From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id BB7121387FD for ; Wed, 26 Mar 2014 21:07:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 26CDBE0AA6; Wed, 26 Mar 2014 21:07:03 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9947AE0AA6 for ; Wed, 26 Mar 2014 21:07:02 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 96AA933FD5C for ; Wed, 26 Mar 2014 21:07:01 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 3DAC7188EF for ; Wed, 26 Mar 2014 21:07:00 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1395868010.e776b21bb7b10d185eeaebb8a97686a932a3b78c.swift@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/SCAP/gentoo-xccdf.xml X-VCS-Directories: xml/SCAP/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: e776b21bb7b10d185eeaebb8a97686a932a3b78c X-VCS-Branch: master Date: Wed, 26 Mar 2014 21:07:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: f6318907-eb32-48ed-804e-a5db8780e8b2 X-Archives-Hash: 100009e3162e9fd235c58289fabd7b23 commit: e776b21bb7b10d185eeaebb8a97686a932a3b78c Author: Sven Vermeulen siphos be> AuthorDate: Wed Mar 26 21:06:50 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Wed Mar 26 21:06:50 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e776b21b Add syslog rules and enhance security/access.conf with an example --- xml/SCAP/gentoo-xccdf.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 4 deletions(-) diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml index d2bf154..5fe590d 100644 --- a/xml/SCAP/gentoo-xccdf.xml +++ b/xml/SCAP/gentoo-xccdf.xml @@ -1,13 +1,13 @@ - - draft + + draft Gentoo Security Benchmark This benchmarks helps people in improving their system configuration to be more resilient against attacks and vulnerabilities. - 20140201.1 + 20140326.1 @@ -355,7 +355,7 @@ - Before startng + Before starting Before starting to deploy Gentoo Linux and start hardening it, it is wise to take a step back and think about what to accomplish. Setting @@ -1244,6 +1244,48 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf + + Syslog service + + + The system logger handles all non-audit related logging generated by applications + and daemons. In order to ensure proper forensic analysis if it would ever be needed, + the system logger should be properly configured. + + + + Configure the system logger to log intervals + + + Have the system logger log every 10 minutes or so. Without interval logging, + administrators might think nothing is wrong although in reality the system + logger is malfunctioning and not writing any log events. + + + + + Enable remote logging + + + If possible, have vital (or all) logs sent to a remote system logger as well. + In home deployments, off-the-shelf (wifi) routers often have a logging daemon + that can receive syslog events. For larger environments, a dedicated centralized + log server is recommended. + + + + + Decide which events to send to user terminals + + + On Linux and Unix systems, events can be sent to user terminals to + make those users immediately aware of what is happening. It is + recommended to send emergency-level events to everyone and have + alerts sent to specific administrative user terminals. + + + + Portage settings @@ -1551,6 +1593,14 @@ tty12 account (say apache) is abused to log on with, or that a new account is created as part of an exploit. + + The following example setting allows only local root logins on tty1, + and only the swift account to log on on the system. + + ++ : root : tty1 +- : ALL EXCEPT swift : ALL + @@ -1731,6 +1781,28 @@ session required pam_unix.so + + Limit capability enabled files + + + Capabilities within Linux allow users to perform certain privileged tasks. + + + Unlike setuid flags, the allowed privileges can be defined + in a more granular approach (although one can still add in all possible + capabilities and thus gain similar privileges as through setuid + binaries). + + + Files with particular capabilities set (through the setcap + application) should be regularly reviewed. Capability-enabled files + can be found through the following command: + + +# getcap -r / + + + Logs only readable by proper group