
appropriate <h:code>/etc/pam.d/*</h:code> files. For instance, for the
<h:code>/etc/pam.d/passwd</h:code> definition:
- <h:pre>
-auth required pam_unix.so shadow nullok
+ <h:pre>auth required pam_unix.so shadow nullok
account required pam_unix.so
<h:b>password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2</h:b>
password required pam_unix.so md5 use_authok
@@ -1341,10 +1366,10 @@ session required pam_unix.so</h:pre>
password, contain 2 digits and 2 non-alphanumeric characters.
</description>
</Group>
- <Group id="gt-system-auth-ripper">
- <title>Review Password Strength Regularly</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-ripper">
+ <title>Review password strength regularly</title>
<description>
- Regularly check the strength of your users' passwords. There are tools
+ Regularly check the strength of the users' passwords. There are tools
out there, like <h:code>app-crypt/johntheripper</h:code> which, given
a <h:code>/etc/shadow</h:code> file (or sometimes even LDAP dump) try
to find the passwords for the users.
@@ -1356,15 +1381,15 @@ session required pam_unix.so</h:pre>
</description>
</Group>
</Group>
- <Group id="gt-system-session">
- <title>Session Settings</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-session">
+ <title>Session settings</title>
<description>
Unlike authentication and authorization settings, a <h:em>session</h:em>
setting is one that is applicable to an authenticated and authorized
user when he is logged on to the system.
</description>
- <Group id="gt-system-session-mesg">
- <title>Disable Access to User Terminals</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-session-mesg">
+ <title>Disable access to user terminals</title>
<description>
By default, user terminals are accessible by others to write messages
to (using <h:b>write</h:b>, <h:b>wall</h:b> or <h:b>talk</h:b>). It is
@@ -1375,45 +1400,37 @@ session required pam_unix.so</h:pre>
actions.
<h:br />
<h:br />
- You can disable this by setting <h:code>mesg n</h:code> in
+ This can be disabled by setting <h:code>mesg n</h:code> in
<h:code>/etc/profile</h:code>. A user-friendly method for doing so in
Gentoo is to create a file <h:code>/etc/profile.d/disable_mesg</h:code> which
contains this command.
</description>
</Group>
</Group>
- <Group id="gt-system-fileprivileges">
- <title>File and Directory Privileges and Integrity</title>
+ <Group id="xccdf_org.gentoo.dev_group_system-fileprivileges">
+ <title>File and directory privileges and integrity</title>
<description>
Proper privileges on files makes it far more difficult to malicious
users to obtain sensitive information or write/update files they should
not have access to.
</description>
- <Group id="gt-system-fileprivileges-worldrw">
- <title>Limit World Writable Files and Locations</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-worldrw">
+ <title>Limit world writable files and locations</title>
<description>
Limit (or even remove) the use of world writable files and locations.
- If a directory is world writable, you probably want to have the
+ If a directory is world writable, it makes sense to have the
sticky bit set on it as well (like with <h:code>/tmp</h:code>).
<h:br />
<h:br />
- You can use <h:code>find</h:code> to locate such files or directories.
- <h:pre>
-# <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre>
+ Use <h:code>find</h:code> to locate such files or directories.
+ <h:pre># <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre>
The above command shows world writable files and locations, unless it
is a directory with the sticky bit set, or a symbolic link (whose
world writable privilege is not accessible anyhow).
</description>
- <Rule id="rule-world-writeable-sticky" selected="false">
- <title>World writeable directories must have sticky bit set</title>
- <description>World writeable directories must have sticky bit set</description>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" />
- </check>
- </Rule>
</Group>
- <Group id="gt-system-fileprivileges-suidsgid">
- <title>Limit Setuid and Setgid File and Directory Usage</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
+ <title>Limit setuid and setgid file and directory usage</title>
<description>
The <h:em>setuid</h:em> and <h:em>setgid</h:em> flags for files and
directories can be used to work around authentication and
@@ -1433,8 +1450,8 @@ session required pam_unix.so</h:pre>
the mentioned (parent) directory.
</description>
</Group>
- <Group id="gt-system-fileprivileges-logs">
- <title>Logs Only Readable By Proper Group</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs">
+ <title>Logs only readable by proper group</title>
<description>
No log file in <h:code>/var/log</h:code> should be world readable. Log
files should be limited by particular groups (either the group
@@ -1443,8 +1460,8 @@ session required pam_unix.so</h:pre>
<h:code>wheel</h:code>).
</description>
</Group>
- <Group id="gt-system-fileprivileges-rootonly">
- <title>Files Only Used By Root Should be Root-Only</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-rootonly">
+ <title>Files only used by root should be root-only</title>
<description>
Some files, like <h:code>/etc/shadow</h:code>, are meant to be read
(and perhaps modified) by root only. These files should never have
@@ -1464,44 +1481,44 @@ session required pam_unix.so</h:pre>
</h:ul>
</description>
</Group>
- <Group id="gt-system-fileprivileges-hids">
- <title>Review File Integrity Regularly</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-hids">
+ <title>Review file integrity regularly</title>
<description>
Deploy intrusion detection tool(s) to validate the integrity and
privileges on important files. <h:code>app-forensics/aide</h:code> is
an example of such a tool.
</description>
</Group>
- </Group>
- </Group>
- <Group id="gt-data">
- <title>Data Flows</title>
+ </Group>
+ </Group> <!-- system -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_data">
+ <title>Data flows</title>
<description>
- Clearly map out how data flows in and out of your server (and which data
- this is). You will need this anyhow when you want to add firewalls, but it
+ Clearly map out how data flows in and out of the server (and which data
+ this is). This will be needed anyhow when firewalls are configured, but it
also improves integration of the server in a larger infrastructure.
</description>
- <Group id="gt-data-backup">
- <title>Backup Your Data</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_data-backup">
+ <title>Backup the data</title>
<description>
- Make sure that your data is backed up. This is not only in case of
- server loss, but also when you accidentally remove files or have an
+ Make sure that the data is backed up. This is not only in case of
+ server loss, but also to protect against accidental file removal or an
awkward bug in a service that deleted important information.
</description>
- <Group id="gt-data-backup-automate">
- <title>Automated Backups</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_data-backup-automate">
+ <title>Automated backups</title>
<description>
- Automate backups on the system. If you need to perform a backup
- manually, then you are doing it wrong and will start forgetting it.
+ Automate backups on the system. If the backups are performed manually
+ then they are done wrong and someone will eventually forget it.
<h:br />
<h:br />
- You can use scheduling software like <h:code>cron</h:code> to
+ Use scheduling software like <h:code>cron</h:code> to
automatically take backups on regular intervals, or use a central
backup solution like <h:code>bacula</h:code>.
</description>
</Group>
- <Group id="gt-data-backups-coverage">
- <title>Full Data Coverage</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-coverage">
+ <title>Full data coverage</title>
<description>
Many users that do take backups only do this on what they seem as
important files. However, it is wise to make full system backups too
@@ -1509,22 +1526,21 @@ session required pam_unix.so</h:pre>
or even weeks.
</description>
</Group>
- <Group id="gt-data-backups-history">
+ <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-history">
<title>Retention</title>
<description>
- Ensure that your backups use a long enough retention. It is not wise
+ Ensure that the backups use a long enough retention. It is not wise
to take a single backup and overwrite this one over and over again, as
- you might want to recover a file that was corrupted long before you
- took your last backup.
+ there will be a time that a file needs to be recovered that was corrupted
+ long before the last backup was taken.
<h:br />
<h:br />
- There is no perfect retention period however, as the more backups you
- keep, the more storage you require and the more you need to invest in
- managing your backups.
+ There is no perfect retention period however, as the more backups are
+ kept, the more storage is required and the more money or time needs to be invested in
+ managing the backups.
<h:br />
<h:br />
- In most cases, you will want to introduce a "layered" approach on
- retention. For instance, you can
+ In most cases, introduce a "layered" approach on retention. For instance:
<h:ul>
<h:li>keep daily backups for a week</h:li>
<h:li>
@@ -1539,38 +1555,38 @@ session required pam_unix.so</h:pre>
</h:ul>
</description>
</Group>
- <Group id="gt-data-backups-location">
- <title>Off-site Backups</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-location">
+ <title>Off-site backups</title>
<description>
- Keep your backups off-site in case of disaster. But consider this
- location carefully. Investigate how fast you can put the backup there,
- but also retrieve it in case you need it. Also investigate if this
- location is juridically sane (are you allowed to put your location
- there, and do you trust this off-site location).
+ Keep the backups off-site in case of disaster. But consider this
+ location carefully. Investigate how fast the backup can be put there,
+ but also how fast it can be retrieved it in case of need. Also investigate if this
+ location is juridically sane (is it allowed to put the data on this location
+ and is this off-site location trusted).
<h:br />
<h:br />
Also ensure that the backups are stored securely. If necessary,
- encrypt your backups.
+ encrypt the backups.
</description>
</Group>
- <Group id="gt-data-backups-validate">
- <title>Validate and Test</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-validate">
+ <title>Validate and test</title>
<description>
- Validate that your backup system works. Try recovering files (for
+ Validate that the backup system works. Try recovering files (for
instance on a second server or different location) or even entire
systems (virtualization is a great help here) and do this regularly.
</description>
</Group>
</Group>
- </Group>
- <Group id="gt-removal">
- <title>Decommissioning Servers</title>
+ </Group> <!-- Data flows -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_removal">
+ <title>Decommissioning servers</title>
<description>
- When you want to decommission a server, you should take care that its data
+ When a server needs to be decommissioned, make sure that its data
is safeguarded from future extraction.
</description>
- <Group id="gt-removal-wipedisk">
- <title>Wipe Disks</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_removal-wipedisk">
+ <title>Wipe disks</title>
<description>
Clear all data from the disks on the server in a secure manner.
Applications like <h:b>shred</h:b> (part of
@@ -1579,14 +1595,11 @@ session required pam_unix.so</h:pre>
<h:br />
<h:br />
It is recommended to perform full disk wipes rather than file wipes.
- If you need to do this on file level, see if you can disable file system
- journaling during the wipe session as journaling might "buffer" the
+ If this needs to be done on file level, see if the file system
+ journaling can be disabled during the wipe session as journaling might "buffer" the
secure writes and only write the end result to the disk.
</description>
- <reference
- href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">NIST
- Publication "Guidelines for Media Sanitization" (PDF)</reference>
+ <reference href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">NIST Publication "Guidelines for Media Sanitization" (PDF)</reference>
</Group>
- </Group>
- -->
+ </Group> <!-- Removal -->
</Benchmark>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-23 11:40 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-23 11:40 UTC (permalink / raw
To: gentoo-commits
commit: 133a6a5b0b5afed40fb8b258aa04254e4634a75d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 23 11:40:25 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 11:40:25 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=133a6a5b
Update comment for tst:5
---
xml/SCAP/gentoo-oval.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 8cc1398..e2a7a83 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -223,7 +223,7 @@
</description>
</metadata>
<criteria operator="AND">
- <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /var/log/audit location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
<criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /var/log/audit partition is mounted with nodev mount option" />
</criteria>
</definition>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-23 11:46 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-23 11:46 UTC (permalink / raw
To: gentoo-commits
commit: eef40ec6ddcb200e320aacc81d113eb29de79e13
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 23 11:45:53 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 11:45:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=eef40ec6
Update tests for /tmp
---
xml/SCAP/gentoo-oval.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index e2a7a83..611d021 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -224,7 +224,7 @@
</metadata>
<criteria operator="AND">
<criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
- <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /var/log/audit partition is mounted with nodev mount option" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /tmp partition is mounted with nodev mount option" />
</criteria>
</definition>
@@ -522,7 +522,7 @@
version="1" check="all" check_existence="all_exist"
comment="Tests that /tmp is mounted with nodev option">
<!-- /tmp partition -->
- <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
<!-- "nodev" mount option -->
<lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
</lin-def:partition_test>
@@ -531,7 +531,7 @@
version="1" check="all" check_existence="all_exist"
comment="Tests that /tmp is mounted with nosuid option">
<!-- /tmp partition -->
- <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
<!-- "nosuid" mount option -->
<lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
</lin-def:partition_test>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-09-24 17:10 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-09-24 17:10 UTC (permalink / raw
To: gentoo-commits
commit: c2f392c8fd80da7959c3ad574f038fcb7472402c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Sep 24 13:46:27 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:46:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c2f392c8
Adding datastream creation
---
xml/SCAP/Makefile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 3de65fa..387ae3e 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -19,6 +19,10 @@ remediate.sh: results-xccdf.xml
oscap xccdf generate fix --output remediate.sh results-xccdf.xml
chmod 0644 remediate.sh
+ds:
+ oscap ds sds-compose gentoo-xccdf.xml ds.xml
+ oscap ds sds-add gentoo-cpe.xml ds.xml
+
eval:
oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-11 20:53 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-11 20:53 UTC (permalink / raw
To: gentoo-commits
commit: 912cc3b552b8dd23ddccdca7f77a1beaa490d136
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 11 20:51:06 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 11 20:51:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=912cc3b5
Adding OpenSSH files
---
xml/SCAP/openssh-oval.xml | 354 +++++++++++++++++++++++++++
xml/SCAP/openssh-xccdf.xml | 579 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 933 insertions(+)
diff --git a/xml/SCAP/openssh-oval.xml b/xml/SCAP/openssh-oval.xml
new file mode 100644
index 0000000..ad1ca8c
--- /dev/null
+++ b/xml/SCAP/openssh-oval.xml
@@ -0,0 +1,354 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+ xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+ xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+ xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+ <generator>
+ <oval:product_name>vim</oval:product_name>
+ <oval:schema_version>5.9</oval:schema_version>
+ <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+ </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:1" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:3" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:5" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+ <metadata>
+ <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+ <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="file /etc/hosts.allow must have a line that matches ^sshd:" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:7" version="1">
+ <metadata>
+ <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+ <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:9" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:11" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:13" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:15" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:17" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:19" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no" />
+ </criteria>
+</definition>
+<!-- @@GENOVAL END DEFINITIONS -->
+</definitions>
+
+<tests>
+<!-- @@GENOVAL START TESTS -->
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:3" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:5" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="file /etc/hosts.allow must have a line that matches ^sshd:" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:7" version="1" check="at least one" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:9" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:11" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:13" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:15" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:17" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19" />
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /etc/ssh/sshd_config">
+ <ind-def:filepath>/etc/ssh/sshd_config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /etc/hosts.allow">
+ <ind-def:filepath>/etc/hosts.allow</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /etc/hosts.deny">
+ <ind-def:filepath>/etc/hosts.deny</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of ^PermitRootLogin no">
+ <ind-def:subexpression operation="pattern match">^PermitRootLogin no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of ^PasswordAuthentication no">
+ <ind-def:subexpression operation="pattern match">^PasswordAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of ^ChallengeResponseAuthentication no">
+ <ind-def:subexpression operation="pattern match">^ChallengeResponseAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of ^AllowGroup">
+ <ind-def:subexpression operation="pattern match">^AllowGroup</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of ^sshd">
+ <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of ^sshd">
+ <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of ^IgnoreRhosts.*no">
+ <ind-def:subexpression operation="pattern match">^IgnoreRhosts.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of ^RhostsRSAAuthentication.*yes">
+ <ind-def:subexpression operation="pattern match">^RhostsRSAAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of ^HostbasedAuthentication.*yes">
+ <ind-def:subexpression operation="pattern match">^HostbasedAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of ^PermitEmptyPasswords.*yes">
+ <ind-def:subexpression operation="pattern match">^PermitEmptyPasswords.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of ^UsePAM.*no">
+ <ind-def:subexpression operation="pattern match">^UsePAM.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of ^Protocol.*1">
+ <ind-def:subexpression operation="pattern match">^Protocol.*1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of ^UsePrivilegeSeparation.*no">
+ <ind-def:subexpression operation="pattern match">^UsePrivilegeSeparation.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of ^X11Forwarding.*yes">
+ <ind-def:subexpression operation="pattern match">^X11Forwarding.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of ^StrictMode.*no">
+ <ind-def:subexpression operation="pattern match">^StrictMode.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of ^ListenAddress.*0.0.0.0">
+ <ind-def:subexpression operation="pattern match">^ListenAddress.*0.0.0.0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of ^ListenAddress *">
+ <ind-def:subexpression operation="pattern match">^ListenAddress[ ]*</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of ^ListenAddress">
+ <ind-def:subexpression operation="pattern match">^ListenAddress</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of ^AllowTcpForwarding.*no">
+ <ind-def:subexpression operation="pattern match">^AllowTcpForwarding.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+</oval_definitions>
diff --git a/xml/SCAP/openssh-xccdf.xml b/xml/SCAP/openssh-xccdf.xml
new file mode 100644
index 0000000..0230c63
--- /dev/null
+++ b/xml/SCAP/openssh-xccdf.xml
@@ -0,0 +1,579 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_Gentoo-Security-Benchmark-OpenSSH-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+ <status date="2012-07-14">draft</status>
+ <title>Hardening OpenSSH</title>
+ <description>
+ The OpenSSH server offers remote Secure Shell services towards your users. This benchmark
+ focuses on the hardening of OpenSSH within a Gentoo Hardened environment.
+ </description>
+ <platform idref="cpe:/o:gentoo:linux"/>
+ <version>1</version>
+ <model system="urn:xccdf:scoring:default"/>
+ <model system="urn:xccdf:scoring:flat"/>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
+ <title>OpenSSH server setup settings</title>
+ <description>
+ Profile matching all OpenSSH hardening rules
+ </description>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="true" />
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="true" />
+ </Profile>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro">
+ <title>Introduction</title>
+ <description>
+ The OpenSSH service is one of the most used SSH providing services.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
+ <title>Using this guide</title>
+ <description>
+ The guide you are currently reading is the guide generated from this SCAP
+ content (more specifically, the XCCDF document) using <h:b>openscap</h:b>,
+ a free software implementation for handling SCAP content. Within Gentoo,
+ the package <h:code>app-forensics/openscap</h:code> provides the tools, and
+ the following command is used to generate the HTML output:
+ <h:br />
+ <h:pre>### Command to generate this guide ###
+# <h:b>oscap xccdf generate guide scap-openssh-xccdf.xml > output.html</h:b>
+ </h:pre>
+ <h:br />
+ Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
+ The two files combined allow you to automatically validate various settings as
+ documented in the benchmark.
+ <h:br />
+ <h:br />
+ You can test the benchmark against your configuration.
+ <h:pre>### Testing the rules mentioned in the XCCDF document ###
+# <h:b>oscap xccdf eval --profile Default scap-openssh-xccdf.xml</h:b></h:pre>
+ <h:br />
+ To generate a full report in HTML as well, you can use the next command:
+ <h:pre>### Testing the rules and generating an HTML report ###
+# <h:b>oscap xccdf eval --profile Default --results xccdf-results.xml --report report.html scap-openssh-xccdf.xml</h:b></h:pre>
+ <h:br />
+ Finally, this benchmark will suggest some settings which you do not want
+ to enable. That is perfectly fine - even more, some settings might even
+ raise eyebrows left and right. We'll try to document the reasoning behind
+ the settings but you are free to deviate from them. If that is the case,
+ you might want to create your own profile which only contains the rules
+ you want checked. You can then use that profile instead of the Default one.
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
+ <title>Available XCCDF Profiles</title>
+ <description>
+ As mentioned earlier, the XCCDF document supports multiple profiles. For the time
+ being, one profile is defined:
+ <h:br />
+ <h:ul>
+ <h:li>Default contains all mentioned tests</h:li>
+ </h:ul>
+ Substitute the profile information in the commands above with the profile you want to test on.
+ </description>
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config">
+ <title>Configuration Settings</title>
+ <description>
+ In this section, we look at the configuration settings of an OpenSSH service
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default">
+ <title>Default OpenSSH settings</title>
+ <description>
+ OpenSSH comes with some sane defaults to start with. These should not be touched.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhosts">
+ <title>Ignore Rhosts</title>
+ <description>
+ Historically, users could define a <h:code>.rhosts</h:code> or <h:code>.shosts</h:code>
+ file in which they mention the systems from which they log on to the system (the client
+ hosts). When the user then logs on from one of these remote locations, the shell service
+ would not ask for password authentication and just automatically log in the user.
+ <h:br />
+ <h:br />
+ The shell service treats <h:code>.shosts</h:code> mentioned hosts a bit different: it first
+ checks that hosts identity using some public key authentication scheme (in which case the
+ host keys of the clients are placed in <h:code>/etc/ssh/ssh_known_hosts</h:code> or
+ <h:code>~/.ssh/known_hosts</h:code>).
+ <h:br />
+ <h:br />
+ This is however a very insecure setup and can be easily circumvented. It only performs
+ host-based authentication, not user authentication, and in case of the <h:code>.rhosts</h:code>
+ file this host-based authentication is only based on the hostname/IP matching.
+ <h:br />
+ <h:br />
+ For this reason, support for the <h:code>.rhosts</h:code> and <h:code>.shosts</h:code>
+ files is by default disabled.
+ <h:br />
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : IgnoreRhosts
+# If set, IgnoreRhosts must be set to yes (which is the default)
+IgnoreRhosts yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-rhosts -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-rhosts -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhostsrsa">
+ <title>Do not allow RSA Host Authentication</title>
+ <description>
+ As part of the Rhosts implementation, OpenSSH supports using RSA authentication for remote hosts.
+ With RSA authentication enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+ files need to be authenticated based on their RSA key. This applies to the SSH protocol version 1 only.
+ <h:br />
+ <h:br />
+ As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+ this option is by default disabled.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : RhostsRSAAuthentication
+# If set, RhostsRSAAuthentication must be set to "no" (which is the default).
+RhostsRSAAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-rrsa -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-rrsa -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-hostbased">
+ <title>Do not allow Host-based Authentication</title>
+ <description>
+ As part of the Rhosts implementation, Ope SSH supports using public key authenticatoin for remote hosts.
+ With this enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+ files need to be authenticated based on their public key. This applies to the SSH protocol version 2 only.
+ <h:br />
+ <h:br />
+ As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+ this option is by default disabled.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : HostbasedAuthentication
+# If set, HostbasedAuthentication must be set to "no" (which is the default)
+HostbasedAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-hostbased -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-hostbased -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-emptypassword">
+ <title>Do not Permit Empty Passwords</title>
+ <description>
+ If password-based authentication is used, it is wise not to allow empty passwords.
+ <h:br />
+ <h:br />
+ Allowing empty passwords within your network makes the services <h:em>very</h:em> vulnerable
+ to exploit, even when the software is fully up-to-date.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : PermitEmptyPasswords
+# If set, PermitEmptyPasswords must be set to "no" (which is the default).
+PermitEmptyPasswords no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-empty -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-empty -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-pam">
+ <title>Use PAM</title>
+ <description>
+ PAM (Pluggable Authentication Modules) is a powerful framework for managing
+ authentication of users and services in a flexible manner. By default, OpenSSH
+ uses PAM for the authentication of users.
+ <h:br />
+ <h:br />
+ One of the many advantages of PAM is that you can add in additional rules you want
+ to enforce during the authentication. You can limit access based on login count (or number of failures),
+ use centralized authentication repositories (like OpenLDAP), allow access only during specific
+ time windows, etc.
+ <h:br />
+ <h:br />
+ It is strongly advised to use PAM for SSH authentication too (but do manage the PAM configuration
+ properly!) Be aware though that the authentication services themselves (is the user who he sais
+ he is) of PAM are not used if public key authentication is used. The other services, which include
+ the access controls mentioned earlier, are still consulted though.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : UsePAM
+# If set, UsePAM must be set to "yes" (which is the default)
+UsePAM yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-pam -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-pam -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-protocol2">
+ <title>Only use version 2 of the SSH protocol</title>
+ <description>
+ The first version of the SSH protocol has been found insecure: TODO.
+ <h:br />
+ <h:br />
+ For this reason, it is strongly advised to use version 2 of the protocol only. This is also
+ the default for OpenSSH.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : Protocol
+# If set, Protocol must be set to 2 only (which is the default)
+Protocol 2</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-protocol -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-protocol -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-privsep">
+ <title>Use privilege separation</title>
+ <description>
+ With privilege separation enabled, the SSH daemon has a tiny footprint running as root,
+ whereas the rest of the application runs as an unprivileged process to deal with the
+ incoming network traffic. This can be tuned with <h:code>UsePrivilegeSeparation yes</h:code>
+ which is the default for OpenSSH.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : UsePrivilegeSeparation
+# If set, UsePrivilegeSeparation must be set to yes (which is the default)
+UsePrivilegeSeparation yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-useprivsep -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-useprivsep -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-x11fwd">
+ <title>Disable X11 forwarding</title>
+ <description>
+ SSH supports forwarding X11 packets, so X11 applications started on the remote system have their
+ display shown on the client. This behavior is by default disabled.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : X11Forwarding
+# If set, X11Forwarding must be set to no (which is the default)
+X11Forwarding no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-nox11fwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-nox11fwd -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-strictmode">
+ <title>Enable strict mode</title>
+ <description>
+ When <h:code>StrictModes yes</h:code> is enabled, the SSH daemon will only allow a remote user to
+ log on when some of the important files in that users' home directory have the proper privileges and
+ ownership. This behavior is by default enabled.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : StrictModes
+# If set, StrictModes must be set to yes (which is the default)
+StrictModes yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-strictmode -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-strictmode -->
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth">
+ <title>Authentication-related settings</title>
+ <description>
+ Being a remote shell service, authentication is one of the main features that OpenSSH provides.
+ A few settings help us in hardening the SSH server even further.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-noroot">
+ <title>Disable root logins</title>
+ <description>
+ As root is one of the most powerful accounts, direct access to root should be limited. It is
+ advised that, if a process needs root privileges, it uses a functional account which has the
+ right to call one or a few commands as root, but nothing else.
+ <h:br />
+ <h:br />
+ With OpenSSH, it is possible to prohibit direct root access towards the system if feasible within
+ your architecture. This can be accomplished using the <h:code>PermitRootLogin no</h:code> directive.
+ If you need root logins, consider only allowing specified command access (forced-commands-only).
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : PermitRootLogin
+# Set this to "no" or, if needed, "forced-commands-only"
+PermitRootLogin no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-norootlogin -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:1" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-norootlogin -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nopassword">
+ <title>Use public key authentication</title>
+ <description>
+ By default, OpenSSH uses interactive, keyboard-based password logins. One intrinsic problem with
+ passwords is that they can be weak, but also that hacked passwords can be used from other locations.
+ <h:br />
+ <h:br />
+ A safer approach for remote shell invocation is to use a keypair: the key is much stronger than most
+ passwords, making brute-force improbably and dictionary-attacks useless. The private key is only
+ known by you (on your system) and optionally (but preferably) protected by a (strong) passphraze so that
+ adversaries that force access to your system can still not use your private key.
+ <h:br />
+ <h:br />
+ Such a keypair an be generated by the users using <h:b>ssh-keygen -t dsa</h:b> after which the private and
+ public keys are stored in <h:code>~/.ssh</h:code>
+ <h:br />
+ <h:br />
+ On the OpenSSH server level, you can force the use of public key authentication (and thus deny
+ keyboard-interactive password logins) using <h:code>PasswordAuthentication no</h:code>.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : PasswordAuthentication
+# Set this to "no"
+PasswordAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-nopasswordauth -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-nopasswordauth -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nochallengeresponse">
+ <title>Disable ChallengeResponseAuthentication</title>
+ <description>
+ In OpenSSH, a (confusing) parameter called <h:code>ChallengeResponseAuthentication</h:code>
+ is available (and by default enabled). Many users might believe that this implements a more secure
+ authentication method (based on a challenge and a token that need to be verified - i.e. multi-factor
+ authentication). However, in case of this parameter, this isn't true.
+ <h:br />
+ <h:br />
+ The <h:code>ChallengeResponseAuthentication</h:code> setting enables <h:em>TIS Challenge/Response</h:em>
+ in SSH protocol version 1, and keyboard-interactive in SSH protocol v2. Hence, in our case, it is best
+ set disabled as we do not want regular password authentication to be enabled (and don't use protocol
+ version 1).
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : ChallengeResponseAuthentication
+# Set this to "no"
+ChallengeResponseAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-nochallengeresponse -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-nochallengeresponse -->
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl">
+ <title>Access control related settings</title>
+ <description>
+ By default, OpenSSH allows access from any location and by any user who gets authenticated properly.
+ However, it is safer if you can restrict access from hosts that are allowed to access the SSH service
+ (and not other hosts) as well as users that are known to access the system remotely.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-allowgroup">
+ <title>Only allow specific group(s) access</title>
+ <description>
+ Not every user on your system needs to be able to remotely log on to the system. Many
+ users on your system are local-only, either because they are services accounts, or
+ because the users are only meant to log on directly (or through another service).
+ <h:br />
+ <h:br />
+ With OpenSSH, you can limit SSH access to users defined in a limited set of (Unix) groups.
+ It is recommended to define a Unix group (like <h:code>ssh</h:code> if that isn't used by the
+ service daemon itself) in which those users are defined, and then only allow SSH access
+ for this group.
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : AllowGroup
+# Set this to the unix group whose members are allowed access
+AllowGroup ssh</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-allowgroup -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-allowgroup -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-hosts">
+ <title>Only allow specific host(s) access</title>
+ <description>
+ Not every host on your network (or beyond) needs access to your system. On the contrary, most
+ hosts probably shouldn't have SSH access to your system.
+ <h:br />
+ <h:br />
+ With a service called <h:em>tcpwrappers</h:em> OpenSSH allows administrators to define the hosts
+ allowed access (or explicitly not allowed access) in the <h:code>/etc/hosts.allow</h:code> and
+ <h:code>/etc/hosts.deny</h:code>.
+ <h:br />
+ <h:br />
+ For a good secure setting, it is recommended to disallow access from any host, and then explicitly grant
+ access from a select set of hosts (or subnetworks).
+ <h:br />
+ <h:pre>### /etc/hosts.allow
+# Give the list of allowed hosts or networks
+sshd: 192.168.1.0/24</h:pre><h:br />
+ <h:pre>### /etc/hosts.deny
+# Deny access by default from everywhere
+sshd: ALL</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-hostsallow -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="false">
+ <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+ <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-hostsallow -->
+ <!-- @@GEN START rule-sshd-hostsdeny -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="false">
+ <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+ <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-hostsdeny -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-listen">
+ <title>Only listen on proper interfaces</title>
+ <description>
+ By default, OpenSSH listens on all available interfaces. In many cases though, this isn't necessary.
+ <h:br />
+ <h:br />
+ Multihomed systems (i.e. systems with multiple network interfaces) usually only use a single interface
+ for the administrative access, whereas the other interface is to connect to the Internet or disclose the
+ "business applications".
+ <h:br />
+ <h:br />
+ On dual stack systems (i.e. systems with an IPv4 and IPv6 stack) the IPv6 (or IPv4) address might not be
+ in use, or not for the administrative access (like through OpenSSH). In these cases, it is wise not to have
+ OpenSSH listen on these addresses either.
+ <h:br />
+ <h:pre>## /etc/ssh/sshd_config : ListenAddress
+# Define a ListenAddress, but do not set it to "any address"
+# (which is 0.0.0.0 in IPv4 and :: in IPv6)
+ListenAddress 192.168.100.121</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-listen -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-listen -->
+ <!-- @@GEN START rule-sshd-listen4 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-listen4 -->
+ <!-- @@GEN START rule-sshd-listen6 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-listen6 -->
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-use">
+ <title>Disable unused settings</title>
+ <description>
+ OpenSSH has a few more options that it supports. If you, however, have no need for these options,
+ it is safer to have them disabled. Potential vulnerabilities that might be discovered later on these
+ options then have no effect on your system.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-use-tcpfwd">
+ <title>Disable TCP forwarding</title>
+ <description>
+ SSH supports "tunneling", where packets are forwarded over a (partially) secure channel towards
+ another location. If you do not need this, disable TCP forwarding through <h:code>AllowTcpForwarding no</h:code>
+ <h:br />
+ <h:pre>### /etc/ssh/sshd_config : AllowTcpForwarding
+# If not needed, disable TCP forwarding
+AllowTcpForwarding no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-notcpfwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="openssh-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-notcpfwd -->
+ </Group>
+ </Group>
+ </Group>
+</Benchmark>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-11 20:53 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-11 20:53 UTC (permalink / raw
To: gentoo-commits
commit: a6f37929a49613d714cd9ff316084dc295f06928
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 11 20:51:29 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 11 20:51:29 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a6f37929
Fix QUOTA check (better output)
---
xml/SCAP/gentoo-oval.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 611d021..693d59f 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -578,9 +578,9 @@
</lin-def:partition_test>
<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19"
- version="1" check="at least one" check_existence="at_least_one_exists"
+ version="2" check="all" check_existence="at_least_one_exists"
comment="Tests that CONFIG_QUOTA is in the kernel configuration">
- <!-- The file containing kernel configuration -->
+ <!-- The file containing kernel configuration matching CONFIG_QUOTA -->
<ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" />
<!-- Match for "^CONFIG_QUOTA=[ym]" -->
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
@@ -677,9 +677,9 @@
</lin-def:partition_object>
<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9"
- version="1" comment="The file containing kernel configuration">
+ version="2" comment="The file containing kernel configuration CONFIG_QUOTA">
<ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
- <ind-def:pattern operation="pattern match">^CONFIG_.*</ind-def:pattern>
+ <ind-def:pattern operation="pattern match">CONFIG_QUOTA.*</ind-def:pattern>
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-11 20:58 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-11 20:58 UTC (permalink / raw
To: gentoo-commits
commit: 47048684305f47c5fbe32da2c9cdc6e7f687cfaa
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 11 20:57:13 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 11 20:57:13 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=47048684
Adding datastream for OpenSSH
---
xml/SCAP/openssh-ds.xml | 1610 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 1610 insertions(+)
diff --git a/xml/SCAP/openssh-ds.xml b/xml/SCAP/openssh-ds.xml
new file mode 100644
index 0000000..84207bc
--- /dev/null
+++ b/xml/SCAP/openssh-ds.xml
@@ -0,0 +1,1610 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_openssh-xccdf.xml" schematron-version="1.0"><ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_openssh-xccdf.xml" scap-version="1.2" use-case="OTHER"><ds:dictionaries><ds:component-ref id="scap_org.open-scap_cref_gentoo-cpe.xml" xlink:href="#scap_org.open-scap_comp_gentoo-cpe.xml"><cat:catalog><cat:uri name="gentoo-oval.xml" uri="#scap_org.open-scap_cref_gentoo-oval.xml"/></cat:catalog></ds:component-ref></ds:dictionaries><ds:checklists><ds:component-ref id="scap_org.open-scap_cref_openssh-xccdf.xml" xlink:href="#scap_org.open-scap_comp_openssh-xccdf.xml"><cat:catalog><cat:uri name="openssh-oval.xml" uri="#scap_org.open-scap_cref_openssh-oval.xml"/></cat:catalog></ds:component-ref></ds:checklists><ds:checks><ds:component-ref id="scap_org.open-scap_cre
f_openssh-oval.xml" xlink:href="#scap_org.open-scap_comp_openssh-oval.xml"/><ds:component-ref id="scap_org.open-scap_cref_gentoo-oval.xml" xlink:href="#scap_org.open-scap_comp_gentoo-oval.xml"/></ds:checks></ds:data-stream><ds:component id="scap_org.open-scap_comp_openssh-oval.xml" timestamp="2012-07-18T22:14:45"><oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+ <generator>
+ <oval:product_name>vim</oval:product_name>
+ <oval:schema_version>5.9</oval:schema_version>
+ <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+ </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:1" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:3" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:5" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+ <metadata>
+ <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+ <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="file /etc/hosts.allow must have a line that matches ^sshd:"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:7" version="1">
+ <metadata>
+ <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+ <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:9" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:11" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:13" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:15" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:17" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:19" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress"/>
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1">
+ <metadata>
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no"/>
+ </criteria>
+</definition>
+<!-- @@GENOVAL END DEFINITIONS -->
+</definitions>
+
+<tests>
+<!-- @@GENOVAL START TESTS -->
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:3" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:5" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="file /etc/hosts.allow must have a line that matches ^sshd:" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:7" version="1" check="at least one" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:9" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:11" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:13" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:15" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:17" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19"/>
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /etc/ssh/sshd_config">
+ <ind-def:filepath>/etc/ssh/sshd_config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /etc/hosts.allow">
+ <ind-def:filepath>/etc/hosts.allow</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /etc/hosts.deny">
+ <ind-def:filepath>/etc/hosts.deny</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of ^PermitRootLogin no">
+ <ind-def:subexpression operation="pattern match">^PermitRootLogin no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of ^PasswordAuthentication no">
+ <ind-def:subexpression operation="pattern match">^PasswordAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of ^ChallengeResponseAuthentication no">
+ <ind-def:subexpression operation="pattern match">^ChallengeResponseAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of ^AllowGroup">
+ <ind-def:subexpression operation="pattern match">^AllowGroup</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of ^sshd">
+ <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of ^sshd">
+ <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of ^IgnoreRhosts.*no">
+ <ind-def:subexpression operation="pattern match">^IgnoreRhosts.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of ^RhostsRSAAuthentication.*yes">
+ <ind-def:subexpression operation="pattern match">^RhostsRSAAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of ^HostbasedAuthentication.*yes">
+ <ind-def:subexpression operation="pattern match">^HostbasedAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of ^PermitEmptyPasswords.*yes">
+ <ind-def:subexpression operation="pattern match">^PermitEmptyPasswords.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of ^UsePAM.*no">
+ <ind-def:subexpression operation="pattern match">^UsePAM.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of ^Protocol.*1">
+ <ind-def:subexpression operation="pattern match">^Protocol.*1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of ^UsePrivilegeSeparation.*no">
+ <ind-def:subexpression operation="pattern match">^UsePrivilegeSeparation.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of ^X11Forwarding.*yes">
+ <ind-def:subexpression operation="pattern match">^X11Forwarding.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of ^StrictMode.*no">
+ <ind-def:subexpression operation="pattern match">^StrictMode.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of ^ListenAddress.*0.0.0.0">
+ <ind-def:subexpression operation="pattern match">^ListenAddress.*0.0.0.0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of ^ListenAddress *">
+ <ind-def:subexpression operation="pattern match">^ListenAddress[ ]*</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of ^ListenAddress">
+ <ind-def:subexpression operation="pattern match">^ListenAddress</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of ^AllowTcpForwarding.*no">
+ <ind-def:subexpression operation="pattern match">^AllowTcpForwarding.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+</oval_definitions></ds:component><ds:component id="scap_org.open-scap_comp_openssh-xccdf.xml" timestamp="2013-12-11T21:54:25"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_Gentoo-Security-Benchmark-OpenSSH-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+ <status date="2012-07-14">draft</status>
+ <title>Hardening OpenSSH</title>
+ <description>
+ The OpenSSH server offers remote Secure Shell services towards your users. This benchmark
+ focuses on the hardening of OpenSSH within a Gentoo Hardened environment.
+ </description>
+ <platform idref="cpe:/o:gentoo:linux"/>
+ <version>1</version>
+ <model system="urn:xccdf:scoring:default"/>
+ <model system="urn:xccdf:scoring:flat"/>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
+ <title>OpenSSH server setup settings</title>
+ <description>
+ Profile matching all OpenSSH hardening rules
+ </description>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="true"/>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="true"/>
+ </Profile>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro">
+ <title>Introduction</title>
+ <description>
+ The OpenSSH service is one of the most used SSH providing services.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
+ <title>Using this guide</title>
+ <description>
+ The guide you are currently reading is the guide generated from this SCAP
+ content (more specifically, the XCCDF document) using <h:b>openscap</h:b>,
+ a free software implementation for handling SCAP content. Within Gentoo,
+ the package <h:code>app-forensics/openscap</h:code> provides the tools, and
+ the following command is used to generate the HTML output:
+ <h:br/>
+ <h:pre>### Command to generate this guide ###
+# <h:b>oscap xccdf generate guide openssh-xccdf.xml > guide-openssh-xccdf.html</h:b>
+ </h:pre>
+ <h:br/>
+ Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
+ The two files combined allow you to automatically validate various settings as
+ documented in the benchmark.
+ <h:br/>
+ <h:br/>
+ You can test the benchmark against your configuration.
+ <h:pre>### Testing the rules mentioned in the XCCDF document ###
+# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default openssh-xccdf.xml</h:b></h:pre>
+ <h:br/>
+ To generate a full report in HTML as well, you can use the next command:
+ <h:pre>### Testing the rules and generating an HTML report ###
+# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-openssh-xccdf.xml --report report-openssh-xccdf.html openssh-xccdf.xml</h:b></h:pre>
+ <h:br/>
+ Finally, this benchmark will suggest some settings which you do not want
+ to enable. That is perfectly fine - even more, some settings might even
+ raise eyebrows left and right. We'll try to document the reasoning behind
+ the settings but you are free to deviate from them. If that is the case,
+ you might want to create your own profile which only contains the rules
+ you want checked. You can then use that profile instead of the Default one.
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
+ <title>Available XCCDF Profiles</title>
+ <description>
+ As mentioned earlier, the XCCDF document supports multiple profiles. For the time
+ being, one profile is defined:
+ <h:br/>
+ <h:ul>
+ <h:li>Default contains all mentioned tests</h:li>
+ </h:ul>
+ Substitute the profile information in the commands above with the profile you want to test on.
+ </description>
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config">
+ <title>Configuration Settings</title>
+ <description>
+ In this section, we look at the configuration settings of an OpenSSH service
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default">
+ <title>Default OpenSSH settings</title>
+ <description>
+ OpenSSH comes with some sane defaults to start with. These should not be touched.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhosts">
+ <title>Ignore Rhosts</title>
+ <description>
+ Historically, users could define a <h:code>.rhosts</h:code> or <h:code>.shosts</h:code>
+ file in which they mention the systems from which they log on to the system (the client
+ hosts). When the user then logs on from one of these remote locations, the shell service
+ would not ask for password authentication and just automatically log in the user.
+ <h:br/>
+ <h:br/>
+ The shell service treats <h:code>.shosts</h:code> mentioned hosts a bit different: it first
+ checks that hosts identity using some public key authentication scheme (in which case the
+ host keys of the clients are placed in <h:code>/etc/ssh/ssh_known_hosts</h:code> or
+ <h:code>~/.ssh/known_hosts</h:code>).
+ <h:br/>
+ <h:br/>
+ This is however a very insecure setup and can be easily circumvented. It only performs
+ host-based authentication, not user authentication, and in case of the <h:code>.rhosts</h:code>
+ file this host-based authentication is only based on the hostname/IP matching.
+ <h:br/>
+ <h:br/>
+ For this reason, support for the <h:code>.rhosts</h:code> and <h:code>.shosts</h:code>
+ files is by default disabled.
+ <h:br/>
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : IgnoreRhosts
+# If set, IgnoreRhosts must be set to yes (which is the default)
+IgnoreRhosts yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-rhosts -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-rhosts -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhostsrsa">
+ <title>Do not allow RSA Host Authentication</title>
+ <description>
+ As part of the Rhosts implementation, OpenSSH supports using RSA authentication for remote hosts.
+ With RSA authentication enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+ files need to be authenticated based on their RSA key. This applies to the SSH protocol version 1 only.
+ <h:br/>
+ <h:br/>
+ As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+ this option is by default disabled.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : RhostsRSAAuthentication
+# If set, RhostsRSAAuthentication must be set to "no" (which is the default).
+RhostsRSAAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-rrsa -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-rrsa -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-hostbased">
+ <title>Do not allow Host-based Authentication</title>
+ <description>
+ As part of the Rhosts implementation, Ope SSH supports using public key authenticatoin for remote hosts.
+ With this enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+ files need to be authenticated based on their public key. This applies to the SSH protocol version 2 only.
+ <h:br/>
+ <h:br/>
+ As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+ this option is by default disabled.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : HostbasedAuthentication
+# If set, HostbasedAuthentication must be set to "no" (which is the default)
+HostbasedAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-hostbased -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-hostbased -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-emptypassword">
+ <title>Do not Permit Empty Passwords</title>
+ <description>
+ If password-based authentication is used, it is wise not to allow empty passwords.
+ <h:br/>
+ <h:br/>
+ Allowing empty passwords within your network makes the services <h:em>very</h:em> vulnerable
+ to exploit, even when the software is fully up-to-date.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : PermitEmptyPasswords
+# If set, PermitEmptyPasswords must be set to "no" (which is the default).
+PermitEmptyPasswords no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-empty -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-empty -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-pam">
+ <title>Use PAM</title>
+ <description>
+ PAM (Pluggable Authentication Modules) is a powerful framework for managing
+ authentication of users and services in a flexible manner. By default, OpenSSH
+ uses PAM for the authentication of users.
+ <h:br/>
+ <h:br/>
+ One of the many advantages of PAM is that you can add in additional rules you want
+ to enforce during the authentication. You can limit access based on login count (or number of failures),
+ use centralized authentication repositories (like OpenLDAP), allow access only during specific
+ time windows, etc.
+ <h:br/>
+ <h:br/>
+ It is strongly advised to use PAM for SSH authentication too (but do manage the PAM configuration
+ properly!) Be aware though that the authentication services themselves (is the user who he sais
+ he is) of PAM are not used if public key authentication is used. The other services, which include
+ the access controls mentioned earlier, are still consulted though.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : UsePAM
+# If set, UsePAM must be set to "yes" (which is the default)
+UsePAM yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-pam -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-pam -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-protocol2">
+ <title>Only use version 2 of the SSH protocol</title>
+ <description>
+ The first version of the SSH protocol has been found insecure: TODO.
+ <h:br/>
+ <h:br/>
+ For this reason, it is strongly advised to use version 2 of the protocol only. This is also
+ the default for OpenSSH.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : Protocol
+# If set, Protocol must be set to 2 only (which is the default)
+Protocol 2</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-protocol -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-protocol -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-privsep">
+ <title>Use privilege separation</title>
+ <description>
+ With privilege separation enabled, the SSH daemon has a tiny footprint running as root,
+ whereas the rest of the application runs as an unprivileged process to deal with the
+ incoming network traffic. This can be tuned with <h:code>UsePrivilegeSeparation yes</h:code>
+ which is the default for OpenSSH.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : UsePrivilegeSeparation
+# If set, UsePrivilegeSeparation must be set to yes (which is the default)
+UsePrivilegeSeparation yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-useprivsep -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-useprivsep -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-x11fwd">
+ <title>Disable X11 forwarding</title>
+ <description>
+ SSH supports forwarding X11 packets, so X11 applications started on the remote system have their
+ display shown on the client. This behavior is by default disabled.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : X11Forwarding
+# If set, X11Forwarding must be set to no (which is the default)
+X11Forwarding no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-nox11fwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-nox11fwd -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-default-strictmode">
+ <title>Enable strict mode</title>
+ <description>
+ When <h:code>StrictModes yes</h:code> is enabled, the SSH daemon will only allow a remote user to
+ log on when some of the important files in that users' home directory have the proper privileges and
+ ownership. This behavior is by default enabled.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : StrictModes
+# If set, StrictModes must be set to yes (which is the default)
+StrictModes yes</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-def-strictmode -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-def-strictmode -->
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth">
+ <title>Authentication-related settings</title>
+ <description>
+ Being a remote shell service, authentication is one of the main features that OpenSSH provides.
+ A few settings help us in hardening the SSH server even further.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-noroot">
+ <title>Disable root logins</title>
+ <description>
+ As root is one of the most powerful accounts, direct access to root should be limited. It is
+ advised that, if a process needs root privileges, it uses a functional account which has the
+ right to call one or a few commands as root, but nothing else.
+ <h:br/>
+ <h:br/>
+ With OpenSSH, it is possible to prohibit direct root access towards the system if feasible within
+ your architecture. This can be accomplished using the <h:code>PermitRootLogin no</h:code> directive.
+ If you need root logins, consider only allowing specified command access (forced-commands-only).
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : PermitRootLogin
+# Set this to "no" or, if needed, "forced-commands-only"
+PermitRootLogin no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-norootlogin -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:1" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-norootlogin -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nopassword">
+ <title>Use public key authentication</title>
+ <description>
+ By default, OpenSSH uses interactive, keyboard-based password logins. One intrinsic problem with
+ passwords is that they can be weak, but also that hacked passwords can be used from other locations.
+ <h:br/>
+ <h:br/>
+ A safer approach for remote shell invocation is to use a keypair: the key is much stronger than most
+ passwords, making brute-force improbably and dictionary-attacks useless. The private key is only
+ known by you (on your system) and optionally (but preferably) protected by a (strong) passphraze so that
+ adversaries that force access to your system can still not use your private key.
+ <h:br/>
+ <h:br/>
+ Such a keypair an be generated by the users using <h:b>ssh-keygen -t dsa</h:b> after which the private and
+ public keys are stored in <h:code>~/.ssh</h:code>
+ <h:br/>
+ <h:br/>
+ On the OpenSSH server level, you can force the use of public key authentication (and thus deny
+ keyboard-interactive password logins) using <h:code>PasswordAuthentication no</h:code>.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : PasswordAuthentication
+# Set this to "no"
+PasswordAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-nopasswordauth -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-nopasswordauth -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nochallengeresponse">
+ <title>Disable ChallengeResponseAuthentication</title>
+ <description>
+ In OpenSSH, a (confusing) parameter called <h:code>ChallengeResponseAuthentication</h:code>
+ is available (and by default enabled). Many users might believe that this implements a more secure
+ authentication method (based on a challenge and a token that need to be verified - i.e. multi-factor
+ authentication). However, in case of this parameter, this isn't true.
+ <h:br/>
+ <h:br/>
+ The <h:code>ChallengeResponseAuthentication</h:code> setting enables <h:em>TIS Challenge/Response</h:em>
+ in SSH protocol version 1, and keyboard-interactive in SSH protocol v2. Hence, in our case, it is best
+ set disabled as we do not want regular password authentication to be enabled (and don't use protocol
+ version 1).
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : ChallengeResponseAuthentication
+# Set this to "no"
+ChallengeResponseAuthentication no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-nochallengeresponse -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-nochallengeresponse -->
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl">
+ <title>Access control related settings</title>
+ <description>
+ By default, OpenSSH allows access from any location and by any user who gets authenticated properly.
+ However, it is safer if you can restrict access from hosts that are allowed to access the SSH service
+ (and not other hosts) as well as users that are known to access the system remotely.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-allowgroup">
+ <title>Only allow specific group(s) access</title>
+ <description>
+ Not every user on your system needs to be able to remotely log on to the system. Many
+ users on your system are local-only, either because they are services accounts, or
+ because the users are only meant to log on directly (or through another service).
+ <h:br/>
+ <h:br/>
+ With OpenSSH, you can limit SSH access to users defined in a limited set of (Unix) groups.
+ It is recommended to define a Unix group (like <h:code>ssh</h:code> if that isn't used by the
+ service daemon itself) in which those users are defined, and then only allow SSH access
+ for this group.
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : AllowGroup
+# Set this to the unix group whose members are allowed access
+AllowGroup ssh</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-allowgroup -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-allowgroup -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-hosts">
+ <title>Only allow specific host(s) access</title>
+ <description>
+ Not every host on your network (or beyond) needs access to your system. On the contrary, most
+ hosts probably shouldn't have SSH access to your system.
+ <h:br/>
+ <h:br/>
+ With a service called <h:em>tcpwrappers</h:em> OpenSSH allows administrators to define the hosts
+ allowed access (or explicitly not allowed access) in the <h:code>/etc/hosts.allow</h:code> and
+ <h:code>/etc/hosts.deny</h:code>.
+ <h:br/>
+ <h:br/>
+ For a good secure setting, it is recommended to disallow access from any host, and then explicitly grant
+ access from a select set of hosts (or subnetworks).
+ <h:br/>
+ <h:pre>### /etc/hosts.allow
+# Give the list of allowed hosts or networks
+sshd: 192.168.1.0/24</h:pre><h:br/>
+ <h:pre>### /etc/hosts.deny
+# Deny access by default from everywhere
+sshd: ALL</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-hostsallow -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="false">
+ <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+ <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-hostsallow -->
+ <!-- @@GEN START rule-sshd-hostsdeny -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="false">
+ <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+ <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-hostsdeny -->
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-listen">
+ <title>Only listen on proper interfaces</title>
+ <description>
+ By default, OpenSSH listens on all available interfaces. In many cases though, this isn't necessary.
+ <h:br/>
+ <h:br/>
+ Multihomed systems (i.e. systems with multiple network interfaces) usually only use a single interface
+ for the administrative access, whereas the other interface is to connect to the Internet or disclose the
+ "business applications".
+ <h:br/>
+ <h:br/>
+ On dual stack systems (i.e. systems with an IPv4 and IPv6 stack) the IPv6 (or IPv4) address might not be
+ in use, or not for the administrative access (like through OpenSSH). In these cases, it is wise not to have
+ OpenSSH listen on these addresses either.
+ <h:br/>
+ <h:pre>## /etc/ssh/sshd_config : ListenAddress
+# Define a ListenAddress, but do not set it to "any address"
+# (which is 0.0.0.0 in IPv4 and :: in IPv6)
+ListenAddress 192.168.100.121</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-listen -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-listen -->
+ <!-- @@GEN START rule-sshd-listen4 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-listen4 -->
+ <!-- @@GEN START rule-sshd-listen6 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="false">
+ <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+ <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-listen6 -->
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-use">
+ <title>Disable unused settings</title>
+ <description>
+ OpenSSH has a few more options that it supports. If you, however, have no need for these options,
+ it is safer to have them disabled. Potential vulnerabilities that might be discovered later on these
+ options then have no effect on your system.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_config-use-tcpfwd">
+ <title>Disable TCP forwarding</title>
+ <description>
+ SSH supports "tunneling", where packets are forwarded over a (partially) secure channel towards
+ another location. If you do not need this, disable TCP forwarding through <h:code>AllowTcpForwarding no</h:code>
+ <h:br/>
+ <h:pre>### /etc/ssh/sshd_config : AllowTcpForwarding
+# If not needed, disable TCP forwarding
+AllowTcpForwarding no</h:pre>
+ </description>
+ <!-- @@GEN START rule-sshd-notcpfwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="false">
+ <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+ <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="openssh-oval.xml"/>
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sshd-notcpfwd -->
+ </Group>
+ </Group>
+ </Group>
+</Benchmark></ds:component><ds:component id="scap_org.open-scap_comp_gentoo-oval.xml" timestamp="2013-09-23T20:37:59"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation=" http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent
independent-definitions-schema.xsd http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
+
+<generator>
+ <oval:product_name>OVAL Gentoo Linux</oval:product_name>
+ <oval:product_version>20130917.1</oval:product_version>
+ <oval:schema_version>5.10</oval:schema_version>
+ <oval:timestamp>2013-09-17T19:42:00</oval:timestamp>
+</generator>
+
+<definitions>
+
+ <definition id="oval:org.gentoo.dev.swift:def:1" version="1" class="inventory">
+ <metadata>
+ <title>Gentoo Linux is installed</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether Gentoo Linux is installed.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="The /etc/gentoo-release file exists"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:2" version="1" class="compliance">
+ <metadata>
+ <title>The /home location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14559-9"/>
+ <description>
+ This definition tests whether the /home location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:3" version="1" class="compliance">
+ <metadata>
+ <title>The /home file system is mounted with the nosuid option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the /home partition is mounted with the nosuid
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="The /home partition is mounted with nosuid mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:4" version="1" class="compliance">
+ <metadata>
+ <title>The /home file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the /home partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="The /home partition is mounted with nodev mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:5" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
+ <description>
+ This definition tests whether the /tmp location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:6" version="1" class="compliance">
+ <metadata>
+ <title>The /var location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14777-7"/>
+ <description>
+ This definition tests whether the /var location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:7" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14011-1"/>
+ <description>
+ This definition tests whether the /var/log location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:8" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log/audit location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14171-3"/>
+ <description>
+ This definition tests whether the /var/log/audit location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:9" version="1" class="compliance">
+ <metadata>
+ <title>The /var file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /var partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="The /var partition is mounted with nodev mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:10" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /var/log partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="The /var/log partition is mounted with nodev mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:11" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log/audit file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /var/log/audit partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="The /var/log/audit partition is mounted with nodev mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:12" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /tmp partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /tmp partition is mounted with nodev mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:13" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp file system is mounted with the nosuid option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14940-1"/>
+ <description>
+ This definition tests whether the /tmp partition is mounted with the nosuid
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="The /tmp partition is mounted with nosuid mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:14" version="1" class="compliance">
+ <metadata>
+ <title>The /dev/shm file system is mounted with the nosuid option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14306-5"/>
+ <description>
+ This definition tests whether the /dev/shm partition is mounted with the nosuid
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="The /dev/shm file system is mounted with nosuid mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:15" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp file system is mounted with the noexec option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14927-8"/>
+ <description>
+ This definition tests whether the /tmp partition is mounted with the noexec
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="The /tmp partition is mounted with noexec mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:16" version="1" class="compliance">
+ <metadata>
+ <title>The /dev/shm file system is mounted with the noexec option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14703-3"/>
+ <description>
+ This definition tests whether the /dev/shm partition is mounted with the noexec
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system"/>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="The /dev/shm file system is mounted with nosuid mount option"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:17" version="1" class="compliance">
+ <metadata>
+ <title>The /var/tmp location is on a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14584-7"/>
+ <description>
+ This definition tests whether the /var/tmp location is on its own file system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="The /var/tmp location is a separate file system"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:18" version="1" class="compliance">
+ <metadata>
+ <title>The kernel is build with quota support (CONFIG_QUOTA)</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the Linux kernel is build with quota support (CONFIG_QUOTA).
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="The Linux kernel is build with CONFIG_QUOTA"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:19" version="1" class="compliance">
+ <metadata>
+ <title>No process matching "telnetd" is running</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-3390-2"/>
+ <description>
+ This definition tests if no telnet daemon processes are running.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="No telnet daemons are running"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:20" version="1" class="compliance">
+ <metadata>
+ <title>No process matching "ftpd" is running</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4273-9"/>
+ <description>
+ This definition tests if no FTP daemon processes are running.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:21" comment="No FTP daemons are running"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:21" version="1" class="compliance">
+ <metadata>
+ <title>rc.conf's rc_shell should be set to /sbin/sulogin</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6"/>
+ <description>
+ This definition tests if rc_shell in /etc/rc.conf is set to /sbin/sulogin, ensuring
+ that single user boots still require the root password to be provided.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="/etc/rc.conf rc_shell is set to /sbin/sulogin"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:22" version="1" class="compliance">
+ <metadata>
+ <title>Single user definitions in inittab should only refer to '/sbin/rc single' or '/sbin/sulogin'</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6"/>
+ <description>
+ This definition tests if /etc/inittab single user login settings only refers
+ to '/sbin/rc single' or '/sbin/sulogin'.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:23" comment="/etc/inittab single user settings refers only to '/sbin/rc single' or '/sbin/sulogin'"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:23" version="1" class="compliance">
+ <metadata>
+ <title>Verify that /etc/hosts.allow exists</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests if /etc/hosts.allow exists.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:24" comment="/etc/hosts.allow exists"/>
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:24" version="1" class="compliance">
+ <metadata>
+ <title>Verify that /etc/at/at.allow exists</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests if /etc/at/at.allow exists.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:25" comment="/etc/at/at.allow exists"/>
+ </criteria>
+ </definition>
+
+</definitions>
+
+<tests>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="all" check_existence="all_exist" comment="Tests that /etc/gentoo-release exists">
+ <!-- /etc/gentoo-release file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+ </unix-def:file_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="all" check_existence="all_exist" comment="Tests that /home is a separate file system">
+ <!-- /home partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:3" version="1" check="all" check_existence="all_exist" comment="Tests that /home is mounted with nosuid option">
+ <!-- /home partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+ <!-- "nosuid" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:4" version="1" check="all" check_existence="all_exist" comment="Tests that /home is mounted with nodev option">
+ <!-- /home partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is a separate file system">
+ <!-- /tmp partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="all" check_existence="all_exist" comment="Tests that /var is a separate file system">
+ <!-- /var partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:7" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log is a separate file system">
+ <!-- /var/log partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log/audit is a separate file system">
+ <!-- /var/log/audit partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:9" version="1" check="all" check_existence="all_exist" comment="Tests that /var is mounted with nodev option">
+ <!-- /var partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4"/>
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log is mounted with nodev option">
+ <!-- /var/log partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5"/>
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:11" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log/audit is mounted with nodev option">
+ <!-- /var/log/audit partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6"/>
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is mounted with nodev option">
+ <!-- /tmp partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:13" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is mounted with nosuid option">
+ <!-- /tmp partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+ <!-- "nosuid" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="all" check_existence="all_exist" comment="Tests that /dev/shm is a separate file system">
+ <!-- /dev/shm file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:15" version="1" check="all" check_existence="all_exist" comment="Tests that /dev/shm is mounted with nosuid option">
+ <!-- /dev/shm file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7"/>
+ <!-- "nosuid" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is mounted with noexec option">
+ <!-- /tmp file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+ <!-- "noexec" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:17" version="1" check="all" check_existence="all_exist" comment="Tests that /dev/shm is mounted with noexec option">
+ <!-- /dev/shm file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7"/>
+ <!-- "noexec" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3"/>
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="all" check_existence="all_exist" comment="Tests that /var/tmp is on its own file system">
+ <!-- /var/tmp file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:8"/>
+ </lin-def:partition_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19" version="2" check="all" check_existence="at_least_one_exists" comment="Tests that CONFIG_QUOTA is in the kernel configuration">
+ <!-- The file containing kernel configuration matching CONFIG_QUOTA -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9"/>
+ <!-- Match for "^CONFIG_QUOTA=[ym]" -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4"/>
+ </ind-def:textfilecontent54_test>
+
+ <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="all" check_existence="none_exist" comment="Tests that no telnet daemons are running">
+ <!-- Process matching "telnetd" -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:10"/>
+ </unix-def:process58_test>
+
+ <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:21" version="1" check="all" check_existence="none_exist" comment="Tests that no FTP daemons are running">
+ <!-- Process matching "ftpd" -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:11"/>
+ </unix-def:process58_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22" version="1" check="at least one" check_existence="all_exist" comment="Tests that rc_shell in /etc/rc.conf is set to /sbin/sulogin">
+ <!-- The variable settings in /etc/rc.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12"/>
+ <!-- Match for rc_shell=/sbin/sulogin -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5"/>
+ </ind-def:textfilecontent54_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:23" version="1" check="all" check_existence="at_least_one_exists" comment="Tests that single-user boot only triggers '/sbin/rc single' or '/sbin/sulogin'">
+ <!-- The single-user boot rules in /etc/inittab -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13"/>
+ <!-- The '/sbin/rc single' or '/sbin/sulogin' matches -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6"/>
+ </ind-def:textfilecontent54_test>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:24" version="1" check="all" check_existence="all_exist" comment="Tests that /etc/hosts.allow exists">
+ <!-- The /etc/hosts.allow file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:14"/>
+ </unix-def:file_test>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:25" version="1" check="all" check_existence="all_exist" comment="Tests that /etc/at/at.allow exists">
+ <!-- The /etc/at/at.allow file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:15"/>
+ </unix-def:file_test>
+
+</tests>
+
+<objects>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="The /etc/gentoo-release file">
+ <unix-def:filepath>/etc/gentoo-release</unix-def:filepath>
+ </unix-def:file_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="The /home partition">
+ <lin-def:mount_point>/home</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="The /tmp partition">
+ <lin-def:mount_point>/tmp</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:4" version="1" comment="The /var partition">
+ <lin-def:mount_point>/var</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:5" version="1" comment="The /var/log partition">
+ <lin-def:mount_point>/var/log</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:6" version="1" comment="The /var/log/audit partition">
+ <lin-def:mount_point>/var/log/audit</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:7" version="1" comment="The /dev/shm file system">
+ <lin-def:mount_point>/dev/shm</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:8" version="1" comment="The /var/tmp file system">
+ <lin-def:mount_point>/var/tmp</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9" version="2" comment="The file containing kernel configuration CONFIG_QUOTA">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">CONFIG_QUOTA.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:10" version="1" comment="Process matching telnetd in its command name">
+ <unix-def:command_line operation="pattern match">.*[Tt][Ee][Ll][Nn][Ee][Tt][Dd].*</unix-def:command_line>
+ <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+ </unix-def:process58_object>
+
+ <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:11" version="1" comment="Process matching ftpd in its command name">
+ <unix-def:command_line operation="pattern match">.*[Ff][Tt][Pp][Dd].*</unix-def:command_line>
+ <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+ </unix-def:process58_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12" version="1" comment="The /etc/rc.conf variable declarations">
+ <ind-def:filepath>/etc/rc.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*[\S]+[[:space:]]*=[[:space:]]*[\S]+</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13" version="1" comment="The /etc/inittab contents">
+ <ind-def:filepath>/etc/inittab</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[\S]+:S:[\S]+:.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:14" version="1" comment="The /etc/hosts.allow file">
+ <unix-def:filepath>/etc/hosts.allow</unix-def:filepath>
+ </unix-def:file_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:15" version="1" comment="The /etc/at/at.allow file">
+ <unix-def:filepath>/etc/at/at.allow</unix-def:filepath>
+ </unix-def:file_object>
+
+</objects>
+
+<states>
+
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The file system is mounted with the nosuid mount option">
+ <lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options>
+ </lin-def:partition_state>
+
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The file system is mounted with the nodev mount option">
+ <lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
+ </lin-def:partition_state>
+
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The file system is mounted with the noexec mount option">
+ <lin-def:mount_options entity_check="at least one">noexec</lin-def:mount_options>
+ </lin-def:partition_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="Matching ^CONFIG_QUOTA=[ym]">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">^CONFIG_QUOTA=[ym]</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="Matching rc_shell=/sbin/sulogin">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="Single user boot lines may only match '/sbin/rc single' or '/sbin/sulogin'">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+</states>
+
+<!--
+<variables>
+</variables>
+-->
+</oval_definitions></ds:component><ds:component id="scap_org.open-scap_comp_gentoo-cpe.xml" timestamp="2013-09-17T20:21:19"><cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+ <cpe-item name="cpe:/o:gentoo:linux">
+ <title>Gentoo Linux</title>
+ <notes>
+ <note>This CPE Name represents Gentoo Linux</note>
+ </notes>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="gentoo-oval.xml">oval:org.gentoo.dev.swift:def:1</check>
+ </cpe-item>
+</cpe-list></ds:component></ds:data-stream-collection>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-11 20:58 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-11 20:58 UTC (permalink / raw
To: gentoo-commits
commit: e2889daaff3266ba8ce6e595ca6cd03a7a00a9a6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 11 20:57:04 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 11 20:57:04 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e2889daa
Use XCCDF 1.2 in explanation
---
xml/SCAP/openssh-xccdf.xml | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/xml/SCAP/openssh-xccdf.xml b/xml/SCAP/openssh-xccdf.xml
index 0230c63..7d031b1 100644
--- a/xml/SCAP/openssh-xccdf.xml
+++ b/xml/SCAP/openssh-xccdf.xml
@@ -50,7 +50,7 @@
the following command is used to generate the HTML output:
<h:br />
<h:pre>### Command to generate this guide ###
-# <h:b>oscap xccdf generate guide scap-openssh-xccdf.xml > output.html</h:b>
+# <h:b>oscap xccdf generate guide openssh-xccdf.xml > guide-openssh-xccdf.html</h:b>
</h:pre>
<h:br />
Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
@@ -60,12 +60,19 @@
<h:br />
You can test the benchmark against your configuration.
<h:pre>### Testing the rules mentioned in the XCCDF document ###
-# <h:b>oscap xccdf eval --profile Default scap-openssh-xccdf.xml</h:b></h:pre>
+# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default openssh-xccdf.xml</h:b></h:pre>
<h:br />
To generate a full report in HTML as well, you can use the next command:
<h:pre>### Testing the rules and generating an HTML report ###
-# <h:b>oscap xccdf eval --profile Default --results xccdf-results.xml --report report.html scap-openssh-xccdf.xml</h:b></h:pre>
+# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-openssh-xccdf.xml --report report-openssh-xccdf.html openssh-xccdf.xml</h:b></h:pre>
<h:br />
+ <h:br />
+ The benchmark is also available as data stream. In this case, you do not
+ need to provide the various files - all you need is the benchmark file.
+ For instance:
+ <h:pre>### Testing the rules based on the data stream
+# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default openssh-ds.xml</h:b></h:pre>
+ <h:br />
Finally, this benchmark will suggest some settings which you do not want
to enable. That is perfectly fine - even more, some settings might even
raise eyebrows left and right. We'll try to document the reasoning behind
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 10:59 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 10:59 UTC (permalink / raw
To: gentoo-commits
commit: 327c9ee7d8b0bb54aa951fafa7fa10dc666d0bb2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 10:57:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 10:57:33 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=327c9ee7
Update HTML code in descriptions, anonimize text
---
xml/SCAP/gentoo-xccdf.xml | 645 ++++++++++++++++++++++++++++------------------
1 file changed, 401 insertions(+), 244 deletions(-)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 6b3172e..e51a0ab 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2013-09-17">draft</status>
+ <status date="2013-12-20">draft</status>
<title>Gentoo Security Benchmark</title>
<description>
This benchmarks helps people in improving their system configuration to be
more resilient against attacks and vulnerabilities.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
- <version>20130917.1</version>
+ <version>20131220.1</version>
<model system="urn:xccdf:scoring:default" />
<model system="urn:xccdf:scoring:flat" />
<model system="urn:xccdf:scoring:flat-unweighted" />
@@ -17,15 +17,27 @@
This profile extends the default server profile by including tests that
are more intensive to run on a system. Tests such as full file system
scans to find world-writable files or directories have an otherwise too
- large impact on the performance of a server.
+ large impact on the performance of a server. Tests include scripted
+ validationn.
</description>
</Profile>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
- <title>Default server setup settings</title>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
+ <title>Intensive validation profile (non-scripted)</title>
+ <description>
+ This profile extends the default server profile by including tests that
+ are more intensive to run on a system. Tests such as full file system
+ scans to find world-writable files or directories have an otherwise too
+ large impact on the performance of a server. Tests do not include
+ scripted validation.
+ </description>
+ </Profile>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
+ <title>Default server setup settings (non-scripted)</title>
<description>
In this profile, we verify common settings for Gentoo Linux
configurations. The tests that are enabled in this profile can be ran
- without visibly impacting the performance of the system.
+ without visibly impacting the performance of the system. No scripted
+ checks are executed.
</description>
<!-- The /tmp location is a separate file system -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
@@ -59,8 +71,6 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="true" />
<!-- The /dev/shm partition is mounted with noexec -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
- <!-- The hardened toolchain must be installated and used -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
<!-- Kernel quota support must be enabled -->
<select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
<!-- No telnetd process is running -->
@@ -75,59 +85,75 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="true" />
<!-- Verify that /etc/at/at.allow exists -->
<select idref="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="true" />
-
+ </Profile>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
+ <title>Default server setup settings</title>
+ <description>
+ In this profile, common settings for Gentoo Linux configurations are validated.
+ The tests can be ran without visibly impacting the performance of the system, and
+ also includes the scripted evaluation checks (SCE).
+ </description>
+ <!-- The hardened toolchain must be installated and used -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
</Profile>
<Group id="xccdf_org.gentoo.dev.swift_group_intro">
<title>Introduction</title>
<description>
+ <h:p>
Since years, Gentoo Linux has a Gentoo Security Handbook
which provides a good insight in secure system
configuration for a Gentoo systems. Although this is important, an
improved method for describing and tuning a systems' security state has
emerged: SCAP, or the <h:em>Security Content Automation Protocol</h:em>.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
As such, this benchmark is an update on the security
handbook, including both the in-depth explanation of settings as well as
the means to validate if a system complies with this or not. Now, during
- the development of this benchmark document, we did not include all
- information from the Gentoo Security Handbook as some of the settings are
- specific to a service that is not all that default on a Gentoo Linux
- system. Although these settings are important as well, it is our believe
- that this is best done in separate benchmarks for those services instead.
- <h:br />
- <h:br />
+ the development of this benchmark document, not include all
+ information from the Gentoo Security Handbook is included as some of the
+ settings are specific to a service that is not all that default on a
+ Gentoo Linux system or sufficiently separate that can benefit other
+ distributions as well. Although these settings are important as well, it is
+ best done in separate benchmarks for those services instead.
+ </h:p>
+ <h:p>
Where applicable, this benchmark will refer to a different hardening guide
for specific purposes (such as the Hardening OpenSSH benchmark).
+ </h:p>
</description>
<reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo
Security Handbook</reference>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
<title>This is no security policy</title>
<description>
+ <h:p>
It is <h:em>very important</h:em> to realize that this document is not a
policy. There is no obligation to follow this to make a secure system
- nor should everything in this document be agreed upon. What we document is
+ nor should everything in this document be agreed upon. This document is
a set of common best practices with the explanation (why is it a best practice)
and method (how to implement the best practice).
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
The purpose of this document is to guide readers in their quest to hardening
their systems. It will provide pointers that could help in deciding
particular configuration settings and will do this hopefully using
sufficient background information to allow readers to make a good choice.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Readers might find settings they don't agree with. That's fine, but
if there is disagreement about <h:em>why</h:em> it is documented, we would
like to hear it so we can update the guide accordingly.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
<title>A little more about SCAP and OVAL</title>
<description>
+ <h:p>
Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
are notably important in light of this guide.
+ </h:p>
<h:ul>
<h:li>
XCCDF (Extensible Configuration Checklist Description Format) is
@@ -138,74 +164,104 @@
and validate system settings
</h:li>
</h:ul>
- <h:br />
+ <h:p>
Thanks to the OVAL and XCCDF standards, a security engineer can now describe
how the state of a system should be configured, how this can be checked
automatically and even report on these settings. Furthermore, within the
description, the engineer can make "profiles" of different states (such as
a profile for a workstation, server (generic), webserver, LDAP server,
...) and reusing the states (rules) identified in a more global scope.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
<title>Using this guide</title>
<description>
+ <h:p>
This guide is generated from SCAP content (more specifically, the XCCDF document)
using <h:b>openscap</h:b>, a free software implementation for handling SCAP content.
Within Gentoo, the package <h:code>app-forensics/openscap</h:code> provides the tools,
and the following command is used to generate the HTML output:
- <h:br />
- <h:pre># <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b>
- </h:pre>
- <h:br />
+ </h:p>
+ <h:pre>
+# <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b></h:pre>
+ <h:p>
Secondly, together with this XCCDF XML, an OVAL XML file is made available.
The two files combined allow OVAL interpreters to automatically validate
various settings as documented in the benchmark.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
+ Finally, if certain tests are not available in OVAL yet, scripts are provided
+ that can be executed through the SCE (Script Check Engine) support in openscap.
+ As scripts are not guaranteed to have no impact on the system (or leave traces),
+ <h:code>-oval</h:code> profiles are available that only enable the OVAL (and not SCE)
+ checks.
+ </h:p>
+ <h:p>
To validate the tests, the following commands can be used:
- <h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre>
- <h:br />
+ </h:p>
+ <h:pre>
+# <h:b>export PROFILE="xccdf_org.gentoo.dev.swift_profile_default"</h:b>
+# <h:b>oscap xccdf eval --profile ${PROFILE} gentoo-xccdf.xml</h:b></h:pre>
+ <h:p>
To generate a full report in HTML as well, use the next command:
- <h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre>
- <h:br />
- <h:br />
+ </h:p>
+ <h:pre>
+# <h:b>oscap xccdf eval --profile ${PROFILE} --results xccdf-results.xml \
+ --report report.html gentoo-xccdf.xml</h:b></h:pre>
+ <h:p>
Finally, this benchmark will suggest some settings that do not reflect the
will of the reader. That is perfectly fine - even more, some settings might even
raise eyebrows left and right. This document will explain the reasoning behind
the settings but deviations are always possible. If that is the case,
disable the rules in the XCCDF document or, better yet, create a new profile
and only refer to the tests that are required.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
<title>Available XCCDF Profiles</title>
<description>
+ <h:p>
As mentioned earlier, the XCCDF document supports multiple profiles. For the time
being, two profiles are defined:
- <h:br />
+ </h:p>
<h:ul>
<h:li>
- The <em>default</em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains
+ The <h:em>default</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains
tests that are quick to validate
</h:li>
+ <h:li>
+ The <h:em>default-oval</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default-oval)
+ is like the default one, but does not call any other checker than OVAL
+ (so no scripts).
+ </h:li>
<h:li>
- The <em>intensive</em> profile (xccdf_org.gentoo.dev.swift_profile_intensive)
+ The <h:em>intensive</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive)
contains all tests, including those that take a while (for instance because they
perform full file system scans)
</h:li>
+ <h:li>
+ The <h:em>intensive-oval</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive-oval)
+ is like the intensive one, but does not call any other checker than OVAL
+ (so no scripts).
+ </h:li>
</h:ul>
+ <h:p>
Substitute the profile information in the commands above with the required profile.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-weights">
<title>About the rule weights</title>
<description>
+ <h:p>
Within this guide, weights are assigned to tests to give some importance to
the rule (higher weight is more important) as well as a severity.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
The severity is one of the following:
+ </h:p>
<h:ul>
<h:li>
<h:em>high</h:em> constitutes a grave or critical problem. A rule with this severity
@@ -227,29 +283,31 @@
does not mean failure to comply with the document itself.
</h:li>
</h:ul>
+ <h:p>
It is important to understand though that rules with a low severity can still lead to
grave security problems if they are not met. Chaining of vulnerabilities or
misconfiguration can still lead to full system compromise.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
For this reason, weights are added to rules as well. A higher weight has a more
severe potential impact.
- <h:br />
- <h:br />
- Weights are the CVSS score that the author assumes is the case for a misconfiguration.
+ </h:p>
+ <h:p>
+ Weights are the CVSS (or CCSS) score that is thought to be the case for a misconfiguration.
They are calculated by NVD's CVSS calculator. Each rule is scored individually; a
"chain" of misconfigurations might lead to a significantly higher issue, but this would
make it very hard to make proper scoring.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
As an example, take the rule that says <h:code>/var</h:code> has to be on its own
partition. The metrics we fill in in the calculator are currently based on the risk
that the root file system is filled (no more free space), which can halt the system.
+ </h:p>
<h:ul>
<h:li>
The <h:em>related exploit range</h:em> (access vector) is "Local", because this is
by itself not exploitable remotely - unless of course certain services are running
- that can fill up <h:code>/var</h:code>, but we do not take such assumptions.
+ that can fill up <h:code>/var</h:code>, but such assumptions are not taken.
</h:li>
<h:li>
The <h:em>attack complexity</h:em> (access complexity) is "Low", as all that is
@@ -270,18 +328,21 @@
The <h:em>availability impact</h:em> is "Complete" (system crash or halt).
</h:li>
</h:ul>
+ <h:p>
This results in the CVSS base score of 4.6. The environmental score metrics and
temporal score metrics are ignored as those are too specific for environments
and organizations.
+ </h:p>
</description>
<reference href="https://nvd.nist.gov/cvss.cfm?calculator&version=2">NVD CVSS calculator</reference>
+ <reference href="http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf">The Common Configuration Scoring System (PDF)</reference>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
- <title>Before we start</title>
+ <title>Before startng</title>
<description>
- Before we start deploying Gentoo Linux and start hardening it, it is wise
- to take a step back and think about what we want to accomplish. Setting
+ Before starting to deploy Gentoo Linux and start hardening it, it is wise
+ to take a step back and think about what to accomplish. Setting
up a more secured Gentoo Linux isn't a goal, but a means to reach
something. Most likely the system will become a Gentoo Linux powered server.
What is this server for? Where will it be hosted? What services are scheduled to run
@@ -290,47 +351,51 @@
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
<title>Infrastructure architecturing</title>
<description>
+ <h:p>
When considering the entire IT architecture, many architecturing
frameworks exist to write down and further design infrastructure.
There are very elaborate ones, like TOGAF (The Open Group Architecture
Framework), but smaller ones exist as well.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
A well written and maintained infrastructure architecture helps to
position new services or consider the impact of changes on existing
components.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Security is about reducing risks, not about harassing people or making
work for a system administrator harder. And reducing risks also means
that a clear eye needs to be kept on the architecture and all its
components. If there is no knowledge as to what is being integrated, where
it is going to be installed or why, then hardening by itself will probably not
do much to the secure state of the system.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
<title>Mapping requirements</title>
<description>
+ <h:p>
When designing a service, we need to take both functional and
non-functional requirements into account. That does sound like
overshooting for a simple server installation, but it is not. Is
auditing considered? Where should the audit logs be sent to? What
about authentication? Centrally managed, or manually set? And the server,
will it only host a particular service, or will it provide several services?
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
When hosting multiple services on the same server, make sure that the
server is positioned within the network on an acceptable segment. It is
not safe to host central LDAP infrastructure on the same system as
a web server that is facing the Internet.
+ </h:p>
</description>
<reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
<title>Non-software security concerns</title>
<description>
- From the next chapter onwards, our focus will be on the software side
+ From the next chapter onwards, the focus will be on the software side
hardening. There are of course also non-software concerns that need to be
taken care of.
</description>
@@ -338,17 +403,18 @@
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
<title>Physical security</title>
<description>
+ <h:p>
Make sure that the system is only accessible (physically) by trusted
people. Fully hardening a system, only to have a malicious person
take out the harddisk and run away with the confidential data is not
- something we want to experience.
- <h:br />
- <h:br />
+ something fun to experience.
+ </h:p>
+ <h:p>
When physical security cannot be guaranteed (like with laptops), make
sure that theft of the device only results in the loss of the hardware
and not of the data and software on it (take backups!), and also that the
data on it cannot be read by unauthorized people.
- We will describe disk encryption later.
+ </h:p>
</description>
<reference
href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data Center Physical Security Checklist (SANS, PDF)</reference>
@@ -356,16 +422,18 @@
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
<title>Policies and contractual agreements</title>
<description>
+ <h:p>
Create or validate the security policies in the organization. This is
not only as a stick (against internal people who might want to abuse
their powers) but also to document and describe why certain decisions
are made (both architecturally as otherwise).
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Make sure that the reasoning for the guidelines is clear. If the policies ever
need to be adjusted towards new environments or concepts (like "bring your own
device") having the reasons for the (old) guidelines documented will make it much
easier to write new ones.
+ </h:p>
</description>
<reference
href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF)</reference>
@@ -377,10 +445,9 @@
<Group id="xccdf_org.gentoo.dev.swift_group_installation">
<title>Installation configuration</title>
<description>
- Let's focus now on the OS hardening. Gentoo Linux allows us to update various
- parts of the system after installation, but it might be interesting to
- consider the following aspects during (or before) installation if we do not want
- to risk a huge migration project later.
+ Gentoo Linux allows us to update various parts of the system after installation,
+ but it might be interesting to consider the following aspects during (or before)
+ installation to not risk a huge migration project later.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
<title>Storage configuration</title>
@@ -403,12 +470,14 @@
<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
<title>Separate file systems for important locations</title>
<description>
+ <h:p>
Having a separate file system for important locations has several advantages, but
- we need to weigh those advantages against the disadvantages of separate file
+ those advantages need to be weighted against the disadvantages of separate file
systems.
- <h:br />
- <h:br />
- Let's start with the disadvantages:
+ </h:p>
+ <h:p>
+ These disadvantages are:
+ </h:p>
<h:ul>
<h:li>
Separate file systems mean that better disk space control is needed
@@ -426,7 +495,9 @@
(such as creating an initial ram file system).
</h:li>
</h:ul>
+ <h:p>
The advantages on the other hand:
+ </h:p>
<h:ul>
<h:li>
A sudden disk space growth will eventually be stopped by the limits of the
@@ -446,8 +517,10 @@
for a particular file system.
</h:li>
</h:ul>
+ <h:p>
Considering these pros and cons, it is recommended to have at least the following
file system locations to be on a different file system:
+ </h:p>
<h:ul>
<h:li>
<h:code>/tmp</h:code> as this is a world-writable location and requires
@@ -488,7 +561,7 @@
</h:ul>
</description>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false" severity="medium" weight="4.6">
- <title>Test if /tmp is a separate file system</title>
+ <title>/tmp is a separate file system</title>
<fixtext>
Create a file system for <h:code>/tmp</h:code>; make sure it is added in
the <h:code>/etc/fstab</h:code> file and reboot the system.
@@ -498,7 +571,7 @@
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="false" severity="medium" weight="4.6">
- <title>Test if /var is a separate file system</title>
+ <title>/var is a separate file system</title>
<fixtext>
Create a file system for <h:code>/var</h:code>; make sure it is added in
the <h:code>/etc/fstab</h:code> file and reboot the system.
@@ -508,7 +581,7 @@
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="false" severity="low" weight="2.1">
- <title>Test if /var/log is a separate file system</title>
+ <title>/var/log is a separate file system</title>
<fixtext>
Create a file system for <h:code>/var/log</h:code>; make sure it is added in
the <h:code>/etc/fstab</h:code> file and reboot the system.
@@ -518,7 +591,7 @@
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="false" severity="low" weight="2.1">
- <title>Test if /var/log/audit is a separate file system</title>
+ <title>/var/log/audit is a separate file system</title>
<fixtext>
Create a file system for <h:code>/var/log/audit</h:code>; make sure it is added in
the <h:code>/etc/fstab</h:code> file and reboot the system.
@@ -528,7 +601,7 @@
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false" severity="medium" weight="4.6">
- <title>Test if /home is a separate file system</title>
+ <title>/home is a separate file system</title>
<fixtext>
Create a file system for <h:code>/home</h:code>; make sure it is added in
the <h:code>/etc/fstab</h:code> file and reboot the system.
@@ -538,7 +611,7 @@
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="false" severity="low" weight="2.1">
- <title>Test if /var/tmp is a separate file system</title>
+ <title>/var/tmp is a separate file system</title>
<fixtext>
Create a file system for <h:code>/var/tmp</h:code>; make sure it is added in
the <h:code>/etc/fstab</h:code> file and reboot the system.
@@ -553,11 +626,11 @@
<Group id="xccdf_org.gentoo.dev.swift_group_installation-toolchain">
<title>Use a Hardened Toolchain</title>
<description>
+ <h:p>
When Gentoo is installed, use the hardened stages and hardened toolchain.
The hardened toolchain includes additional security patches, such as
support for non-executable program stacks and buffer overflow detection.
- <h:br />
- <h:br />
+ </h:p>
<h:ul>
<h:li>
<h:em>Position Independent Executables (PIE)</h:em> and <h:em>Position Independent
@@ -572,11 +645,14 @@
having the overflow succeed.
</h:li>
</h:ul>
+ <h:p>
During installation, make sure that the <h:em>default</h:em> hardened
toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
those are toolchains where specific settings are disabled. The
<h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
- <h:pre># <h:b>gcc-config -l</h:b>
+ </h:p>
+ <h:pre>
+# <h:b>gcc-config -l</h:b>
[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref
@@ -585,7 +661,7 @@
[6] x86_64-pc-linux-gnu-4.4.5-vanilla</h:pre>
</description>
<Rule id="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="false" severity="low" weight="0.0">
- <title>Test if the hardened toolchain is used</title>
+ <title>The hardened toolchain is used</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened">
Use a hardened Gentoo profile and select the default compiler (not vanilla
nor any of the hardenedno* ones).
@@ -596,27 +672,6 @@
</check>
</Rule>
</Group> <!-- installation-toolchain -->
- <!--
- <Group id="gt-installation-selinux">
- <title>Use a Mandatory Access Control system</title>
- <description>
- Linux uses, by default, what is called a <h:em>Discretionary Access Control</h:em>
- system. This means, amongst other things, that a user can control which files others
- can access, but also that he is able to leak information towards other users.
- <h:br />
- <h:br />
- With a <h:em>Mandatory Access Control</h:em> system in place, the security administrator
- of a system defines security policies to which the entire system should adhere to. Users
- then can "play" within the defined fields of this policy, but cannot extend this policy themselves.
- <h:br />
- <h:br />
- Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system
- is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its
- configuration and testing of these settings are beyond the scope of this benchmark for now.
- </description>
- <reference href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux project page</reference>
- </Group>
- -->
</Group> <!-- installation -->
<Group id="xccdf_org.gentoo.dev.swift_group_system">
<title>System settings</title>
@@ -634,24 +689,26 @@
<Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
<title>Appropriate mount options for the file systems</title>
<description>
+ <h:p>
Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
This mount option ensures that device files are not allowed on these file systems
(and if they are there, they are ignored by the Linux kernel for any device
operation).
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Having device files on non-root file systems could allow unauthorized people access
to sensitive data (for instance when having a readable raw disk device files) or
even manipulate the system.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
The privilege to create special device files (beyond regular sockets) such as
character and block device files is handled through the CAP_MKNOD capability
which is not granted to regular users. As such, the risk is when more privileged
users or processes are tricked to create such device files.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
This setting is appropriate for file systems such as (non-exhaustive list):
+ </h:p>
<h:ul>
<h:li>
<h:code>/var</h:code> (as it is recommended to be a separate file system)
@@ -669,10 +726,12 @@
<h:code>/tmp</h:code> (as it is recommended to be a separate file system)
</h:li>
</h:ul>
+ <h:p>
Specific file systems should also be mounted with the <h:em>nosuid</h:em> mount
option. This prevents setuid binaries to run as a different user when hosted
on this file system. As there are several locations where setuid binaries might
be needed, this only affects particular file systems:
+ </h:p>
<h:ul>
<h:li>
The <h:code>/tmp</h:code> file system should not be used for setuid binaries
@@ -687,19 +746,21 @@
(shared memory region).
</h:li>
</h:ul>
+ <h:p>
Specific file systems should also be mounted with the <h:em>noexec</h:em> mount
option. This prevents some automated attacks to execute certain payload (exploits)
from these locations.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
This is just one of the many "layers" though, as executing payload can still be
done using different methods. For instance, scripts can be invoked through the
shell itself (rather than directly) and in the past, binaries could even be
executed through the <h:code>ld-linux.so</h:code> binary (although this has
been fixed).
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
File systems for which <h:em>noexec</h:em> is recommended are:
+ </h:p>
<h:ul>
<h:li>
The <h:code>/tmp</h:code> file system as it is a popular target to store exploit
@@ -716,7 +777,7 @@
Multiple authentication (one to create device file, one to log on)
-->
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="false" severity="low" weight="5.9">
- <title>Test if /var is mounted with nodev</title>
+ <title>/var is mounted with nodev</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev">Mount /var with nodev mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev"
system="urn:xccdf:fix:system:commands"
@@ -728,7 +789,7 @@ mount -o remount,nodev /var
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="false" severity="low" weight="5.9">
- <title>Test if /var/log is mounted with nodev</title>
+ <title>/var/log is mounted with nodev</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev">Mount /var/log with nodev mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev"
system="urn:xccdf:fix:system:commands"
@@ -740,7 +801,7 @@ mount -o remount,nodev /var/log
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="false" severity="low" weight="5.9">
- <title>Test if /var/log/audit is mounted with nodev</title>
+ <title>/var/log/audit is mounted with nodev</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev">Mount /var/log/audit with nodev mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev"
system="urn:xccdf:fix:system:commands"
@@ -752,7 +813,7 @@ mount -o remount,nodev /var/log/audit
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false" severity="low" weight="5.9">
- <title>Test if /home is mounted with nodev</title>
+ <title>/home is mounted with nodev</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
system="urn:xccdf:fix:system:commands"
@@ -766,7 +827,7 @@ mount -o remount,nodev /home
<!-- Higher severity due to more best practices and world writeable,
also more likely that exploit of process is done towards /tmp -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="false" severity="medium" weight="5.9">
- <title>Test if /tmp is mounted with nodev</title>
+ <title>/tmp is mounted with nodev</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev">Mount /tmp with nodev mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev"
system="urn:xccdf:fix:system:commands"
@@ -778,7 +839,7 @@ mount -o remount,nodev /tmp
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="false" severity="medium" weight="5.9">
- <title>Test if /tmp is mounted with nosuid</title>
+ <title>/tmp is mounted with nosuid</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid">Mount /tmp with nosuid mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid"
system="urn:xccdf:fix:system:commands"
@@ -790,7 +851,7 @@ mount -o remount,nosuid /tmp
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false" severity="low" weight="5.9">
- <title>Test if /home is mounted with nosuid</title>
+ <title>/home is mounted with nosuid</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
system="urn:xccdf:fix:system:commands"
@@ -802,7 +863,7 @@ mount -o remount,nosuid /home
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="false" severity="medium" weight="5.9">
- <title>Test if /dev/shm is mounted with nosuid</title>
+ <title>/dev/shm is mounted with nosuid</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid">Mount /dev/shm with nosuid mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid"
system="urn:xccdf:fix:system:commands"
@@ -816,7 +877,7 @@ mount -o remount,nosuid /dev/shm
<!-- Weight is 0 as this is a means to exploit, not exploitable by
itself -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="false" severity="medium" weight="0.0">
- <title>Test if /tmp is mounted with noexec</title>
+ <title>/tmp is mounted with noexec</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec">Mount /tmp with noexec mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec"
system="urn:xccdf:fix:system:commands"
@@ -828,7 +889,7 @@ mount -o remount,noexec /tmp
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="false" severity="medium" weight="0.0">
- <title>Test if /dev/shm is mounted with noexec</title>
+ <title>/dev/shm is mounted with noexec</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with nosuid mount option</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec"
system="urn:xccdf:fix:system:commands"
@@ -843,37 +904,46 @@ mount -o remount,noexec /dev/shm
<Group id="xccdf_org.gentoo.dev.swift_group_system-fs-quotas">
<title>Disk quota support</title>
<description>
+ <h:p>
Most file systems support the notion of <h:em>quotas</h:em> - limits
on the amount of data / files that are allowed on that particular file system.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
To enable quotas, first configure the Linux kernel to include
<h:code>CONFIG_QUOTA</h:code>.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Next, install the <h:code>sys-fs/quota</h:code> package.
- <h:pre># <h:b>emerge quota</h:b></h:pre>
+ </h:p>
+ <h:pre>
+# <h:b>emerge quota</h:b></h:pre>
+ <h:p>
Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
the partitions (in <h:code>/etc/fstab</h:code>) where quotas need to be
enabled on. For instance, the following snippet from
<h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
and <h:code>/home</h:code>.
- <h:pre>/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
-/dev/mapper/volgrp-var /var ext4 noatime,<h:b>usrquota,grpquota</h:b> 0 0
-</h:pre>
+ </h:p>
+ <h:pre>
+/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
+/dev/mapper/volgrp-var /var ext4 noatime,<h:b>usrquota,grpquota</h:b> 0 0</h:pre>
+ <h:p>
Finally, add the <h:code>quota</h:code> service to the boot runlevel.
+ </h:p>
<h:pre>
# <h:b>rc-update add quota boot</h:b></h:pre>
+ <h:p>
Reboot the system so that the partitions are mounted with the correct
mount options and that the quota service is running. Then the quotas for
users and groups can be set up.
+ </h:p>
</description>
<reference
href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
Disk Usage with Quotas (LinuxHomeNetworking)</reference>
<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
<Rule id="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="false" severity="low" weight="1.7">
- <title>Test if the kernel supports quota (CONFIG_QUOTA)</title>
+ <title>The kernel supports quota (CONFIG_QUOTA)</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_kernel-quota">Rebuild the Linux kernel with quota support (CONFIG_QUOTA)</fixtext>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
@@ -884,42 +954,48 @@ mount -o remount,noexec /dev/shm
<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
<title>System services</title>
<description>
+ <h:p>
Services (daemons) are the primary reason for a server to exist.
They represent the function of the server. For instance, a web server
will run the apache2 or lighttpd service. A name server will run the
named service.
- <h:br />
- <h:br />
- In this benchmark, the focus is on those services that are either
- default available on a Gentoo installation (like SSHd) or that are
- commonly used in Gentoo server architectures (like rsync). For the other
- services it is wise to consult other hardening guides specific for those
- services.
+ </h:p>
+ <h:p>
+ In this benchmark, the focus is on a limited set of system services. For
+ the other services it is wise to consult other hardening guides specific
+ for those services.
+ </h:p>
</description>
<reference href="http://www.cisecurity.org">Center for Internet Security,
host of many service benchmarks</reference>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-disable">
<title>Disable unsafe services</title>
<description>
+ <h:p>
It is recommended to disable (or even uninstall) the following services unless
absolutely necessary. These services use plain-text protocols and are as such unsafe
to use on (untrusted) networks.
+ </h:p>
<h:ul>
<h:li>Telnet service</h:li>
<h:li>FTP Service</h:li>
</h:ul>
- <h:br />
+ <h:p>
It is recommended to substitute these services with their more secure
counterparts (like sFTP, SSH, ...).
+ </h:p>
</description>
<!-- Max score: password in clear text and your system is compromised (if it is root) -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="false" severity="high" weight="10.0">
- <title>Test if no telnet daemons are running</title>
+ <title>No telnet daemons are running</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning">Stop telnet services</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning"
system="urn:xccdf:fix:system:commands"
platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
-for service in /etc/init.d/*telnet*; do test -f ${service} && run_init rc-service ${service##*/} stop; done
+for service in /etc/init.d/*telnet*;
+do
+ test -f ${service} && run_init rc-service ${service##*/} stop;
+done
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="gentoo-oval.xml" />
@@ -927,12 +1003,15 @@ for service in /etc/init.d/*telnet*; do test -f ${service} && run_init r
</Rule>
<!-- Partial breach, assuming accounts are not system accounts -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="false" severity="medium" weight="7.5">
- <title>Test if no FTP daemons are running</title>
+ <title>No FTP daemons are running</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning">Stop FTPd services</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning"
system="urn:xccdf:fix:system:commands"
platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
-for service in /etc/init.d/*ftp*; do test -f ${service} && run_init rc-service ${service##*/} stop; done
+for service in /etc/init.d/*ftp*;
+do
+ test -f ${service} && run_init rc-service ${service##*/} stop;
+done
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="gentoo-oval.xml" />
@@ -942,26 +1021,29 @@ for service in /etc/init.d/*ftp*; do test -f ${service} && run_init rc-s
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-sulogin">
<title>Require single-user boot to give root password</title>
<description>
+ <h:p>
When a system is booted in single user mode, some users might find it
handy to immediately get a root prompt; many even have a specific
bootloader entry to boot in single user mode.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
It is important that, for a more secure server environment, even
booting in single user mode requires the user to enter the root
password. This is already done by default in Gentoo through the
<h:code>rc_shell</h:code> variable in <h:code>/etc/rc.conf</h:code>.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Administrators should also make sure that no direct shells are provided
in <h:code>/etc/inittab</h:code> for single-user mode. Gentoo's
<h:code>/etc/inittab</h:code> definition should look like so:
- <h:pre>su0:S:wait:/sbin/rc single
+ </h:p>
+ <h:pre>
+su0:S:wait:/sbin/rc single
<h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre>
</description>
<!-- CVSS2: AV:L/AC:H/Au:S/C:C/I:C/A:C (high attack complexity due to console access) -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="false" severity="medium" weight="6.0">
- <title>Test if sulogin is used for single-user boot (/etc/rc.conf)</title>
+ <title>sulogin is used for single-user boot (/etc/rc.conf)</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin">Set /sbin/sulogin for rc_shell</fixtext>
<fix id="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin"
system="urn:xccdf:fix:system:commands"
@@ -973,7 +1055,7 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
</check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
- <title>Test if sulogin is used for single-user boot (/etc/inittab)</title>
+ <title>sulogin is used for single-user boot (/etc/inittab)</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">
Set /sbin/sulogin or '/sbin/rc single' for single-user boot in /etc/inittab
</fixtext>
@@ -981,23 +1063,24 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
</check>
</Rule>
-
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-tcpwrappers">
<title>Properly Configure TCP Wrappers</title>
<description>
+ <h:p>
With TCP wrappers, services that support TCP wrappers (or those
started through <h:b>xinetd</h:b>) should be configured to only accept
communication with trusted hosts. With the use of
<h:code>/etc/hosts.allow</h:code> and <h:code>/etc/hosts.deny</h:code>,
proper access control lists can be created.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
More information on the format of these files can be obtained through
<h:b>man 5 hosts_access</h:b>.
+ </h:p>
</description>
<Rule id="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="false" severity="info" weight="0.0">
- <title>Tests if /etc/hosts.allow exists</title>
+ <title>/etc/hosts.allow exists</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_hostsallow-exists">
Create and properly configure /etc/hosts.allow
</fixtext>
@@ -1009,12 +1092,14 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
<title>SSH service</title>
<description>
+ <h:p>
The SSH service is used for secure remote access towards a system, but
also to provide secure file transfers. It is very commonly found on Unix/Linux
systems so proper hardening is definitely in place.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Please use the "Hardening OpenSSH" guide for the necessary instructions.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
@@ -1026,17 +1111,19 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
<title>Only allow trusted accounts cron access</title>
<description>
+ <h:p>
Only allow trusted accounts to use cron. How to achieve this depends on the cron service
installed.
- <h:br />
- <h:br />
- If vixie-cron is installed, then have (only) those users that need cron access take part in the
- <h:em>cron</h:em> unix group.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
+ If vixie-cron or cronie is installed, then have (only) those users that need cron access
+ take part in the <h:em>cron</h:em> unix group.
+ </h:p>
+ <h:p>
If dcron is used, then make sure <h:code>/usr/sbin/crontab</h:code> is only executable by
root and the cron unix group, and make sure (only) those users that need cron access take part
in the <h:em>cron</h:em> unix group.
+ </h:p>
</description>
</Group>
</Group>
@@ -1050,17 +1137,19 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
<title>Only allow trusted accounts at access</title>
<description>
+ <h:p>
Only allow trusted accounts to use at. Unlike cron access, at access is governed through
the <h:code>/etc/at/at.allow</h:code> file. If the <h:code>at.allow</h:code> file does not
exist but <h:code>/etc/at/at.deny</h:code> does, then all names <h:em>not</h:em> mentioned in
the file are allowed to run at. The most secure method is to use the <h:code>at.allow</h:code>
method.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
The format of these files is one username per line.
+ </h:p>
</description>
<Rule id="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="false" severity="low" weight="0.0">
- <title>Tests if /etc/at/at.allow exists</title>
+ <title>/etc/at/at.allow exists</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_atsallow-exists">
Create and properly configure /etc/at/at.allow
</fixtext>
@@ -1073,21 +1162,25 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
<title>NTP service</title>
<description>
+ <h:p>
With NTP, systems can synchronise their clocks, ensuring correct date
and time information. This is important as huge clock drift could
cause misinterpretation of log files or even unwanted execution of
commands.
+ </h:p>
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
<title>Synchronise the system clock</title>
<description>
+ <h:p>
Synchronise the systems' clock with an authorative NTP server, and
use the same NTP service for all other systems.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
This can be accomplished by regularly executing <h:b>ntpdate</h:b>,
but can also be handled using a service like <h:code>net-misc/ntp</h:code>'s
<h:b>ntpd</h:b>.
+ </h:p>
</description>
</Group>
</Group>
@@ -1095,25 +1188,29 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<Group id="xccdf_org.gentoo.dev.swift_group_system-portage">
<title>Portage settings</title>
<description>
+ <h:p>
The package manager of any system is a very important tool. It is
responsible for handling proper software deployments, but also offers
features that should not be neglected, like security patch roll-out.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
For Gentoo, the package manager offers a great deal of flexibility (as
that is the goal of Gentoo anyhow). As such, good settings for a more
secure environment within Portage (assuming that Portage is used as
package manager) are important.
+ </h:p>
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-portage-use">
<title>USE flags</title>
<description>
+ <h:p>
USE flags in Gentoo are used to tune the functionality of many
components and enable or disable features.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
For a well secured environment, there are a couple of USE flags that
should be set in a global manner. These USE flags are
+ </h:p>
<h:ul>
<h:li>
<h:code>pam</h:code> to enable Pluggable Authentication
@@ -1126,43 +1223,51 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<h:code>ssl</h:code> for SSL/TLS support
</h:li>
</h:ul>
+ <h:p>
<h:b>Pluggable Authentication Modules</h:b> are a powerful mechanism
to manage authentication, authorization and user sessions.
Applications that support PAM can be tuned to the liking of the
organization, leveraging central authentication, password policies,
auditing and more.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
With <h:b>TCP wrappers</h:b>, services can be shielded from
unauthorized access on host level. It is an access control level
mechanism which allows configuring allowed (and denied) hosts or
network segments on application level.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Finally, leveraging <h:b>Secure Sockets Layer</h:b> (or the
standardized <h:b>Transport Layer Security</h:b>) allows applications
to encrypt network communication or even implement a
client-certificate based authentication mechanism.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Set the USE flags globally in <h:code>/etc/portage/make.conf</h:code>
so they are applicable to all installed software.
- <h:br />
- <h:pre>USE="... pam tcpd ssl"</h:pre>
+ </h:p>
+ <h:pre>
+USE="... pam tcpd ssl"</h:pre>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-portage-webrsync">
<title>Fetching signed portage tree</title>
<description>
+ <h:p>
Gentoo Portage supports fetching signed tree snapshots using
<h:b>emerge-webrsync</h:b>. This is documented in the Gentoo Handbook,
but as it is quite easy, here are the instructions again:
- <h:pre># <h:b>mkdir -p /etc/portage/gpg</h:b>
+ </h:p>
+ <h:pre>
+# <h:b>mkdir -p /etc/portage/gpg</h:b>
# <h:b>chmod 0700 /etc/portage/gpg</h:b>
-# <h:b>gpg --homedir /etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0x239C75C4 0x96D8BF6D</h:b>
-# <h:b>gpg --homedir /etc/portage/gpg --edit-key 0x239C75C4 trust</h:b>
-# <h:b>gpg --homedir /etc/portage/gpg --edit-key 0x96D8BF6D trust</h:b></h:pre>
+# <h:b>export SRV="subkeys.pgp.net"</h:b>
+# <h:b>export KEY="0x96D8BF6D"</h:b>
+# <h:b>gpg --homedir /etc/portage/gpg --keyserver ${SRV} --recv-keys ${KEY}</h:b>
+# <h:b>gpg --homedir /etc/portage/gpg --edit-key ${KEY} trust</h:b></h:pre>
+ <h:p>
After this, edit <h:code>/etc/portage/make.conf</h:code>:
+ </h:p>
<h:pre>
FEATURES="webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
@@ -1173,37 +1278,44 @@ SYNC=""</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_system-kernel">
<title>Kernel configuration</title>
<description>
+ <h:p>
The Linux kernel should be configured using a sane security standard in
mind. When using grSecurity, additional security-enhancing settings can
be enabled.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
For further details, please refer to the "Hardening the Linux kernel" guide.
+ </h:p>
</description>
<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader">
<title>Bootloader configuration</title>
<description>
+ <h:p>
The bootloader (be it GRUB or another tool) is responsible for loading
the Linux kernel and handing over system control to the kernel. But boot
loaders also allow for a flexible approach on kernel loading, which can
be (ab)used to work around security mechanisms.
+ </h:p>
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
<title>Password protect GRUB (legacy)</title>
<description>
+ <h:p>
It is recommended to password-protect the GRUB configuration so that
the boot options cannot be modified during a boot without providing the
valid password.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
This can be accomplished by inserting <h:code>password abc123</h:code>
in <h:code>/boot/grub/grub.conf</h:code> (which will set the password
to "abc123"). But as clear-text passwords in the configuration file are insecure as well,
hash the passwords. Just start <h:b>grub</h:b>
and, in the grub-shell, type <h:b>md5crypt</h:b>.
- <h:pre># <h:b>grub</h:b>
+ </h:p>
+ <h:pre>
+# <h:b>grub</h:b>
GRUB version 0.92 (640K lower / 3072K upper memory)
@@ -1215,25 +1327,28 @@ Password: <h:em>abc123</h:em>
Encrypted: $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.
grub> <h:b>quit</h:b></h:pre>
- <h:br />
+ <h:p>
This hashed password can now be used in <h:code>grub.conf</h:code>
using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
<title>Password protect LILO</title>
<description>
+ <h:p>
It is recommended to password-protect the LILO configuration so that
modifying the boot options during a boot without providing the
valid password is not possible.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
This can be accomplished by inserting <h:code>password=abc123</h:code>
followed by <h:code>restricted</h:code> in the
<h:code>/etc/lilo.conf</h:code> file. It is also possible to do this
on a per-image level.
- <h:br />
- <h:pre>password=abc123
+ </h:p>
+ <h:pre>
+password=abc123
restricted
delay=3
@@ -1241,40 +1356,46 @@ image=/boot/bzImage
read-only
password=def456
restricted</h:pre>
- <h:br />
+ <h:p>
The <h:code>restricted</h:code> keyword is needed to have LILO only
ask for the password if a modification is given. If the defaults are
used, then no password needs to be provided.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Rerun <h:code>lilo</h:code> after updating the configuration file.
+ </h:p>
</description>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
<title>Authentication and authorization settings</title>
<description>
+ <h:p>
An important part in a servers' security is its authentication and
authorization support. We have already described how to build in PAM
support (through the Portage USE flags), but proper authentication and
authorization settings are mode than just compiling in the necessary
functionality.
+ </h:p>
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-securetty">
<title>Restrict root system logon</title>
<description>
+ <h:p>
To restrict where the root user can directly log on, edit
<h:code>/etc/securetty</h:code> and specify the supported terminals
for the root user.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
When properly configured, any attempt to log on as the root user from
a non-defined terminal will result in logon failure.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
A recommended setting is to only allow root user login through the
console and the physical terminals (<h:code>tty0-tty12</h:code>).
- <h:pre>console
+ </h:p>
+ <h:pre>
+console
tty0
tty1
...
@@ -1284,30 +1405,34 @@ tty12</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
<title>Allow only known users to login</title>
<description>
+ <h:p>
When PAM is enabled, the <h:code>/etc/security/access.conf</h:code>
file is used to check which users are allowed to log on and not
(through the <h:b>login</h:b> application). These limits are based on
username, group and host, network or tty that the user is trying to
log on from.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
By enabling these settings, the risk is reduced that a functional
account (say <h:code>apache</h:code>) is abused to log on with, or
that a new account is created as part of an exploit.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources">
<title>Restrict user resources</title>
<description>
+ <h:p>
When facing a DoS (Denial-of-Service) attack, reducing the impact of
the attack can be done by limited resource consumption. Although the
component that is under attack will even more quickly fail, the impact
towards the other services on the system (including remote logon to
fix things) is more limited.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
In Gentoo Linux, the following methods are available to limit
resources.
+ </h:p>
<h:ul>
<h:li>
<h:code>/etc/security/limits.conf</h:code> defines the
@@ -1320,17 +1445,19 @@ tty12</h:pre>
PAM-aware.
</h:li>
</h:ul>
+ <h:p>
Generally, it should suffice to set up
<h:code>/etc/security/limits.conf</h:code>, which is the configuration
file used by the <h:code>pam_limits.so</h:code> module.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Note that the settings are applicable on a <h:em>per login
session</h:em> basis.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
More information on these files and their syntax can be obtained
through their manual pages.
+ </h:p>
<h:pre>
# <h:b>man limits.conf</h:b>
# <h:b>man limits</h:b></h:pre>
@@ -1339,71 +1466,84 @@ tty12</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-password">
<title>Enforce password policy</title>
<description>
+ <h:p>
Usually most organizations have a password policy, telling their users
how long their passwords should be and how often the passwords should
be changed. Most users see this as an annoying aspect, so it might be
best to enforce this policy.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Enforcing password policies is (partially) part of the
<h:code>sys-apps/shadow</h:code> package (which is installed by
default) and can be configured through the
<h:code>/etc/login.defs</h:code> file. This file is well documented
(using comments) and it has a full manual page as well.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
A second important player when dealing with password policies is the
<h:code>pam_cracklib.so</h:code> library. This can be used in the
appropriate <h:code>/etc/pam.d/*</h:code> files. For instance, for the
<h:code>/etc/pam.d/passwd</h:code> definition:
- <h:pre>auth required pam_unix.so shadow nullok
-account required pam_unix.so
-<h:b>password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2</h:b>
-password required pam_unix.so md5 use_authok
-session required pam_unix.so</h:pre>
+ </h:p>
+ <h:pre>
+auth required pam_unix.so shadow nullok
+account required pam_unix.so
+<h:b>password required pam_cracklib.so difok=3 retry=3 \
+ minlen=8 dcredit=-2 \
+ ocredit=-2</h:b>
+password required pam_unix.so md5 use_authok
+session required pam_unix.so</h:pre>
+ <h:p>
In the above example, the password is required to be at least 8
characters long, differ more than 3 characters from the previous
password, contain 2 digits and 2 non-alphanumeric characters.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-ripper">
<title>Review password strength regularly</title>
<description>
+ <h:p>
Regularly check the strength of the users' passwords. There are tools
out there, like <h:code>app-crypt/johntheripper</h:code> which, given
a <h:code>/etc/shadow</h:code> file (or sometimes even LDAP dump) try
to find the passwords for the users.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
When such a tool can guess a users' password, that users' password
should be expired and the user should be notified and asked to change
his password.
+ </h:p>
</description>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-session">
<title>Session settings</title>
<description>
+ <h:p>
Unlike authentication and authorization settings, a <h:em>session</h:em>
setting is one that is applicable to an authenticated and authorized
user when he is logged on to the system.
+ </h:p>
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-session-mesg">
<title>Disable access to user terminals</title>
<description>
+ <h:p>
By default, user terminals are accessible by others to write messages
to (using <h:b>write</h:b>, <h:b>wall</h:b> or <h:b>talk</h:b>). It is
adviseable to disable this unless explicitly necessary.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Messages can confuse users and trick them into performing malicious
actions.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
This can be disabled by setting <h:code>mesg n</h:code> in
<h:code>/etc/profile</h:code>. A user-friendly method for doing so in
Gentoo is to create a file <h:code>/etc/profile.d/disable_mesg</h:code> which
contains this command.
+ </h:p>
</description>
</Group>
</Group>
@@ -1417,37 +1557,44 @@ session required pam_unix.so</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-worldrw">
<title>Limit world writable files and locations</title>
<description>
+ <h:p>
Limit (or even remove) the use of world writable files and locations.
If a directory is world writable, it makes sense to have the
sticky bit set on it as well (like with <h:code>/tmp</h:code>).
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Use <h:code>find</h:code> to locate such files or directories.
- <h:pre># <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre>
+ </h:p>
+ <h:pre>
+# <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre>
+ <h:p>
The above command shows world writable files and locations, unless it
is a directory with the sticky bit set, or a symbolic link (whose
world writable privilege is not accessible anyhow).
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
<title>Limit setuid and setgid file and directory usage</title>
<description>
+ <h:p>
The <h:em>setuid</h:em> and <h:em>setgid</h:em> flags for files and
directories can be used to work around authentication and
authorization measures taken on the system. So their use should be
carefully guarded.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
In case of files, the setuid or setgid bit causes the application (if
the file is marked as executable) to run with the privileges of the
file owner (setuid) or group owner (setgid). It is necessary for
applications that need elevated privileges, like <h:b>su</h:b> or
<h:b>sudo</h:b>.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
In case of directories, the setgit bit causes newly created
files in that directory to automatically be owned by the same group as
the mentioned (parent) directory.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs">
@@ -1463,12 +1610,14 @@ session required pam_unix.so</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-rootonly">
<title>Files only used by root should be root-only</title>
<description>
+ <h:p>
Some files, like <h:code>/etc/shadow</h:code>, are meant to be read
(and perhaps modified) by root only. These files should never have
privileges for group- or others.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
A nonexhaustive list of such files is:
+ </h:p>
<h:ul>
<h:li>
<h:code>/etc/shadow</h:code> which contains account password
@@ -1508,13 +1657,15 @@ session required pam_unix.so</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_data-backup-automate">
<title>Automated backups</title>
<description>
+ <h:p>
Automate backups on the system. If the backups are performed manually
then they are done wrong and someone will eventually forget it.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Use scheduling software like <h:code>cron</h:code> to
automatically take backups on regular intervals, or use a central
backup solution like <h:code>bacula</h:code>.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-coverage">
@@ -1529,18 +1680,20 @@ session required pam_unix.so</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-history">
<title>Retention</title>
<description>
+ <h:p>
Ensure that the backups use a long enough retention. It is not wise
to take a single backup and overwrite this one over and over again, as
there will be a time that a file needs to be recovered that was corrupted
long before the last backup was taken.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
There is no perfect retention period however, as the more backups are
kept, the more storage is required and the more money or time needs to be invested in
managing the backups.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
In most cases, introduce a "layered" approach on retention. For instance:
+ </h:p>
<h:ul>
<h:li>keep daily backups for a week</h:li>
<h:li>
@@ -1558,15 +1711,17 @@ session required pam_unix.so</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-location">
<title>Off-site backups</title>
<description>
+ <h:p>
Keep the backups off-site in case of disaster. But consider this
location carefully. Investigate how fast the backup can be put there,
but also how fast it can be retrieved it in case of need. Also investigate if this
location is juridically sane (is it allowed to put the data on this location
and is this off-site location trusted).
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
Also ensure that the backups are stored securely. If necessary,
encrypt the backups.
+ </h:p>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-validate">
@@ -1588,16 +1743,18 @@ session required pam_unix.so</h:pre>
<Group id="xccdf_org.gentoo.dev.swift_group_removal-wipedisk">
<title>Wipe disks</title>
<description>
+ <h:p>
Clear all data from the disks on the server in a secure manner.
Applications like <h:b>shred</h:b> (part of
<h:code>sys-apps/coreutils</h:code>) can be used to security wipe data
or even entire partitions or disks.
- <h:br />
- <h:br />
+ </h:p>
+ <h:p>
It is recommended to perform full disk wipes rather than file wipes.
If this needs to be done on file level, see if the file system
journaling can be disabled during the wipe session as journaling might "buffer" the
secure writes and only write the end result to the disk.
+ </h:p>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">NIST Publication "Guidelines for Media Sanitization" (PDF)</reference>
</Group>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 13:56 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 13:56 UTC (permalink / raw
To: gentoo-commits
commit: ba0efd919ff2b536cba4588eed154c01482bf200
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 13:38:35 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 13:38:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ba0efd91
Move generated docs to tmp location
---
xml/SCAP/Makefile | 40 ++++++++++++++--------------------------
1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 387ae3e..42028e0 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,32 +1,20 @@
-all: report.html guide.html remediate.sh #guide.pdf
+all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook
-report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- -oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
+report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
+ -oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results ~/tmp/results-gentoo-xccdf.xml --oval-results --report ~/tmp/report-gentoo-xccdf.html gentoo-xccdf.xml
-guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
+guide-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
+ oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --output ~/tmp/guide-gentoo-xccdf.html gentoo-xccdf.xml
-guide.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --format docbook --output guide.docbook gentoo-xccdf.xml
+guide-gentoo-xccdf.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
+ oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --format docbook --output ~/tmp/guide-gentoo-xccdf.docbook gentoo-xccdf.xml
-guide.fo: guide.docbook
- xsltproc --output guide.fo --stringparam paper.type A4 /usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl guide.docbook
+remediate-gentoo-xccdf.sh:
+ oscap xccdf generate fix --output ~/tmp/remediate-gentoo-xccdf.sh ~/tmp/results-gentoo-xccdf.xml
+ chmod 0644 ~/tmp/remediate-gentoo-xccdf.sh
-guide.pdf: guide.fo
- fop guide.fo guide.pdf
+gentoo-ds.xml:
+ oscap ds sds-compose gentoo-xccdf.xml ~/tmp/gentoo-ds.xml
+ oscap ds sds-add gentoo-cpe.xml ~/tmp/gentoo-ds.xml
-remediate.sh: results-xccdf.xml
- oscap xccdf generate fix --output remediate.sh results-xccdf.xml
- chmod 0644 remediate.sh
-
-ds:
- oscap ds sds-compose gentoo-xccdf.xml ds.xml
- oscap ds sds-add gentoo-cpe.xml ds.xml
-
-eval:
- oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml
-
-clean:
- -rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh guide.docbook guide.pdf guide.fo
-
-.PHONY: all eval clean
+.PHONY: all
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 13:56 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 13:56 UTC (permalink / raw
To: gentoo-commits
commit: 690de9d64b0e276bd79bc0201bd6659d63ffdf5a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 13:32:36 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 13:32:36 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=690de9d6
Add test for global USE flag declarations (ssl, tcpd, pam)
---
xml/SCAP/gentoo-oval.xml | 94 +++++++++++++++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 33 +++++++++++++++++
2 files changed, 127 insertions(+)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 3fb4adb..8e64c26 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -457,6 +457,51 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:27" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'pam' is declared as a global USE flag</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The USE declaration in make.conf should have 'pam' set as a global USE flag.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:28" comment="'pam' is set as a global USE flag in make.conf" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:28" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'tcpd' is declared as a global USE flag</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The USE declaration in make.conf should have 'tcpd' set as a global USE flag.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:29" comment="'tcpd' is set as a global USE flag in make.conf" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:29" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'ssl' is declared as a global USE flag</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The USE declaration in make.conf should have 'ssl' set as a global USE flag.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:30" comment="'ssl' is set as a global USE flag in make.conf" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -680,6 +725,33 @@
<lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
</lin-def:partition_test>
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:28"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that 'pam' is set as a global USE flag in make.conf">
+ <!-- USE declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <!-- Match for pam -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+ </ind-def:textfilecontent54_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:29"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that 'tcpd' is set as a global USE flag in make.conf">
+ <!-- USE declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <!-- Match for tcpd -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+ </ind-def:textfilecontent54_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:30"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that 'ssl' is set as a global USE flag in make.conf">
+ <!-- USE declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <!-- Match for ssl -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+ </ind-def:textfilecontent54_test>
+
</tests>
<objects>
@@ -772,6 +844,13 @@
<lin-def:mount_point>/var</lin-def:mount_point>
</lin-def:partition_object>
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:17"
+ version="2" comment="Portage make.conf global USE settings">
+ <ind-def:filepath>/etc/portage/make.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^USE=.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
</objects>
<states>
@@ -811,6 +890,21 @@
<lin-def:mount_options entity_check="at least one" operation="pattern match">(usr|grp)quota</lin-def:mount_options>
</lin-def:partition_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8"
+ version="1" comment="Matching pam">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")pam( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9"
+ version="1" comment="Matching tcpd">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")tcpd( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10"
+ version="1" comment="Matching ssl">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")ssl( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
</states>
<!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 1057fb3..b53b1e8 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -89,6 +89,12 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="true" />
<!-- Verify that /etc/at/at.allow exists -->
<select idref="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="true" />
+ <!-- Make sure USE=pam is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="true" />
+ <!-- Make sure USE=tcpd is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="true" />
+ <!-- Make sure USE=ssl is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1271,6 +1277,33 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
<h:pre>
USE="... pam tcpd ssl"</h:pre>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="false" severity="low" weight="0.0">
+ <title>USE="pam" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-pam">
+ Edit /etc/portage/make.conf and make sure that 'pam' is in the USE declaration
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="false" severity="low" weight="0.0">
+ <title>USE="tcpd" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-tcpd">
+ Edit /etc/portage/make.conf and make sure that 'tcpd' is in the USE declaration
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:28" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="false" severity="low" weight="0.0">
+ <title>USE="ssl" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-ssl">
+ Edit /etc/portage/make.conf and make sure that 'ssl' is in the USE declaration
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-portage-webrsync">
<title>Fetching signed portage tree</title>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 13:56 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 13:56 UTC (permalink / raw
To: gentoo-commits
commit: 117fc65c426f7342ca2f947f8f4a286be0f341aa
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 13:07:05 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 13:07:05 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=117fc65c
Add /var and /home quota mount options check
---
xml/SCAP/gentoo-oval.xml | 58 +++++++++++++++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 22 ++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 693d59f..3fb4adb 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -427,6 +427,36 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:25" version="1" class="compliance">
+ <metadata>
+ <title>/var is mounted with quota option(s)</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The /var mount should be mounted with usrquota or grpquota mount option.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:26" comment="/var is mounted with usrquota or grpquota" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:26" version="1" class="compliance">
+ <metadata>
+ <title>/home is mounted with quota option(s)</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The /home mount should be mounted with usrquota or grpquota mount option.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:27" comment="/home is mounted with usrquota or grpquota" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -632,6 +662,24 @@
<unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:15" />
</unix-def:file_test>
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:26"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var is mounted with usrquota or grpquota option">
+ <!-- /var file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:16" />
+ <!-- "usrquota" or "grpquota" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:27"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /home is mounted with usrquota or grpquota option">
+ <!-- /home file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <!-- "usrquota" or "grpquota" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+ </lin-def:partition_test>
+
</tests>
<objects>
@@ -719,6 +767,11 @@
<unix-def:filepath>/etc/at/at.allow</unix-def:filepath>
</unix-def:file_object>
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:16"
+ version="1" comment="The /var file system">
+ <lin-def:mount_point>/var</lin-def:mount_point>
+ </lin-def:partition_object>
+
</objects>
<states>
@@ -753,6 +806,11 @@
<ind-def:text datatype="string" operation="pattern match" entity_check="all">su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)</ind-def:text>
</ind-def:textfilecontent54_state>
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:7"
+ version="1" comment="The file system is mounted with quota support option">
+ <lin-def:mount_options entity_check="at least one" operation="pattern match">(usr|grp)quota</lin-def:mount_options>
+ </lin-def:partition_state>
+
</states>
<!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index e51a0ab..1057fb3 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -73,6 +73,10 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
<!-- Kernel quota support must be enabled -->
<select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
+ <!-- /var is mounted with usrquota or grpquota -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_var-quota" selected="true" />
+ <!-- /home is mounted with usrquota or grpquota -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="true" />
<!-- No telnetd process is running -->
<select idref="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="true" />
<!-- No ftpd process is running -->
@@ -949,6 +953,24 @@ mount -o remount,noexec /dev/shm
<check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
</check>
</Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_var-quota" selected="false" severity="low" weight="1.7">
+ <title>The /var file system is mounted with usrquota or grpquota</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_var-quota">Mount /var with usrquota and/or grpquota</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-quota"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,usrquota,grpquota /var
+ </fix>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="false" severity="low" weight="1.7">
+ <title>The /home file system is mounted with usrquota or grpquota</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_home-quota">Mount /home with usrquota and/or grpquota</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-quota"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,usrquota,grpquota /home
+ </fix>
+ </Rule>
</Group> <!-- system-fs-quotas -->
</Group> <!-- system-fs -->
<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 13:56 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 13:56 UTC (permalink / raw
To: gentoo-commits
commit: a6aa7065ba85da8af326989ebb8987730c0fb7b2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 13:52:20 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 13:52:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a6aa7065
Generate oval results/report
---
xml/SCAP/Makefile | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 42028e0..93cd449 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,4 +1,4 @@
-all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook
+all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook report-gentoo-oval.xml
report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
-oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results ~/tmp/results-gentoo-xccdf.xml --oval-results --report ~/tmp/report-gentoo-xccdf.html gentoo-xccdf.xml
@@ -17,4 +17,7 @@ gentoo-ds.xml:
oscap ds sds-compose gentoo-xccdf.xml ~/tmp/gentoo-ds.xml
oscap ds sds-add gentoo-cpe.xml ~/tmp/gentoo-ds.xml
+report-gentoo-oval.xml:
+ oscap oval eval --report ~/tmp/report-gentoo-oval.html --results ~/tmp/results-gentoo-oval.xml gentoo-oval.xml
+
.PHONY: all
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 13:56 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 13:56 UTC (permalink / raw
To: gentoo-commits
commit: 74d55749d92d96f50c09c277041d6bb9fa0a969f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 13:54:24 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 13:54:24 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=74d55749
Forgot to reference oval checks for quota mounts
---
xml/SCAP/gentoo-xccdf.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 3c331eb..fa9c357 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -969,6 +969,9 @@ mount -o remount,noexec /dev/shm
platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,usrquota,grpquota /var
</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:25" href="gentoo-oval.xml" />
+ </check>
</Rule>
<Rule id="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="false" severity="low" weight="1.7">
<title>The /home file system is mounted with usrquota or grpquota</title>
@@ -978,6 +981,9 @@ mount -o remount,usrquota,grpquota /var
platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,usrquota,grpquota /home
</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:26" href="gentoo-oval.xml" />
+ </check>
</Rule>
</Group> <!-- system-fs-quotas -->
</Group> <!-- system-fs -->
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 13:56 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 13:56 UTC (permalink / raw
To: gentoo-commits
commit: 0b26865160ba673db1744027ddec5f625847661e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 13:52:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 13:52:33 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=0b268651
Add checks for webrsync-gpg FEATURES setting
---
xml/SCAP/gentoo-oval.xml | 36 ++++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 11 +++++++++++
2 files changed, 47 insertions(+)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 8e64c26..73b5ec8 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -502,6 +502,21 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:30" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'webrsync-gpg' is set in FEATURES</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The FEATURES declaration in make.conf should have 'webrsync-gpg' set.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:31" comment="'webrsync-gpg' is set in make.conf FEATURES" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -752,6 +767,15 @@
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
</ind-def:textfilecontent54_test>
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:31"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that webrsync-gpg is set in make.conf FEATURES">
+ <!-- FEATURES declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:18" />
+ <!-- Match for webrsync-gpg -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
+ </ind-def:textfilecontent54_test>
+
</tests>
<objects>
@@ -851,6 +875,13 @@
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:18"
+ version="1" comment="Portage make.conf FEATURES settings">
+ <ind-def:filepath>/etc/portage/make.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^FEATURES=.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
</objects>
<states>
@@ -905,6 +936,11 @@
<ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")ssl( |")</ind-def:text>
</ind-def:textfilecontent54_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11"
+ version="1" comment="Matching webrsync-gpg">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")webrsync-gpg( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
</states>
<!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index b53b1e8..3c331eb 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -95,6 +95,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="true" />
<!-- Make sure USE=ssl is set -->
<select idref="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="true" />
+ <!-- Make sure FEATURES=webrsync-gpg is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1328,6 +1330,15 @@ FEATURES="webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
SYNC=""</h:pre>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="false" severity="low" weight="0.0">
+ <title>FEATURES="webrsync-gpg" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_FEATURES-webrsync-gpg">
+ Edit /etc/portage/make.conf and make sure that 'webrsync-gpg' is in the FEATURES declaration.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:30" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-kernel">
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:15 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:15 UTC (permalink / raw
To: gentoo-commits
commit: 544b76229debef4bb6489933d07e3c933acc85dc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:08:44 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:08:44 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=544b7622
Run oscap in tmp dir as well
---
xml/SCAP/Makefile | 34 +++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 93cd449..8b54a28 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,23 +1,27 @@
all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook report-gentoo-oval.xml
-report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- -oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results ~/tmp/results-gentoo-xccdf.xml --oval-results --report ~/tmp/report-gentoo-xccdf.html gentoo-xccdf.xml
+report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
+ -pushd ~/tmp; oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results results-gentoo-xccdf.xml --oval-results --check-engine-results --report report-gentoo-xccdf.html gentoo-xccdf.xml; popd
-guide-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --output ~/tmp/guide-gentoo-xccdf.html gentoo-xccdf.xml
+guide-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
+ -pushd ~/tmp; oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --output guide-gentoo-xccdf.html gentoo-xccdf.xml; popd
-guide-gentoo-xccdf.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --format docbook --output ~/tmp/guide-gentoo-xccdf.docbook gentoo-xccdf.xml
+guide-gentoo-xccdf.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
+ -pushd ~/tmp; oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --format docbook --output guide-gentoo-xccdf.docbook gentoo-xccdf.xml; popd
-remediate-gentoo-xccdf.sh:
- oscap xccdf generate fix --output ~/tmp/remediate-gentoo-xccdf.sh ~/tmp/results-gentoo-xccdf.xml
- chmod 0644 ~/tmp/remediate-gentoo-xccdf.sh
+remediate-gentoo-xccdf.sh: prep
+ -pushd ~/tmp; oscap xccdf generate fix --output remediate-gentoo-xccdf.sh results-gentoo-xccdf.xml chmod 0644 remediate-gentoo-xccdf.sh; popd
-gentoo-ds.xml:
- oscap ds sds-compose gentoo-xccdf.xml ~/tmp/gentoo-ds.xml
- oscap ds sds-add gentoo-cpe.xml ~/tmp/gentoo-ds.xml
+gentoo-ds.xml: prep
+ -pushd ~/tmp; oscap ds sds-compose gentoo-xccdf.xml gentoo-ds.xml; popd
+ -pushd ~/tmp; oscap ds sds-add gentoo-cpe.xml gentoo-ds.xml; popd
-report-gentoo-oval.xml:
- oscap oval eval --report ~/tmp/report-gentoo-oval.html --results ~/tmp/results-gentoo-oval.xml gentoo-oval.xml
+report-gentoo-oval.xml: prep
+ -pushd ~/tmp; oscap oval eval --report report-gentoo-oval.html --results results-gentoo-oval.xml gentoo-oval.xml; popd
-.PHONY: all
+prep:
+ -cp gentoo-cpe.xml ~/tmp
+ -cp gentoo-xccdf.xml ~/tmp
+ -cp gentoo-oval.xml ~/tmp
+
+.PHONY: all prep
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:15 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:15 UTC (permalink / raw
To: gentoo-commits
commit: ac90f2453879ce0a62ac9675d73b6885913f198c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:13:11 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:13:11 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ac90f245
Make make.conf a variable
---
xml/SCAP/gentoo-oval.xml | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 73b5ec8..7e1a184 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -870,14 +870,14 @@
<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:17"
version="2" comment="Portage make.conf global USE settings">
- <ind-def:filepath>/etc/portage/make.conf</ind-def:filepath>
+ <ind-def:filepath var_ref="oval:org.gentoo.dev.swift:var:1" />
<ind-def:pattern operation="pattern match">^USE=.*</ind-def:pattern>
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:18"
version="1" comment="Portage make.conf FEATURES settings">
- <ind-def:filepath>/etc/portage/make.conf</ind-def:filepath>
+ <ind-def:filepath var_ref="oval:org.gentoo.dev.swift:var:1" />
<ind-def:pattern operation="pattern match">^FEATURES=.*</ind-def:pattern>
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
@@ -943,8 +943,12 @@
</states>
-<!--
<variables>
+
+ <constant_variable id="oval:org.gentoo.dev.swift:var:1" version="1" datatype="string" comment="Path to Portage make.conf">
+ <value>/etc/portage/make.conf</value>
+ </constant_variable>
+
</variables>
--->
+
</oval_definitions>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:25 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 3de2a55862c4aac01ae2e7e5e858e89104970fa5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:23:48 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:23:48 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3de2a558
Add test for PORTAGE_GPG_DIR
---
xml/SCAP/gentoo-oval.xml | 36 ++++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 12 ++++++++++++
2 files changed, 48 insertions(+)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 7e1a184..5bd0272 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -517,6 +517,21 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:31" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf PORTAGE_GPG_DIR is set</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The PORTAGE_GPG_DIR declaration in make.conf has a non-empty value.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:32" comment="In make.conf PORTAGE_GPG_DIR is non-empty" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -776,6 +791,15 @@
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
</ind-def:textfilecontent54_test>
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:32"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that PORTAGE_GPG_DIR is non-empty">
+ <!-- PORTAGE_GPG_DIR declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:19" />
+ <!-- Match for non-empty value -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
+ </ind-def:textfilecontent54_test>
+
</tests>
<objects>
@@ -882,6 +906,13 @@
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:19"
+ version="1" comment="Portage make.conf PORTAGE_GPG_DIR settings">
+ <ind-def:filepath var_ref="oval:org.gentoo.dev.swift:var:1" />
+ <ind-def:pattern operation="pattern match">^PORTAGE_GPG_DIR="(.*)"</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
</objects>
<states>
@@ -941,6 +972,11 @@
<ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")webrsync-gpg( |")</ind-def:text>
</ind-def:textfilecontent54_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12"
+ version="1" comment="Has a non-empty value">
+ <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\S]+</ind-def:subexpression>
+ </ind-def:textfilecontent54_state>
+
</states>
<variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index fa9c357..548993c 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -97,6 +97,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="true" />
<!-- Make sure FEATURES=webrsync-gpg is set -->
<select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
+ <!-- Make sure PORTAGE_GPG_DIR is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1345,6 +1347,16 @@ SYNC=""</h:pre>
<check-content-ref name="oval:org.gentoo.dev.swift:def:30" href="gentoo-oval.xml" />
</check>
</Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="false" severity="low" weight="0.0">
+ <title>PORTAGE_GPG_DIR is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_PORTAGE_GPG_DIR-nonempty">
+ Edit /etc/portage/make.conf and make sure that PORTAGE_GPG_DIR is set correctly.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:31" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-kernel">
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:38 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:38 UTC (permalink / raw
To: gentoo-commits
commit: 138a5f9575ec713ec3aac9584d844bc135e68248
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:36:38 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:36:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=138a5f95
Add workaround for OVAL interference
---
xml/SCAP/Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 8b54a28..59a0d0e 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -23,5 +23,7 @@ prep:
-cp gentoo-cpe.xml ~/tmp
-cp gentoo-xccdf.xml ~/tmp
-cp gentoo-oval.xml ~/tmp
+ -cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
+ -sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
.PHONY: all prep
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:41 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:41 UTC (permalink / raw
To: gentoo-commits
commit: 07d5db48409c0978b71cb61cc5c10fa2e4838b5b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:40:07 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:40:07 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=07d5db48
Update timestamp
---
xml/SCAP/gentoo-oval.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 5bd0272..e4d183c 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -15,9 +15,9 @@
<generator>
<oval:product_name>OVAL Gentoo Linux</oval:product_name>
- <oval:product_version>20130917.1</oval:product_version>
+ <oval:product_version>20130920.1</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
- <oval:timestamp>2013-09-17T19:42:00</oval:timestamp>
+ <oval:timestamp>2013-09-20T15:39:00</oval:timestamp>
</generator>
<definitions>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:47 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:47 UTC (permalink / raw
To: gentoo-commits
commit: cfd86980c8d1075cb5d7a5408da5dde8a87e6e7f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:45:21 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:45:21 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cfd86980
Copy binary scripts
---
xml/SCAP/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 59a0d0e..3e1b440 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,4 +1,4 @@
-all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook report-gentoo-oval.xml
+all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook report-gentoo-oval.xml gentoo-ds.xml
report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
-pushd ~/tmp; oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results results-gentoo-xccdf.xml --oval-results --check-engine-results --report report-gentoo-xccdf.html gentoo-xccdf.xml; popd
@@ -23,6 +23,7 @@ prep:
-cp gentoo-cpe.xml ~/tmp
-cp gentoo-xccdf.xml ~/tmp
-cp gentoo-oval.xml ~/tmp
+ -cp -R bin/ ~/tmp/
-cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
-sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2013-12-20 14:48 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2013-12-20 14:48 UTC (permalink / raw
To: gentoo-commits
commit: 4f81eed1db661c0070b52097ef2bd8d67cf17152
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:47:00 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:47:00 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4f81eed1
Switch from SYNC to sync-uri
---
xml/SCAP/gentoo-xccdf.xml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 548993c..d38c83f 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1336,7 +1336,12 @@ USE="... pam tcpd ssl"</h:pre>
<h:pre>
FEATURES="webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
-SYNC=""</h:pre>
+</h:pre>
+ <h:p>
+ In the repository configuration (<h:code>/etc/portage/repos.conf</h:code> or a
+ file inside it) <h:code>sync-uri</h:code> has to be commented out, or set to an
+ empty value.
+ </h:p>
</description>
<Rule id="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="false" severity="low" weight="0.0">
<title>FEATURES="webrsync-gpg" is set</title>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-02-01 14:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-02-01 14:24 UTC (permalink / raw
To: gentoo-commits
commit: 378d7c06df134396bfb673430f5c8b85259511c0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 20 14:51:53 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 14:51:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=378d7c06
Add block for GRUB2 password protection (still TODO)
---
xml/SCAP/gentoo-xccdf.xml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index d38c83f..25621c0 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1388,6 +1388,20 @@ PORTAGE_GPG_DIR="/etc/portage/gpg"
be (ab)used to work around security mechanisms.
</h:p>
</description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub2pass">
+ <title>Password protect GRUB 2</title>
+ <description>
+ <h:p>
+ It is recommended to password-protect the GRUB configuration so that the
+ boot options cannot be modified during a boot without providing the valid
+ password.
+ </h:p>
+ <h:p>
+ TODO looks like this has become a lot more difficult to obtain
+ </h:p>
+ <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
+ </description>
+ </Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
<title>Password protect GRUB (legacy)</title>
<description>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-02-01 14:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-02-01 14:24 UTC (permalink / raw
To: gentoo-commits
commit: 5537d423834693b5b9eb704f5ae6fba34b068e98
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 1 14:22:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 14:22:43 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5537d423
Fix check values
---
xml/SCAP/gentoo-oval.xml | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index e4d183c..a031348 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -532,6 +532,21 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:32" version="1" class="compliance">
+ <metadata>
+ <title>In /etc/securetty only console and tty# exists</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The /etc/securetty file only contains console and tty# entries
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:33" comment="In /etc/securetty, only console and tty# are defined" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -783,7 +798,7 @@
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:31"
- version="1" check="at least one" check_existence="all_exist"
+ version="1" check="all" check_existence="all_exist"
comment="Tests that webrsync-gpg is set in make.conf FEATURES">
<!-- FEATURES declaration in make.conf -->
<ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:18" />
@@ -792,7 +807,7 @@
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:32"
- version="1" check="at least one" check_existence="all_exist"
+ version="1" check="all" check_existence="all_exist"
comment="Tests that PORTAGE_GPG_DIR is non-empty">
<!-- PORTAGE_GPG_DIR declaration in make.conf -->
<ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:19" />
@@ -800,6 +815,15 @@
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
</ind-def:textfilecontent54_test>
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:33"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that securetty only contains console and tty#">
+ <!-- /etc/securetty file -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:20" />
+ <!-- console or tty# -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
+ </ind-def:textfilecontent54_test>
+
</tests>
<objects>
@@ -913,6 +937,13 @@
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:20"
+ version="1" comment="/etc/securetty contains only console and tty##">
+ <ind-def:filepath>/etc/securetty</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[^#]+</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
</objects>
<states>
@@ -977,6 +1008,11 @@
<ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\S]+</ind-def:subexpression>
</ind-def:textfilecontent54_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13"
+ version="1" comment="Matches console or tty[0-9]">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">(console|tty[[:digit:]]+)</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
</states>
<variables>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-02-01 14:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-02-01 14:24 UTC (permalink / raw
To: gentoo-commits
commit: 9b2ba0b21a29addbe49dd8bffb82c245f37cc65f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 1 14:23:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 14:23:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9b2ba0b2
Add in hidepid information (yes I know, grsec can also do this)
---
xml/SCAP/gentoo-xccdf.xml | 41 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 25621c0..d2bf154 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2013-12-20">draft</status>
+ <status date="2014-02-01">draft</status>
<title>Gentoo Security Benchmark</title>
<description>
This benchmarks helps people in improving their system configuration to be
more resilient against attacks and vulnerabilities.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
- <version>20131220.1</version>
+ <version>20140201.1</version>
<model system="urn:xccdf:scoring:default" />
<model system="urn:xccdf:scoring:flat" />
<model system="urn:xccdf:scoring:flat-unweighted" />
@@ -57,7 +57,7 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
<!-- The /var/log/audit partition is mounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
- <!-- The /home partition is mounted with nodev -->
+ <!-- The /home partition is moounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
<!-- The /tmp partition is mounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
@@ -99,6 +99,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
<!-- Make sure PORTAGE_GPG_DIR is set -->
<select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
+ <!-- Make sure /etc/securetty only contains console and tty's -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -701,7 +703,7 @@
for file systems are explained.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
- <title>Appropriate mount options for the file systems</title>
+ <title>Using no* mount options for the file systems</title>
<description>
<h:p>
Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
@@ -988,6 +990,26 @@ mount -o remount,usrquota,grpquota /home
</check>
</Rule>
</Group> <!-- system-fs-quotas -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
+ <title>Hiding process information through hidepid</title>
+ <description>
+ <h:p>
+ In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
+ mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
+ all process information is world readable.
+ </h:p>
+ <h:p>
+ When the value 1 is passed, the process information is not readable, but process directories are still shown
+ in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
+ </h:p>
+ <h:p>
+ In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
+ option can be used to exempt this group from the PID hiding.
+ </h:p>
+ </description>
+ <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
+ the hidepid support</reference>
+ </Group>
</Group> <!-- system-fs -->
<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
<title>System services</title>
@@ -1399,8 +1421,8 @@ PORTAGE_GPG_DIR="/etc/portage/gpg"
<h:p>
TODO looks like this has become a lot more difficult to obtain
</h:p>
- <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
</description>
+ <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
<title>Password protect GRUB (legacy)</title>
@@ -1504,6 +1526,15 @@ tty1
...
tty12</h:pre>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
+ <title>/etc/securetty is limited to console and tty's</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
+ Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
<title>Allow only known users to login</title>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-02-01 14:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-02-01 14:24 UTC (permalink / raw
To: gentoo-commits
commit: c5fc8e7c31f333a8885419a95a9ec76525350b66
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 1 14:22:18 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 14:22:18 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c5fc8e7c
Add upload to Makefile
---
xml/SCAP/Makefile | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 3e1b440..f0b8628 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,3 +1,5 @@
+location = "dev.gentoo.org:public_html/docs/security_benchmarks"
+
all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook report-gentoo-oval.xml gentoo-ds.xml
report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
@@ -27,4 +29,7 @@ prep:
-cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
-sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
-.PHONY: all prep
+upload:
+ -pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html report-gentoo-xccdf.html $(location)/; popd;
+
+.PHONY: all prep upload
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-03-26 21:07 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-03-26 21:07 UTC (permalink / raw
To: gentoo-commits
commit: e776b21bb7b10d185eeaebb8a97686a932a3b78c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 26 21:06:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 26 21:06:50 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e776b21b
Add syslog rules and enhance security/access.conf with an example
---
xml/SCAP/gentoo-xccdf.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 76 insertions(+), 4 deletions(-)
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index d2bf154..5fe590d 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2014-02-01">draft</status>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+ <status date="2014-03-26">draft</status>
<title>Gentoo Security Benchmark</title>
<description>
This benchmarks helps people in improving their system configuration to be
more resilient against attacks and vulnerabilities.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
- <version>20140201.1</version>
+ <version>20140326.1</version>
<model system="urn:xccdf:scoring:default" />
<model system="urn:xccdf:scoring:flat" />
<model system="urn:xccdf:scoring:flat-unweighted" />
@@ -355,7 +355,7 @@
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
- <title>Before startng</title>
+ <title>Before starting</title>
<description>
Before starting to deploy Gentoo Linux and start hardening it, it is wise
to take a step back and think about what to accomplish. Setting
@@ -1244,6 +1244,48 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
</description>
</Group>
</Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog">
+ <title>Syslog service</title>
+ <description>
+ <h:p>
+ The system logger handles all non-audit related logging generated by applications
+ and daemons. In order to ensure proper forensic analysis if it would ever be needed,
+ the system logger should be properly configured.
+ </h:p>
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-logintervals">
+ <title>Configure the system logger to log intervals</title>
+ <description>
+ <h:p>
+ Have the system logger log every 10 minutes or so. Without interval logging,
+ administrators might think nothing is wrong although in reality the system
+ logger is malfunctioning and not writing any log events.
+ </h:p>
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-remotelogging">
+ <title>Enable remote logging</title>
+ <description>
+ <h:p>
+ If possible, have vital (or all) logs sent to a remote system logger as well.
+ In home deployments, off-the-shelf (wifi) routers often have a logging daemon
+ that can receive syslog events. For larger environments, a dedicated centralized
+ log server is recommended.
+ </h:p>
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-terminal">
+ <title>Decide which events to send to user terminals</title>
+ <description>
+ <h:p>
+ On Linux and Unix systems, events can be sent to user terminals to
+ make those users immediately aware of what is happening. It is
+ recommended to send emergency-level events to everyone and have
+ alerts sent to specific administrative user terminals.
+ </h:p>
+ </description>
+ </Group>
+ </Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-portage">
<title>Portage settings</title>
@@ -1551,6 +1593,14 @@ tty12</h:pre>
account (say <h:code>apache</h:code>) is abused to log on with, or
that a new account is created as part of an exploit.
</h:p>
+ <h:p>
+ The following example setting allows only local root logins on tty1,
+ and only the <h:em>swift</h:em> account to log on on the system.
+ </h:p>
+ <h:pre>
++ : root : tty1
+- : ALL EXCEPT swift : ALL
+ </h:pre>
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources">
@@ -1731,6 +1781,28 @@ session required pam_unix.so</h:pre>
</h:p>
</description>
</Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-caps">
+ <title>Limit capability enabled files</title>
+ <description>
+ <h:p>
+ Capabilities within Linux allow users to perform certain privileged tasks.
+ </h:p>
+ <h:p>
+ Unlike <h:em>setuid</h:em> flags, the allowed privileges can be defined
+ in a more granular approach (although one can still add in all possible
+ capabilities and thus gain similar privileges as through <h:em>setuid</h:em>
+ binaries).
+ </h:p>
+ <h:p>
+ Files with particular capabilities set (through the <h:b>setcap</h:b>
+ application) should be regularly reviewed. Capability-enabled files
+ can be found through the following command:
+ </h:p>
+ <h:pre>
+# <h:b>getcap -r /</h:b>
+ </h:pre>
+ </description>
+ </Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs">
<title>Logs only readable by proper group</title>
<description>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-03-30 18:29 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-03-30 18:29 UTC (permalink / raw
To: gentoo-commits
commit: 68e7c5b954197805e82752021032cf8e0fc97a96
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 15:43:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 15:43:55 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=68e7c5b9
Handle version and add in hidepid check
---
xml/SCAP/Makefile | 2 ++
xml/SCAP/gentoo-oval.xml | 35 +++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 20 +++++++++++++++++---
3 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index f0b8628..1a48ecf 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -28,6 +28,8 @@ prep:
-cp -R bin/ ~/tmp/
-cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
-sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
+ -sed -i "s|@@VERSION@@|`date +%Y%m%d`|g" ~/tmp/gentoo-xccdf.xml
+ -sed -i "s|@@DATE@@|`date +%Y-%m-%d`|g" ~/tmp/gentoo-xccdf.xml
upload:
-pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html report-gentoo-xccdf.html $(location)/; popd;
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index a031348..7f6e674 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -547,6 +547,21 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:33" version="1" class="compliance">
+ <metadata>
+ <title>/proc is mounted with hidepid=1 or hidepid=2</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The /proc file system should be mounted with hidepid=1 or 2 so that other users' processes are not visible to non-authorized accounts.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="/proc is mounted with hidepid=1 or hidepid=2" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -824,6 +839,16 @@
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
</ind-def:textfilecontent54_test>
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:34"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /proc is mounted with hidepid=1 or hidepid=2 option">
+ <!-- /proc partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+ <!-- "hidepid=[12]" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+ </lin-def:partition_test>
+
+
</tests>
<objects>
@@ -944,6 +969,11 @@
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:21"
+ version="1" comment="The /proc file system">
+ <lin-def:mount_point>/proc</lin-def:mount_point>
+ </lin-def:partition_object>
+
</objects>
<states>
@@ -1013,6 +1043,11 @@
<ind-def:text datatype="string" operation="pattern match" entity_check="all">(console|tty[[:digit:]]+)</ind-def:text>
</ind-def:textfilecontent54_state>
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:14"
+ version="1" comment="hidepid=1 or hidepid=2 mount option">
+ <lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
+ </lin-def:partition_state>
+
</states>
<variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 5fe590d..3c3afcd 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2014-03-26">draft</status>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-@@VERSION@@-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+ <status date="@@DATE@@">draft</status>
<title>Gentoo Security Benchmark</title>
<description>
This benchmarks helps people in improving their system configuration to be
more resilient against attacks and vulnerabilities.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
- <version>20140326.1</version>
+ <version>@@VERSION@@</version>
<model system="urn:xccdf:scoring:default" />
<model system="urn:xccdf:scoring:flat" />
<model system="urn:xccdf:scoring:flat-unweighted" />
@@ -101,6 +101,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
<!-- Make sure /etc/securetty only contains console and tty's -->
<select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
+ <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1009,6 +1011,18 @@ mount -o remount,usrquota,grpquota /home
</description>
<reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
the hidepid support</reference>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="false" severity="medium" weight="1.7">
+ <title>The /proc file system is mounted with hidepid=1 or hidepid=2</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_proc-hidepid">Mount /proc with hidepid=1 or hidepid=2</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_proc-hidepid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,hidepid=2 /proc
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group> <!-- system-fs -->
<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-03-30 18:29 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-03-30 18:29 UTC (permalink / raw
To: gentoo-commits
commit: e85228a786ea2041715e8e2193d93411261f1950
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 18:29:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 18:29:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e85228a7
Check grub.conf with password md5 hash
---
xml/SCAP/gentoo-oval.xml | 62 +++++++++++++++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 11 +++++++++
2 files changed, 73 insertions(+)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 7f6e674..f873701 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -562,6 +562,25 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:34" version="1" class="compliance">
+ <metadata>
+ <title>/boot/grub/grub.conf has a password set</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ If /boot/grub/grub.conf exists, then it must have a password set.
+ </description>
+ </metadata>
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="/boot/grub exists" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="/boot/grub/grub.conf does not exist" />
+ </criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="GRUB Legacy configuration has a password set" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -848,6 +867,27 @@
<lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
</lin-def:partition_test>
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:35"
+ version="1" check="all" check_existence="none_exist"
+ comment="/boot/grub/grub.conf does not exist">
+ <!-- The /boot/grub/grub.conf file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
+ </unix-def:file_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36"
+ comment="The grub.conf file has a password --md5 entry"
+ version="1" check="at least one" check_existence="at_least_one_exists">
+ <!-- The /boot/grub/grub.conf file content -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+ </ind-def:textfilecontent54_test>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:37"
+ version="1" check="all" check_existence="all_exist"
+ comment="/boot/grub exists">
+ <!-- The /boot/grub location exists -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
+ </unix-def:file_test>
</tests>
@@ -974,6 +1014,23 @@
<lin-def:mount_point>/proc</lin-def:mount_point>
</lin-def:partition_object>
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:22"
+ version="1" comment="The /boot/grub/grub.conf file">
+ <unix-def:filepath>/boot/grub/grub.conf</unix-def:filepath>
+ </unix-def:file_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23"
+ version="1" comment="The /boot/grub/grub.conf content">
+ <ind-def:filepath>/boot/grub/grub.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:24"
+ version="1" comment="The /boot/grub location">
+ <unix-def:filepath>/boot/grub</unix-def:filepath>
+ </unix-def:file_object>
+
</objects>
<states>
@@ -1048,6 +1105,11 @@
<lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
</lin-def:partition_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15"
+ version="1" comment="Has a password --md5 entry">
+ <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
+ </ind-def:textfilecontent54_state>
+
</states>
<variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 3c3afcd..732bde3 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -103,6 +103,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
<!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
<select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
+ <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1513,6 +1515,15 @@ grub> <h:b>quit</h:b></h:pre>
using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
</h:p>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
+ <title>Grub legacy has a password entry with md5 hash</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
+ Edit /boot/grub/grub.conf and set a password entry with md5 hash
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
<title>Password protect LILO</title>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-03-30 20:08 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-03-30 20:08 UTC (permalink / raw
To: gentoo-commits
commit: 128dc9720b9c8ca2c5638b2bc8cb4e33db82b653
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 20:06:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 20:06:21 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=128dc972
Use really_all to really run the heavy stuff as well
---
xml/SCAP/Makefile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 1a48ecf..208cd01 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,6 +1,8 @@
location = "dev.gentoo.org:public_html/docs/security_benchmarks"
-all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook report-gentoo-oval.xml gentoo-ds.xml
+all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook gentoo-ds.xml
+
+really_all: all report-gentoo-oval.xml
report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
-pushd ~/tmp; oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results results-gentoo-xccdf.xml --oval-results --check-engine-results --report report-gentoo-xccdf.html gentoo-xccdf.xml; popd
@@ -34,4 +36,4 @@ prep:
upload:
-pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html report-gentoo-xccdf.html $(location)/; popd;
-.PHONY: all prep upload
+.PHONY: all prep upload really_all
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2014-03-30 20:08 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2014-03-30 20:08 UTC (permalink / raw
To: gentoo-commits
commit: 15f31c8d487f24d0d6971801531ebfc9e06161ec
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 20:06:31 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 20:06:31 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=15f31c8d
Add test for world writable directories
---
xml/SCAP/gentoo-oval.xml | 101 ++++++++++++++++++++++++++++++++++++++++++++++
xml/SCAP/gentoo-xccdf.xml | 29 ++++++++++++-
2 files changed, 128 insertions(+), 2 deletions(-)
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index f873701..427e5c1 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -581,6 +581,37 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:35" version="1" class="compliance">
+ <metadata>
+ <title>/etc/lilo.conf has a password set</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ If /etc/lilo.conf exists, then it must have a password set.
+ </description>
+ </metadata>
+ <criteria operator="OR">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="/etc/lilo.conf does not exist" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="/etc/lilo.conf has a password set" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:36" version="1" class="compliance">
+ <metadata>
+ <title>All world writable directories have the sticky bit set</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ All world writable directories must have the sticky bit set.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="All world writable directories have the sticky bit set" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -879,6 +910,7 @@
version="1" check="at least one" check_existence="at_least_one_exists">
<!-- The /boot/grub/grub.conf file content -->
<ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+ <!-- A "password - -md5 somevalue" match -->
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
</ind-def:textfilecontent54_test>
@@ -889,6 +921,31 @@
<unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
</unix-def:file_test>
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:38"
+ version="1" check="all" check_existence="none_exist"
+ comment="/etc/lilo.conf does not exist">
+ <!-- The /etc/lilo.conf file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+ </unix-def:file_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39"
+ comment="lilo.conf has a password set"
+ version="1" check="at least one" check_existence="at_least_one_exists">
+ <!-- The /etc/lilo.conf content -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+ <!-- A password=somevalue match -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+ </ind-def:textfilecontent54_test>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:40"
+ comment="All world writable directories have the sticky bit set"
+ version="1" check="all" check_existence="all_exist">
+ <!-- All world writable directories -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+ <!-- sticky bit is set -->
+ <unix-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+ </unix-def:file_test>
+
</tests>
<objects>
@@ -1031,6 +1088,35 @@
<unix-def:filepath>/boot/grub</unix-def:filepath>
</unix-def:file_object>
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:25"
+ version="1" comment="The /etc/lilo.conf file">
+ <unix-def:filepath>/etc/lilo.conf</unix-def:filepath>
+ </unix-def:file_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26"
+ version="1" comment="The /etc/lilo.conf content">
+ <ind-def:filepath>/etc/lilo.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:27"
+ version="1" comment="All world writable directories">
+ <set set_operator="UNION" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <!-- All local directories -->
+ <object_reference>oval:org.gentoo.dev.swift:obj:28</object_reference>
+ <!-- filter out just those with the world-writable bit set -->
+ <filter action="exclude">oval:org.gentoo.dev.swift:ste:18</filter> <!-- exclude is default but this is more readable -->
+ </set>
+ </unix-def:file_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:28"
+ version="1" comment="All local directories">
+ <unix-def:behaviors recurse_direction="down" recurse_file_system="local" recurse="directories"/>
+ <unix-def:path>/</unix-def:path>
+ <unix-def:filename xsi:nil="true"/>
+ </unix-def:file_object>
+
</objects>
<states>
@@ -1110,6 +1196,21 @@
<ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
</ind-def:textfilecontent54_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16"
+ version="1" comment="Has a password=... entry">
+ <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password=[\S]+</ind-def:subexpression>
+ </ind-def:textfilecontent54_state>
+
+ <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:17"
+ version="1" comment="The sticky bit is set">
+ <unix-def:sticky datatype="boolean">1</unix-def:sticky>
+ </unix-def:file_state>
+
+ <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:18"
+ version="1" comment="Not world writable">
+ <unix-def:owrite datatype="boolean">0</unix-def:owrite>
+ </unix-def:file_state>
+
</states>
<variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 732bde3..aa85c1e 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -20,6 +20,8 @@
large impact on the performance of a server. Tests include scripted
validationn.
</description>
+ <!-- Make sure all world-writable directories have the sticky bit set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Intensive validation profile (non-scripted)</title>
@@ -30,6 +32,8 @@
large impact on the performance of a server. Tests do not include
scripted validation.
</description>
+ <!-- Make sure all world-writable directories have the sticky bit set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings (non-scripted)</title>
@@ -103,8 +107,10 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
<!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
<select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
- <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+ <!-- Make sure /boot/grub/grub.conf (if it exists) has a password entry with md5 hash -->
<select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
+ <!-- Make sure /etc/lilo.conf (if it exists) has a password entry -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1516,7 +1522,7 @@ grub> <h:b>quit</h:b></h:pre>
</h:p>
</description>
<Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
- <title>Grub legacy has a password entry with md5 hash</title>
+ <title>Grub legacy (if it exists) has a password entry with md5 hash</title>
<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
Edit /boot/grub/grub.conf and set a password entry with md5 hash
</fixtext>
@@ -1557,6 +1563,15 @@ image=/boot/bzImage
Rerun <h:code>lilo</h:code> after updating the configuration file.
</h:p>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="false" severity="low" weight="6.9">
+ <title>LILO (if it exists) has a password entry</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_liloconf-password">
+ Edit /etc/lilo.conf and set a password entry
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
@@ -1782,6 +1797,16 @@ session required pam_unix.so</h:pre>
world writable privilege is not accessible anyhow).
</h:p>
</description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="false" severity="medium" weight="4.3">
+ <title>All world writable directories have the sticky bit set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit">
+ Make sure all world-writable directories have the sticky bit set
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
<title>Limit setuid and setgid file and directory usage</title>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2015-09-02 20:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-09-02 20:24 UTC (permalink / raw
To: gentoo-commits
commit: ec36b14065b253f45eaf9992b9b87cb22b52561c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 2 20:24:14 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 20:24:14 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-docs.git/commit/?id=ec36b140
Adding kernel files
xml/SCAP/kernel-oval.xml | 1129 +++++++++++++++++++++++++++++++++++++++++++++
xml/SCAP/kernel-xccdf.xml | 967 ++++++++++++++++++++++++++++++++++++++
2 files changed, 2096 insertions(+)
diff --git a/xml/SCAP/kernel-oval.xml b/xml/SCAP/kernel-oval.xml
new file mode 100644
index 0000000..7ea2238
--- /dev/null
+++ b/xml/SCAP/kernel-oval.xml
@@ -0,0 +1,1129 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+ xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+ xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+ xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+ <generator>
+ <oval:product_name>vim</oval:product_name>
+ <oval:schema_version>5.9</oval:schema_version>
+ <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+ </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.ip_forward must be 0</title>
+ <description>sysctl net.ipv4.ip_forward must be 0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="sysctl net.ipv4.ip_forward must be 0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:4" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.all.rp_filter must be 1</title>
+ <description>sysctl net.ipv4.conf.all.rp_filter must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="sysctl net.ipv4.conf.all.rp_filter must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.default.rp_filter must be 1</title>
+ <description>sysctl net.ipv4.conf.default.rp_filter must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="sysctl net.ipv4.conf.default.rp_filter must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.all.accept_source_route must be 0</title>
+ <description>sysctl net.ipv4.conf.all.accept_source_route must be 0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="sysctl net.ipv4.conf.all.accept_source_route must be 0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.default.accept_source_route must be 0</title>
+ <description>sysctl net.ipv4.conf.default.accept_source_route must be 0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="sysctl net.ipv4.conf.default.accept_source_route must be 0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.all.accept_redirects must be 0</title>
+ <description>sysctl net.ipv4.conf.all.accept_redirects must be 0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="sysctl net.ipv4.conf.all.accept_redirects must be 0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.default.accept_redirects must be 0</title>
+ <description>sysctl net.ipv4.conf.default.accept_redirects must be 0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="sysctl net.ipv4.conf.default.accept_redirects must be 0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</title>
+ <description>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</title>
+ <description>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.all.log_martians must be 1</title>
+ <description>sysctl net.ipv4.conf.all.log_martians must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="sysctl net.ipv4.conf.all.log_martians must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:22" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.default.log_martians must be 1</title>
+ <description>sysctl net.ipv4.conf.default.log_martians must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="sysctl net.ipv4.conf.default.log_martians must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:24" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+ <description>sysctl net.ipv4.tcp_syncookies must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:24" comment="sysctl net.ipv4.tcp_syncookies must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:27" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:27" comment="kernel config CONFIG_GRKERNSEC must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:29" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_TPE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_TPE must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:29" comment="kernel config CONFIG_GRKERNSEC_TPE must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:31" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX must be y</title>
+ <description>kernel config CONFIG_PAX must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:31" comment="kernel config CONFIG_PAX must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:32" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_NOEXEC must be y</title>
+ <description>kernel config CONFIG_PAX_NOEXEC must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:32" comment="kernel config CONFIG_PAX_NOEXEC must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:33" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_....EXEC must be y</title>
+ <description>kernel config CONFIG_PAX_....EXEC must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:33" comment="kernel config CONFIG_PAX_....EXEC must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:34" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_MPROTECT must be y</title>
+ <description>kernel config CONFIG_PAX_MPROTECT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="kernel config CONFIG_PAX_MPROTECT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:35" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_ASLR must be y</title>
+ <description>kernel config CONFIG_PAX_ASLR must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="kernel config CONFIG_PAX_ASLR must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:36" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_RANDKSTACK must be y</title>
+ <description>kernel config CONFIG_PAX_RANDKSTACK must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="kernel config CONFIG_PAX_RANDKSTACK must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:37" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_RANDUSTACK must be y</title>
+ <description>kernel config CONFIG_PAX_RANDUSTACK must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="kernel config CONFIG_PAX_RANDUSTACK must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:38" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PAX_RANDMMAP must be y</title>
+ <description>kernel config CONFIG_PAX_RANDMMAP must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="kernel config CONFIG_PAX_RANDMMAP must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:39" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_PROC must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="kernel config CONFIG_GRKERNSEC_PROC must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:40" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="kernel config CONFIG_GRKERNSEC_PROC_USER must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:41" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:41" comment="kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:42" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:42" comment="kernel config CONFIG_GRKERNSEC_PROC_ADD must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:43" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_LINK must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_LINK must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:43" comment="kernel config CONFIG_GRKERNSEC_LINK must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:44" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_FIFO must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_FIFO must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:44" comment="kernel config CONFIG_GRKERNSEC_FIFO must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:45" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:45" comment="kernel config CONFIG_GRKERNSEC_CHROOT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:46" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:46" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:47" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:47" comment="kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:48" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:48" comment="kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:49" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:49" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:50" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:50" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:51" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:51" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:52" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:52" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:53" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:53" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:54" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:54" comment="kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:55" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:55" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:56" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:56" comment="kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:57" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:57" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:58" version="1">
+ <metadata>
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:58" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:59" version="1">
+ <metadata>
+ <title>kernel config CONFIG_SYN_COOKIES must be y</title>
+ <description>kernel config CONFIG_SYN_COOKIES must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:59" comment="kernel config CONFIG_SYN_COOKIES must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:61" version="1">
+ <metadata>
+ <title>kernel config CONFIG_CC_STACKPROTECTOR must be y</title>
+ <description>kernel config CONFIG_CC_STACKPROTECTOR must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:61" comment="kernel config CONFIG_CC_STACKPROTECTOR must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:63" version="1">
+ <metadata>
+ <title>kernel config CONFIG_DEBUG_RODATA must be y</title>
+ <description>kernel config CONFIG_DEBUG_RODATA must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:63" comment="kernel config CONFIG_DEBUG_RODATA must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:65" version="1">
+ <metadata>
+ <title>kernel config CONFIG_STRICT_DEVMEM must be y</title>
+ <description>kernel config CONFIG_STRICT_DEVMEM must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:65" comment="kernel config CONFIG_STRICT_DEVMEM must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:67" version="1">
+ <metadata>
+ <title>kernel config CONFIG_PROC_KCORE must not be set</title>
+ <description>kernel config CONFIG_PROC_KCORE must not be set</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:67" comment="kernel config CONFIG_PROC_KCORE must not be set" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:69" version="1">
+ <metadata>
+ <title>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</title>
+ <description>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:69" comment="kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:71" version="1">
+ <metadata>
+ <title>kernel config CONFIG_ARCH_RANDOM must be y</title>
+ <description>kernel config CONFIG_ARCH_RANDOM must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:71" comment="kernel config CONFIG_ARCH_RANDOM must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:73" version="1">
+ <metadata>
+ <title>kernel config CONFIG_HW_RANDOM must be y</title>
+ <description>kernel config CONFIG_HW_RANDOM must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:73" comment="kernel config CONFIG_HW_RANDOM must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:75" version="1">
+ <metadata>
+ <title>kernel config CONFIG_HW_RANDOM_* must be y</title>
+ <description>kernel config CONFIG_HW_RANDOM_* must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:75" comment="kernel config CONFIG_HW_RANDOM_* must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:77" version="1">
+ <metadata>
+ <title>kernel config CONFIG_AUDIT must be y</title>
+ <description>kernel config CONFIG_AUDIT must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:77" comment="kernel config CONFIG_AUDIT must be y" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:79" version="1">
+ <metadata>
+ <title>kernel config CONFIG_AUDITSYSCALL must be y</title>
+ <description>kernel config CONFIG_AUDITSYSCALL must be y</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:79" comment="kernel config CONFIG_AUDITSYSCALL must be y" />
+ </criteria>
+</definition>
+<!-- @@GENOVAL END DEFINITIONS -->
+</definitions>
+
+<tests>
+<!-- @@GENOVAL START TESTS -->
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="sysctl net.ipv4.ip_forward must be 0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:4" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.rp_filter must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.rp_filter must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.accept_source_route must be 0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.accept_source_route must be 0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.accept_redirects must be 0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.accept_redirects must be 0" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="at least one" comment="sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:8" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="at least one" comment="sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.log_martians must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:10" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.log_martians must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:11" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:24" version="1" check="at least one" comment="sysctl net.ipv4.tcp_syncookies must be 1" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:27" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:29" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_TPE must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:14" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:31" version="1" check="at least one" comment="kernel config CONFIG_PAX must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:15" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:32" version="1" check="at least one" comment="kernel config CONFIG_PAX_NOEXEC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:16" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:33" version="1" check="at least one" comment="kernel config CONFIG_PAX_....EXEC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:34" version="1" check="at least one" comment="kernel config CONFIG_PAX_MPROTECT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:18" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:35" version="1" check="at least one" comment="kernel config CONFIG_PAX_ASLR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:19" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDKSTACK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:20" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:37" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDUSTACK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:38" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDMMAP must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:40" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_USER must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:41" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:42" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_ADD must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:43" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_LINK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:44" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_FIFO must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:28" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:45" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:29" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:46" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:30" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:20" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:47" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:31" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:21" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:48" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:32" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:22" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:49" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:33" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:23" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:50" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:34" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:24" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:51" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:35" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:25" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:52" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:36" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:26" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:53" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:37" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:27" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:54" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:38" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:28" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:55" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:39" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:29" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:56" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:40" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:30" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:57" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:41" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:31" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:58" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:42" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:32" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:59" version="1" check="at least one" comment="kernel config CONFIG_SYN_COOKIES must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:43" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:33" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:61" version="1" check="at least one" comment="kernel config CONFIG_CC_STACKPROTECTOR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:49" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:39" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:63" version="1" check="at least one" comment="kernel config CONFIG_DEBUG_RODATA must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:50" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:40" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:65" version="1" check="at least one" comment="kernel config CONFIG_STRICT_DEVMEM must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:51" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:41" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:67" version="1" check="at least one" comment="kernel config CONFIG_PROC_KCORE must not be set" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:52" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:42" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:69" version="1" check="at least one" comment="kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:53" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:43" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:71" version="1" check="at least one" comment="kernel config CONFIG_ARCH_RANDOM must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:44" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:34" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:73" version="1" check="at least one" comment="kernel config CONFIG_HW_RANDOM must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:45" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:35" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:75" version="1" check="at least one" comment="kernel config CONFIG_HW_RANDOM_* must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:46" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:36" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:77" version="1" check="at least one" comment="kernel config CONFIG_AUDIT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:47" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:37" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:79" version="1" check="at least one" comment="kernel config CONFIG_AUDITSYSCALL must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:48" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:38" />
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/ip_forward">
+ <ind-def:filepath>/proc/sys/net/ipv4/ip_forward</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/rp_filter">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/rp_filter</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/rp_filter">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/rp_filter</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:4" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/accept_source_route">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/accept_source_route</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:5" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/accept_source_route">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/accept_source_route</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:6" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/accept_redirects">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/accept_redirects</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:7" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/accept_redirects">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/accept_redirects</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:8" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts">
+ <ind-def:filepath>/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses">
+ <ind-def:filepath>/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:10" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/log_martians">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/log_martians</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:11" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/log_martians">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/log_martians</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/tcp_syncookies">
+ <ind-def:filepath>/proc/sys/net/ipv4/tcp_syncookies</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:14" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_TPE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_TPE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:15" version="1" comment="Kernel configuration entry CONFIG_PAX">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:16" version="1" comment="Kernel configuration entry CONFIG_PAX_NOEXEC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_NOEXEC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:17" version="1" comment="Kernel configuration entry CONFIG_PAX_....EXEC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_....EXEC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:18" version="1" comment="Kernel configuration entry CONFIG_PAX_MPROTECT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_MPROTECT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:19" version="1" comment="Kernel configuration entry CONFIG_PAX_ASLR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_ASLR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:20" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDKSTACK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDKSTACK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:21" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDUSTACK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDUSTACK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:22" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDMMAP">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDMMAP.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:24" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_USER">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_USER.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:25" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_USERGROUP">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_USERGROUP.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_ADD">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_ADD.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:27" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_LINK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_LINK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:28" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_FIFO">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_FIFO.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:29" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:30" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_MOUNT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_MOUNT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:31" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_DOUBLE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_DOUBLE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:32" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_PIVOT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_PIVOT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:33" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CHDIR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CHDIR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:34" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CHMOD">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CHMOD.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:35" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_FCHDIR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_FCHDIR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:36" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_MKNOD">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_MKNOD.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:37" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_SHMAT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_SHMAT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:38" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_UNIX">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_UNIX.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:39" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_FINDTASK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_FINDTASK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:40" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_NICE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_NICE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:41" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_SYSCTL">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_SYSCTL.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:42" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CAPS">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CAPS.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:43" version="1" comment="Kernel configuration entry CONFIG_SYN_COOKIES">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_SYN_COOKIES.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:44" version="1" comment="Kernel configuration entry CONFIG_ARCH_RANDOM">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_ARCH_RANDOM.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:45" version="1" comment="Kernel configuration entry CONFIG_HW_RANDOM">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_HW_RANDOM.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:46" version="1" comment="Kernel configuration entry CONFIG_HW_RANDOM_*">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_HW_RANDOM_*.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:47" version="1" comment="Kernel configuration entry CONFIG_AUDIT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_AUDIT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:48" version="1" comment="Kernel configuration entry CONFIG_AUDITSYSCALL">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_AUDITSYSCALL.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:49" version="1" comment="Kernel configuration entry CONFIG_CC_STACKPROTECTOR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_CC_STACKPROTECTOR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:50" version="1" comment="Kernel configuration entry CONFIG_DEBUG_RODATA">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_DEBUG_RODATA.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:51" version="1" comment="Kernel configuration entry CONFIG_STRICT_DEVMEM">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_STRICT_DEVMEM.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:52" version="1" comment="Kernel configuration entry CONFIG_PROC_KCORE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PROC_KCORE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:53" version="1" comment="Kernel configuration entry CONFIG_SECURITY_DMESG_RESTRICT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_SECURITY_DMESG_RESTRICT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of 0">
+ <ind-def:subexpression operation="pattern match">0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of 1">
+ <ind-def:subexpression operation="pattern match">1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of CONFIG_GRKERNSEC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of CONFIG_GRKERNSEC_TPE=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_TPE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of CONFIG_PAX=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of CONFIG_PAX_NOEXEC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_NOEXEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of CONFIG_PAX_....EXEC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_....EXEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of CONFIG_PAX_MPROTECT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_MPROTECT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of CONFIG_PAX_ASLR=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_ASLR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of CONFIG_PAX_RANDKSTACK=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDKSTACK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of CONFIG_PAX_RANDUSTACK=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDUSTACK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of CONFIG_PAX_RANDMMAP=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDMMAP=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of CONFIG_GRKERNSEC_PROC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_USER=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_USER=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_USERGROUP=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_USERGROUP=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_ADD=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_ADD=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of CONFIG_GRKERNSEC_LINK=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_LINK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of CONFIG_GRKERNSEC_FIFO=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_FIFO=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:20" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_MOUNT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_MOUNT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:21" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_DOUBLE=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_DOUBLE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:22" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_PIVOT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_PIVOT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:23" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CHDIR=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CHDIR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:24" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CHMOD=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CHMOD=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:25" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_FCHDIR=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_FCHDIR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:26" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_MKNOD=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_MKNOD=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:27" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_SHMAT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_SHMAT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:28" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_UNIX=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_UNIX=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:29" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_FINDTASK=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_FINDTASK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:30" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_NICE=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_NICE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:31" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_SYSCTL=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_SYSCTL=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:32" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CAPS=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CAPS=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:33" version="1" comment="The match of CONFIG_SYN_COOKIES=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_SYN_COOKIES=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:34" version="1" comment="The match of CONFIG_ARCH_RANDOM=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_ARCH_RANDOM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:35" version="1" comment="The match of CONFIG_HW_RANDOM=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_HW_RANDOM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:36" version="1" comment="The match of CONFIG_HW_RANDOM_*=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_HW_RANDOM_*=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:37" version="1" comment="The match of CONFIG_AUDIT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_AUDIT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:38" version="1" comment="The match of CONFIG_AUDITSYSCALL=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_AUDITSYSCALL=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:39" version="1" comment="The match of CONFIG_CC_STACKPROTECTOR=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_CC_STACKPROTECTOR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:40" version="1" comment="The match of CONFIG_DEBUG_RODATA=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_DEBUG_RODATA=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:41" version="1" comment="The match of CONFIG_STRICT_DEVMEM=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_STRICT_DEVMEM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:42" version="1" comment="The match of # CONFIG_PROC_KCORE is not set">
+ <ind-def:subexpression operation="pattern match"># CONFIG_PROC_KCORE is not set</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:43" version="1" comment="The match of CONFIG_SECURITY_DMESG_RESTRICT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_SECURITY_DMESG_RESTRICT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+<!--
+<variables>
+-->
+<!-- @@GENOVAL START VARIABLES -->
+<!-- @@GENOVAL END VARIABLES -->
+<!--
+<local_variable id="oval:org.gentoo.dev.swift.genoval:var:1" version="1" datatype="string" comment="Location where the helper scripts output is stored">
+ <object_component item_field="value" object_ref="oval:org.gentoo.dev.swift.genoval:obj:1"/>
+</local_variable>
+</variables>
+-->
+</oval_definitions>
diff --git a/xml/SCAP/kernel-xccdf.xml b/xml/SCAP/kernel-xccdf.xml
new file mode 100644
index 0000000..4cfdbe8
--- /dev/null
+++ b/xml/SCAP/kernel-xccdf.xml
@@ -0,0 +1,967 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Gentoo-Security-Benchmark-Kernel-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0">
+ <status date="2012-07-21">draft</status>
+ <title>Hardening Linux Kernel</title>
+ <description>
+ The Linux kernel is at the heart of every Linux system. With its extensive configuration
+ options, it comes to no surprise that specific settings can be enabled to further harden
+ your system.
+ <h:br />
+ <h:br />
+ In this guide, we focus on Linux kernel configuration entries that support additional
+ hardening of your system, as well as the configuration through the <h:em>syctl</h:em>
+ settings.
+ </description>
+ <platform idref="cpe:/o:gentoo:linux"/>
+ <version>1</version>
+ <model system="urn:xccdf:scoring:default"/>
+ <model system="urn:xccdf:scoring:flat"/>
+ <Profile id="Default">
+ <title>Default vanilla kernel hardening</title>
+ <description>
+ Profile matching all standard (vanilla-kernel) hardening rules
+ </description>
+ <select idref="rule-sysctl-ipv4-forward" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-rp_filter" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-rp_filter" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-asr" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-asr" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-aredirect" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-aredirect" selected="true" />
+ <select idref="rule-sysctl-ipv4-echobroadcast" selected="true" />
+ <select idref="rule-sysctl-icmpboguserror" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-logmartians" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-logmartians" selected="true" />
+ <select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
+ <select idref="rule-kernel-syncookies" selected="true" />
+ <select idref="rule-kernel-config-rand" selected="true" />
+ <select idref="rule-kernel-config-hwrand" selected="true" />
+ <select idref="rule-kernel-config-hwrand-detail" selected="true" />
+ <select idref="rule-kernel-config-audit" selected="true" />
+ <select idref="rule-kernel-config-audit-syscall" selected="true" />
+ <select idref="rule-kernel-ccstackprotect" selected="true" />
+ <select idref="rule-kernel-rodata" selected="true" />
+ <select idref="rule-kernel-strictdevmem" selected="true" />
+ <select idref="rule-kernel-prockcore" selected="true" />
+ <select idref="rule-kernel-nodmesg" selected="true" />
+ </Profile>
+ <Profile id="Full" extends="grSecurity">
+ <title>grSecurity (incl. PaX) kernel hardening</title>
+ <description>
+ Profile matching the recommended PaX settings and grSecurity
+ settings
+ </description>
+ <select idref="rule-kernel-grsec" selected="true" />
+ <select idref="rule-kernel-grsec-pax" selected="true" />
+ <select idref="rule-kernel-grsec-pax-noexec" selected="true" />
+ <select idref="rule-kernel-grsec-pax-anyexec" selected="true" />
+ <select idref="rule-kernel-grsec-pax-mprotect" selected="true" />
+ <select idref="rule-kernel-grsec-pax-aslr" selected="true" />
+ <select idref="rule-kernel-grsec-pax-randkstack" selected="true" />
+ <select idref="rule-kernel-grsec-pax-randustack" selected="true" />
+ <select idref="rule-kernel-grsec-pax-randmmap" selected="true" />
+ </Profile>
+ <Profile id="grSecurity" extends="Default">
+ <title>grSecurity specific kernel hardening</title>
+ <description>
+ Profile matching the recommended grSecurity settings (except PaX)
+ </description>
+ <select idref="rule-kernel-grsec" selected="true" />
+ <select idref="rule-kernel-tpe" selected="true" />
+ <select idref="rule-kernel-grsec-proc" selected="true" />
+ <select idref="rule-kernel-grsec-proc-user" selected="true" />
+ <select idref="rule-kernel-grsec-proc-usergroup" selected="true" />
+ <select idref="rule-kernel-grsec-proc-add" selected="true" />
+ <select idref="rule-kernel-grsec-link" selected="true" />
+ <select idref="rule-kernel-grsec-fifo" selected="true" />
+ <select idref="rule-kernel-grsec-chroot" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-mount" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-double" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-pivot" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-chdir" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-chmod" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-fchdir" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-mknod" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-shmat" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-unix" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-findtask" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-nice" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-sysctl" selected="true" />
+ <select idref="rule-kernel-grsec-chroot-caps" selected="true" />
+ </Profile>
+ <Group id="gt-kernelconfig">
+ <title>Kernel Configuration</title>
+ <description>
+ The Linux kernel should be configured using a sane security standard in
+ mind. When using grSecurity, additional security-enhancing settings can
+ be enabled.
+ <h:br />
+ <h:br />
+ In this guide, kernel configuration is shown in the short-hand notation.
+ This allows us to document configuration settings in a way that is somewhat more
+ future proof, since the position of the settings in the kernel configuration changes
+ often. In the resources below you will find instructions on how to convert short-hand
+ notation to the current, right location in the configuration.
+ <h:br />
+ <h:br />
+ Kernel configuration can be handled through <h:b>make menuconfig</h:b> within
+ the Linux kernel source code repository (usually <h:code>/usr/src/linux</h:code>).
+ </description>
+ <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
+ <Group id="gt-kernelconfig-general">
+ <title>General kernel configuration settings</title>
+ <description>
+ Next to the grSecurity-related settings, general Linux kernel configuration entries have a positive
+ influence on the security of your system. These settings are described further in this section
+ </description>
+ <Group id="gt-kernelconfig-general-random">
+ <title>Enable random number generator</title>
+ <description>
+ If supported by your platform, enable the random number generator to provide
+ a high bandwidth, secure source of random numbers (which is important for cryptographic
+ functions). This can be accomplished using the <h:code>CONFIG_ARCH_RANDOM</h:code> setting.
+ <h:br />
+ <h:br />
+ Next, enable hardware-supported random generators (<h:code>CONFIG_HW_RANDOM</h:code>) and
+ select the random number generator for your platform. Examples are the Intel i8xx-based
+ random number generator (<h:code>CONFIG_HW_RANDOM_INTEL</h:code>) or the AMD 76x-based
+ ones (<h:code>CONFIG_HW_RANDOM_AMD</h:code>) but others exist as well.
+ </description>
+ <!-- @@GEN START rule-kernel-config-rand -->
+<Rule id="rule-kernel-config-rand" selected="false">
+ <title>kernel config CONFIG_ARCH_RANDOM must be y</title>
+ <description>Enable a secure random number generator</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:71" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-config-rand -->
+ <!-- @@GEN START rule-kernel-config-hwrand -->
+<Rule id="rule-kernel-config-hwrand" selected="false">
+ <title>kernel config CONFIG_HW_RANDOM must be y</title>
+ <description>Enable hardware-supported random number generator</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:73" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-config-hwrand -->
+ <!-- @@GEN START rule-kernel-config-hwrand-detail -->
+<Rule id="rule-kernel-config-hwrand-detail" selected="false">
+ <title>kernel config CONFIG_HW_RANDOM_* must be y</title>
+ <description>Enable specific hardware supported random number generators</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:75" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-config-hwrand-detail -->
+ </Group>
+ <!-- Do not enable, only works on systemd systems
+ <Group id="gt-kernelconfig-general-immutableuid">
+ <title>Make audit loginuid immutable</title>
+ <description>
+ </description>
+ </Group>
+ -->
+ <Group id="gt-kernelconfig-general-audit">
+ <title>Enable audit support</title>
+ <description>
+ If you need to enable auditing on the system (which definitely is a best practice to follow), you
+ will need to enable auditing in the kernel configuration (<h:code>CONFIG_AUDIT</h:code>) together
+ with support for auditing system calls (<h:code>CONFIG_AUDITSYSCALL</h:code>)
+ </description>
+ <!-- @@GEN START rule-kernel-config-audit -->
+<Rule id="rule-kernel-config-audit" selected="false">
+ <title>kernel config CONFIG_AUDIT must be y</title>
+ <description>Enable audit support</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:77" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-config-audit -->
+ <!-- @@GEN START rule-kernel-config-audit-syscall -->
+<Rule id="rule-kernel-config-audit-syscall" selected="false">
+ <title>kernel config CONFIG_AUDITSYSCALL must be y</title>
+ <description>Enable system call auditing support</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:79" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-config-audit-syscall -->
+ </Group>
+ <Group id="gt-kernelconfig-general-syncookie">
+ <title>Enable TCP SYN cookie protection support</title>
+ <description>
+ To support SYN cookies (a method to work around a denial-of-service attack using a flood
+ of SYN requests) the Linux kernel first needs to be configured to support the method. This
+ is handled through the <h:code>CONFIG_SYN_COOKIES</h:code> parameter.
+ <h:br />
+ <h:br />
+ Further configuration of this setting is then handled by the <h:b>sysctl</h:b> settings (which
+ we describe later in this guide).
+ </description>
+ <!-- @@GEN START rule-kernel-syncookies -->
+<Rule id="rule-kernel-syncookies" selected="false">
+ <title>kernel config CONFIG_SYN_COOKIES must be y</title>
+ <description>kernel config CONFIG_SYN_COOKIES must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:59" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-syncookies -->
+ </Group>
+ <Group id="gt-kernelconfig-general-stackprotect">
+ <title>Enable compiler-driven stack protection</title>
+ <description>
+ In Gentoo Hardened, the use of stack protection in the compiler is by default enabled, but for
+ the Linux kernel, this feature is only selectable through the <h:code>CONFIG_CC_STACKPROTECTOR</h:code>
+ selection.
+ <h:br />
+ <h:br />
+ Enabling this will provide some level of protection against stack based buffer overflows within
+ the Linux kernel memory (not the user processes). If detected, the kernel will die with a kernel panic.
+ <!--
+ This is not available if UDEREF is setµ
+ https://forums.grsecurity.net/viewtopic.php?t=2725
+ -->
+ </description>
+ <!-- @@GEN START rule-kernel-ccstackprotect -->
+<Rule id="rule-kernel-ccstackprotect" selected="false">
+ <title>kernel config CONFIG_CC_STACKPROTECTOR must be y</title>
+ <description>Enable kernel stack protection through compiler directive</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:61" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-ccstackprotect -->
+ </Group>
+ <Group id="gt-kernelconfig-general-rodata">
+ <title>Mark read-only data pages as write-protected</title>
+ <description>
+ When <h:code>CONFIG_DEBUG_RODATA</h:code> is set, the memory pages containing the Linux
+ kernel read-only data are marked as write-protected, so that any attempt to update the data is
+ trapped, prevented and reported.
+ </description>
+ <!-- @@GEN START rule-kernel-rodata -->
+<Rule id="rule-kernel-rodata" selected="false">
+ <title>kernel config CONFIG_DEBUG_RODATA must be y</title>
+ <description>Write-protect kernel read-only data structures</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:63" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-rodata -->
+ </Group>
+ <Group id="gt-kernelconfig-restrictmemaccess">
+ <title>Restrict memory access through /dev/mem</title>
+ <description>
+ Do not allow root processes full access to all of the systems' memory through <h:code>/dev/mem</h:code>
+ (which includes kernel memory and process memory). This should only be needed for kernel programmers or
+ kernel debugging.
+ <h:br />
+ <h:br />
+ By enabling <h:code>CONFIG_STRICT_DEVMEM</h:code> the (root) user can only access memory regions expected
+ for all legitimate common usage of <h:code>/dev/mem</h:code>.
+ </description>
+ <!-- @@GEN START rule-kernel-strictdevmem -->
+<Rule id="rule-kernel-strictdevmem" selected="false">
+ <title>kernel config CONFIG_STRICT_DEVMEM must be y</title>
+ <description>Filter access to /dev/mem</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:65" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-strictdevmem -->
+ </Group>
+ <Group id="gt-kernelconfig-prockcore">
+ <title>Disable /proc/kcore support</title>
+ <description>
+ When <h:code>CONFIG_PROC_KCORE</h:code> is selected, the system will have a <h:code>/proc/kcore</h:code>
+ pseudo-file which corresponds to the system memory. As we do not want users snooping around in our
+ memory, support for this must be disabled.
+ </description>
+ <!-- @@GEN START rule-kernel-prockcore -->
+<Rule id="rule-kernel-prockcore" selected="false">
+ <title>kernel config CONFIG_PROC_KCORE must not be set</title>
+ <description>Disable support for /proc/kcore</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:67" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-prockcore -->
+ </Group>
+ <Group id="gt-kernelconfig-nodmesg">
+ <title>Restrict access to the kernel syslog</title>
+ <description>
+ Users that hold no administrator function on the system should not need to access the
+ kernel system logs (through <h:b>dmesg</h:b>). You can enforce this through the
+ <h:code>CONFIG_SECURITY_DMESG_RESTRICT</h:code> option, but if you chose not to,
+ you can still enable it through the sysctl <h:code>kernel.dmesg_restrict</h:code>.
+ <h:br />
+ <h:br />
+ Also, grSecurity has a related kernel setting for this (<h:code>CONFIG_GRKERNSEC_DMESG</h:code>)
+ which accomplishes the same. As a matter of fact, the <h:code>CONFIG_SECURITY_DMESG_RESTRICT</h:code>
+ setting is somewhat based on the grSecurity patch and available in the main kernel tree.
+ </description>
+ <!-- @@GEN START rule-kernel-nodmesg -->
+<Rule id="rule-kernel-nodmesg" selected="false">
+ <title>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</title>
+ <description>Restrict unprivileged access to dmesg (kernel syslog)</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:69" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-nodmesg -->
+ </Group>
+ </Group>
+ <Group id="gt-kernelconfig-grsec">
+ <title>Use grSecurity</title>
+ <description>
+ grSecurity is a set of kernel patches that provides additional countermeasures
+ against popular exploit methods and common vulnerabilities. Although the patchset
+ is not part of the mainstream Linux kernel sources, Gentoo offers grSecurity through
+ the <h:code>hardened-sources</h:code> kernel package.
+ <h:br />
+ <h:br />
+ If you do not intend to use grSecurity, then you can ignore the rest of this section.
+ </description>
+ <reference href="https://grsecurity.net">grSecurity Homepage</reference>
+ <reference href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Gentoo grSecurity v2 Guide</reference>
+ <!-- @@GEN START rule-kernel-grsec -->
+<Rule id="rule-kernel-grsec" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC must be y</title>
+ <description>Enable grSecurity</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec -->
+ <Group id="gt-kernelconfig-grsec-pax">
+ <title>Use PaX</title>
+ <description>
+ With PaX, additional protection against memory corruption bugs and exploits
+ is enabled. We recommend to enable the following settings:
+ <h:ul>
+ <h:li>
+ <h:em>Use legacy ELF header marking</h:em> (<h:code>CONFIG_PAX_EI_PAX</h:code>) and
+ <h:em>Use ELF program header marking</h:em> (<h:code>CONFIG_PAX_PT_PAX_FLAGS</h:code>) so that
+ you can enable/disable PaX settings on a per-binary basis.
+ </h:li>
+ <h:li>
+ <h:em>Enforce non-executable pages</h:em> (<h:code>CONFIG_PAX_NOEXEC</h:code>) to disable allocation of
+ memory that is both executable (contains runnable code) and writeable. Write- and executable
+ pages are risky as it allows attackers to introduce code (through overflows or other methods)
+ in memory and then execute that code. However, the downside is that there are still applications
+ (or drivers) that depend on RWX memory.
+ </h:li>
+ <h:li>
+ <h:em>Segmentation based non-executable pages</h:em> (<h:code>CONFIG_PAX_SEGMEXEC</h:code>) or
+ <h:em>Paging based non-executable pages</h:em> (<h:code>CONFIG_PAX_PAGEEXEC</h:code>) will support the
+ non-executable pages through memory segmentation or paging rules.
+ </h:li>
+ <h:li>
+ <h:em>Emulate trampolines</h:em> (<h:code>CONFIG_PAX_EMUTRAMP</h:code>) if you are on x86_32 architecture (the option
+ is not available for x86_64). This will enable emulation of trampolines (small bits of code in
+ non-executable memory pages) for those applications that you enable this on (which can be triggered
+ through <h:b>chpax</h:b> or <h:b>paxctl</h:b>).
+ </h:li>
+ <h:li>
+ <h:em>Restrict mprotect()</h:em> (<h:code>CONFIG_PAX_MPROTECT</h:code>) will restrict the use of <h:em>mprotect()</h:em>
+ so that applications cannot switch the purpose of pages (executable vs non-executable and such) after
+ creating them.
+ </h:li>
+ <h:li>
+ <h:em>Address Space Layout Randomization</h:em> (<h:code>CONFIG_PAX_ASLR</h:code>) to introduce some randomization
+ in the memory allocation so that attackers will find it much more difficult to guess the address
+ of specific pages correctly.
+ </h:li>
+ <h:li>
+ <h:em>Randomize kernel stack base</h:em> (<h:code>CONFIG_PAX_RANDKSTACK</h:code>) to randomize every task's kernel
+ stack on each system call, making it more difficult to both guess locations as well as use leaked
+ information from previous calls.
+ </h:li>
+ <h:li>
+ <h:em>Randomize user stack base</h:em> (<h:code>CONFIG_PAX_RANDUSTACK</h:code>) to randomize every task's userland
+ stack, providing similar protection as mentioned earlier but for user applications.
+ </h:li>
+ <h:li>
+ <h:em>Randomize mmap() base</h:em> (<h:code>CONFIG_PAX_RANDMMAP</h:code>) to randomize the base address of
+ mmap() requests (unless the requests specify an address themselves). This will cause dynamically
+ loaded libraries to appear at random addresses.
+ </h:li>
+ </h:ul>
+ </description>
+ <!-- @@GEN START rule-kernel-grsec-pax -->
+<Rule id="rule-kernel-grsec-pax" selected="false">
+ <title>kernel config CONFIG_PAX must be y</title>
+ <description>Enable PaX protection</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:31" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax -->
+ <!-- @@GEN START rule-kernel-grsec-pax-noexec -->
+<Rule id="rule-kernel-grsec-pax-noexec" selected="false">
+ <title>kernel config CONFIG_PAX_NOEXEC must be y</title>
+ <description>kernel config CONFIG_PAX_NOEXEC must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-noexec -->
+ <!-- @@GEN START rule-kernel-grsec-pax-anyexec -->
+<Rule id="rule-kernel-grsec-pax-anyexec" selected="false">
+ <title>kernel config CONFIG_PAX_....EXEC must be y</title>
+ <description>kernel config CONFIG_PAX_....EXEC must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-anyexec -->
+ <!-- @@GEN START rule-kernel-grsec-pax-mprotect -->
+<Rule id="rule-kernel-grsec-pax-mprotect" selected="false">
+ <title>kernel config CONFIG_PAX_MPROTECT must be y</title>
+ <description>kernel config CONFIG_PAX_MPROTECT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-mprotect -->
+ <!-- @@GEN START rule-kernel-grsec-pax-aslr -->
+<Rule id="rule-kernel-grsec-pax-aslr" selected="false">
+ <title>kernel config CONFIG_PAX_ASLR must be y</title>
+ <description>kernel config CONFIG_PAX_ASLR must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-aslr -->
+ <!-- @@GEN START rule-kernel-grsec-pax-randkstack -->
+<Rule id="rule-kernel-grsec-pax-randkstack" selected="false">
+ <title>kernel config CONFIG_PAX_RANDKSTACK must be y</title>
+ <description>kernel config CONFIG_PAX_RANDKSTACK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-randkstack -->
+ <!-- @@GEN START rule-kernel-grsec-pax-randustack -->
+<Rule id="rule-kernel-grsec-pax-randustack" selected="false">
+ <title>kernel config CONFIG_PAX_RANDUSTACK must be y</title>
+ <description>kernel config CONFIG_PAX_RANDUSTACK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:37" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-randustack -->
+ <!-- @@GEN START rule-kernel-grsec-pax-randmmap -->
+<Rule id="rule-kernel-grsec-pax-randmmap" selected="false">
+ <title>kernel config CONFIG_PAX_RANDMMAP must be y</title>
+ <description>kernel config CONFIG_PAX_RANDMMAP must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:38" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-randmmap -->
+ </Group>
+ <Group id="gt-kernelconfig-grsec-filesystem">
+ <title>Enable file system protection measures</title>
+ <description>
+ In the grSecurity patches, a set of additional protections are included to thwart information
+ leakage as well as further limit chroot environments. We recommend to enable the following settings:
+ <h:ul>
+ <h:li>
+ <h:em>Proc restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_PROC</h:code>) so that the <h:code>/proc</h:code> file system
+ will be altered to enhance privacy (prevent information leakage).
+ </h:li>
+ <h:li>
+ <h:em>Restrict /proc to user only</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_USER</h:code>) so that non-root users cannot
+ see processes of other users.
+ </h:li>
+ <h:li>
+ <h:em>Allow special group</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_USERGROUP</h:code>) so that the members of a specific
+ group can see other users' processes and network-related information.
+ </h:li>
+ <h:li>
+ <h:em>Additional restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_ADD</h:code>) will prevent non-root users to
+ see device information and memory information which can be (ab)used for exploit purposes.
+ </h:li>
+ <h:li>
+ <h:em>Linking restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_LINK</h:code>) will prevent users to follow
+ symlinks that are owned by other users in world-writeable sticky directories such as <h:code>/tmp</h:code>
+ (unless that user is the owner of that directory). This prevents a certain kind of race conditions.
+ </h:li>
+ <h:li>
+ <h:em>FIFO restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_FIFO</h:code>) will prevent users to write into
+ FIFOs in world-writeable sticky directories (like <h:code>/tmp</h:code> if they do not own
+ these FIFOs themselves.
+ </h:li>
+ <h:li>
+ <h:em>Chroot jail restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_CHROOT</h:code> and all chroot-related options) to
+ make the chroot jails more strict and less easy to break out from.
+ </h:li>
+ </h:ul>
+ </description>
+ <!-- @@GEN START rule-kernel-grsec-proc -->
+<Rule id="rule-kernel-grsec-proc" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:39" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc -->
+ <!-- @@GEN START rule-kernel-grsec-proc-user -->
+<Rule id="rule-kernel-grsec-proc-user" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:40" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc-user -->
+ <!-- @@GEN START rule-kernel-grsec-proc-usergroup -->
+<Rule id="rule-kernel-grsec-proc-usergroup" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:41" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc-usergroup -->
+ <!-- @@GEN START rule-kernel-grsec-proc-add -->
+<Rule id="rule-kernel-grsec-proc-add" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:42" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc-add -->
+ <!-- @@GEN START rule-kernel-grsec-link -->
+<Rule id="rule-kernel-grsec-link" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_LINK must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_LINK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:43" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-link -->
+ <!-- @@GEN START rule-kernel-grsec-fifo -->
+<Rule id="rule-kernel-grsec-fifo" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_FIFO must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_FIFO must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:44" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-fifo -->
+ <!-- @@GEN START rule-kernel-grsec-chroot -->
+<Rule id="rule-kernel-grsec-chroot" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:45" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-mount -->
+<Rule id="rule-kernel-grsec-chroot-mount" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:46" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-mount -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-double -->
+<Rule id="rule-kernel-grsec-chroot-double" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:47" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-double -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-pivot -->
+<Rule id="rule-kernel-grsec-chroot-pivot" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:48" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-pivot -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-chdir -->
+<Rule id="rule-kernel-grsec-chroot-chdir" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:49" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-chdir -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-chmod -->
+<Rule id="rule-kernel-grsec-chroot-chmod" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:50" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-chmod -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-fchdir -->
+<Rule id="rule-kernel-grsec-chroot-fchdir" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:51" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-fchdir -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-mknod -->
+<Rule id="rule-kernel-grsec-chroot-mknod" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:52" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-mknod -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-shmat -->
+<Rule id="rule-kernel-grsec-chroot-shmat" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:53" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-shmat -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-unix -->
+<Rule id="rule-kernel-grsec-chroot-unix" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:54" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-unix -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-findtask -->
+<Rule id="rule-kernel-grsec-chroot-findtask" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:55" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-findtask -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-nice -->
+<Rule id="rule-kernel-grsec-chroot-nice" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:56" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-nice -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-sysctl -->
+<Rule id="rule-kernel-grsec-chroot-sysctl" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:57" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-sysctl -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-caps -->
+<Rule id="rule-kernel-grsec-chroot-caps" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:58" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-caps -->
+ </Group>
+ <Group id="gt-kernelconfig-grsec-tpe">
+ <title>Enable Trusted Path Execution</title>
+ <description>
+ When using <h:code>sys-kernel/hardened-sources</h:code>, enable
+ <h:code>CONFIG_GRKERNSEC_TPE</h:code>, which enabled <h:em>Trusted
+ Path Execution</h:em>, a safety measure that ensures that, for a set
+ of users, these users can only execute binaries and scripts from
+ root-owned directories.
+ </description>
+ <reference href="http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml">Gentoo Hardened grSecurity TPE Guide</reference>
+ <!-- @@GEN START rule-kernel-tpe -->
+<Rule id="rule-kernel-tpe" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_TPE must be y</title>
+ <description>Enable Trusted Path Execution</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-tpe -->
+ </Group>
+ </Group>
+
+ </Group>
+ <Group id="gt-sysctl">
+ <title>Kernel Tunables (Sysctl)</title>
+ <description>
+ The Linux kernel offers an interface, called <h:b>sysctl</h:b>,
+ allowing to fine-tune kernel parameters (and even changing its
+ behavior). Many parameters offered through sysctl allow an
+ administrator to further strengthen his systems' security.
+ <h:br />
+ <h:br />
+ To read and change sysctl parameters, you can use the
+ <h:b>sysctl</h:b> command or the <h:code>/etc/sysctl.conf</h:code>
+ file (which is used by the <h:code>sysctl</h:code> service (init
+ script), part of the default boot process.
+ <h:pre>### Using sysctl command to read and set variables ###
+# <h:b>sysctl net.ipv4.ip_forward</h:b>
+net.ipv4.ip_forward = 1
+# <h:b>sysctl -w net.ipv4.ip_forward=0</h:b></h:pre>
+ The sysctl values can also be read through the
+ <h:code>/proc/sys</h:code> file system.
+ </description>
+ <Group id="gt-sysctl-ipv4forward">
+ <title>Disable IPv4 Forwarding</title>
+ <description>
+ The <h:code>net.ipv4.ip_forward</h:code> sysctl setting controls if
+ IP forwarding is allowed or not on the system.
+ <h:br />
+ <h:br />
+ Unless the system is used as a router or gateway, IPv4 forwarding
+ should be disabled.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-forward -->
+<Rule id="rule-sysctl-ipv4-forward" selected="false">
+ <title>sysctl net.ipv4.ip_forward must be 0</title>
+ <description>Disable IPv4 forwarding</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/ip_forward</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-forward -->
+ </Group>
+ <Group id="gt-sysctl-sourceroute">
+ <title>Enable Source Route Verification</title>
+ <description>
+ To offer additional protection against IP spoofing, enable source
+ route verification on all interfaces. This is governed through the
+ <h:code>net.ipv4.conf.*.rp_filter=1</h:code> setting.
+ <h:br />
+ <h:br />
+ With source route verification, the Linux kernel validates that an IP
+ packet comes from the right interface. In other words, on a multi-homed
+ system, packets that claim to be from your internal network on your external
+ interface are dropped (and vice versa).
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-rp_filter -->
+<Rule id="rule-sysctl-ipv4-all-rp_filter" selected="false">
+ <title>sysctl net.ipv4.conf.all.rp_filter must be 1</title>
+ <description>Enable source route verification</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-rp_filter -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-rp_filter -->
+<Rule id="rule-sysctl-ipv4-default-rp_filter" selected="false">
+ <title>sysctl net.ipv4.conf.default.rp_filter must be 1</title>
+ <description>Enable source route verification</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-rp_filter -->
+ </Group>
+ <Group id="gt-sysctl-ipsrcroute">
+ <title>Disable IP Source Routing</title>
+ <description>
+ Disable IP source routing on all interfaces through the
+ <h:code>net.ipv4.conf.*.accept_source_route=0</h:code> setting.
+ <h:br />
+ <h:br />
+ IP source routing would allow a remote user (the sender) to specify
+ the route that the packet should take, rather than use the
+ (default) routing tables used by the routers between the sender and
+ the destination. This could be (ab)used to spoof IP addresses and still
+ get the replies (rather than sending the replies to the real owner
+ of the IP address).
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-asr -->
+<Rule id="rule-sysctl-ipv4-all-asr" selected="false">
+ <title>sysctl net.ipv4.conf.all.accept_source_route must be 0</title>
+ <description>Enable IP source routing</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-asr -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-asr -->
+<Rule id="rule-sysctl-ipv4-default-asr" selected="false">
+ <title>sysctl net.ipv4.conf.default.accept_source_route must be 0</title>
+ <description>Enable IP source routing</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-asr -->
+ </Group>
+ <Group id="gt-sysctl-redirect">
+ <title>Disable ICMP Redirects</title>
+ <description>
+ Set <h:code>net.ipv4.conf.*.accept_redirects=0</h:code> to disable
+ ICMP redirect support on the interfaces.
+ <h:br />
+ <h:br />
+ ICMP redirect messages are used by routers to inform hosts to use a
+ different gateway than the one used. These packets should only be
+ sent by the gateway of the system, but since you control that
+ gateway and know when this gateway is changed, there is no point in
+ allowing ICMP redirect messages on your system. After all, this would
+ allow for "remote" updating of your routing table, which could allow
+ an attacker to get all packets you want to send to the outside first
+ (rather than the packets immediately going to the real gateway).
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-aredirect -->
+<Rule id="rule-sysctl-ipv4-all-aredirect" selected="false">
+ <title>sysctl net.ipv4.conf.all.accept_redirects must be 0</title>
+ <description>Disable ICMP redirects</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-aredirect -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-aredirect -->
+<Rule id="rule-sysctl-ipv4-default-aredirect" selected="false">
+ <title>sysctl net.ipv4.conf.default.accept_redirects must be 0</title>
+ <description>Disable ICMP redirects</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-aredirect -->
+ </Group>
+ <Group id="gt-sysctl-echobroadcast">
+ <title>Ignore ICMP Echo Broadcasts</title>
+ <description>
+ When <h:code>net.ipv4.icmp_echo_ignore_broadcasts=1</h:code> is set,
+ then your system will not reply to broadcast 'ping' requests (a ping
+ is an ICMP Echo request). Similar to hiding a WIFI SSID, this makes
+ your system just a tiny bit more hidden from scanners.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-echobroadcast -->
+<Rule id="rule-sysctl-ipv4-echobroadcast" selected="false">
+ <title>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</title>
+ <description>Ignore ICMP broadcasts</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-echobroadcast -->
+ </Group>
+ <Group id="gt-sysctl-icmpboguserror">
+ <title>Ignore ICMP Bogus Error Responses</title>
+ <description>
+ When an invalid response is given to broadcast frames (which occurs
+ sometimes in erronous routers), the Linux kernel will by default log this
+ event. To ensure that these (harmless) reports do not clutter your logs,
+ you can disable this through <h:code>net.ipv4.icmp_ignore_bogus_error_responses</h:code>
+ by setting it to 1.
+ </description>
+ <!-- @@GEN START rule-sysctl-icmpboguserror -->
+<Rule id="rule-sysctl-icmpboguserror" selected="false">
+ <title>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</title>
+ <description>Ignore ICMP Bogus Error Responses</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-icmpboguserror -->
+ </Group>
+ <Group id="gt-sysctl-martians">
+ <title>Enable Logging of Martians</title>
+ <description>
+ When you receive a packet that seemingly originates from a location where
+ you have no route for, this packet is dropped silently. You can enable logging
+ of these packets (which are called <h:em>martians</h:em>) so that you at least
+ are aware of them.
+ <h:br />
+ <h:br />
+ Note that martians can only exist if you do not use a "default gateway", since
+ a default gateway always matches (if no other route does) for any IP address.
+ <h:br />
+ <h:br />
+ Logging of martians can be enabled through <h:code>net.ipv4.conf.*.log_martians=1</h:code>.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-logmartians -->
+<Rule id="rule-sysctl-ipv4-all-logmartians" selected="false">
+ <title>sysctl net.ipv4.conf.all.log_martians must be 1</title>
+ <description>Log all packages that originate from an unknown, unroutable network</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/all/log_martians</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-logmartians -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-logmartians -->
+<Rule id="rule-sysctl-ipv4-default-logmartians" selected="false">
+ <title>sysctl net.ipv4.conf.default.log_martians must be 1</title>
+ <description>Log all packages that originate from an unknown, unroutable network</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/default/log_martians</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-logmartians -->
+ </Group>
+ <Group id="gt-sysctl-tcpsyncookies">
+ <title>Enable TCP SYN Cookie Protection</title>
+ <description>
+ One denial of service attack against a service would be to flood the server with SYN requests
+ (the TCP packet that starts a handshake for a connection). Such a flood can easily lead to a
+ service disruption as connection state handling would consume a lot of resources in a small timeframe.
+ <h:br />
+ <h:br />
+ By enabling <h:code>net.ipv4.tcp_syncookies</h:code>, the Linux kernel will change its handshake
+ behavior when its SYN backlog queue overflows: it replies to SYN requests with the appropriate
+ SYN+ACK reply, but it does not store the connection in its backlog queue. Instead, it will only
+ do that when it gets the ACK reply on his SYN+ACK. Based on the information in this reply, the
+ Linux kernel can then reconstruct the necessary information to generate an entry in the backlog
+ queue.
+ <h:br />
+ <h:br />
+ It should be noted that enabling TCP cookies is a last-resort. It changes the TCP stack behavior
+ of the Linux kernel, violating TCP protocol and dropping support for certain TCP extensions whose
+ information is only available in a SYN packet.
+ <h:br />
+ <h:br />
+ To enable TCP SYN cookie protection, enable <h:code>CONFIG_SYN_COOKIES</h:code> in the kernel,
+ set <h:code>net.ipv4.tcp_syncookies=1</h:code> and set proper values for <h:code>net.ipv4.tcp_max_syn_backlog</h:code>,
+ <h:code>net.ipv4.tcp_synack_retries</h:code> and <h:code>net.ipv4.tcp_abort_on_overflow</h:code>.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
+<Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
+ <title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+ <description>Enable TCP SYN cookie protection</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/tcp_syncookies</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:24" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->
+ </Group>
+ </Group>
+</Benchmark>
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
@ 2015-09-04 19:50 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-09-04 19:50 UTC (permalink / raw
To: gentoo-commits
commit: 6c9db61696a9fd392340949543e32af8b82c537f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Sep 4 19:50:42 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 4 19:50:42 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-docs.git/commit/?id=6c9db616
Update on Gentoo hardening guide
xml/SCAP/Makefile | 16 +-
xml/SCAP/gentoo-oval.xml | 30 +
xml/SCAP/gentoo-xccdf.xml | 4158 ++++++++++++++++++++++++---------------------
3 files changed, 2239 insertions(+), 1965 deletions(-)
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index 208cd01..ad08a66 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,17 +1,12 @@
-location = "dev.gentoo.org:public_html/docs/security_benchmarks"
+gentoo: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh gentoo-ds.xml
-all: report-gentoo-xccdf.html guide-gentoo-xccdf.html remediate-gentoo-xccdf.sh guide-gentoo-xccdf.docbook gentoo-ds.xml
-
-really_all: all report-gentoo-oval.xml
+all_gentoo: gentoo report-gentoo-oval.xml
report-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
-pushd ~/tmp; oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default-oval --results results-gentoo-xccdf.xml --oval-results --check-engine-results --report report-gentoo-xccdf.html gentoo-xccdf.xml; popd
guide-gentoo-xccdf.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
- -pushd ~/tmp; oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --output guide-gentoo-xccdf.html gentoo-xccdf.xml; popd
-
-guide-gentoo-xccdf.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml prep
- -pushd ~/tmp; oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default-oval --format docbook --output guide-gentoo-xccdf.docbook gentoo-xccdf.xml; popd
+ -pushd ~/tmp; oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide-gentoo-xccdf.html gentoo-xccdf.xml; popd
remediate-gentoo-xccdf.sh: prep
-pushd ~/tmp; oscap xccdf generate fix --output remediate-gentoo-xccdf.sh results-gentoo-xccdf.xml chmod 0644 remediate-gentoo-xccdf.sh; popd
@@ -33,7 +28,4 @@ prep:
-sed -i "s|@@VERSION@@|`date +%Y%m%d`|g" ~/tmp/gentoo-xccdf.xml
-sed -i "s|@@DATE@@|`date +%Y-%m-%d`|g" ~/tmp/gentoo-xccdf.xml
-upload:
- -pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html report-gentoo-xccdf.html $(location)/; popd;
-
-.PHONY: all prep upload really_all
+.PHONY: gentoo prep all_gentoo
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 427e5c1..c4a9da5 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -612,6 +612,22 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:37" version="1" class="compliance">
+ <metadata>
+ <title>The / file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the / partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:41" comment="The / file system is mounted with nodev mount option" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -946,6 +962,15 @@
<unix-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
</unix-def:file_test>
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:41"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that / is mounted with nodev option">
+ <!-- / partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:29" />
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+ </lin-def:partition_test>
+
</tests>
<objects>
@@ -1117,6 +1142,11 @@
<unix-def:filename xsi:nil="true"/>
</unix-def:file_object>
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:29"
+ version="1" comment="The / partition">
+ <lin-def:mount_point>/</lin-def:mount_point>
+ </lin-def:partition_object>
+
</objects>
<states>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index aa85c1e..35ea6c0 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,2018 +1,2270 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-@@VERSION@@-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="@@DATE@@">draft</status>
- <title>Gentoo Security Benchmark</title>
- <description>
- This benchmarks helps people in improving their system configuration to be
- more resilient against attacks and vulnerabilities.
- </description>
- <platform idref="cpe:/o:gentoo:linux"/>
- <version>@@VERSION@@</version>
- <model system="urn:xccdf:scoring:default" />
- <model system="urn:xccdf:scoring:flat" />
- <model system="urn:xccdf:scoring:flat-unweighted" />
- <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive" extends="xccdf_org.gentoo.dev.swift_profile_default">
- <title>Intensive validation profile</title>
- <description>
- This profile extends the default server profile by including tests that
- are more intensive to run on a system. Tests such as full file system
- scans to find world-writable files or directories have an otherwise too
- large impact on the performance of a server. Tests include scripted
- validationn.
- </description>
- <!-- Make sure all world-writable directories have the sticky bit set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
- </Profile>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
- <title>Intensive validation profile (non-scripted)</title>
- <description>
- This profile extends the default server profile by including tests that
- are more intensive to run on a system. Tests such as full file system
- scans to find world-writable files or directories have an otherwise too
- large impact on the performance of a server. Tests do not include
- scripted validation.
- </description>
- <!-- Make sure all world-writable directories have the sticky bit set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
- </Profile>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
- <title>Default server setup settings (non-scripted)</title>
- <description>
- In this profile, we verify common settings for Gentoo Linux
- configurations. The tests that are enabled in this profile can be ran
- without visibly impacting the performance of the system. No scripted
- checks are executed.
- </description>
- <!-- The /tmp location is a separate file system -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
- <!-- The /var location is a separate file system -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="true" />
- <!-- The /var/log location is a separate file system -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="true" />
- <!-- The /var/log/audit location is a separate file system -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="true" />
- <!-- The /home location is a separate file system -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
- <!-- The /var/tmp location is a separate file system -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="true" />
- <!-- The /var partition is mounted with nodev -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="true" />
- <!-- The /var/log partition is mounted with nodev -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
- <!-- The /var/log/audit partition is mounted with nodev -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
- <!-- The /home partition is moounted with nodev -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
- <!-- The /tmp partition is mounted with nodev -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
- <!-- The /tmp partition is mounted with nosuid -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="true" />
- <!-- The /home partition is mounted with nosuid -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
- <!-- The /dev/shm partition is mounted with nosuid -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="true" />
- <!-- The /tmp partition is mounted with noexec -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="true" />
- <!-- The /dev/shm partition is mounted with noexec -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
- <!-- Kernel quota support must be enabled -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
- <!-- /var is mounted with usrquota or grpquota -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_var-quota" selected="true" />
- <!-- /home is mounted with usrquota or grpquota -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="true" />
- <!-- No telnetd process is running -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="true" />
- <!-- No ftpd process is running -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="true" />
- <!-- sulogin is used as shell for single user boot (definition /etc/rc.conf) -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="true" />
- <!-- sulogin is used as shell for single user boot (definition /etc/inittab) -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="true" />
- <!-- Verify that /etc/hosts.allow exists -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="true" />
- <!-- Verify that /etc/at/at.allow exists -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="true" />
- <!-- Make sure USE=pam is set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="true" />
- <!-- Make sure USE=tcpd is set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="true" />
- <!-- Make sure USE=ssl is set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="true" />
- <!-- Make sure FEATURES=webrsync-gpg is set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
- <!-- Make sure PORTAGE_GPG_DIR is set -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
- <!-- Make sure /etc/securetty only contains console and tty's -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
- <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
- <!-- Make sure /boot/grub/grub.conf (if it exists) has a password entry with md5 hash -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
- <!-- Make sure /etc/lilo.conf (if it exists) has a password entry -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="true" />
- </Profile>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
- <title>Default server setup settings</title>
- <description>
- In this profile, common settings for Gentoo Linux configurations are validated.
- The tests can be ran without visibly impacting the performance of the system, and
- also includes the scripted evaluation checks (SCE).
- </description>
- <!-- The hardened toolchain must be installated and used -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
- </Profile>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro">
- <title>Introduction</title>
- <description>
- <h:p>
- Since years, Gentoo Linux has a Gentoo Security Handbook
- which provides a good insight in secure system
- configuration for a Gentoo systems. Although this is important, an
- improved method for describing and tuning a systems' security state has
- emerged: SCAP, or the <h:em>Security Content Automation Protocol</h:em>.
- </h:p>
- <h:p>
- As such, this benchmark is an update on the security
- handbook, including both the in-depth explanation of settings as well as
- the means to validate if a system complies with this or not. Now, during
- the development of this benchmark document, not include all
- information from the Gentoo Security Handbook is included as some of the
- settings are specific to a service that is not all that default on a
- Gentoo Linux system or sufficiently separate that can benefit other
- distributions as well. Although these settings are important as well, it is
- best done in separate benchmarks for those services instead.
- </h:p>
- <h:p>
- Where applicable, this benchmark will refer to a different hardening guide
- for specific purposes (such as the Hardening OpenSSH benchmark).
- </h:p>
- </description>
- <reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo
- Security Handbook</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
- <title>This is no security policy</title>
- <description>
- <h:p>
- It is <h:em>very important</h:em> to realize that this document is not a
- policy. There is no obligation to follow this to make a secure system
- nor should everything in this document be agreed upon. This document is
- a set of common best practices with the explanation (why is it a best practice)
- and method (how to implement the best practice).
- </h:p>
- <h:p>
- The purpose of this document is to guide readers in their quest to hardening
- their systems. It will provide pointers that could help in deciding
- particular configuration settings and will do this hopefully using
- sufficient background information to allow readers to make a good choice.
- </h:p>
- <h:p>
- Readers might find settings they don't agree with. That's fine, but
- if there is disagreement about <h:em>why</h:em> it is documented, we would
- like to hear it so we can update the guide accordingly.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
- <title>A little more about SCAP and OVAL</title>
- <description>
- <h:p>
- Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
- are notably important in light of this guide.
- </h:p>
- <h:ul>
- <h:li>
- XCCDF (Extensible Configuration Checklist Description Format) is
- a specification language for writing security checklists and benchmarks
- </h:li>
- <h:li>
- OVAL (Open Vulnerability and Assessment Language) is a standard to describe
- and validate system settings
- </h:li>
- </h:ul>
- <h:p>
- Thanks to the OVAL and XCCDF standards, a security engineer can now describe
- how the state of a system should be configured, how this can be checked
- automatically and even report on these settings. Furthermore, within the
- description, the engineer can make "profiles" of different states (such as
- a profile for a workstation, server (generic), webserver, LDAP server,
- ...) and reusing the states (rules) identified in a more global scope.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
- <title>Using this guide</title>
- <description>
- <h:p>
- This guide is generated from SCAP content (more specifically, the XCCDF document)
- using <h:b>openscap</h:b>, a free software implementation for handling SCAP content.
- Within Gentoo, the package <h:code>app-forensics/openscap</h:code> provides the tools,
- and the following command is used to generate the HTML output:
- </h:p>
- <h:pre>
+<status date="@@DATE@@">draft</status>
+<title>Gentoo Security Benchmark</title>
+<description>
+This benchmarks helps people in improving their system configuration to be
+more resilient against attacks and vulnerabilities.
+</description>
+<platform idref="cpe:/o:gentoo:linux"/>
+<version>@@VERSION@@</version>
+<model system="urn:xccdf:scoring:default" />
+<model system="urn:xccdf:scoring:flat" />
+<model system="urn:xccdf:scoring:flat-unweighted" />
+
+<!--
+ Profiles
+-->
+
+<Profile id="xccdf_org.gentoo.dev.swift_profile_intensive" extends="xccdf_org.gentoo.dev.swift_profile_default">
+<title>Intensive validation profile</title>
+<description>
+This profile extends the default server profile by including tests that
+are more intensive to run on a system. Tests such as full file system
+scans to find world-writable files or directories have an otherwise too
+large impact on the performance of a server. Tests include scripted
+validationn.
+</description>
+<!-- Make sure all world-writable directories have the sticky bit set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
+</Profile>
+
+<Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
+<title>Intensive validation profile (non-scripted)</title>
+<description>
+This profile extends the default server profile by including tests that
+are more intensive to run on a system. Tests such as full file system
+scans to find world-writable files or directories have an otherwise too
+large impact on the performance of a server. Tests do not include
+scripted validation.
+</description>
+<!-- Make sure all world-writable directories have the sticky bit set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
+</Profile>
+
+<Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
+<title>Default server setup settings (non-scripted)</title>
+<description>
+In this profile, we verify common settings for Gentoo Linux
+configurations. The tests that are enabled in this profile can be ran
+without visibly impacting the performance of the system. No scripted
+checks are executed.
+</description>
+<!-- The /tmp location is a separate file system -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
+<!-- The /var location is a separate file system -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="true" />
+<!-- The /var/log location is a separate file system -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="true" />
+<!-- The /var/log/audit location is a separate file system -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="true" />
+<!-- The /home location is a separate file system -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
+<!-- The /var/tmp location is a separate file system -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="true" />
+<!-- The / partition is mounted with nodev -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-root-nodev" selected="true" />
+<!-- The /var partition is mounted with nodev -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="true" />
+<!-- The /var/log partition is mounted with nodev -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
+<!-- The /var/log/audit partition is mounted with nodev -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
+<!-- The /home partition is moounted with nodev -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
+<!-- The /tmp partition is mounted with nodev -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
+<!-- The /tmp partition is mounted with nosuid -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="true" />
+<!-- The /home partition is mounted with nosuid -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+<!-- The /dev/shm partition is mounted with nosuid -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="true" />
+<!-- The /tmp partition is mounted with noexec -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="true" />
+<!-- The /dev/shm partition is mounted with noexec -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
+<!-- Kernel quota support must be enabled -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
+<!-- /var is mounted with usrquota or grpquota -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_var-quota" selected="true" />
+<!-- /home is mounted with usrquota or grpquota -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="true" />
+<!-- No telnetd process is running -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="true" />
+<!-- No ftpd process is running -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="true" />
+<!-- sulogin is used as shell for single user boot (definition /etc/rc.conf) -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="true" />
+<!-- sulogin is used as shell for single user boot (definition /etc/inittab) -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="true" />
+<!-- Verify that /etc/hosts.allow exists -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="true" />
+<!-- Verify that /etc/at/at.allow exists -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="true" />
+<!-- Make sure USE=pam is set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="true" />
+<!-- Make sure USE=tcpd is set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="true" />
+<!-- Make sure USE=ssl is set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="true" />
+<!-- Make sure FEATURES=webrsync-gpg is set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
+<!-- Make sure PORTAGE_GPG_DIR is set -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
+<!-- Make sure /etc/securetty only contains console and tty's -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
+<!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
+<!-- Make sure /boot/grub/grub.conf (if it exists) has a password entry with md5 hash -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
+<!-- Make sure /etc/lilo.conf (if it exists) has a password entry -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="true" />
+</Profile>
+
+<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
+<title>Default server setup settings</title>
+<description>
+In this profile, common settings for Gentoo Linux configurations are validated.
+The tests can be ran without visibly impacting the performance of the system, and
+also includes the scripted evaluation checks (SCE).
+</description>
+<!-- The hardened toolchain must be installated and used -->
+<select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
+</Profile>
+
+<!--
+ Benchmark instructions
+-->
+
+<!-- INTRODUCTION -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro">
+<title>Introduction</title>
+<description>
+<h:p>
+In the past, Gentoo Linux has had a Gentoo Security Handbook
+which provides a good insight in securing a Gentoo system.
+In order to move this to a next level, we started developing a security
+benchmark using SCAP, or the <h:em>Security Content Automation Protocol</h:em>.
+</h:p>
+<h:p>
+Using the SCAP suite, we not only document the various security rules and hardening
+entries for a Gentoo Linux system, but we also allow the benchmark to be interpreted
+by SCAP compliant tools, which can validate an existing system configuration against
+the rules that are documented in the SCAP document.
+</h:p>
+<h:p>
+This particular benchmark is an update on the security handbook, including both the
+in-depth explanation of settings as well as the means to validate if a system complies
+with this or not. Now, during the development of this benchmark document, not all
+information from the Gentoo Security Handbook is included:
+</h:p>
+<h:ul>
+<h:li>
+Some of the settings are specific to a service that is not default (or extremely popular)
+on a Gentoo Linux system
+</h:li>
+<h:li>
+Some of the settings are particular to a service that is not specific to Gentoo. Such
+settings are best put inside a service-specific benchmark so it is replayable and usable
+by non-Gentoo systems as well.
+</h:li>
+</h:ul>
+<h:p>
+Although these settings are important as well, it is best done in
+separate benchmarks for those services instead. As a result, a number of benchmarks will be
+authored and maintained alongside this one.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
+<title>This is no security policy</title>
+<description>
+<h:p>
+It is <h:em>very important</h:em> to realize that this document is not a
+policy. There is no obligation to follow this to make a secure system
+nor should everything in this document be agreed upon. This document is
+a set of common best practices with the explanation (why is it a best practice)
+and method (how to implement the best practice).
+</h:p>
+<h:p>
+The purpose of this document is to guide readers in their quest to hardening
+their systems. It will provide pointers that could help in deciding
+particular configuration settings and will do this hopefully using
+sufficient background information to allow readers to make a good choice.
+</h:p>
+<h:p>
+Readers might find settings they don't agree with. That's fine and perfectly
+understandable. Security depends a lot on the environment, use case of the system,
+user base and more. If the same security settings would be applicable to all users,
+then those settings would be made default (or perhaps even hardcoded) a long time ago.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
+<title>A little more about SCAP and OVAL</title>
+<description>
+<h:p>
+Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
+are notably important in light of this guide.
+</h:p>
+<h:ul>
+<h:li>
+XCCDF (Extensible Configuration Checklist Description Format) is
+a specification language for writing security checklists and benchmarks
+</h:li>
+<h:li>
+OVAL (Open Vulnerability and Assessment Language) is a standard to describe
+and validate system settings
+</h:li>
+</h:ul>
+<h:p>
+Thanks to the OVAL and XCCDF standards, a security engineer can now describe
+how the state of a system should be configured, how this can be checked
+automatically and even report on these settings. Furthermore, within the
+description, the engineer can make "profiles" of different states (such as
+a profile for a workstation, server (generic), webserver, LDAP server,
+...) and reusing the states (rules) identified in a more global scope.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
+<title>Using this guide</title>
+<description>
+<h:p>
+This guide is generated from SCAP content (more specifically, the XCCDF document)
+using <h:b>openscap</h:b>, a free software implementation for handling SCAP content.
+Within Gentoo, the package <h:code>app-forensics/openscap</h:code> provides the tools,
+and the following command is used to generate the HTML output:
+</h:p>
+<h:pre>
# <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b></h:pre>
- <h:p>
- Secondly, together with this XCCDF XML, an OVAL XML file is made available.
- The two files combined allow OVAL interpreters to automatically validate
- various settings as documented in the benchmark.
- </h:p>
- <h:p>
- Finally, if certain tests are not available in OVAL yet, scripts are provided
- that can be executed through the SCE (Script Check Engine) support in openscap.
- As scripts are not guaranteed to have no impact on the system (or leave traces),
- <h:code>-oval</h:code> profiles are available that only enable the OVAL (and not SCE)
- checks.
- </h:p>
- <h:p>
- To validate the tests, the following commands can be used:
- </h:p>
- <h:pre>
+<h:p>
+Secondly, together with this XCCDF XML, an OVAL XML file is made available.
+The two files combined allow OVAL interpreters to automatically validate
+various settings as documented in the benchmark.
+</h:p>
+<h:p>
+Finally, if certain tests are not available in OVAL yet, scripts are provided
+that can be executed through the SCE (Script Check Engine) support in openscap.
+As scripts are not guaranteed to have no impact on the system (or leave traces),
+<h:code>-oval</h:code> profiles are available that only enable the OVAL (and not SCE)
+checks.
+</h:p>
+<h:p>
+To validate the tests, the following commands can be used:
+</h:p>
+<h:pre>
# <h:b>export PROFILE="xccdf_org.gentoo.dev.swift_profile_default"</h:b>
# <h:b>oscap xccdf eval --profile ${PROFILE} gentoo-xccdf.xml</h:b></h:pre>
- <h:p>
- To generate a full report in HTML as well, use the next command:
- </h:p>
- <h:pre>
+<h:p>
+To generate a full report in HTML as well, use the next command:
+</h:p>
+<h:pre>
# <h:b>oscap xccdf eval --profile ${PROFILE} --results xccdf-results.xml \
- --report report.html gentoo-xccdf.xml</h:b></h:pre>
- <h:p>
- Finally, this benchmark will suggest some settings that do not reflect the
- will of the reader. That is perfectly fine - even more, some settings might even
- raise eyebrows left and right. This document will explain the reasoning behind
- the settings but deviations are always possible. If that is the case,
- disable the rules in the XCCDF document or, better yet, create a new profile
- and only refer to the tests that are required.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
- <title>Available XCCDF Profiles</title>
- <description>
- <h:p>
- As mentioned earlier, the XCCDF document supports multiple profiles. For the time
- being, two profiles are defined:
- </h:p>
- <h:ul>
- <h:li>
- The <h:em>default</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains
- tests that are quick to validate
- </h:li>
- <h:li>
- The <h:em>default-oval</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default-oval)
- is like the default one, but does not call any other checker than OVAL
- (so no scripts).
- </h:li>
- <h:li>
- The <h:em>intensive</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive)
- contains all tests, including those that take a while (for instance because they
- perform full file system scans)
- </h:li>
- <h:li>
- The <h:em>intensive-oval</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive-oval)
- is like the intensive one, but does not call any other checker than OVAL
- (so no scripts).
- </h:li>
- </h:ul>
- <h:p>
- Substitute the profile information in the commands above with the required profile.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-weights">
- <title>About the rule weights</title>
- <description>
- <h:p>
- Within this guide, weights are assigned to tests to give some importance to
- the rule (higher weight is more important) as well as a severity.
- </h:p>
- <h:p>
- The severity is one of the following:
- </h:p>
- <h:ul>
- <h:li>
- <h:em>high</h:em> constitutes a grave or critical problem. A rule with this severity
- <h:em>MUST</h:em> be tackled as it detected a misconfiguration that is easily
- exploitable and could lead to full system compromise.
- </h:li>
- <h:li>
- <h:em>medium</h:em> reflects a fairly serious problem. A rule with this severity
- <h:em>SHOULD</h:em> be tackled as it detected a misconfiguration that is easily
- exploitable.
- </h:li>
- <h:li>
- <h:em>low</h:em> reflects a non-serious problem. A rule with this severity
- has detected a misconfiguration but its influence on the overall system security
- is minor (if other compliance rules are followed).
- </h:li>
- <h:li>
- <h:em>info</h:em> reflects an informational rule. Failure to comply with this rule
- does not mean failure to comply with the document itself.
- </h:li>
- </h:ul>
- <h:p>
- It is important to understand though that rules with a low severity can still lead to
- grave security problems if they are not met. Chaining of vulnerabilities or
- misconfiguration can still lead to full system compromise.
- </h:p>
- <h:p>
- For this reason, weights are added to rules as well. A higher weight has a more
- severe potential impact.
- </h:p>
- <h:p>
- Weights are the CVSS (or CCSS) score that is thought to be the case for a misconfiguration.
- They are calculated by NVD's CVSS calculator. Each rule is scored individually; a
- "chain" of misconfigurations might lead to a significantly higher issue, but this would
- make it very hard to make proper scoring.
- </h:p>
- <h:p>
- As an example, take the rule that says <h:code>/var</h:code> has to be on its own
- partition. The metrics we fill in in the calculator are currently based on the risk
- that the root file system is filled (no more free space), which can halt the system.
- </h:p>
- <h:ul>
- <h:li>
- The <h:em>related exploit range</h:em> (access vector) is "Local", because this is
- by itself not exploitable remotely - unless of course certain services are running
- that can fill up <h:code>/var</h:code>, but such assumptions are not taken.
- </h:li>
- <h:li>
- The <h:em>attack complexity</h:em> (access complexity) is "Low", as all that is
- needed is a local account and we can find the necessary ways to fill up
- <h:code>/var</h:code>.
- </h:li>
- <h:li>
- The <h:em>level of authentication needed</h:em> (authentication) is "Single"
- as the attacker needs one authentication step (local access) to exploit.
- </h:li>
- <h:li>
- The <h:em>confidentiality impact</h:em> is "None" (no data leakage)
- </h:li>
- <h:li>
- The <h:em>integrity impact</h:em> is "None" (no data manipulation)
- </h:li>
- <h:li>
- The <h:em>availability impact</h:em> is "Complete" (system crash or halt).
- </h:li>
- </h:ul>
- <h:p>
- This results in the CVSS base score of 4.6. The environmental score metrics and
- temporal score metrics are ignored as those are too specific for environments
- and organizations.
- </h:p>
- </description>
- <reference href="https://nvd.nist.gov/cvss.cfm?calculator&version=2">NVD CVSS calculator</reference>
- <reference href="http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf">The Common Configuration Scoring System (PDF)</reference>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
- <title>Before starting</title>
- <description>
- Before starting to deploy Gentoo Linux and start hardening it, it is wise
- to take a step back and think about what to accomplish. Setting
- up a more secured Gentoo Linux isn't a goal, but a means to reach
- something. Most likely the system will become a Gentoo Linux powered server.
- What is this server for? Where will it be hosted? What services are scheduled to run
- on this operating system? Etc.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
- <title>Infrastructure architecturing</title>
- <description>
- <h:p>
- When considering the entire IT architecture, many architecturing
- frameworks exist to write down and further design infrastructure.
- There are very elaborate ones, like TOGAF (The Open Group Architecture
- Framework), but smaller ones exist as well.
- </h:p>
- <h:p>
- A well written and maintained infrastructure architecture helps to
- position new services or consider the impact of changes on existing
- components.
- </h:p>
- <h:p>
- Security is about reducing risks, not about harassing people or making
- work for a system administrator harder. And reducing risks also means
- that a clear eye needs to be kept on the architecture and all its
- components. If there is no knowledge as to what is being integrated, where
- it is going to be installed or why, then hardening by itself will probably not
- do much to the secure state of the system.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
- <title>Mapping requirements</title>
- <description>
- <h:p>
- When designing a service, we need to take both functional and
- non-functional requirements into account. That does sound like
- overshooting for a simple server installation, but it is not. Is
- auditing considered? Where should the audit logs be sent to? What
- about authentication? Centrally managed, or manually set? And the server,
- will it only host a particular service, or will it provide several services?
- </h:p>
- <h:p>
- When hosting multiple services on the same server, make sure that the
- server is positioned within the network on an acceptable segment. It is
- not safe to host central LDAP infrastructure on the same system as
- a web server that is facing the Internet.
- </h:p>
- </description>
- <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
- <title>Non-software security concerns</title>
- <description>
- From the next chapter onwards, the focus will be on the software side
- hardening. There are of course also non-software concerns that need to be
- taken care of.
- </description>
- <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security Handbook (RFC2196)</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
- <title>Physical security</title>
- <description>
- <h:p>
- Make sure that the system is only accessible (physically) by trusted
- people. Fully hardening a system, only to have a malicious person
- take out the harddisk and run away with the confidential data is not
- something fun to experience.
- </h:p>
- <h:p>
- When physical security cannot be guaranteed (like with laptops), make
- sure that theft of the device only results in the loss of the hardware
- and not of the data and software on it (take backups!), and also that the
- data on it cannot be read by unauthorized people.
- </h:p>
- </description>
- <reference
- href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data Center Physical Security Checklist (SANS, PDF)</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
- <title>Policies and contractual agreements</title>
- <description>
- <h:p>
- Create or validate the security policies in the organization. This is
- not only as a stick (against internal people who might want to abuse
- their powers) but also to document and describe why certain decisions
- are made (both architecturally as otherwise).
- </h:p>
- <h:p>
- Make sure that the reasoning for the guidelines is clear. If the policies ever
- need to be adjusted towards new environments or concepts (like "bring your own
- device") having the reasons for the (old) guidelines documented will make it much
- easier to write new ones.
- </h:p>
- </description>
- <reference
- href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF)</reference>
- <reference
- href="https://www.sans.org/security-resources/policies/">Information Security Policy Templates (SANS)</reference>
- </Group>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation">
- <title>Installation configuration</title>
- <description>
- Gentoo Linux allows us to update various parts of the system after installation,
- but it might be interesting to consider the following aspects during (or before)
- installation to not risk a huge migration project later.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
- <title>Storage configuration</title>
- <description>
- Storage is of utmost importance in any environment. It needs to be
- sufficiently fast (performance), but also secure and
- manageable while remaining flexible to handle future changes.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning">
- <title>Partitioning</title>
- <description>
- Know which locations in the file system structure need to be on a
- different partition or logical volume. Separate locations allow for a
- more distinct segregation (for instance, no hard links between different
- file systems) and low-level protection (file system corruption impact,
- but also putting the right data on the right storage media).
- </description>
- <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
- Standard</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
- <title>Separate file systems for important locations</title>
- <description>
- <h:p>
- Having a separate file system for important locations has several advantages, but
- those advantages need to be weighted against the disadvantages of separate file
- systems.
- </h:p>
- <h:p>
- These disadvantages are:
- </h:p>
- <h:ul>
- <h:li>
- Separate file systems mean that better disk space control is needed
- (governing free space). A file system that is given too much free space
- means that disk space is being wasted, but a file system that is not given
- enough free disk space will need to be grown quickly - if possibile. This
- also means that creating a proper partitioning setup with many different
- partitions (file systems) will take some time and calculations; many users
- have no good idea how much space they need to make available for a file system.
- </h:li>
- <h:li>
- Some file system locations need to be available early in the boot process.
- If those locations reside on different file systems, special precautions need
- to be taken to make those file systems available when the system is booted
- (such as creating an initial ram file system).
- </h:li>
- </h:ul>
- <h:p>
- The advantages on the other hand:
- </h:p>
- <h:ul>
- <h:li>
- A sudden disk space growth will eventually be stopped by the limits of the
- file system. If a non-critical file system is full, the impact on the overall
- system is limited. Without separate file systems, a full file system might
- jeopardise the availability of the entire system.
- </h:li>
- <h:li>
- Specific mount options can be enabled on the file systems that improve the
- security of the file system (permissions) as well as performance. Such mount
- options include ownership details, allowing (or disallowing) setuid binaries,
- device files and more.
- </h:li>
- <h:li>
- Different file systems can be hosted on different devices (or even on network
- shares), allowing administrators to pick the most efficient storage device
- for a particular file system.
- </h:li>
- </h:ul>
- <h:p>
- Considering these pros and cons, it is recommended to have at least the following
- file system locations to be on a different file system:
- </h:p>
- <h:ul>
- <h:li>
- <h:code>/tmp</h:code> as this is a world-writable location and requires
- specific mount options. When possible, this location can be made a
- <h:em>tmpfs</h:em> file system. This is to protect the root file system
- from being flooded.
- </h:li>
- <h:li>
- <h:code>/var</h:code> as this contains variable data (and thus is prone
- to grow extensively depending on the installed services). This is to protect
- the root file system from being flooded.
- </h:li>
- <h:li>
- <h:code>/var/log</h:code> as this contains logging data (and thus is prone
- to grow extensively depending on the services). This is to protect the
- <h:code>/var</h:code> file system from being flooded, as this might impact
- various services (like databases, web servers, etc.).
- </h:li>
- <h:li>
- <h:code>/var/log/audit</h:code> as this contains (potentially sensitive)
- logging data. Some services refuse to continue if the audit target location
- is full. Having the location separate from <h:code>/var/log</h:code> protects
- the audit file system when <h:code>/var/log</h:code> would be flooded.
- </h:li>
- <h:li>
- <h:code>/home</h:code> as this is completely under the control of end users.
- It needs to be mounted with more secure settings (more about that later) and
- should be separate both to protect the root file system, but also to allow
- the <h:code>/home</h:code> location to be either shared or used elsewhere.
- </h:li>
- <h:li>
- <h:code>/var/tmp</h:code> which is a "second" <h:code>/tmp</h:code> location,
- but where the content is preserved after a reboot. Still, it is world-writable
- and requires specific mount options, and should be on a different file system
- to prevent <h:code>/var</h:code> to be flooded which might impact the
- availability of services.
- </h:li>
- </h:ul>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false" severity="medium" weight="4.6">
- <title>/tmp is a separate file system</title>
- <fixtext>
- Create a file system for <h:code>/tmp</h:code>; make sure it is added in
- the <h:code>/etc/fstab</h:code> file and reboot the system.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="false" severity="medium" weight="4.6">
- <title>/var is a separate file system</title>
- <fixtext>
- Create a file system for <h:code>/var</h:code>; make sure it is added in
- the <h:code>/etc/fstab</h:code> file and reboot the system.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="false" severity="low" weight="2.1">
- <title>/var/log is a separate file system</title>
- <fixtext>
- Create a file system for <h:code>/var/log</h:code>; make sure it is added in
- the <h:code>/etc/fstab</h:code> file and reboot the system.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="false" severity="low" weight="2.1">
- <title>/var/log/audit is a separate file system</title>
- <fixtext>
- Create a file system for <h:code>/var/log/audit</h:code>; make sure it is added in
- the <h:code>/etc/fstab</h:code> file and reboot the system.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false" severity="medium" weight="4.6">
- <title>/home is a separate file system</title>
- <fixtext>
- Create a file system for <h:code>/home</h:code>; make sure it is added in
- the <h:code>/etc/fstab</h:code> file and reboot the system.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="false" severity="low" weight="2.1">
- <title>/var/tmp is a separate file system</title>
- <fixtext>
- Create a file system for <h:code>/var/tmp</h:code>; make sure it is added in
- the <h:code>/etc/fstab</h:code> file and reboot the system.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-toolchain">
- <title>Use a Hardened Toolchain</title>
- <description>
- <h:p>
- When Gentoo is installed, use the hardened stages and hardened toolchain.
- The hardened toolchain includes additional security patches, such as
- support for non-executable program stacks and buffer overflow detection.
- </h:p>
- <h:ul>
- <h:li>
- <h:em>Position Independent Executables (PIE)</h:em> and <h:em>Position Independent
- Code (PIC)</h:em> implements a memory hardening approach where the application
- (or library), when loaded to memory, does not have hard requirements where in
- memory it is loaded. Together with ASLR this makes it more difficult for exploits
- to know at which memory region certain data will be available.
- </h:li>
- <h:li>
- <h:em>Stack Smashing Protection (SSP)</h:em> adds markers outside buffer areas
- to detect buffer overflow attacks, killing the application rather than effectively
- having the overflow succeed.
- </h:li>
- </h:ul>
- <h:p>
- During installation, make sure that the <h:em>default</h:em> hardened
- toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
- those are toolchains where specific settings are disabled. The
- <h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
- </h:p>
- <h:pre>
-# <h:b>gcc-config -l</h:b>
- [1] x86_64-pc-linux-gnu-4.4.5 *
- [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
- [3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref
- [4] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
- [5] x86_64-pc-linux-gnu-4.4.5-hardenednossp
- [6] x86_64-pc-linux-gnu-4.4.5-vanilla</h:pre>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="false" severity="low" weight="0.0">
- <title>The hardened toolchain is used</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened">
- Use a hardened Gentoo profile and select the default compiler (not vanilla
- nor any of the hardenedno* ones).
- </fixtext>
- <check system="http://open-scap.org/page/SCE">
- <check-import import-name="stdout" />
- <check-content-ref href="bin/gentoo-sce_installation-toolchain-hardened.sh" />
- </check>
- </Rule>
- </Group> <!-- installation-toolchain -->
- </Group> <!-- installation -->
- <Group id="xccdf_org.gentoo.dev.swift_group_system">
- <title>System settings</title>
- <description>
- Within this chapter, the (recommended) settings that can be adjusted relatively easily
- are presented, even when a Gentoo installation has already been performed. This is the
- bulk of the security settings.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fs">
- <title>File system related settings</title>
- <description>
- Servers and systems are about manipulating data. In this chapter, the security settings
- for file systems are explained.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
- <title>Using no* mount options for the file systems</title>
- <description>
- <h:p>
- Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
- This mount option ensures that device files are not allowed on these file systems
- (and if they are there, they are ignored by the Linux kernel for any device
- operation).
- </h:p>
- <h:p>
- Having device files on non-root file systems could allow unauthorized people access
- to sensitive data (for instance when having a readable raw disk device files) or
- even manipulate the system.
- </h:p>
- <h:p>
- The privilege to create special device files (beyond regular sockets) such as
- character and block device files is handled through the CAP_MKNOD capability
- which is not granted to regular users. As such, the risk is when more privileged
- users or processes are tricked to create such device files.
- </h:p>
- <h:p>
- This setting is appropriate for file systems such as (non-exhaustive list):
- </h:p>
- <h:ul>
- <h:li>
- <h:code>/var</h:code> (as it is recommended to be a separate file system)
- </h:li>
- <h:li>
- <h:code>/var/log</h:code> (as it is recommended to be a separate file system)
- </h:li>
- <h:li>
- <h:code>/var/log/audit</h:code> (as it is recommended to be a separate file system)
- </h:li>
- <h:li>
- <h:code>/home</h:code> (as it is recommended to be a separate file system)
- </h:li>
- <h:li>
- <h:code>/tmp</h:code> (as it is recommended to be a separate file system)
- </h:li>
- </h:ul>
- <h:p>
- Specific file systems should also be mounted with the <h:em>nosuid</h:em> mount
- option. This prevents setuid binaries to run as a different user when hosted
- on this file system. As there are several locations where setuid binaries might
- be needed, this only affects particular file systems:
- </h:p>
- <h:ul>
- <h:li>
- The <h:code>/tmp</h:code> file system should not be used for setuid binaries
- as this is a world-writable location and often target storage for attacks.
- </h:li>
- <h:li>
- The <h:code>/home</h:code> file system should not be used for setuid binaries
- as this is the home location for non-root users.
- </h:li>
- <h:li>
- The <h:code>/dev/shm</h:code> file system should not be used for any binaries
- (shared memory region).
- </h:li>
- </h:ul>
- <h:p>
- Specific file systems should also be mounted with the <h:em>noexec</h:em> mount
- option. This prevents some automated attacks to execute certain payload (exploits)
- from these locations.
- </h:p>
- <h:p>
- This is just one of the many "layers" though, as executing payload can still be
- done using different methods. For instance, scripts can be invoked through the
- shell itself (rather than directly) and in the past, binaries could even be
- executed through the <h:code>ld-linux.so</h:code> binary (although this has
- been fixed).
- </h:p>
- <h:p>
- File systems for which <h:em>noexec</h:em> is recommended are:
- </h:p>
- <h:ul>
- <h:li>
- The <h:code>/tmp</h:code> file system as it is a popular target to store exploit
- code in.
- </h:li>
- <h:li>
- The <h:code>/dev/shm</h:code> file system as it is meant as a shared memory
- location and is becoming a popular target to store exploit code in.
- </h:li>
- </h:ul>
- </description>
- <!-- CVSS2 AV:L/Au:M/C:C/I:C/A:C (high complexity as device node needs
- to be created first and is then only exploitable after local access.
- Multiple authentication (one to create device file, one to log on)
- -->
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="false" severity="low" weight="5.9">
- <title>/var is mounted with nodev</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev">Mount /var with nodev mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+--report report.html gentoo-xccdf.xml</h:b></h:pre>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
+<title>Available XCCDF Profiles</title>
+<description>
+<h:p>
+As mentioned earlier, this XCCDF document supports multiple profiles. For the time
+being, two profiles are defined:
+</h:p>
+<h:ul>
+<h:li>
+The <h:em>default</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains
+tests that are quick to validate
+</h:li>
+<h:li>
+The <h:em>default-oval</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default-oval)
+is like the default one, but does not call any other checker than OVAL
+(so no scripts).
+</h:li>
+<h:li>
+The <h:em>intensive</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive)
+contains all tests, including those that take a while (for instance because they
+perform full file system scans)
+</h:li>
+<h:li>
+The <h:em>intensive-oval</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive-oval)
+is like the intensive one, but does not call any other checker than OVAL
+(so no scripts).
+</h:li>
+</h:ul>
+<h:p>
+Substitute the profile information in the commands above with the required profile.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro-weights">
+<title>About the rule weights</title>
+<description>
+<h:p>
+Within this guide, weights are assigned to tests to give some importance to
+the rule (higher weight is more important) as well as a severity.
+</h:p>
+<h:p>
+The severity is one of the following:
+</h:p>
+<h:ul>
+<h:li>
+<h:em>high</h:em> constitutes a grave or critical problem. A rule with this severity
+<h:em>MUST</h:em> be tackled as it detected a misconfiguration that is easily
+exploitable and could lead to full system compromise.
+</h:li>
+<h:li>
+<h:em>medium</h:em> reflects a fairly serious problem. A rule with this severity
+<h:em>SHOULD</h:em> be tackled as it detected a misconfiguration that is easily
+exploitable.
+</h:li>
+<h:li>
+<h:em>low</h:em> reflects a non-serious problem. A rule with this severity
+has detected a misconfiguration but its influence on the overall system security
+is minor (if other compliance rules are followed).
+</h:li>
+<h:li>
+<h:em>info</h:em> reflects an informational rule. Failure to comply with this rule
+does not mean failure to comply with the document itself.
+</h:li>
+</h:ul>
+<h:p>
+It is important to understand though that rules with a low severity can still lead to
+grave security problems if they are not met. Chaining of vulnerabilities or
+misconfiguration can still lead to full system compromise.
+</h:p>
+<h:p>
+For this reason, weights are added to rules as well. A higher weight has a more
+severe potential impact.
+</h:p>
+<h:p>
+Weights are the CVSS (or CCSS) score that is thought to be the case for a misconfiguration.
+They are calculated by NVD's CVSS calculator. Each rule is scored individually; a
+"chain" of misconfigurations might lead to a significantly higher issue, but this would
+make it very hard to make proper scoring.
+</h:p>
+<h:p>
+As an example, take the rule that says <h:code>/var</h:code> has to be on its own
+partition. The metrics we fill in in the calculator are currently based on the risk
+that the root file system is filled (no more free space), which can halt the system.
+</h:p>
+<h:ul>
+<h:li>
+The <h:em>related exploit range</h:em> (access vector) is "Local", because this is
+by itself not exploitable remotely - unless of course certain services are running
+that can fill up <h:code>/var</h:code>, but such assumptions are not taken.
+</h:li>
+<h:li>
+The <h:em>attack complexity</h:em> (access complexity) is "Low", as all that is
+needed is a local account and we can find the necessary ways to fill up
+<h:code>/var</h:code>.
+</h:li>
+<h:li>
+The <h:em>level of authentication needed</h:em> (authentication) is "Single"
+as the attacker needs one authentication step (local access) to exploit.
+</h:li>
+<h:li>
+The <h:em>confidentiality impact</h:em> is "None" (no data leakage)
+</h:li>
+<h:li>
+The <h:em>integrity impact</h:em> is "None" (no data manipulation)
+</h:li>
+<h:li>
+The <h:em>availability impact</h:em> is "Complete" (system crash or halt).
+</h:li>
+</h:ul>
+<h:p>
+This results in the CVSS base score of 4.6. The environmental score metrics and
+temporal score metrics are ignored as those are too specific for environments
+and organizations.
+</h:p>
+</description>
+<reference href="https://nvd.nist.gov/cvss.cfm?calculator&version=2">NVD CVSS calculator</reference>
+<reference href="http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf">The Common Configuration Scoring System (PDF)</reference>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_intro-resources">
+<title>Additional resources</title>
+<description>
+From the next chapter onwards, the focus will be on the software side
+hardening. For more information about other related security areas, please take a look
+at the following resources.
+</description>
+<reference href="https://www.rfc-editor.org/info/rfc2196">Site Security Handbook (RFC2196)</reference>
+<reference href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data Center Physical Security Checklist (SANS, PDF)</reference>
+<reference href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF)</reference>
+<reference href="https://www.sans.org/security-resources/policies/">Information Security Policy Templates (SANS)</reference>
+</Group>
+</Group>
+
+<!-- INSTALLATION -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation">
+<title>Installation related settings</title>
+<description>
+<h:p>
+Gentoo Linux allows us to update various parts of the system after installation,
+but it might be interesting to consider some aspects during (or before)
+installation as it might require a huge migration afterwards.
+</h:p>
+<h:p>
+The Gentoo Linux installation is structured as follows:
+</h:p>
+<h:ol>
+<h:li>The disks, partitions or other storage is prepared to host the Gentoo Linux OS</h:li>
+<h:li>The base Gentoo installation (a minimal install called a "stage3") is extracted on the system</h:li>
+<h:li>Boot-critical configuration entries, such as file system information and Portage configuration are set up</h:li>
+<h:li>A Linux kernel is compiled and installed, together with a boot loader</h:li>
+<h:li>Basic accounts are created to allow a log on to the system after boot</h:li>
+</h:ol>
+<h:p>
+In the following sections, the best practices for a secure system are described related to these installation specific entries.
+</h:p>
+</description>
+<reference href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">Gentoo Linux Handbook</reference>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-hardware">
+<title>Hardware selection</title>
+<description>
+<h:p>
+TODO
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-hardware-tpm">
+<title>Trusted Platform Module</title>
+<description>
+<h:p>
+TODO
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
+<title>Storage and file systems</title>
+<description>
+<h:p>
+Storage devices, and the file systems on them, are one of the basic parts of any operating system.
+The file systems provide not only structured access to the data, but also metadata about the files
+and directories, including access control related information.
+</h:p>
+<h:p>
+When securing a system, we need to look at:
+</h:p>
+<h:ul>
+<h:li>Partition and file system structure</h:li>
+<h:li>File system tuning</h:li>
+</h:ul>
+<h:p>
+The file system structure (or partition layout as it is also often called) is a very important
+step in the design of any operating system deployment. Within Gentoo Linux' Handbook, an entire
+chapter is written just on this particular matter. The structure needs to support the purpose of
+the system.
+</h:p>
+<h:p>
+For instance, for a database server, the file system on which the database files are stored is
+usually separate from the operating system file system, and often even has its dedicated back
+end storage (different disks) in order to be sufficiently high performing. The location of the
+log files (and audit logs) is separate from operating system and database files so that an overflow
+in the logs does not harm the database itself or the operating system.
+</h:p>
+<h:p>
+And database servers are just one example. LDAP servers, mail servers, shell servers, workstations,
+... all have their own specific file system structure and best practices.
+</h:p>
+</description>
+<reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy Standard</reference>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-separatepartitions">
+<title>Separate file systems for important locations</title>
+<description>
+<h:p>
+Separate file systems for important locations is an important basic security measure, but it does have
+its consequences. Depending on the purpose of the system and the financial freedom while designing the
+server structure, some concessions might need to be made.
+</h:p>
+<h:p>
+The main disadvantages of a separate file system for a location are:
+</h:p>
+<h:ul>
+<h:li>
+Separate file systems mean that better disk space control is needed
+(governing free space). A file system that is given too much free space
+means that disk space is being wasted, but a file system that is not given
+enough free disk space will need to be grown quickly - if possibile. This
+also means that creating a proper partitioning setup with many different
+partitions (file systems) will take some time and calculations; many users
+have no good idea how much space they need to make available for a file system.
+</h:li>
+<h:li>
+Some file system locations need to be available early in the boot process.
+If those locations reside on different file systems, special precautions need
+to be taken to make those file systems available when the system is booted
+(such as creating an initial ram file system).
+</h:li>
+</h:ul>
+<h:p>
+The advantages on the other hand:
+</h:p>
+<h:ul>
+<h:li>
+A sudden disk space growth will eventually be stopped by the limits of the
+file system. If a non-critical file system is full, the impact on the overall
+system is limited. Without separate file systems, a full file system might
+jeopardise the availability of the entire system.
+</h:li>
+<h:li>
+Specific mount options can be enabled on the file systems that improve the
+security of the file system (permissions) as well as performance. Such mount
+options include ownership details, allowing (or disallowing) setuid binaries,
+device files and more.
+</h:li>
+<h:li>
+Different file systems can be hosted on different devices (or even on network
+shares), allowing administrators to pick the most efficient storage device
+for a particular file system.
+</h:li>
+</h:ul>
+<h:p>
+Considering these pros and cons, it is recommended to have at least the following
+file system locations be on a different file system:
+</h:p>
+<h:ul>
+<h:li>
+<h:code>/tmp</h:code> as this is a world-writable location and requires
+specific mount options. When possible, this location can be made a
+<h:em>tmpfs</h:em> file system. This is to protect the root file system
+from being flooded.
+</h:li>
+<h:li>
+<h:code>/var</h:code> as this contains variable data (and thus is prone
+to grow extensively depending on the installed services). This is to protect
+the root file system from being flooded.
+</h:li>
+<h:li>
+<h:code>/var/log</h:code> as this contains logging data (and thus is prone
+to grow extensively depending on the services). This is to protect the
+<h:code>/var</h:code> file system from being flooded, as this might impact
+various services (like databases, web servers, etc.).
+</h:li>
+<h:li>
+<h:code>/var/log/audit</h:code> as this contains (potentially sensitive)
+logging data. Some services refuse to continue if the audit target location
+is full. Having the location separate from <h:code>/var/log</h:code> protects
+the audit file system when <h:code>/var/log</h:code> would be flooded.
+</h:li>
+<h:li>
+<h:code>/home</h:code> as this is completely under the control of end users.
+It needs to be mounted with more secure settings (more about that later) and
+should be separate both to protect the root file system, but also to allow
+the <h:code>/home</h:code> location to be either shared or used elsewhere.
+</h:li>
+<h:li>
+<h:code>/var/tmp</h:code> which is a "second" <h:code>/tmp</h:code> location,
+but where the content is preserved after a reboot. Still, it is world-writable
+and requires specific mount options, and should be on a different file system
+to prevent <h:code>/var</h:code> to be flooded which might impact the
+availability of services.
+</h:li>
+</h:ul>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false" severity="medium" weight="4.6">
+<title>/tmp is a separate file system</title>
+<fixtext>
+Create a file system for <h:code>/tmp</h:code>; make sure it is added in
+the <h:code>/etc/fstab</h:code> file and reboot the system.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="false" severity="medium" weight="4.6">
+<title>/var is a separate file system</title>
+<fixtext>
+Create a file system for <h:code>/var</h:code>; make sure it is added in
+the <h:code>/etc/fstab</h:code> file and reboot the system.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="false" severity="low" weight="2.1">
+<title>/var/log is a separate file system</title>
+<fixtext>
+Create a file system for <h:code>/var/log</h:code>; make sure it is added in
+the <h:code>/etc/fstab</h:code> file and reboot the system.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="false" severity="low" weight="2.1">
+<title>/var/log/audit is a separate file system</title>
+<fixtext>
+Create a file system for <h:code>/var/log/audit</h:code>; make sure it is added in
+the <h:code>/etc/fstab</h:code> file and reboot the system.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false" severity="medium" weight="4.6">
+<title>/home is a separate file system</title>
+<fixtext>
+Create a file system for <h:code>/home</h:code>; make sure it is added in
+the <h:code>/etc/fstab</h:code> file and reboot the system.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="false" severity="low" weight="2.1">
+<title>/var/tmp is a separate file system</title>
+<fixtext>
+Create a file system for <h:code>/var/tmp</h:code>; make sure it is added in
+the <h:code>/etc/fstab</h:code> file and reboot the system.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="gentoo-oval.xml" />
+</check>
+</Rule>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-mountoptions">
+<title>File system mount options</title>
+<description>
+<h:p>
+There are a number of mount options which can improve system security significantly.
+</h:p>
+<!-- nodev -->
+<h:p>
+A first important setting is the <h:tt>nodev</h:tt> mount option.
+This mount option ensures that device files are not allowed on these file systems
+(and if they are there, they are ignored by the Linux kernel for any device
+operation). Having device files on the wrong file systems could allow unauthorized
+people access to sensitive data (for instance when having a readable raw disk device
+files) or even manipulate the system.
+</h:p>
+<h:p>
+The privilege to create special device files (beyond regular sockets) such as
+character and block device files is handled through the CAP_MKNOD capability
+which is not granted to regular users. As such, the risk is when more privileged
+users or processes are tricked into creating such device files, or by having different
+locations with device files accessible (such as removable media).
+</h:p>
+<h:p>
+Given that, on Gentoo Linux, device files are situated inside a <h:em>devtmpfs</h:em>
+file system, most mount points can be configured with the <h:tt>nodev</h:tt> mount
+option.
+</h:p>
+<h:ul>
+<h:li>
+<h:code>/</h:code> (as the root file system)
+</h:li>
+<h:li>
+<h:code>/var</h:code> (as it is recommended to be a separate file system)
+</h:li>
+<h:li>
+<h:code>/var/log</h:code> (as it is recommended to be a separate file system)
+</h:li>
+<h:li>
+<h:code>/var/log/audit</h:code> (as it is recommended to be a separate file system)
+</h:li>
+<h:li>
+<h:code>/home</h:code> (as it is recommended to be a separate file system)
+</h:li>
+<h:li>
+<h:code>/tmp</h:code> (as it is recommended to be a separate file system)
+</h:li>
+</h:ul>
+<!-- nosuid -->
+<h:p>
+A second important mount option is the <h:tt>nosuid</h:tt> one. This prevents setuid binaries
+to effectively run as a different user when hosted on this file system. In other words, it is as
+if there is no setuid bit set on these binaries. When SELinux is enabled, this will also prevent any
+domain transition for executables on this file system. When using capabilities, the <h:tt>nosuid</h:tt>
+option also influences the <h:tt>CAP_SETUID</h:tt> and <h:tt>CAP_SETGID</h:tt> capabilities.
+</h:p>
+<h:p>
+As there are several locations where setuid binaries (or related capabilities) might be needed
+(or where SELinux domain transitions are still wanted), this is only recommended for a specific
+set of file systems:
+</h:p>
+<h:ul>
+<h:li>
+The <h:code>/tmp</h:code> file system should not be used for setuid binaries
+as this is a world-writable location and often target storage for attacks.
+</h:li>
+<h:li>
+The <h:code>/home</h:code> file system should not be used for setuid binaries
+as this is the home location for non-root users.
+</h:li>
+<h:li>
+The <h:code>/dev/shm</h:code> file system should not be used for any binaries
+(shared memory region).
+</h:li>
+</h:ul>
+<!-- noexec -->
+<h:p>
+Specific file systems should also be mounted with the <h:tt>noexec</h:tt> mount
+option. This prevents some automated attacks to execute certain payload (exploits)
+from these locations.
+</h:p>
+<h:p>
+This is just one of the many "layers" though, as executing payload can still be
+done using different methods. For instance, scripts can be invoked through the
+shell itself (rather than directly) and in the past, binaries could even be
+executed through the <h:code>ld-linux.so</h:code> binary (although this has
+been fixed).
+</h:p>
+<h:p>
+File systems for which <h:tt>noexec</h:tt> is recommended are:
+</h:p>
+<h:ul>
+<h:li>
+The <h:code>/tmp</h:code> file system as it is a popular target to store exploit
+code in.
+</h:li>
+<h:li>
+The <h:code>/dev/shm</h:code> file system as it is meant as a shared memory
+location and is becoming a popular target to store exploit code in.
+</h:li>
+</h:ul>
+</description>
+<warning>
+This section uses mount options as the means to configure the mount points. However, mount options are not the
+only way of tuning these settings - many file systems support the same through commands such as <h:tt>tune2fs</h:tt>.
+</warning>
+
+<!-- CVSS2 AV:L/Au:M/C:C/I:C/A:C (high complexity as device node needs
+to be created first and is then only exploitable after local access.
+Multiple authentication (one to create device file, one to log on)
+-->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-root-nodev" selected="false" severity="low" weight="5.9">
+<title>/ is mounted with nodev</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-root-nodev">Mount / with nodev mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-root-nodev"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:37" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="false" severity="low" weight="5.9">
+<title>/var is mounted with nodev</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev">Mount /var with nodev mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nodev /var
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="false" severity="low" weight="5.9">
- <title>/var/log is mounted with nodev</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev">Mount /var/log with nodev mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="false" severity="low" weight="5.9">
+<title>/var/log is mounted with nodev</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev">Mount /var/log with nodev mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nodev /var/log
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="false" severity="low" weight="5.9">
- <title>/var/log/audit is mounted with nodev</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev">Mount /var/log/audit with nodev mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="false" severity="low" weight="5.9">
+<title>/var/log/audit is mounted with nodev</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev">Mount /var/log/audit with nodev mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nodev /var/log/audit
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false" severity="low" weight="5.9">
- <title>/home is mounted with nodev</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false" severity="low" weight="5.9">
+<title>/home is mounted with nodev</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nodev /home
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <!-- Higher severity due to more best practices and world writeable,
- also more likely that exploit of process is done towards /tmp -->
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="false" severity="medium" weight="5.9">
- <title>/tmp is mounted with nodev</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev">Mount /tmp with nodev mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<!-- Higher severity due to more best practices and world writeable, also more likely that exploit of process is done towards /tmp -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="false" severity="medium" weight="5.9">
+<title>/tmp is mounted with nodev</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev">Mount /tmp with nodev mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nodev /tmp
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="false" severity="medium" weight="5.9">
- <title>/tmp is mounted with nosuid</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid">Mount /tmp with nosuid mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="false" severity="medium" weight="5.9">
+<title>/tmp is mounted with nosuid</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid">Mount /tmp with nosuid mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nosuid /tmp
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false" severity="low" weight="5.9">
- <title>/home is mounted with nosuid</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false" severity="low" weight="5.9">
+<title>/home is mounted with nosuid</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nosuid /home
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="false" severity="medium" weight="5.9">
- <title>/dev/shm is mounted with nosuid</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid">Mount /dev/shm with nosuid mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="false" severity="medium" weight="5.9">
+<title>/dev/shm is mounted with nosuid</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid">Mount /dev/shm with nosuid mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,nosuid /dev/shm
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <!-- Weight is 0 as this is a means to exploit, not exploitable by
- itself -->
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="false" severity="medium" weight="0.0">
- <title>/tmp is mounted with noexec</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec">Mount /tmp with noexec mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<!-- Weight is 0 as this is a means to exploit, not exploitable by itself -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="false" severity="medium" weight="0.0">
+<title>/tmp is mounted with noexec</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec">Mount /tmp with noexec mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,noexec /tmp
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="false" severity="medium" weight="0.0">
- <title>/dev/shm is mounted with noexec</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with nosuid mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="false" severity="medium" weight="0.0">
+<title>/dev/shm is mounted with noexec</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with nosuid mount option</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,noexec /dev/shm
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group> <!-- system-fs-mountoptions -->
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-quotas">
- <title>Disk quota support</title>
- <description>
- <h:p>
- Most file systems support the notion of <h:em>quotas</h:em> - limits
- on the amount of data / files that are allowed on that particular file system.
- </h:p>
- <h:p>
- To enable quotas, first configure the Linux kernel to include
- <h:code>CONFIG_QUOTA</h:code>.
- </h:p>
- <h:p>
- Next, install the <h:code>sys-fs/quota</h:code> package.
- </h:p>
- <h:pre>
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-encrypted">
+<title>Use encrypted file systems</title>
+<description>
+<h:p>
+TODO: Use encrypted file systems if not hosted in fully trusted environment
+</h:p>
+<h:p>
+This includes encrypted swap!
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-base">
+<title>Gentoo base installation</title>
+<description>
+<h:p>
+The Gentoo base installation concerns itself with the extraction of a minimal Gentoo Linux environment.
+This minimal environment provides the base foundation for building the rest of the system, including
+a compiler, necessary set of libraries and system services.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-base-stage3">
+<title>Hardened stage3</title>
+<description>
+<h:p>
+Use one of Gentoo Hardened's stage3 archive files as the base of the Linux installation.
+</h:p>
+<h:p>
+The Gentoo Hardened stages are built with a hardened compiler and toolchain, which means
+that the various binaries included are already built with PIC and PIE, allowing for the
+various memory protections (such as Address Space Layout Randomization) to take effect.
+</h:p>
+<h:p>
+Administrations will have the option of selecting a hardened <h:em>nomultilib</h:em> stage
+as well. With multilib, the system is capable of running both 32-bit and 64-bit applications.
+With a <h:em>nomultilib</h:em> stage, only 64-bit applications can be used. It is generally recommended
+to use the <h:em>nomultilib</h:em> stages if this is possible functionally. That means, if there
+is no need to run 32-bit applications on a 64-bit installation.
+</h:p>
+<h:p>
+One of the concerns with using multilib systems is that a number of libraries are provided through
+the <h:tt>emul-linux</h:tt> package, which might contain vulnerable libraries. Sadly, there is not
+enough manpower available to update this package as quickly as the main libraries. Gentoo Linux
+is slowly converting towards the <h:em>gx86-multilib</h:em> approach where the 32-bit libraries
+are provided by the native ebuilds themselves.
+</h:p>
+</description>
+<reference href="https://wiki.gentoo.org/wiki/Multilib/gx86-multilib">Gentoo gx86-multilib information</reference>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-base-toolchain">
+<title>Hardened toolchain</title>
+<description>
+<h:p>
+When Gentoo is installed, use the hardened stages and hardened toolchain.
+The hardened toolchain includes additional security patches, such as
+support for non-executable program stacks and buffer overflow detection.
+</h:p>
+<h:ul>
+<h:li>
+When using <h:em>Position Independent Executables (PIE)</h:em> and <h:em>Position Independent
+Code (PIC)</h:em>, which is enabled when selecting the hardened toolchain, memory hardening techniques
+such as those implemented by grsecurity PaX allows for Address Space Layout Randomization (ASLR) so
+that memory locations for an application are randomized with every run. This makes exploitation of
+memory oriented vulnerabilities much harder.
+</h:li>
+<h:li>
+<h:em>Stack Smashing Protection (SSP)</h:em> adds markers outside buffer areas
+to detect buffer overflow attacks, killing the application rather than effectively
+having the overflow succeed.
+</h:li>
+</h:ul>
+<h:p>
+During installation, make sure that the <h:em>default</h:em> hardened
+toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
+those are toolchains where specific settings are disabled. The
+<h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
+</h:p>
+<h:pre>
+# <h:b>gcc-config -l</h:b>
+[1] x86_64-pc-linux-gnu-4.4.5 *
+[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
+[3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref
+[4] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
+[5] x86_64-pc-linux-gnu-4.4.5-hardenednossp
+[6] x86_64-pc-linux-gnu-4.4.5-vanilla</h:pre>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="false" severity="low" weight="0.0">
+<title>The hardened toolchain is used</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened">
+Use a hardened Gentoo profile and select the default compiler (not vanilla
+nor any of the hardenedno* ones).
+</fixtext>
+<check system="http://open-scap.org/page/SCE">
+<check-import import-name="stdout" />
+<check-content-ref href="bin/gentoo-sce_installation-toolchain-hardened.sh" />
+</check>
+</Rule>
+
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-boot">
+<title>Boot-critical services</title>
+<description>
+<h:p>
+Before finishing a Gentoo Linux installation, a number of boot-critical services are installed.
+This includes the boot loader itself as well as the Linux kernel.
+</h:p>
+<h:p>
+Building a Linux kernel with the right set of security-related settings is moved outside the scope of this
+benchmark. Please refer to the Kernel hardening benchmark for more information.
+</h:p>
+</description>
+<reference href="http://dev.gentoo.org/~swift/docs/security_benchmarks/guide-kernel-xccdf.html">Gentoo Linux Kernel hardening benchmark</reference>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-boot-bootloader">
+<title>Bootloader configuration</title>
+<description>
+<h:p>
+The bootloader (be it GRUB or another tool) is responsible for loading
+the Linux kernel and handing over system control to the kernel. But boot
+loaders also allow for a flexible approach on kernel loading, which can
+be (ab)used to work around security mechanisms.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-boot-bootloader-uefi">
+<title>UEFI settings</title>
+<description>
+<h:p>
+TODO: Use UEFI boot mode
+</h:p>
+<h:p>
+TODO: Password required to enter UEFI configuration
+</h:p>
+<h:p>
+TODO: UEFI level password to boot system
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-boot-bootloader-grub2pass">
+<title>Password protect GRUB 2</title>
+<description>
+<h:p>
+It is recommended to password-protect the GRUB configuration so that the
+boot options cannot be modified during a boot without providing the valid
+password.
+</h:p>
+<h:p>
+TODO looks like this has become a lot more difficult to obtain
+</h:p>
+</description>
+<reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-boot-bootloader-grub1pass">
+<title>Password protect GRUB (legacy)</title>
+<description>
+<h:p>
+It is recommended to password-protect the GRUB configuration so that
+the boot options cannot be modified during a boot without providing the
+valid password.
+</h:p>
+<h:p>
+This can be accomplished by inserting <h:code>password abc123</h:code>
+in <h:code>/boot/grub/grub.conf</h:code> (which will set the password
+to "abc123"). But as clear-text passwords in the configuration file are insecure as well,
+hash the passwords. Just start <h:b>grub</h:b>
+and, in the grub-shell, type <h:b>md5crypt</h:b>.
+</h:p>
+<h:pre>
+# <h:b>grub</h:b>
+
+GRUB version 0.92 (640K lower / 3072K upper memory)
+
+[ Minimal BASH-like line editing is supported. ... ]
+
+grub> <h:b>md5crypt</h:b>
+
+Password: <h:em>abc123</h:em>
+Encrypted: $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.
+
+grub> <h:b>quit</h:b></h:pre>
+<h:p>
+This hashed password can now be used in <h:code>grub.conf</h:code>
+using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
+</h:p>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
+<title>Grub legacy (if it exists) has a password entry with md5 hash</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
+Edit /boot/grub/grub.conf and set a password entry with md5 hash
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_installation-boot-bootloader-lilopass">
+<title>Password protect LILO</title>
+<description>
+<h:p>
+It is recommended to password-protect the LILO configuration so that
+modifying the boot options during a boot without providing the
+valid password is not possible.
+</h:p>
+<h:p>
+This can be accomplished by inserting <h:code>password=abc123</h:code>
+followed by <h:code>restricted</h:code> in the
+<h:code>/etc/lilo.conf</h:code> file. It is also possible to do this
+on a per-image level.
+</h:p>
+<h:pre>
+password=abc123
+restricted
+delay=3
+
+image=/boot/bzImage
+read-only
+password=def456
+restricted</h:pre>
+<h:p>
+The <h:code>restricted</h:code> keyword is needed to have LILO only
+ask for the password if a modification is given. If the defaults are
+used, then no password needs to be provided.
+</h:p>
+<h:p>
+Rerun <h:code>lilo</h:code> after updating the configuration file.
+</h:p>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="false" severity="low" weight="6.9">
+<title>LILO (if it exists) has a password entry</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_liloconf-password">
+Edit /etc/lilo.conf and set a password entry
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+</Group>
+
+</Group>
+
+</Group> <!-- End of installation related -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system">
+<title>Portage and system settings</title>
+<description>
+<h:p>
+After a succesful Gentoo Linux installation, there are still various settings which need to be
+adjusted in order to create a properly hardened system.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fs">
+<title>File system related settings</title>
+<description>
+Servers and systems are about manipulating data. In this chapter, the security settings
+for file systems are explained.
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fs-quotas">
+<title>Disk quota support</title>
+<description>
+<h:p>
+Most file systems support the notion of <h:em>quotas</h:em> - limits
+on the amount of data / files that are allowed on that particular file system.
+</h:p>
+<h:p>
+To enable quotas, first configure the Linux kernel to include
+<h:code>CONFIG_QUOTA</h:code>.
+</h:p>
+<h:p>
+Next, install the <h:code>sys-fs/quota</h:code> package.
+</h:p>
+<h:pre>
# <h:b>emerge quota</h:b></h:pre>
- <h:p>
- Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
- the partitions (in <h:code>/etc/fstab</h:code>) where quotas need to be
- enabled on. For instance, the following snippet from
- <h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
- and <h:code>/home</h:code>.
- </h:p>
- <h:pre>
+<h:p>
+Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
+the partitions (in <h:code>/etc/fstab</h:code>) where quotas need to be
+enabled on. For instance, the following snippet from
+<h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
+and <h:code>/home</h:code>.
+</h:p>
+<h:pre>
/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
/dev/mapper/volgrp-var /var ext4 noatime,<h:b>usrquota,grpquota</h:b> 0 0</h:pre>
- <h:p>
- Finally, add the <h:code>quota</h:code> service to the boot runlevel.
- </h:p>
- <h:pre>
+<h:p>
+Finally, add the <h:code>quota</h:code> service to the boot runlevel.
+</h:p>
+<h:pre>
# <h:b>rc-update add quota boot</h:b></h:pre>
- <h:p>
- Reboot the system so that the partitions are mounted with the correct
- mount options and that the quota service is running. Then the quotas for
- users and groups can be set up.
- </h:p>
- </description>
- <reference
- href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
- Disk Usage with Quotas (LinuxHomeNetworking)</reference>
- <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="false" severity="low" weight="1.7">
- <title>The kernel supports quota (CONFIG_QUOTA)</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_kernel-quota">Rebuild the Linux kernel with quota support (CONFIG_QUOTA)</fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_var-quota" selected="false" severity="low" weight="1.7">
- <title>The /var file system is mounted with usrquota or grpquota</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_var-quota">Mount /var with usrquota and/or grpquota</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-quota"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+<h:p>
+Reboot the system so that the partitions are mounted with the correct
+mount options and that the quota service is running. Then the quotas for
+users and groups can be set up.
+</h:p>
+</description>
+<reference
+href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
+Disk Usage with Quotas (LinuxHomeNetworking)</reference>
+<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="false" severity="low" weight="1.7">
+<title>The kernel supports quota (CONFIG_QUOTA)</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_kernel-quota">Rebuild the Linux kernel with quota support (CONFIG_QUOTA)</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_var-quota" selected="false" severity="low" weight="1.7">
+<title>The /var file system is mounted with usrquota or grpquota</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_var-quota">Mount /var with usrquota and/or grpquota</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-quota"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,usrquota,grpquota /var
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:25" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="false" severity="low" weight="1.7">
- <title>The /home file system is mounted with usrquota or grpquota</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_home-quota">Mount /home with usrquota and/or grpquota</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-quota"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:25" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_home-quota" selected="false" severity="low" weight="1.7">
+<title>The /home file system is mounted with usrquota or grpquota</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_home-quota">Mount /home with usrquota and/or grpquota</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-quota"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,usrquota,grpquota /home
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:26" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group> <!-- system-fs-quotas -->
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
- <title>Hiding process information through hidepid</title>
- <description>
- <h:p>
- In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
- mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
- all process information is world readable.
- </h:p>
- <h:p>
- When the value 1 is passed, the process information is not readable, but process directories are still shown
- in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
- </h:p>
- <h:p>
- In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
- option can be used to exempt this group from the PID hiding.
- </h:p>
- </description>
- <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
- the hidepid support</reference>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="false" severity="medium" weight="1.7">
- <title>The /proc file system is mounted with hidepid=1 or hidepid=2</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_proc-hidepid">Mount /proc with hidepid=1 or hidepid=2</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_proc-hidepid"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:26" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group> <!-- system-fs-quotas -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
+<title>Hiding process information through hidepid</title>
+<description>
+<h:p>
+In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
+mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
+all process information is world readable.
+</h:p>
+<h:p>
+When the value 1 is passed, the process information is not readable, but process directories are still shown
+in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
+</h:p>
+<h:p>
+In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
+option can be used to exempt this group from the PID hiding.
+</h:p>
+</description>
+<reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
+the hidepid support</reference>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="false" severity="medium" weight="1.7">
+<title>The /proc file system is mounted with hidepid=1 or hidepid=2</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_proc-hidepid">Mount /proc with hidepid=1 or hidepid=2</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_proc-hidepid"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
mount -o remount,hidepid=2 /proc
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- </Group> <!-- system-fs -->
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
- <title>System services</title>
- <description>
- <h:p>
- Services (daemons) are the primary reason for a server to exist.
- They represent the function of the server. For instance, a web server
- will run the apache2 or lighttpd service. A name server will run the
- named service.
- </h:p>
- <h:p>
- In this benchmark, the focus is on a limited set of system services. For
- the other services it is wise to consult other hardening guides specific
- for those services.
- </h:p>
- </description>
- <reference href="http://www.cisecurity.org">Center for Internet Security,
- host of many service benchmarks</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-disable">
- <title>Disable unsafe services</title>
- <description>
- <h:p>
- It is recommended to disable (or even uninstall) the following services unless
- absolutely necessary. These services use plain-text protocols and are as such unsafe
- to use on (untrusted) networks.
- </h:p>
- <h:ul>
- <h:li>Telnet service</h:li>
- <h:li>FTP Service</h:li>
- </h:ul>
- <h:p>
- It is recommended to substitute these services with their more secure
- counterparts (like sFTP, SSH, ...).
- </h:p>
- </description>
- <!-- Max score: password in clear text and your system is compromised (if it is root) -->
- <Rule id="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="false" severity="high" weight="10.0">
- <title>No telnet daemons are running</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning">Stop telnet services</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+</Group> <!-- system-fs -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
+<title>System services</title>
+<description>
+<h:p>
+Services (daemons) are the primary reason for a server to exist.
+They represent the function of the server. For instance, a web server
+will run the apache2 or lighttpd service. A name server will run the
+named service.
+</h:p>
+<h:p>
+In this benchmark, the focus is on a limited set of system services. For
+the other services it is wise to consult other hardening guides specific
+for those services.
+</h:p>
+</description>
+<reference href="http://www.cisecurity.org">Center for Internet Security,
+host of many service benchmarks</reference>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-disable">
+<title>Disable unsafe services</title>
+<description>
+<h:p>
+It is recommended to disable (or even uninstall) the following services unless
+absolutely necessary. These services use plain-text protocols and are as such unsafe
+to use on (untrusted) networks.
+</h:p>
+<h:ul>
+<h:li>Telnet service</h:li>
+<h:li>FTP Service</h:li>
+</h:ul>
+<h:p>
+It is recommended to substitute these services with their more secure
+counterparts (like sFTP, SSH, ...).
+</h:p>
+</description>
+<!-- Max score: password in clear text and your system is compromised (if it is root) -->
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="false" severity="high" weight="10.0">
+<title>No telnet daemons are running</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning">Stop telnet services</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
for service in /etc/init.d/*telnet*;
do
- test -f ${service} && run_init rc-service ${service##*/} stop;
+test -f ${service} && run_init rc-service ${service##*/} stop;
done
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <!-- Partial breach, assuming accounts are not system accounts -->
- <Rule id="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="false" severity="medium" weight="7.5">
- <title>No FTP daemons are running</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning">Stop FTPd services</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<!-- Partial breach, assuming accounts are not system accounts -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="false" severity="medium" weight="7.5">
+<title>No FTP daemons are running</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning">Stop FTPd services</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
for service in /etc/init.d/*ftp*;
do
- test -f ${service} && run_init rc-service ${service##*/} stop;
+test -f ${service} && run_init rc-service ${service##*/} stop;
done
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-sulogin">
- <title>Require single-user boot to give root password</title>
- <description>
- <h:p>
- When a system is booted in single user mode, some users might find it
- handy to immediately get a root prompt; many even have a specific
- bootloader entry to boot in single user mode.
- </h:p>
- <h:p>
- It is important that, for a more secure server environment, even
- booting in single user mode requires the user to enter the root
- password. This is already done by default in Gentoo through the
- <h:code>rc_shell</h:code> variable in <h:code>/etc/rc.conf</h:code>.
- </h:p>
- <h:p>
- Administrators should also make sure that no direct shells are provided
- in <h:code>/etc/inittab</h:code> for single-user mode. Gentoo's
- <h:code>/etc/inittab</h:code> definition should look like so:
- </h:p>
- <h:pre>
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-sulogin">
+<title>Require single-user boot to give root password</title>
+<description>
+<h:p>
+When a system is booted in single user mode, some users might find it
+handy to immediately get a root prompt; many even have a specific
+bootloader entry to boot in single user mode.
+</h:p>
+<h:p>
+It is important that, for a more secure server environment, even
+booting in single user mode requires the user to enter the root
+password. This is already done by default in Gentoo through the
+<h:code>rc_shell</h:code> variable in <h:code>/etc/rc.conf</h:code>.
+</h:p>
+<h:p>
+Administrators should also make sure that no direct shells are provided
+in <h:code>/etc/inittab</h:code> for single-user mode. Gentoo's
+<h:code>/etc/inittab</h:code> definition should look like so:
+</h:p>
+<h:pre>
su0:S:wait:/sbin/rc single
<h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre>
- </description>
- <!-- CVSS2: AV:L/AC:H/Au:S/C:C/I:C/A:C (high attack complexity due to console access) -->
- <Rule id="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="false" severity="medium" weight="6.0">
- <title>sulogin is used for single-user boot (/etc/rc.conf)</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin">Set /sbin/sulogin for rc_shell</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+</description>
+
+<!-- CVSS2: AV:L/AC:H/Au:S/C:C/I:C/A:C (high attack complexity due to console access) -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="false" severity="medium" weight="6.0">
+<title>sulogin is used for single-user boot (/etc/rc.conf)</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin">Set /sbin/sulogin for rc_shell</fixtext>
+<fix id="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin"
+system="urn:xccdf:fix:system:commands"
+platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
- </fix>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:21" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
- <title>sulogin is used for single-user boot (/etc/inittab)</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">
- Set /sbin/sulogin or '/sbin/rc single' for single-user boot in /etc/inittab
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-tcpwrappers">
- <title>Properly Configure TCP Wrappers</title>
- <description>
- <h:p>
- With TCP wrappers, services that support TCP wrappers (or those
- started through <h:b>xinetd</h:b>) should be configured to only accept
- communication with trusted hosts. With the use of
- <h:code>/etc/hosts.allow</h:code> and <h:code>/etc/hosts.deny</h:code>,
- proper access control lists can be created.
- </h:p>
- <h:p>
- More information on the format of these files can be obtained through
- <h:b>man 5 hosts_access</h:b>.
- </h:p>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="false" severity="info" weight="0.0">
- <title>/etc/hosts.allow exists</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_hostsallow-exists">
- Create and properly configure /etc/hosts.allow
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:23" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
- <title>SSH service</title>
- <description>
- <h:p>
- The SSH service is used for secure remote access towards a system, but
- also to provide secure file transfers. It is very commonly found on Unix/Linux
- systems so proper hardening is definitely in place.
- </h:p>
- <h:p>
- Please use the "Hardening OpenSSH" guide for the necessary instructions.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
- <title>Cron service</title>
- <description>
- A cron service is used to schedule tasks and processes on predefined
- times. Cron is most often used for regular maintenance tasks.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
- <title>Only allow trusted accounts cron access</title>
- <description>
- <h:p>
- Only allow trusted accounts to use cron. How to achieve this depends on the cron service
- installed.
- </h:p>
- <h:p>
- If vixie-cron or cronie is installed, then have (only) those users that need cron access
- take part in the <h:em>cron</h:em> unix group.
- </h:p>
- <h:p>
- If dcron is used, then make sure <h:code>/usr/sbin/crontab</h:code> is only executable by
- root and the cron unix group, and make sure (only) those users that need cron access take part
- in the <h:em>cron</h:em> unix group.
- </h:p>
- </description>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at">
- <title>At service</title>
- <description>
- The at service allows users to execute a task once on a given time.
- Unlike cron, this is not scheduled repeatedly - once executed, the
- task is considered completed and at will not invoke it again.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
- <title>Only allow trusted accounts at access</title>
- <description>
- <h:p>
- Only allow trusted accounts to use at. Unlike cron access, at access is governed through
- the <h:code>/etc/at/at.allow</h:code> file. If the <h:code>at.allow</h:code> file does not
- exist but <h:code>/etc/at/at.deny</h:code> does, then all names <h:em>not</h:em> mentioned in
- the file are allowed to run at. The most secure method is to use the <h:code>at.allow</h:code>
- method.
- </h:p>
- <h:p>
- The format of these files is one username per line.
- </h:p>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="false" severity="low" weight="0.0">
- <title>/etc/at/at.allow exists</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_atsallow-exists">
- Create and properly configure /etc/at/at.allow
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:24" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
- <title>NTP service</title>
- <description>
- <h:p>
- With NTP, systems can synchronise their clocks, ensuring correct date
- and time information. This is important as huge clock drift could
- cause misinterpretation of log files or even unwanted execution of
- commands.
- </h:p>
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
- <title>Synchronise the system clock</title>
- <description>
- <h:p>
- Synchronise the systems' clock with an authorative NTP server, and
- use the same NTP service for all other systems.
- </h:p>
- <h:p>
- This can be accomplished by regularly executing <h:b>ntpdate</h:b>,
- but can also be handled using a service like <h:code>net-misc/ntp</h:code>'s
- <h:b>ntpd</h:b>.
- </h:p>
- </description>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog">
- <title>Syslog service</title>
- <description>
- <h:p>
- The system logger handles all non-audit related logging generated by applications
- and daemons. In order to ensure proper forensic analysis if it would ever be needed,
- the system logger should be properly configured.
- </h:p>
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-logintervals">
- <title>Configure the system logger to log intervals</title>
- <description>
- <h:p>
- Have the system logger log every 10 minutes or so. Without interval logging,
- administrators might think nothing is wrong although in reality the system
- logger is malfunctioning and not writing any log events.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-remotelogging">
- <title>Enable remote logging</title>
- <description>
- <h:p>
- If possible, have vital (or all) logs sent to a remote system logger as well.
- In home deployments, off-the-shelf (wifi) routers often have a logging daemon
- that can receive syslog events. For larger environments, a dedicated centralized
- log server is recommended.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-terminal">
- <title>Decide which events to send to user terminals</title>
- <description>
- <h:p>
- On Linux and Unix systems, events can be sent to user terminals to
- make those users immediately aware of what is happening. It is
- recommended to send emergency-level events to everyone and have
- alerts sent to specific administrative user terminals.
- </h:p>
- </description>
- </Group>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-portage">
- <title>Portage settings</title>
- <description>
- <h:p>
- The package manager of any system is a very important tool. It is
- responsible for handling proper software deployments, but also offers
- features that should not be neglected, like security patch roll-out.
- </h:p>
- <h:p>
- For Gentoo, the package manager offers a great deal of flexibility (as
- that is the goal of Gentoo anyhow). As such, good settings for a more
- secure environment within Portage (assuming that Portage is used as
- package manager) are important.
- </h:p>
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-portage-use">
- <title>USE flags</title>
- <description>
- <h:p>
- USE flags in Gentoo are used to tune the functionality of many
- components and enable or disable features.
- </h:p>
- <h:p>
- For a well secured environment, there are a couple of USE flags that
- should be set in a global manner. These USE flags are
- </h:p>
- <h:ul>
- <h:li>
- <h:code>pam</h:code> to enable Pluggable Authentication
- Modules support
- </h:li>
- <h:li>
- <h:code>tcpd</h:code> for TCP wrappers support
- </h:li>
- <h:li>
- <h:code>ssl</h:code> for SSL/TLS support
- </h:li>
- </h:ul>
- <h:p>
- <h:b>Pluggable Authentication Modules</h:b> are a powerful mechanism
- to manage authentication, authorization and user sessions.
- Applications that support PAM can be tuned to the liking of the
- organization, leveraging central authentication, password policies,
- auditing and more.
- </h:p>
- <h:p>
- With <h:b>TCP wrappers</h:b>, services can be shielded from
- unauthorized access on host level. It is an access control level
- mechanism which allows configuring allowed (and denied) hosts or
- network segments on application level.
- </h:p>
- <h:p>
- Finally, leveraging <h:b>Secure Sockets Layer</h:b> (or the
- standardized <h:b>Transport Layer Security</h:b>) allows applications
- to encrypt network communication or even implement a
- client-certificate based authentication mechanism.
- </h:p>
- <h:p>
- Set the USE flags globally in <h:code>/etc/portage/make.conf</h:code>
- so they are applicable to all installed software.
- </h:p>
- <h:pre>
+</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:21" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
+<title>sulogin is used for single-user boot (/etc/inittab)</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">
+Set /sbin/sulogin or '/sbin/rc single' for single-user boot in /etc/inittab
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-tcpwrappers">
+<title>Properly Configure TCP Wrappers</title>
+<description>
+<h:p>
+With TCP wrappers, services that support TCP wrappers (or those
+started through <h:b>xinetd</h:b>) should be configured to only accept
+communication with trusted hosts. With the use of
+<h:code>/etc/hosts.allow</h:code> and <h:code>/etc/hosts.deny</h:code>,
+proper access control lists can be created.
+</h:p>
+<h:p>
+More information on the format of these files can be obtained through
+<h:b>man 5 hosts_access</h:b>.
+</h:p>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="false" severity="info" weight="0.0">
+<title>/etc/hosts.allow exists</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_hostsallow-exists">
+Create and properly configure /etc/hosts.allow
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:23" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
+<title>SSH service</title>
+<description>
+<h:p>
+The SSH service is used for secure remote access towards a system, but
+also to provide secure file transfers. It is very commonly found on Unix/Linux
+systems so proper hardening is definitely in place.
+</h:p>
+<h:p>
+Please use the "Hardening OpenSSH" guide for the necessary instructions.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
+<title>Cron service</title>
+<description>
+A cron service is used to schedule tasks and processes on predefined
+times. Cron is most often used for regular maintenance tasks.
+</description>
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
+<title>Only allow trusted accounts cron access</title>
+<description>
+<h:p>
+Only allow trusted accounts to use cron. How to achieve this depends on the cron service
+installed.
+</h:p>
+<h:p>
+If vixie-cron or cronie is installed, then have (only) those users that need cron access
+take part in the <h:em>cron</h:em> unix group.
+</h:p>
+<h:p>
+If dcron is used, then make sure <h:code>/usr/sbin/crontab</h:code> is only executable by
+root and the cron unix group, and make sure (only) those users that need cron access take part
+in the <h:em>cron</h:em> unix group.
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-at">
+<title>At service</title>
+<description>
+The at service allows users to execute a task once on a given time.
+Unlike cron, this is not scheduled repeatedly - once executed, the
+task is considered completed and at will not invoke it again.
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
+<title>Only allow trusted accounts at access</title>
+<description>
+<h:p>
+Only allow trusted accounts to use at. Unlike cron access, at access is governed through
+the <h:code>/etc/at/at.allow</h:code> file. If the <h:code>at.allow</h:code> file does not
+exist but <h:code>/etc/at/at.deny</h:code> does, then all names <h:em>not</h:em> mentioned in
+the file are allowed to run at. The most secure method is to use the <h:code>at.allow</h:code>
+method.
+</h:p>
+<h:p>
+The format of these files is one username per line.
+</h:p>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="false" severity="low" weight="0.0">
+<title>/etc/at/at.allow exists</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_atsallow-exists">
+Create and properly configure /etc/at/at.allow
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:24" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
+<title>NTP service</title>
+<description>
+<h:p>
+With NTP, systems can synchronise their clocks, ensuring correct date
+and time information. This is important as huge clock drift could
+cause misinterpretation of log files or even unwanted execution of
+commands.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
+<title>Synchronise the system clock</title>
+<description>
+<h:p>
+Synchronise the systems' clock with an authorative NTP server, and
+use the same NTP service for all other systems.
+</h:p>
+<h:p>
+This can be accomplished by regularly executing <h:b>ntpdate</h:b>,
+but can also be handled using a service like <h:code>net-misc/ntp</h:code>'s
+<h:b>ntpd</h:b>.
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog">
+<title>Syslog service</title>
+<description>
+<h:p>
+The system logger handles all non-audit related logging generated by applications
+and daemons. In order to ensure proper forensic analysis if it would ever be needed,
+the system logger should be properly configured.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-logintervals">
+<title>Configure the system logger to log intervals</title>
+<description>
+<h:p>
+Have the system logger log every 10 minutes or so. Without interval logging,
+administrators might think nothing is wrong although in reality the system
+logger is malfunctioning and not writing any log events.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-remotelogging">
+<title>Enable remote logging</title>
+<description>
+<h:p>
+If possible, have vital (or all) logs sent to a remote system logger as well.
+In home deployments, off-the-shelf (wifi) routers often have a logging daemon
+that can receive syslog events. For larger environments, a dedicated centralized
+log server is recommended.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-terminal">
+<title>Decide which events to send to user terminals</title>
+<description>
+<h:p>
+On Linux and Unix systems, events can be sent to user terminals to
+make those users immediately aware of what is happening. It is
+recommended to send emergency-level events to everyone and have
+alerts sent to specific administrative user terminals.
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-portage">
+<title>Portage settings</title>
+<description>
+<h:p>
+The package manager of any system is a very important tool. It is
+responsible for handling proper software deployments, but also offers
+features that should not be neglected, like security patch roll-out.
+</h:p>
+<h:p>
+For Gentoo, the package manager offers a great deal of flexibility (as
+that is the goal of Gentoo anyhow). As such, good settings for a more
+secure environment within Portage (assuming that Portage is used as
+package manager) are important.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-portage-use">
+<title>USE flags</title>
+<description>
+<h:p>
+USE flags in Gentoo are used to tune the functionality of many
+components and enable or disable features.
+</h:p>
+<h:p>
+For a well secured environment, there are a couple of USE flags that
+should be set in a global manner. These USE flags are
+</h:p>
+<h:ul>
+<h:li>
+<h:code>pam</h:code> to enable Pluggable Authentication
+Modules support
+</h:li>
+<h:li>
+<h:code>tcpd</h:code> for TCP wrappers support
+</h:li>
+<h:li>
+<h:code>ssl</h:code> for SSL/TLS support
+</h:li>
+</h:ul>
+<h:p>
+<h:b>Pluggable Authentication Modules</h:b> are a powerful mechanism
+to manage authentication, authorization and user sessions.
+Applications that support PAM can be tuned to the liking of the
+organization, leveraging central authentication, password policies,
+auditing and more.
+</h:p>
+<h:p>
+With <h:b>TCP wrappers</h:b>, services can be shielded from
+unauthorized access on host level. It is an access control level
+mechanism which allows configuring allowed (and denied) hosts or
+network segments on application level.
+</h:p>
+<h:p>
+Finally, leveraging <h:b>Secure Sockets Layer</h:b> (or the
+standardized <h:b>Transport Layer Security</h:b>) allows applications
+to encrypt network communication or even implement a
+client-certificate based authentication mechanism.
+</h:p>
+<h:p>
+Set the USE flags globally in <h:code>/etc/portage/make.conf</h:code>
+so they are applicable to all installed software.
+</h:p>
+<h:pre>
USE="... pam tcpd ssl"</h:pre>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="false" severity="low" weight="0.0">
- <title>USE="pam" is set</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-pam">
- Edit /etc/portage/make.conf and make sure that 'pam' is in the USE declaration
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="false" severity="low" weight="0.0">
- <title>USE="tcpd" is set</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-tcpd">
- Edit /etc/portage/make.conf and make sure that 'tcpd' is in the USE declaration
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:28" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="false" severity="low" weight="0.0">
- <title>USE="ssl" is set</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-ssl">
- Edit /etc/portage/make.conf and make sure that 'ssl' is in the USE declaration
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-portage-webrsync">
- <title>Fetching signed portage tree</title>
- <description>
- <h:p>
- Gentoo Portage supports fetching signed tree snapshots using
- <h:b>emerge-webrsync</h:b>. This is documented in the Gentoo Handbook,
- but as it is quite easy, here are the instructions again:
- </h:p>
- <h:pre>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="false" severity="low" weight="0.0">
+<title>USE="pam" is set</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-pam">
+Edit /etc/portage/make.conf and make sure that 'pam' is in the USE declaration
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="false" severity="low" weight="0.0">
+<title>USE="tcpd" is set</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-tcpd">
+Edit /etc/portage/make.conf and make sure that 'tcpd' is in the USE declaration
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:28" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="false" severity="low" weight="0.0">
+<title>USE="ssl" is set</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-ssl">
+Edit /etc/portage/make.conf and make sure that 'ssl' is in the USE declaration
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="gentoo-oval.xml" />
+</check>
+
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-portage-webrsync">
+<title>Fetching signed portage tree</title>
+<description>
+<h:p>
+Gentoo Portage supports fetching signed tree snapshots using
+<h:b>emerge-webrsync</h:b>. This is documented in the Gentoo Handbook,
+but as it is quite easy, here are the instructions again:
+</h:p>
+<h:pre>
# <h:b>mkdir -p /etc/portage/gpg</h:b>
# <h:b>chmod 0700 /etc/portage/gpg</h:b>
# <h:b>export SRV="subkeys.pgp.net"</h:b>
# <h:b>export KEY="0x96D8BF6D"</h:b>
# <h:b>gpg --homedir /etc/portage/gpg --keyserver ${SRV} --recv-keys ${KEY}</h:b>
# <h:b>gpg --homedir /etc/portage/gpg --edit-key ${KEY} trust</h:b></h:pre>
- <h:p>
- After this, edit <h:code>/etc/portage/make.conf</h:code>:
- </h:p>
- <h:pre>
+<h:p>
+After this, edit <h:code>/etc/portage/make.conf</h:code>:
+</h:p>
+<h:pre>
FEATURES="webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"
</h:pre>
- <h:p>
- In the repository configuration (<h:code>/etc/portage/repos.conf</h:code> or a
- file inside it) <h:code>sync-uri</h:code> has to be commented out, or set to an
- empty value.
- </h:p>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="false" severity="low" weight="0.0">
- <title>FEATURES="webrsync-gpg" is set</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_FEATURES-webrsync-gpg">
- Edit /etc/portage/make.conf and make sure that 'webrsync-gpg' is in the FEATURES declaration.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:30" href="gentoo-oval.xml" />
- </check>
- </Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="false" severity="low" weight="0.0">
- <title>PORTAGE_GPG_DIR is set</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_PORTAGE_GPG_DIR-nonempty">
- Edit /etc/portage/make.conf and make sure that PORTAGE_GPG_DIR is set correctly.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:31" href="gentoo-oval.xml" />
- </check>
- </Rule>
-
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-kernel">
- <title>Kernel configuration</title>
- <description>
- <h:p>
- The Linux kernel should be configured using a sane security standard in
- mind. When using grSecurity, additional security-enhancing settings can
- be enabled.
- </h:p>
- <h:p>
- For further details, please refer to the "Hardening the Linux kernel" guide.
- </h:p>
- </description>
- <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader">
- <title>Bootloader configuration</title>
- <description>
- <h:p>
- The bootloader (be it GRUB or another tool) is responsible for loading
- the Linux kernel and handing over system control to the kernel. But boot
- loaders also allow for a flexible approach on kernel loading, which can
- be (ab)used to work around security mechanisms.
- </h:p>
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub2pass">
- <title>Password protect GRUB 2</title>
- <description>
- <h:p>
- It is recommended to password-protect the GRUB configuration so that the
- boot options cannot be modified during a boot without providing the valid
- password.
- </h:p>
- <h:p>
- TODO looks like this has become a lot more difficult to obtain
- </h:p>
- </description>
- <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
- <title>Password protect GRUB (legacy)</title>
- <description>
- <h:p>
- It is recommended to password-protect the GRUB configuration so that
- the boot options cannot be modified during a boot without providing the
- valid password.
- </h:p>
- <h:p>
- This can be accomplished by inserting <h:code>password abc123</h:code>
- in <h:code>/boot/grub/grub.conf</h:code> (which will set the password
- to "abc123"). But as clear-text passwords in the configuration file are insecure as well,
- hash the passwords. Just start <h:b>grub</h:b>
- and, in the grub-shell, type <h:b>md5crypt</h:b>.
- </h:p>
- <h:pre>
-# <h:b>grub</h:b>
+<h:p>
+In the repository configuration (<h:code>/etc/portage/repos.conf</h:code> or a
+file inside it) <h:code>sync-uri</h:code> has to be commented out, or set to an
+empty value.
+</h:p>
+</description>
-GRUB version 0.92 (640K lower / 3072K upper memory)
+<Rule id="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="false" severity="low" weight="0.0">
+<title>FEATURES="webrsync-gpg" is set</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_FEATURES-webrsync-gpg">
+Edit /etc/portage/make.conf and make sure that 'webrsync-gpg' is in the FEATURES declaration.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:30" href="gentoo-oval.xml" />
+</check>
+</Rule>
-[ Minimal BASH-like line editing is supported. ... ]
+<Rule id="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="false" severity="low" weight="0.0">
+<title>PORTAGE_GPG_DIR is set</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_PORTAGE_GPG_DIR-nonempty">
+Edit /etc/portage/make.conf and make sure that PORTAGE_GPG_DIR is set correctly.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:31" href="gentoo-oval.xml" />
+</check>
+</Rule>
-grub> <h:b>md5crypt</h:b>
+</Group>
-Password: <h:em>abc123</h:em>
-Encrypted: $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.
+</Group>
-grub> <h:b>quit</h:b></h:pre>
- <h:p>
- This hashed password can now be used in <h:code>grub.conf</h:code>
- using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
- </h:p>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
- <title>Grub legacy (if it exists) has a password entry with md5 hash</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
- Edit /boot/grub/grub.conf and set a password entry with md5 hash
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
- <title>Password protect LILO</title>
- <description>
- <h:p>
- It is recommended to password-protect the LILO configuration so that
- modifying the boot options during a boot without providing the
- valid password is not possible.
- </h:p>
- <h:p>
- This can be accomplished by inserting <h:code>password=abc123</h:code>
- followed by <h:code>restricted</h:code> in the
- <h:code>/etc/lilo.conf</h:code> file. It is also possible to do this
- on a per-image level.
- </h:p>
- <h:pre>
-password=abc123
-restricted
-delay=3
+<Group id="xccdf_org.gentoo.dev.swift_group_system-kernel">
+<title>Kernel configuration</title>
+<description>
+<h:p>
+The Linux kernel should be configured using a sane security standard in
+mind. When using grSecurity, additional security-enhancing settings can
+be enabled.
+</h:p>
+<h:p>
+For further details, please refer to the "Hardening the Linux kernel" guide.
+</h:p>
+</description>
+<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
+</Group>
-image=/boot/bzImage
- read-only
- password=def456
- restricted</h:pre>
- <h:p>
- The <h:code>restricted</h:code> keyword is needed to have LILO only
- ask for the password if a modification is given. If the defaults are
- used, then no password needs to be provided.
- </h:p>
- <h:p>
- Rerun <h:code>lilo</h:code> after updating the configuration file.
- </h:p>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="false" severity="low" weight="6.9">
- <title>LILO (if it exists) has a password entry</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_liloconf-password">
- Edit /etc/lilo.conf and set a password entry
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
- <title>Authentication and authorization settings</title>
- <description>
- <h:p>
- An important part in a servers' security is its authentication and
- authorization support. We have already described how to build in PAM
- support (through the Portage USE flags), but proper authentication and
- authorization settings are mode than just compiling in the necessary
- functionality.
- </h:p>
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-securetty">
- <title>Restrict root system logon</title>
- <description>
- <h:p>
- To restrict where the root user can directly log on, edit
- <h:code>/etc/securetty</h:code> and specify the supported terminals
- for the root user.
- </h:p>
- <h:p>
- When properly configured, any attempt to log on as the root user from
- a non-defined terminal will result in logon failure.
- </h:p>
- <h:p>
- A recommended setting is to only allow root user login through the
- console and the physical terminals (<h:code>tty0-tty12</h:code>).
- </h:p>
- <h:pre>
+<Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
+<title>Authentication and authorization settings</title>
+<description>
+<h:p>
+An important part in a servers' security is its authentication and
+authorization support. We have already described how to build in PAM
+support (through the Portage USE flags), but proper authentication and
+authorization settings are mode than just compiling in the necessary
+functionality.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-securetty">
+<title>Restrict root system logon</title>
+<description>
+<h:p>
+To restrict where the root user can directly log on, edit
+<h:code>/etc/securetty</h:code> and specify the supported terminals
+for the root user.
+</h:p>
+<h:p>
+When properly configured, any attempt to log on as the root user from
+a non-defined terminal will result in logon failure.
+</h:p>
+<h:p>
+A recommended setting is to only allow root user login through the
+console and the physical terminals (<h:code>tty0-tty12</h:code>).
+</h:p>
+<h:pre>
console
tty0
tty1
...
tty12</h:pre>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
- <title>/etc/securetty is limited to console and tty's</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
- Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
- </check>
- </Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
- <title>Allow only known users to login</title>
- <description>
- <h:p>
- When PAM is enabled, the <h:code>/etc/security/access.conf</h:code>
- file is used to check which users are allowed to log on and not
- (through the <h:b>login</h:b> application). These limits are based on
- username, group and host, network or tty that the user is trying to
- log on from.
- </h:p>
- <h:p>
- By enabling these settings, the risk is reduced that a functional
- account (say <h:code>apache</h:code>) is abused to log on with, or
- that a new account is created as part of an exploit.
- </h:p>
- <h:p>
- The following example setting allows only local root logins on tty1,
- and only the <h:em>swift</h:em> account to log on on the system.
- </h:p>
- <h:pre>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
+<title>/etc/securetty is limited to console and tty's</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
+Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
+<title>Allow only known users to login</title>
+<description>
+<h:p>
+When PAM is enabled, the <h:code>/etc/security/access.conf</h:code>
+file is used to check which users are allowed to log on and not
+(through the <h:b>login</h:b> application). These limits are based on
+username, group and host, network or tty that the user is trying to
+log on from.
+</h:p>
+<h:p>
+By enabling these settings, the risk is reduced that a functional
+account (say <h:code>apache</h:code>) is abused to log on with, or
+that a new account is created as part of an exploit.
+</h:p>
+<h:p>
+The following example setting allows only local root logins on tty1,
+and only the <h:em>swift</h:em> account to log on on the system.
+</h:p>
+<h:pre>
+ : root : tty1
- : ALL EXCEPT swift : ALL
- </h:pre>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources">
- <title>Restrict user resources</title>
- <description>
- <h:p>
- When facing a DoS (Denial-of-Service) attack, reducing the impact of
- the attack can be done by limited resource consumption. Although the
- component that is under attack will even more quickly fail, the impact
- towards the other services on the system (including remote logon to
- fix things) is more limited.
- </h:p>
- <h:p>
- In Gentoo Linux, the following methods are available to limit
- resources.
- </h:p>
- <h:ul>
- <h:li>
- <h:code>/etc/security/limits.conf</h:code> defines the
- resource limits for logins that are done through a PAM-aware
- component (default in our setup)
- </h:li>
- <h:li>
- <h:code>/etc/limits</h:code> defines the resource limits for
- logins that are done through login programs that are not
- PAM-aware.
- </h:li>
- </h:ul>
- <h:p>
- Generally, it should suffice to set up
- <h:code>/etc/security/limits.conf</h:code>, which is the configuration
- file used by the <h:code>pam_limits.so</h:code> module.
- </h:p>
- <h:p>
- Note that the settings are applicable on a <h:em>per login
- session</h:em> basis.
- </h:p>
- <h:p>
- More information on these files and their syntax can be obtained
- through their manual pages.
- </h:p>
- <h:pre>
+</h:pre>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources">
+<title>Restrict user resources</title>
+<description>
+<h:p>
+When facing a DoS (Denial-of-Service) attack, reducing the impact of
+the attack can be done by limited resource consumption. Although the
+component that is under attack will even more quickly fail, the impact
+towards the other services on the system (including remote logon to
+fix things) is more limited.
+</h:p>
+<h:p>
+In Gentoo Linux, the following methods are available to limit
+resources.
+</h:p>
+<h:ul>
+<h:li>
+<h:code>/etc/security/limits.conf</h:code> defines the
+resource limits for logins that are done through a PAM-aware
+component (default in our setup)
+</h:li>
+<h:li>
+<h:code>/etc/limits</h:code> defines the resource limits for
+logins that are done through login programs that are not
+PAM-aware.
+</h:li>
+</h:ul>
+<h:p>
+Generally, it should suffice to set up
+<h:code>/etc/security/limits.conf</h:code>, which is the configuration
+file used by the <h:code>pam_limits.so</h:code> module.
+</h:p>
+<h:p>
+Note that the settings are applicable on a <h:em>per login
+session</h:em> basis.
+</h:p>
+<h:p>
+More information on these files and their syntax can be obtained
+through their manual pages.
+</h:p>
+<h:pre>
# <h:b>man limits.conf</h:b>
# <h:b>man limits</h:b></h:pre>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-password">
- <title>Enforce password policy</title>
- <description>
- <h:p>
- Usually most organizations have a password policy, telling their users
- how long their passwords should be and how often the passwords should
- be changed. Most users see this as an annoying aspect, so it might be
- best to enforce this policy.
- </h:p>
- <h:p>
- Enforcing password policies is (partially) part of the
- <h:code>sys-apps/shadow</h:code> package (which is installed by
- default) and can be configured through the
- <h:code>/etc/login.defs</h:code> file. This file is well documented
- (using comments) and it has a full manual page as well.
- </h:p>
- <h:p>
- A second important player when dealing with password policies is the
- <h:code>pam_cracklib.so</h:code> library. This can be used in the
- appropriate <h:code>/etc/pam.d/*</h:code> files. For instance, for the
- <h:code>/etc/pam.d/passwd</h:code> definition:
- </h:p>
- <h:pre>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-password">
+<title>Enforce password policy</title>
+<description>
+<h:p>
+Usually most organizations have a password policy, telling their users
+how long their passwords should be and how often the passwords should
+be changed. Most users see this as an annoying aspect, so it might be
+best to enforce this policy.
+</h:p>
+<h:p>
+Enforcing password policies is (partially) part of the
+<h:code>sys-apps/shadow</h:code> package (which is installed by
+default) and can be configured through the
+<h:code>/etc/login.defs</h:code> file. This file is well documented
+(using comments) and it has a full manual page as well.
+</h:p>
+<h:p>
+A second important player when dealing with password policies is the
+<h:code>pam_cracklib.so</h:code> library. This can be used in the
+appropriate <h:code>/etc/pam.d/*</h:code> files. For instance, for the
+<h:code>/etc/pam.d/passwd</h:code> definition:
+</h:p>
+<h:pre>
auth required pam_unix.so shadow nullok
account required pam_unix.so
<h:b>password required pam_cracklib.so difok=3 retry=3 \
- minlen=8 dcredit=-2 \
- ocredit=-2</h:b>
+minlen=8 dcredit=-2 \
+ocredit=-2</h:b>
password required pam_unix.so md5 use_authok
session required pam_unix.so</h:pre>
- <h:p>
- In the above example, the password is required to be at least 8
- characters long, differ more than 3 characters from the previous
- password, contain 2 digits and 2 non-alphanumeric characters.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-ripper">
- <title>Review password strength regularly</title>
- <description>
- <h:p>
- Regularly check the strength of the users' passwords. There are tools
- out there, like <h:code>app-crypt/johntheripper</h:code> which, given
- a <h:code>/etc/shadow</h:code> file (or sometimes even LDAP dump) try
- to find the passwords for the users.
- </h:p>
- <h:p>
- When such a tool can guess a users' password, that users' password
- should be expired and the user should be notified and asked to change
- his password.
- </h:p>
- </description>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-session">
- <title>Session settings</title>
- <description>
- <h:p>
- Unlike authentication and authorization settings, a <h:em>session</h:em>
- setting is one that is applicable to an authenticated and authorized
- user when he is logged on to the system.
- </h:p>
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-session-mesg">
- <title>Disable access to user terminals</title>
- <description>
- <h:p>
- By default, user terminals are accessible by others to write messages
- to (using <h:b>write</h:b>, <h:b>wall</h:b> or <h:b>talk</h:b>). It is
- adviseable to disable this unless explicitly necessary.
- </h:p>
- <h:p>
- Messages can confuse users and trick them into performing malicious
- actions.
- </h:p>
- <h:p>
- This can be disabled by setting <h:code>mesg n</h:code> in
- <h:code>/etc/profile</h:code>. A user-friendly method for doing so in
- Gentoo is to create a file <h:code>/etc/profile.d/disable_mesg</h:code> which
- contains this command.
- </h:p>
- </description>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev_group_system-fileprivileges">
- <title>File and directory privileges and integrity</title>
- <description>
- Proper privileges on files makes it far more difficult to malicious
- users to obtain sensitive information or write/update files they should
- not have access to.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-worldrw">
- <title>Limit world writable files and locations</title>
- <description>
- <h:p>
- Limit (or even remove) the use of world writable files and locations.
- If a directory is world writable, it makes sense to have the
- sticky bit set on it as well (like with <h:code>/tmp</h:code>).
- </h:p>
- <h:p>
- Use <h:code>find</h:code> to locate such files or directories.
- </h:p>
- <h:pre>
+<h:p>
+In the above example, the password is required to be at least 8
+characters long, differ more than 3 characters from the previous
+password, contain 2 digits and 2 non-alphanumeric characters.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-ripper">
+<title>Review password strength regularly</title>
+<description>
+<h:p>
+Regularly check the strength of the users' passwords. There are tools
+out there, like <h:code>app-crypt/johntheripper</h:code> which, given
+a <h:code>/etc/shadow</h:code> file (or sometimes even LDAP dump) try
+to find the passwords for the users.
+</h:p>
+<h:p>
+When such a tool can guess a users' password, that users' password
+should be expired and the user should be notified and asked to change
+his password.
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-session">
+<title>Session settings</title>
+<description>
+<h:p>
+Unlike authentication and authorization settings, a <h:em>session</h:em>
+setting is one that is applicable to an authenticated and authorized
+user when he is logged on to the system.
+</h:p>
+</description>
+<Group id="xccdf_org.gentoo.dev.swift_group_system-session-mesg">
+<title>Disable access to user terminals</title>
+<description>
+<h:p>
+By default, user terminals are accessible by others to write messages
+to (using <h:b>write</h:b>, <h:b>wall</h:b> or <h:b>talk</h:b>). It is
+adviseable to disable this unless explicitly necessary.
+</h:p>
+<h:p>
+Messages can confuse users and trick them into performing malicious
+actions.
+</h:p>
+<h:p>
+This can be disabled by setting <h:code>mesg n</h:code> in
+<h:code>/etc/profile</h:code>. A user-friendly method for doing so in
+Gentoo is to create a file <h:code>/etc/profile.d/disable_mesg</h:code> which
+contains this command.
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev_group_system-fileprivileges">
+<title>File and directory privileges and integrity</title>
+<description>
+Proper privileges on files makes it far more difficult to malicious
+users to obtain sensitive information or write/update files they should
+not have access to.
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-worldrw">
+<title>Limit world writable files and locations</title>
+<description>
+<h:p>
+Limit (or even remove) the use of world writable files and locations.
+If a directory is world writable, it makes sense to have the
+sticky bit set on it as well (like with <h:code>/tmp</h:code>).
+</h:p>
+<h:p>
+Use <h:code>find</h:code> to locate such files or directories.
+</h:p>
+<h:pre>
# <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre>
- <h:p>
- The above command shows world writable files and locations, unless it
- is a directory with the sticky bit set, or a symbolic link (whose
- world writable privilege is not accessible anyhow).
- </h:p>
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="false" severity="medium" weight="4.3">
- <title>All world writable directories have the sticky bit set</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit">
- Make sure all world-writable directories have the sticky bit set
- </fixtext>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="gentoo-oval.xml" />
- </check>
- </Rule>
-
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
- <title>Limit setuid and setgid file and directory usage</title>
- <description>
- <h:p>
- The <h:em>setuid</h:em> and <h:em>setgid</h:em> flags for files and
- directories can be used to work around authentication and
- authorization measures taken on the system. So their use should be
- carefully guarded.
- </h:p>
- <h:p>
- In case of files, the setuid or setgid bit causes the application (if
- the file is marked as executable) to run with the privileges of the
- file owner (setuid) or group owner (setgid). It is necessary for
- applications that need elevated privileges, like <h:b>su</h:b> or
- <h:b>sudo</h:b>.
- </h:p>
- <h:p>
- In case of directories, the setgit bit causes newly created
- files in that directory to automatically be owned by the same group as
- the mentioned (parent) directory.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-caps">
- <title>Limit capability enabled files</title>
- <description>
- <h:p>
- Capabilities within Linux allow users to perform certain privileged tasks.
- </h:p>
- <h:p>
- Unlike <h:em>setuid</h:em> flags, the allowed privileges can be defined
- in a more granular approach (although one can still add in all possible
- capabilities and thus gain similar privileges as through <h:em>setuid</h:em>
- binaries).
- </h:p>
- <h:p>
- Files with particular capabilities set (through the <h:b>setcap</h:b>
- application) should be regularly reviewed. Capability-enabled files
- can be found through the following command:
- </h:p>
- <h:pre>
+<h:p>
+The above command shows world writable files and locations, unless it
+is a directory with the sticky bit set, or a symbolic link (whose
+world writable privilege is not accessible anyhow).
+</h:p>
+</description>
+
+<Rule id="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="false" severity="medium" weight="4.3">
+<title>All world writable directories have the sticky bit set</title>
+<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit">
+Make sure all world-writable directories have the sticky bit set
+</fixtext>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="gentoo-oval.xml" />
+</check>
+</Rule>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
+<title>Limit setuid and setgid file and directory usage</title>
+<description>
+<h:p>
+The <h:em>setuid</h:em> and <h:em>setgid</h:em> flags for files and
+directories can be used to work around authentication and
+authorization measures taken on the system. So their use should be
+carefully guarded.
+</h:p>
+<h:p>
+In case of files, the setuid or setgid bit causes the application (if
+the file is marked as executable) to run with the privileges of the
+file owner (setuid) or group owner (setgid). It is necessary for
+applications that need elevated privileges, like <h:b>su</h:b> or
+<h:b>sudo</h:b>.
+</h:p>
+<h:p>
+In case of directories, the setgit bit causes newly created
+files in that directory to automatically be owned by the same group as
+the mentioned (parent) directory.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-caps">
+<title>Limit capability enabled files</title>
+<description>
+<h:p>
+Capabilities within Linux allow users to perform certain privileged tasks.
+</h:p>
+<h:p>
+Unlike <h:em>setuid</h:em> flags, the allowed privileges can be defined
+in a more granular approach (although one can still add in all possible
+capabilities and thus gain similar privileges as through <h:em>setuid</h:em>
+binaries).
+</h:p>
+<h:p>
+Files with particular capabilities set (through the <h:b>setcap</h:b>
+application) should be regularly reviewed. Capability-enabled files
+can be found through the following command:
+</h:p>
+<h:pre>
# <h:b>getcap -r /</h:b>
- </h:pre>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs">
- <title>Logs only readable by proper group</title>
- <description>
- No log file in <h:code>/var/log</h:code> should be world readable. Log
- files should be limited by particular groups (either the group
- representing the service, like <h:code>apache</h:code> or
- <h:code>portage</h:code>, or a specific administrative group like
- <h:code>wheel</h:code>).
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-rootonly">
- <title>Files only used by root should be root-only</title>
- <description>
- <h:p>
- Some files, like <h:code>/etc/shadow</h:code>, are meant to be read
- (and perhaps modified) by root only. These files should never have
- privileges for group- or others.
- </h:p>
- <h:p>
- A nonexhaustive list of such files is:
- </h:p>
- <h:ul>
- <h:li>
- <h:code>/etc/shadow</h:code> which contains account password
- information (including password hashes)
- </h:li>
- <h:li>
- <h:code>/etc/securetty</h:code> which contains the list of
- terminals where root is allowed to log on from
- </h:li>
- </h:ul>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-hids">
- <title>Review file integrity regularly</title>
- <description>
- Deploy intrusion detection tool(s) to validate the integrity and
- privileges on important files. <h:code>app-forensics/aide</h:code> is
- an example of such a tool.
- </description>
- </Group>
- </Group>
- </Group> <!-- system -->
- <Group id="xccdf_org.gentoo.dev.swift_group_data">
- <title>Data flows</title>
- <description>
- Clearly map out how data flows in and out of the server (and which data
- this is). This will be needed anyhow when firewalls are configured, but it
- also improves integration of the server in a larger infrastructure.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_data-backup">
- <title>Backup the data</title>
- <description>
- Make sure that the data is backed up. This is not only in case of
- server loss, but also to protect against accidental file removal or an
- awkward bug in a service that deleted important information.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_data-backup-automate">
- <title>Automated backups</title>
- <description>
- <h:p>
- Automate backups on the system. If the backups are performed manually
- then they are done wrong and someone will eventually forget it.
- </h:p>
- <h:p>
- Use scheduling software like <h:code>cron</h:code> to
- automatically take backups on regular intervals, or use a central
- backup solution like <h:code>bacula</h:code>.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-coverage">
- <title>Full data coverage</title>
- <description>
- Many users that do take backups only do this on what they seem as
- important files. However, it is wise to make full system backups too
- as recreating an entire system from scratch could otherwise take days
- or even weeks.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-history">
- <title>Retention</title>
- <description>
- <h:p>
- Ensure that the backups use a long enough retention. It is not wise
- to take a single backup and overwrite this one over and over again, as
- there will be a time that a file needs to be recovered that was corrupted
- long before the last backup was taken.
- </h:p>
- <h:p>
- There is no perfect retention period however, as the more backups are
- kept, the more storage is required and the more money or time needs to be invested in
- managing the backups.
- </h:p>
- <h:p>
- In most cases, introduce a "layered" approach on retention. For instance:
- </h:p>
- <h:ul>
- <h:li>keep daily backups for a week</h:li>
- <h:li>
- keep weekly backups (say each monday backup) for a month
- </h:li>
- <h:li>
- keep monthly backups (say each first monday) for a year
- </h:li>
- <h:li>
- keep yearly backups for 30 years
- </h:li>
- </h:ul>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-location">
- <title>Off-site backups</title>
- <description>
- <h:p>
- Keep the backups off-site in case of disaster. But consider this
- location carefully. Investigate how fast the backup can be put there,
- but also how fast it can be retrieved it in case of need. Also investigate if this
- location is juridically sane (is it allowed to put the data on this location
- and is this off-site location trusted).
- </h:p>
- <h:p>
- Also ensure that the backups are stored securely. If necessary,
- encrypt the backups.
- </h:p>
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_data-backups-validate">
- <title>Validate and test</title>
- <description>
- Validate that the backup system works. Try recovering files (for
- instance on a second server or different location) or even entire
- systems (virtualization is a great help here) and do this regularly.
- </description>
- </Group>
- </Group>
- </Group> <!-- Data flows -->
- <Group id="xccdf_org.gentoo.dev.swift_group_removal">
- <title>Decommissioning servers</title>
- <description>
- When a server needs to be decommissioned, make sure that its data
- is safeguarded from future extraction.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_removal-wipedisk">
- <title>Wipe disks</title>
- <description>
- <h:p>
- Clear all data from the disks on the server in a secure manner.
- Applications like <h:b>shred</h:b> (part of
- <h:code>sys-apps/coreutils</h:code>) can be used to security wipe data
- or even entire partitions or disks.
- </h:p>
- <h:p>
- It is recommended to perform full disk wipes rather than file wipes.
- If this needs to be done on file level, see if the file system
- journaling can be disabled during the wipe session as journaling might "buffer" the
- secure writes and only write the end result to the disk.
- </h:p>
- </description>
- <reference href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">NIST Publication "Guidelines for Media Sanitization" (PDF)</reference>
- </Group>
- </Group> <!-- Removal -->
+</h:pre>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs">
+<title>Logs only readable by proper group</title>
+<description>
+No log file in <h:code>/var/log</h:code> should be world readable. Log
+files should be limited by particular groups (either the group
+representing the service, like <h:code>apache</h:code> or
+<h:code>portage</h:code>, or a specific administrative group like
+<h:code>wheel</h:code>).
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-rootonly">
+<title>Files only used by root should be root-only</title>
+<description>
+<h:p>
+Some files, like <h:code>/etc/shadow</h:code>, are meant to be read
+(and perhaps modified) by root only. These files should never have
+privileges for group- or others.
+</h:p>
+<h:p>
+A nonexhaustive list of such files is:
+</h:p>
+<h:ul>
+<h:li>
+<h:code>/etc/shadow</h:code> which contains account password
+information (including password hashes)
+</h:li>
+<h:li>
+<h:code>/etc/securetty</h:code> which contains the list of
+terminals where root is allowed to log on from
+</h:li>
+</h:ul>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-hids">
+<title>Review file integrity regularly</title>
+<description>
+Deploy intrusion detection tool(s) to validate the integrity and
+privileges on important files. <h:code>app-forensics/aide</h:code> is
+an example of such a tool.
+</description>
+</Group>
+
+</Group>
+
+</Group> <!-- system -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_hardening">
+<title>Hardening and risk mitigation</title>
+<description>
+<h:p>
+This chapter focuses on additional hardening instructions and risk mitigation. Unlike the previous
+chapters, this one focuses on <h:em>additional software</h:em> and configuration concerns rather than
+tuning and tweaking existing ones.
+</h:p>
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_hardening-secureboot">
+<title>SecureBoot</title>
+<description>
+<h:p>
+TODO
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_hardening-firewall">
+<title>Firewall</title>
+<description>
+<h:p>
+TODO: Firewall
+</h:p>
+</description>
+</Group>
+
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data">
+<title>Data flows</title>
+<description>
+Clearly map out how data flows in and out of the server (and which data
+this is). This will be needed anyhow when firewalls are configured, but it
+also improves integration of the server in a larger infrastructure.
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data-backup">
+<title>Backup the data</title>
+<description>
+Make sure that the data is backed up. This is not only in case of
+server loss, but also to protect against accidental file removal or an
+awkward bug in a service that deleted important information.
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data-backup-automate">
+<title>Automated backups</title>
+<description>
+<h:p>
+Automate backups on the system. If the backups are performed manually
+then they are done wrong and someone will eventually forget it.
+</h:p>
+<h:p>
+Use scheduling software like <h:code>cron</h:code> to
+automatically take backups on regular intervals, or use a central
+backup solution like <h:code>bacula</h:code>.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-coverage">
+<title>Full data coverage</title>
+<description>
+Many users that do take backups only do this on what they seem as
+important files. However, it is wise to make full system backups too
+as recreating an entire system from scratch could otherwise take days
+or even weeks.
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-history">
+<title>Retention</title>
+<description>
+<h:p>
+Ensure that the backups use a long enough retention. It is not wise
+to take a single backup and overwrite this one over and over again, as
+there will be a time that a file needs to be recovered that was corrupted
+long before the last backup was taken.
+</h:p>
+<h:p>
+There is no perfect retention period however, as the more backups are
+kept, the more storage is required and the more money or time needs to be invested in
+managing the backups.
+</h:p>
+<h:p>
+In most cases, introduce a "layered" approach on retention. For instance:
+</h:p>
+<h:ul>
+<h:li>keep daily backups for a week</h:li>
+<h:li>
+keep weekly backups (say each monday backup) for a month
+</h:li>
+<h:li>
+keep monthly backups (say each first monday) for a year
+</h:li>
+<h:li>
+keep yearly backups for 30 years
+</h:li>
+</h:ul>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-location">
+<title>Off-site backups</title>
+<description>
+<h:p>
+Keep the backups off-site in case of disaster. But consider this
+location carefully. Investigate how fast the backup can be put there,
+but also how fast it can be retrieved it in case of need. Also investigate if this
+location is juridically sane (is it allowed to put the data on this location
+and is this off-site location trusted).
+</h:p>
+<h:p>
+Also ensure that the backups are stored securely. If necessary,
+encrypt the backups.
+</h:p>
+</description>
+</Group>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_data-backups-validate">
+<title>Validate and test</title>
+<description>
+Validate that the backup system works. Try recovering files (for
+instance on a second server or different location) or even entire
+systems (virtualization is a great help here) and do this regularly.
+</description>
+</Group>
+
+</Group>
+
+</Group> <!-- Data flows -->
+
+<Group id="xccdf_org.gentoo.dev.swift_group_removal">
+<title>Decommissioning servers</title>
+<description>
+When a server needs to be decommissioned, make sure that its data
+is safeguarded from future extraction.
+</description>
+
+<Group id="xccdf_org.gentoo.dev.swift_group_removal-wipedisk">
+<title>Wipe disks</title>
+<description>
+<h:p>
+Clear all data from the disks on the server in a secure manner.
+Applications like <h:b>shred</h:b> (part of
+<h:code>sys-apps/coreutils</h:code>) can be used to security wipe data
+or even entire partitions or disks.
+</h:p>
+<h:p>
+It is recommended to perform full disk wipes rather than file wipes.
+If this needs to be done on file level, see if the file system
+journaling can be disabled during the wipe session as journaling might "buffer" the
+secure writes and only write the end result to the disk.
+</h:p>
+</description>
+<reference href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">NIST Publication "Guidelines for Media Sanitization" (PDF)</reference>
+</Group>
+
+</Group> <!-- Removal -->
+
</Benchmark>
^ permalink raw reply related [flat|nested] 37+ messages in thread
end of thread, other threads:[~2015-09-04 19:50 UTC | newest]
Thread overview: 37+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-20 14:47 [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/ Sven Vermeulen
-- strict thread matches above, loose matches on Subject: below --
2015-09-04 19:50 Sven Vermeulen
2015-09-02 20:24 Sven Vermeulen
2014-03-30 20:08 Sven Vermeulen
2014-03-30 20:08 Sven Vermeulen
2014-03-30 18:29 Sven Vermeulen
2014-03-30 18:29 Sven Vermeulen
2014-03-26 21:07 Sven Vermeulen
2014-02-01 14:24 Sven Vermeulen
2014-02-01 14:24 Sven Vermeulen
2014-02-01 14:24 Sven Vermeulen
2014-02-01 14:24 Sven Vermeulen
2013-12-20 14:48 Sven Vermeulen
2013-12-20 14:41 Sven Vermeulen
2013-12-20 14:38 Sven Vermeulen
2013-12-20 14:25 Sven Vermeulen
2013-12-20 14:15 Sven Vermeulen
2013-12-20 14:15 Sven Vermeulen
2013-12-20 13:56 Sven Vermeulen
2013-12-20 13:56 Sven Vermeulen
2013-12-20 13:56 Sven Vermeulen
2013-12-20 13:56 Sven Vermeulen
2013-12-20 13:56 Sven Vermeulen
2013-12-20 13:56 Sven Vermeulen
2013-12-20 10:59 Sven Vermeulen
2013-12-11 20:58 Sven Vermeulen
2013-12-11 20:58 Sven Vermeulen
2013-12-11 20:53 Sven Vermeulen
2013-12-11 20:53 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-09-23 11:46 Sven Vermeulen
2013-09-23 11:40 Sven Vermeulen
2013-09-19 19:26 Sven Vermeulen
2013-09-18 13:51 Sven Vermeulen
2013-09-17 19:07 Sven Vermeulen
2013-09-17 19:07 Sven Vermeulen
2013-09-17 19:07 Sven Vermeulen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox