authorSven Vermeulen <sven.vermeulen@siphos.be>2013-09-19 16:23:06 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2013-09-19 16:23:06 +0200
commit9fbaa6ab52cb7b402e162457f8e0142ed69b271a (patch)
tree71ff111e3605710cad106bcd02d576aef7d49816
parentAdd /tmp test (diff)
downloadhardened-docs-9fbaa6ab52cb7b402e162457f8e0142ed69b271a.tar.gz
hardened-docs-9fbaa6ab52cb7b402e162457f8e0142ed69b271a.tar.bz2
hardened-docs-9fbaa6ab52cb7b402e162457f8e0142ed69b271a.zip
Update on baseline, now working on services
-rw-r--r--xml/SCAP/Makefile2
-rwxr-xr-xxml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh43
-rw-r--r--xml/SCAP/gentoo-oval.xml551
-rw-r--r--xml/SCAP/gentoo-xccdf.xml690
4 files changed, 1107 insertions, 179 deletions
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index fcbf549..3de65fa 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,7 +1,7 @@
all: report.html guide.html remediate.sh #guide.pdf
report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
- oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
+ -oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
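Review bot: The `-` prefix added to the `oscap xccdf eval` recipe makes make ignore every non-zero exit status, not only the "at least one rule failed" case; `oscap` exits 1 when the evaluation itself errors (bad XCCDF/OVAL, missing CPE dictionary), and with this prefix the `report.html` target still succeeds while the report is missing or stale. If the intent is only to tolerate failing rules, restrict the exception to that status, e.g. `oscap xccdf eval ... gentoo-xccdf.xml || [ $$? -eq 2 ]`, and leave real errors fatal. A one-line comment above the recipe stating why the exit status is tolerated (`# oscap exits 2 when a rule fails; that is expected for a report run`) would also help the next reader.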
diff --git a/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh b/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh
new file mode 100755
index 0000000..99ff12c
--- /dev/null
+++ b/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Get CHOST value
+echo "Getting CHOST variable content through portageq.";
+my_chost=$(portageq envvar CHOST);
+if [ -z "${my_chost}" ];
+then
+ echo "-- The portageq command failed. Falling back to glibc build info.";
+ my_chost=$(cat /var/db/pkg/sys-libs/glibc-*/CHOST | tail -1);
+fi
+echo "-- Got CHOST=${my_chost}";
+
+# Get current GCC version
+echo "Getting current GCC version through /etc/env.d/gcc/config-*";
+current_gcc=$(grep CURRENT /etc/env.d/gcc/config-* | sed -e "s:CURRENT=${my_chost}-::g" | sed -e "s:\([0-9\.-r]*\){$,-.*$}:\1:g" );
+echo "-- Got version=${current_gcc}";
+
+# Get type
+echo "Getting compiler type (profile/spec) through its CURRENT= value.";
+current_type=$(grep CURRENT /etc/env.d/gcc/config-* | sed -e "s:CURRENT=${my_chost}-${current_gcc}::g" | sed -e 's:^-::g');
+echo "-- Got type=${current_type}";
+
+echo "Checking USE flags of gcc-${current_gcc} for hardened USE flag.";
+grep -q hardened /var/db/pkg/sys-devel/gcc-${current_gcc}/USE;
+current_hardened_use=$?;
+
+if [ ${current_hardened_use} -ne 0 ];
+then
+ echo "!! GCC ${current_gcc} is not build with USE=hardened!";
+ echo "!! Please enable a hardened profile.";
+ exit ${XCCDF_RESULT_FAIL};
+else
+ echo "-- GCC ${current_gcc} is build with USE=hardened.";
+ if [ -z "${current_type}" ];
+ then
+ echo "-- The default type is used which is a hardened type.";
+ exit ${XCCDF_RESULT_PASS};
+ else
+ echo "!! A non-default type is used: ${current_type}";
+ echo "!! This means not all hardened toolchain measures are enabled.";
+ exit ${XCCDF_RESULT_FAIL};
+ fi
+fi
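Review bot: The three `exit ${XCCDF_RESULT_FAIL}` / `exit ${XCCDF_RESULT_PASS}` lines expand to a bare `exit` whenever the script is run outside an SCE-aware checker (the variables are then unset), and a bare `exit` returns the status of the preceding `echo`, i.e. 0, so a toolchain that is not hardened reports success to any caller other than oscap. Give them a fallback and quote the expansion, `exit "${XCCDF_RESULT_FAIL:-1}"` and `exit "${XCCDF_RESULT_PASS:-0}"`. The `sed` on the `current_gcc=` line also looks suspect: `{$,-.*$}` is not a sed construct, and the bracket expression `[0-9\.-r]` is read as a range from `.` to `r` rather than the literal set 0-9, `.`, `-`, `r`, so the version extraction presumably works only for the common single-config case; `[0-9.r-]` with an explicit anchor would be clearer. Finally, `grep CURRENT /etc/env.d/gcc/config-*` prints a `filename:` prefix as soon as more than one config file exists (several CHOSTs), which neither `sed` strips, so `grep -h` is needed there.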
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 9fa2c1e..4fe52b9 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
- xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
- xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
- xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
- xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
- xsi:schemaLocation="
- http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
- http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
- http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
- http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
- http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+ xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+ xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+ xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+ xsi:schemaLocation="
+ http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
+ http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
+ http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
+ http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
+ http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
<generator>
<oval:product_name>OVAL Gentoo Linux</oval:product_name>
@@ -46,7 +46,7 @@
<reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14559-9"/>
<description>
This definition tests whether the /home location is a separate file
- system.
+ system.
</description>
</metadata>
<criteria operator="AND">
@@ -62,7 +62,7 @@
</affected>
<description>
This definition tests whether the /home partition is mounted with the nosuid
- mount option.
+ mount option.
</description>
</metadata>
<criteria operator="AND">
@@ -79,7 +79,7 @@
</affected>
<description>
This definition tests whether the /home partition is mounted with the nodev
- mount option.
+ mount option.
</description>
</metadata>
<criteria operator="AND">
@@ -97,7 +97,7 @@
<reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
<description>
This definition tests whether the /tmp location is a separate file
- system.
+ system.
</description>
</metadata>
<criteria operator="AND">
@@ -105,7 +105,297 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:6" version="1" class="compliance">
+ <metadata>
+ <title>The /var location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14777-7"/>
+ <description>
+ This definition tests whether the /var location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:7" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14011-1"/>
+ <description>
+ This definition tests whether the /var/log location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:8" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log/audit location must be a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14171-3"/>
+ <description>
+ This definition tests whether the /var/log/audit location is a separate file
+ system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:9" version="1" class="compliance">
+ <metadata>
+ <title>The /var file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /var partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="The /var partition is mounted with nodev mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:10" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /var/log partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="The /var/log partition is mounted with nodev mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:11" version="1" class="compliance">
+ <metadata>
+ <title>The /var/log/audit file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /var/log/audit partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="The /var/log/audit partition is mounted with nodev mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:12" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp file system is mounted with the nodev option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+ <description>
+ This definition tests whether the /tmp partition is mounted with the nodev
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /var/log/audit location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /var/log/audit partition is mounted with nodev mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:13" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp file system is mounted with the nosuid option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14940-1"/>
+ <description>
+ This definition tests whether the /tmp partition is mounted with the nosuid
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="The /tmp partition is mounted with nosuid mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:14" version="1" class="compliance">
+ <metadata>
+ <title>The /dev/shm file system is mounted with the nosuid option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14306-5"/>
+ <description>
+ This definition tests whether the /dev/shm partition is mounted with the nosuid
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="The /dev/shm file system is mounted with nosuid mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:15" version="1" class="compliance">
+ <metadata>
+ <title>The /tmp file system is mounted with the noexec option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14927-8"/>
+ <description>
+ This definition tests whether the /tmp partition is mounted with the noexec
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="The /tmp partition is mounted with noexec mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:16" version="1" class="compliance">
+ <metadata>
+ <title>The /dev/shm file system is mounted with the noexec option</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14703-3"/>
+ <description>
+ This definition tests whether the /dev/shm partition is mounted with the noexec
+ mount option.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="The /dev/shm file system is mounted with nosuid mount option" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:17" version="1" class="compliance">
+ <metadata>
+ <title>The /var/tmp location is on a separate file system</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14584-7"/>
+ <description>
+ This definition tests whether the /var/tmp location is on its own file system.
+ </description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="The /var/tmp location is a separate file system" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:18" version="1" class="compliance">
+ <metadata>
+ <title>The kernel is build with quota support (CONFIG_QUOTA)</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ This definition tests whether the Linux kernel is build with quota support (CONFIG_QUOTA).
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="The Linux kernel is build with CONFIG_QUOTA" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:19" version="1" class="compliance">
+ <metadata>
+ <title>No process matching "telnetd" is running</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-3390-2" />
+ <description>
+ This definition tests if no telnet daemon processes are running.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="No telnet daemons are running" />
+ </criteria>
+ </definition>
+ <definition id="oval:org.gentoo.dev.swift:def:20" version="1" class="compliance">
+ <metadata>
+ <title>No process matching "ftpd" is running</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4273-9" />
+ <description>
+ This definition tests if no FTP daemon processes are running.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:21" comment="No FTP daemons are running" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:21" version="1" class="compliance">
+ <metadata>
+ <title>rc.conf's rc_shell should be set to /sbin/sulogin</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6" />
+ <description>
+ This definition tests if rc_shell in /etc/rc.conf is set to /sbin/sulogin, ensuring
+ that single user boots still require the root password to be provided.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="/etc/rc.conf rc_shell is set to /sbin/sulogin" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:22" version="1" class="compliance">
+ <metadata>
+ <title>Single user definitions in inittab should only refer to '/sbin/rc single' or '/sbin/sulogin'</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6" />
+ <description>
+ This definition tests if /etc/inittab single user login settings only refers
+ to '/sbin/rc single' or '/sbin/sulogin'.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:23" comment="/etc/inittab single user settings refers only to '/sbin/rc single' or '/sbin/sulogin'" />
+ </criteria>
+ </definition>
</definitions>
<tests>
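Review bot: The criterion comments in def:12 (the /tmp nodev definition) still read "/var/log/audit location is on a separate partition" and "/var/log/audit partition is mounted with nodev mount option" although the criteria reference tst:5 and tst:12, the /tmp tests; def:16 has the same copy-paste drift, describing the tst:17 criterion as "nosuid" while the title and the test are about noexec. Since these comments are what shows up next to a failing criterion in the OVAL results and the generated report, a failure would be attributed to the wrong mount point or option; suggested text: `comment="The /tmp location is on a separate partition"`, `comment="The /tmp partition is mounted with nodev mount option"` and `comment="The /dev/shm file system is mounted with noexec mount option"`. The same CCE identifier, CCE-4249-9, is attached to the nodev definitions for /var, /var/log, /var/log/audit and /tmp (def:9 through def:12); that may be intended, but it is worth double-checking against the CCE list since the other definitions each carry a distinct id.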
@@ -145,9 +435,158 @@
<lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5"
version="1" check="all" check_existence="all_exist"
comment="Tests that /tmp is a separate file system">
- <!-- /home partition -->
+ <!-- /tmp partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:6"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var is a separate file system">
+ <!-- /var partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:7"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var/log is a separate file system">
+ <!-- /var/log partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:8"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var/log/audit is a separate file system">
+ <!-- /var/log/audit partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:9"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var is mounted with nodev option">
+ <!-- /var partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:10"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var/log is mounted with nodev option">
+ <!-- /var/log partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:11"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var/log/audit is mounted with nodev option">
+ <!-- /var/log/audit partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:12"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /tmp is mounted with nodev option">
+ <!-- /tmp partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <!-- "nodev" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:13"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /tmp is mounted with nosuid option">
+ <!-- /tmp partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+ <!-- "nosuid" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:14"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /dev/shm is a separate file system">
+ <!-- /dev/shm file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:15"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /dev/shm is mounted with nosuid option">
+ <!-- /dev/shm file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+ <!-- "nosuid" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:16"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /tmp is mounted with noexec option">
+ <!-- /tmp file system -->
<lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+ <!-- "noexec" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
</lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:17"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /dev/shm is mounted with noexec option">
+ <!-- /dev/shm file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+ <!-- "noexec" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+ </lin-def:partition_test>
+
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:18"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /var/tmp is on its own file system">
+ <!-- /var/tmp file system -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:8" />
+ </lin-def:partition_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19"
+ version="1" check="at least one" check_existence="at_least_one_exists"
+ comment="Tests that CONFIG_QUOTA is in the kernel configuration">
+ <!-- The file containing kernel configuration -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" />
+ <!-- Match for "^CONFIG_QUOTA=[ym]" -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+ </ind-def:textfilecontent54_test>
+
+ <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:20"
+ version="1" check="all" check_existence="none_exist"
+ comment="Tests that no telnet daemons are running">
+ <!-- Process matching "telnetd" -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:10" />
+ </unix-def:process58_test>
+
+ <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:21"
+ version="1" check="all" check_existence="none_exist"
+ comment="Tests that no FTP daemons are running">
+ <!-- Process matching "ftpd" -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:11" />
+ </unix-def:process58_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that rc_shell in /etc/rc.conf is set to /sbin/sulogin">
+ <!-- The variable settings in /etc/rc.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12" />
+ <!-- Match for rc_shell=/sbin/sulogin -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+ </ind-def:textfilecontent54_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:23"
+ version="1" check="all" check_existence="at_least_one_exists"
+ comment="Tests that single-user boot only triggers '/sbin/rc single' or '/sbin/sulogin'">
+ <!-- The single-user boot rules in /etc/inittab -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13" />
+ <!-- The '/sbin/rc single' or '/sbin/sulogin' matches -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+ </ind-def:textfilecontent54_test>
+
</tests>
<objects>
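Review bot: tst:12 and tst:13, the /tmp nodev and nosuid tests, reference obj:2 (`<lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />`), while the other /tmp tests in this file, tst:5 and tst:16, reference obj:3, and the objects hunk shows obj:3 with mount point `/tmp`. obj:2 is outside the diff so I cannot confirm which partition it describes, but it is presumably the object of one of the earlier definitions, in which case both /tmp mount-option checks are evaluated against a different file system and will pass or fail for the wrong reason. Change both to `object_ref="oval:org.gentoo.dev.swift:obj:3"` so that the object matches the comment `<!-- /tmp partition -->` directly above it.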
@@ -167,6 +606,64 @@
<lin-def:mount_point>/tmp</lin-def:mount_point>
</lin-def:partition_object>
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:4"
+ version="1" comment="The /var partition">
+ <lin-def:mount_point>/var</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:5"
+ version="1" comment="The /var/log partition">
+ <lin-def:mount_point>/var/log</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:6"
+ version="1" comment="The /var/log/audit partition">
+ <lin-def:mount_point>/var/log/audit</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:7"
+ version="1" comment="The /dev/shm file system">
+ <lin-def:mount_point>/dev/shm</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:8"
+ version="1" comment="The /var/tmp file system">
+ <lin-def:mount_point>/var/tmp</lin-def:mount_point>
+ </lin-def:partition_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9"
+ version="1" comment="The file containing kernel configuration">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^CONFIG_.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:10"
+ version="1" comment="Process matching telnetd in its command name">
+ <unix-def:command_line operation="pattern match">.*[Tt][Ee][Ll][Nn][Ee][Tt][Dd].*</unix-def:command_line>
+ <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+ </unix-def:process58_object>
+
+ <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:11"
+ version="1" comment="Process matching ftpd in its command name">
+ <unix-def:command_line operation="pattern match">.*[Ff][Tt][Pp][Dd].*</unix-def:command_line>
+ <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+ </unix-def:process58_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12"
+ version="1" comment="The /etc/rc.conf variable declarations">
+ <ind-def:filepath>/etc/rc.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*[\S]+[[:space:]]*=[[:space:]]*[\S]+</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13"
+ version="1" comment="The /etc/inittab contents">
+ <ind-def:filepath>/etc/inittab</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[\S]+:S:[\S]+:.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
</objects>
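Review bot: The obj:12 pattern `^[[:space:]]*[\S]+[[:space:]]*=[[:space:]]*[\S]+` also collects commented-out assignments, because `[\S]+` matches `#rc_shell` just as well as `rc_shell`, and the ste:5 text pattern in the states hunk is unanchored, so a commented `#rc_shell=/sbin/sulogin` line satisfies tst:22 ("at least one") and the rule passes although the setting is not active. Excluding comments in the object, e.g. `^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*[\S]+`, and anchoring the state as `^[[:space:]]*rc_shell[[:space:]]*=...` closes that gap. Similarly, obj:10 and obj:11 match `telnetd`/`ftpd` anywhere in the command line, so an administrator running `vi /etc/xinetd.d/telnetd` (constructed example) is reported as a running telnet daemon; anchoring on the executable token, for example `^(\S*/)?(in\.)?telnetd(\s|$)`, limits the match to the program name, and if the OVAL interpreter honours PCRE's `(?i)` flag it reads better than the per-letter bracket spelling — that last part is unverified here. The obj:9 check reads `/usr/src/linux/.config`, which reflects whatever the `/usr/src/linux` symlink points at rather than the running kernel; a short comment noting that assumption would be useful.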
<states>
@@ -181,6 +678,26 @@
<lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
</lin-def:partition_state>
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:3"
+ version="1" comment="The file system is mounted with the noexec mount option">
+ <lin-def:mount_options entity_check="at least one">noexec</lin-def:mount_options>
+ </lin-def:partition_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4"
+ version="1" comment="Matching ^CONFIG_QUOTA=[ym]">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">^CONFIG_QUOTA=[ym]</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5"
+ version="1" comment="Matching rc_shell=/sbin/sulogin">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6"
+ version="1" comment="Single user boot lines may only match '/sbin/rc single' or '/sbin/sulogin'">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
</states>
<!--
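Review bot: The ste:6 pattern `su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)` is unanchored at both ends, so a line such as `su0:S:wait:/sbin/sulogin; /bin/sh` (constructed example) still matches, while at the same time obj:13 collects any `<id>:S:<action>:` line but the state only accepts ids of the form `su<digits>`, so a valid `s1:S:wait:/sbin/sulogin` entry fails the check. Using the same id pattern in both and terminating the alternative keeps object and state in step, e.g. `^[\S]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)([[:space:]]+[^;&|]*)?$`, which tolerates plain arguments but not chained commands. The ste:5 rc_shell pattern has the same missing start anchor; see the note on the objects hunk.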
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 39af64c..bc6d977 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -8,6 +8,9 @@
</description>
<platform idref="cpe:/o:gentoo:linux"/>
<version>20130917.1</version>
+ <model system="urn:xccdf:scoring:default" />
+ <model system="urn:xccdf:scoring:flat" />
+ <model system="urn:xccdf:scoring:flat-unweighted" />
<Profile id="xccdf_org.gentoo.dev.swift_profile_intensive" extends="xccdf_org.gentoo.dev.swift_profile_default">
<title>Intensive validation profile</title>
<description>
@@ -26,13 +29,48 @@
</description>
<!-- The /tmp location is a separate file system -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
+ <!-- The /var location is a separate file system -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="true" />
+ <!-- The /var/log location is a separate file system -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="true" />
+ <!-- The /var/log/audit location is a separate file system -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="true" />
<!-- The /home location is a separate file system -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
- <!-- The /home partition is mounted with nosuid -->
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+ <!-- The /var/tmp location is a separate file system -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="true" />
+ <!-- The /var partition is mounted with nodev -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="true" />
+ <!-- The /var/log partition is mounted with nodev -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
+ <!-- The /var/log/audit partition is mounted with nodev -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
<!-- The /home partition is mounted with nodev -->
<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
-
+ <!-- The /tmp partition is mounted with nodev -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
+ <!-- The /tmp partition is mounted with nosuid -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="true" />
+ <!-- The /home partition is mounted with nosuid -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+ <!-- The /dev/shm partition is mounted with nosuid -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="true" />
+ <!-- The /tmp partition is mounted with noexec -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="true" />
+ <!-- The /dev/shm partition is mounted with noexec -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
+ <!-- The hardened toolchain must be installated and used -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
+ <!-- Kernel quota support must be enabled -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
+ <!-- No telnetd process is running -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="true" />
+ <!-- No ftpd process is running -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="true" />
+ <!-- sulogin is used as shell for single user boot (definition /etc/rc.conf) -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="true" />
+ <!-- sulogin is used as shell for single user boot (definition /etc/inittab) -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="true" />
</Profile>
<Group id="xccdf_org.gentoo.dev.swift_group_intro">
<title>Introduction</title>
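Review bot: The comment on the toolchain select contains a typo, `installated`; it should read `<!-- The hardened toolchain must be installed and used -->`. Several of the newly selected idrefs (telnetd-notrunning, ftpd-notrunning, rcconf-sulogin, inittab-sulogin) have no matching `<Rule>` in the hunks of this commit; if they are not defined elsewhere in the benchmark, `oscap` will reject the profile as referring to unknown items, so it is worth confirming the rules exist before this profile is shipped. The removal and re-addition of the partition-home-nosuid select is a pure reorder and needs no action.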
@@ -155,6 +193,84 @@
Substitute the profile information in the commands above with the required profile.
</description>
</Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-weights">
+ <title>About the rule weights</title>
+ <description>
+ Within this guide, weights are assigned to tests to give some importance to
+ the rule (higher weight is more important) as well as a severity.
+ <h:br />
+ <h:br />
+ The severity is one of the following:
+ <h:ul>
+ <h:li>
+ <h:em>high</h:em> constitutes a grave or critical problem. A rule with this severity
+ <h:em>MUST</h:em> be tackled as it detected a misconfiguration that is easily
+ exploitable and could lead to full system compromise.
+ </h:li>
+ <h:li>
+ <h:em>medium</h:em> reflects a fairly serious problem. A rule with this severity
+ <h:em>SHOULD</h:em> be tackled as it detected a misconfiguration that is easily
+ exploitable.
+ </h:li>
+ <h:li>
+ <h:em>low</h:em> reflects a non-serious problem. A rule with this severity
+ has detected a misconfiguration but its influence on the overall system security
+ is minor (if other compliance rules are followed).
+ </h:li>
+ <h:li>
+ <h:em>info</h:em> reflects an informational rule. Failure to comply with this rule
+ does not mean failure to comply with the document itself.
+ </h:li>
+ </h:ul>
+ It is important to understand though that rules with a low severity can still lead to
+ grave security problems if they are not met. Chaining of vulnerabilities or
+ misconfiguration can still lead to full system compromise.
+ <h:br />
+ <h:br />
+ For this reason, weights are added to rules as well. A higher weight has a more
+ severe potential impact.
+ <h:br />
+ <h:br />
+ Weights are the CVSS score that the author assumes is the case for a misconfiguration.
+ They are calculated by NVD's CVSS calculator. Each rule is scored individually; a
+ "chain" of misconfigurations might lead to a significantly higher issue, but this would
+ make it very hard to make proper scoring.
+ <h:br />
+ <h:br />
+ As an example, take the rule that says <h:code>/var</h:code> has to be on its own
+ partition. The metrics we fill in in the calculator are currently based on the risk
+ that the root file system is filled (no more free space), which can halt the system.
+ <h:ul>
+ <h:li>
+ The <h:em>related exploit range</h:em> (access vector) is "Local", because this is
+ by itself not exploitable remotely - unless of course certain services are running
+ that can fill up <h:code>/var</h:code>, but we do not take such assumptions.
+ </h:li>
+ <h:li>
+ The <h:em>attack complexity</h:em> (access complexity) is "Low", as all that is
+ needed is a local account and we can find the necessary ways to fill up
+ <h:code>/var</h:code>.
+ </h:li>
+ <h:li>
+ The <h:em>level of authentication needed</h:em> (authentication) is "Single"
+ as the attacker needs one authentication step (local access) to exploit.
+ </h:li>
+ <h:li>
+ The <h:em>confidentiality impact</h:em> is "None" (no data leakage)
+ </h:li>
+ <h:li>
+ The <h:em>integrity impact</h:em> is "None" (no data manipulation)
+ </h:li>
+ <h:li>
+ The <h:em>availability impact</h:em> is "Complete" (system crash or halt).
+ </h:li>
+ </h:ul>
+ This results in the CVSS base score of 4.6. The environmental score metrics and
+ temporal score metrics are ignored as those are too specific for environments
+ and organizations.
+ </description>
+ <reference href="https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2">NVD CVSS calculator</reference>
+ </Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
<title>Before we start</title>
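Review bot: The new intro-weights group explains that weights are CVSS base scores, but it does not tell readers what a weight of `0.0` means, even though several rules later in this commit (tmp-noexec, devshm-noexec, installation-toolchain-hardened) carry that value with the rationale only in XML comments, which are not rendered in the generated guide. A sentence such as `A weight of 0.0 marks a rule whose violation is not exploitable by itself but is an enabler for other attacks; such rules still carry a severity and should still be addressed.` after the paragraph on weights would close that gap. The worked /var example is consistent with the 4.6 score it quotes for AV:L/AC:L/Au:S/C:N/I:N/A:C.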
@@ -279,7 +395,7 @@
</description>
<reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
Standard</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
<title>Separate file systems for important locations</title>
<description>
Having a separate file system for important locations has several advantages, but
@@ -331,11 +447,42 @@
<h:li>
<h:code>/tmp</h:code> as this is a world-writable location and requires
specific mount options. When possible, this location can be made a
- <h:em>tmpfs</h:em> file system.
+ <h:em>tmpfs</h:em> file system. This is to protect the root file system
+ from being flooded.
+ </h:li>
+ <h:li>
+ <h:code>/var</h:code> as this contains variable data (and thus is prone
+ to grow extensively depending on the installed services). This is to protect
+ the root file system from being flooded.
+ </h:li>
+ <h:li>
+ <h:code>/var/log</h:code> as this contains logging data (and thus is prone
+ to grow extensively depending on the services). This is to protect the
+ <h:code>/var</h:code> file system from being flooded, as this might impact
+ various services (like databases, web servers, etc.).
+ </h:li>
+ <h:li>
+ <h:code>/var/log/audit</h:code> as this contains (potentially sensitive)
+ logging data. Some services refuse to continue if the audit target location
+ is full. Having the location separate from <h:code>/var/log</h:code> protects
+ the audit file system when <h:code>/var/log</h:code> would be flooded.
+ </h:li>
+ <h:li>
+ <h:code>/home</h:code> as this is completely under the control of end users.
+ It needs to be mounted with more secure settings (more about that later) and
+ should be separate both to protect the root file system, but also to allow
+ the <h:code>/home</h:code> location to be either shared or used elsewhere.
+ </h:li>
+ <h:li>
+ <h:code>/var/tmp</h:code> which is a "second" <h:code>/tmp</h:code> location,
+ but where the content is preserved after a reboot. Still, it is world-writable
+ and requires specific mount options, and should be on a different file system
+ to prevent <h:code>/var</h:code> to be flooded which might impact the
+ availability of services.
</h:li>
</h:ul>
</description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false">
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false" severity="medium" weight="4.6">
<title>Test if /tmp is a separate file system</title>
<fixtext>
Create a file system for <h:code>/tmp</h:code>; make sure it is added in
@@ -345,72 +492,60 @@
<check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" />
</check>
</Rule>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
- <title>/home Location</title>
- <description>
- The <h:code>/home</h:code> location should be on its own partition,
- allowing the administrator to mount this location with specific
- options targetting the file systems' security settings or quota. It
- also prevents the system to become unresponsive when a user starts
- filling up his home directory, although quota support can be used
- to mitigate this risk as well.
- <h:br />
- <h:br />
- Next to the separate file system, it should also be mounted with
- the <h:em>nosuid</h:em> mount option. When a vulnerability in a
- software, or a rogue user, would somehow place a setuid binary in
- this home directory in order to create a simple backdoor to gain
- root privileges, this mount option disables the setuid ability.
- <h:br />
- <h:br />
- There is also no reason for the <h:code>/home</h:code> location to
- contain any device files, so mount it with <h:em>nodev</h:em> too.
- If an attacker would somehow be able to create sensitive device files
- with the rights for him to read/write to those device files, then he
- might be able to impact the system security.
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false">
- <title>Test if /home is a separate partition</title>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="false" severity="medium" weight="4.6">
+ <title>Test if /var is a separate file system</title>
<fixtext>
- Create a file system for the user home files and mount it at <h:code>/home</h:code>
- after migrating the users' files to it.
+ Create a file system for <h:code>/var</h:code>; make sure it is added in
+ the <h:code>/etc/fstab</h:code> file and reboot the system.
</fixtext>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="gentoo-oval.xml" />
</check>
</Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false">
- <title>Test if /home is mounted with nosuid</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
- <!-- TODO can we put in multiple fixes? I would like to add in one
- that asks the user (not automatically) to update fstab -->
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
-mount -o remount,nosuid /home
- </fix>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="false" severity="low" weight="2.1">
+ <title>Test if /var/log is a separate file system</title>
+ <fixtext>
+ Create a file system for <h:code>/var/log</h:code>; make sure it is added in
+ the <h:code>/etc/fstab</h:code> file and reboot the system.
+ </fixtext>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="gentoo-oval.xml" />
</check>
</Rule>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false">
- <title>Test if /home is mounted with nodev</title>
- <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
- <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
- system="urn:xccdf:fix:system:commands"
- platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
-mount -o remount,nodev /home
- </fix>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="false" severity="low" weight="2.1">
+ <title>Test if /var/log/audit is a separate file system</title>
+ <fixtext>
+ Create a file system for <h:code>/var/log/audit</h:code>; make sure it is added in
+ the <h:code>/etc/fstab</h:code> file and reboot the system.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false" severity="medium" weight="4.6">
+ <title>Test if /home is a separate file system</title>
+ <fixtext>
+ Create a file system for <h:code>/home</h:code>; make sure it is added in
+ the <h:code>/etc/fstab</h:code> file and reboot the system.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="false" severity="low" weight="2.1">
+ <title>Test if /var/tmp is a separate file system</title>
+ <fixtext>
+ Create a file system for <h:code>/var/tmp</h:code>; make sure it is added in
+ the <h:code>/etc/fstab</h:code> file and reboot the system.
+ </fixtext>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="gentoo-oval.xml" />
</check>
</Rule>
</Group>
</Group>
</Group>
- <!--
- <Group id="gt-installation-toolchain">
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation-toolchain">
<title>Use a Hardened Toolchain</title>
<description>
When you install Gentoo, use the hardened stages and hardened toolchain.
@@ -418,12 +553,25 @@ mount -o remount,nodev /home
support for non-executable program stacks and buffer overflow detection.
<h:br />
<h:br />
+ <h:ul>
+ <h:li>
+ <h:em>Position Independent Executables (PIE)</h:em> and <h:em>Position Independent
+ Code (PIC)</h:em> implements a memory hardening approach where the application
+ (or library), when loaded to memory, does not have hard requirements where in
+ memory it is loaded. Together with ASLR this makes it more difficult for exploits
+ to know at which memory region certain data will be available.
+ </h:li>
+ <h:li>
+ <h:em>Stack Smashing Protection (SSP)</h:em> adds markers outside buffer areas
+ to detect buffer overflow attacks, killing the application rather than effectively
+ having the overflow succeed.
+ </h:li>
+ </h:ul>
During installation, make sure that the <h:em>default</h:em> hardened
toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
those are toolchains where specific settings are disabled. The
<h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
- <h:pre>
-# <h:b>gcc-config -l</h:b>
+ <h:pre># <h:b>gcc-config -l</h:b>
[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref
@@ -431,7 +579,19 @@ mount -o remount,nodev /home
[5] x86_64-pc-linux-gnu-4.4.5-hardenednossp
[6] x86_64-pc-linux-gnu-4.4.5-vanilla</h:pre>
</description>
- </Group>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="false" severity="low" weight="0.0">
+ <title>Test if the hardened toolchain is used</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened">
+ Use a hardened Gentoo profile and select the default compiler (not vanilla
+ nor any of the hardenedno* ones).
+ </fixtext>
+ <check system="http://open-scap.org/page/SCE">
+ <check-import import-name="stdout" />
+ <check-content-ref href="bin/gentoo-sce_installation-toolchain-hardened.sh" />
+ </check>
+ </Rule>
+ </Group> <!-- installation-toolchain -->
+ <!--
<Group id="gt-installation-selinux">
<title>Use a Mandatory Access Control system</title>
<description>
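Review bot: The new installation-toolchain-hardened rule has `fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened"` but no `<fix>` element with that id, unlike the mount-option rules which pair every fixref with a fix; a dangling fixref fails XCCDF consistency checks and yields a guide with a reference to nothing. Either drop the `fixref` attribute (the fixtext is manual guidance anyway) or add the matching `<fix>`. The same dangling-fixref pattern appears on the kernel-quota rule further down in this file, whose fixtext points at `xccdf_org.gentoo.dev.swift_fix_kernel-quota`. The SCE check is referenced by a relative `href` to `bin/...`, so the rule only resolves when oscap is run from the directory the Makefile uses; a comment stating that assumption would save the next person a failed run.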
@@ -452,84 +612,231 @@ mount -o remount,nodev /home
<reference href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux project page</reference>
</Group>
-->
- </Group>
- <!--
- <Group id="gt-system">
- <title>System Settings</title>
+ </Group> <!-- installation -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system">
+ <title>System settings</title>
<description>
- Within this chapter, we describe the (recommended) settings that can be
- adjusted relatively easily, even when a Gentoo installation has already
- been performed. This is the bulk of the security settings.
+ Within this chapter, the (recommended) settings that can be adjusted relatively easily
+ are presented, even when a Gentoo installation has already been performed. This is the
+ bulk of the security settings.
</description>
- <Group id="gt-system-mounts">
- <title>Mounts and Mount Points</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs">
+ <title>File system related settings</title>
<description>
- When mounting file systems, options can be presented that add or remove
- features from the mount point. Some of these options can be used to
- restrict actions taken or originating from the file system.
- <h:br />
- <h:br />
- Mount options can be set in <h:code>/etc/fstab</h:code> in the fourth column.
- <h:pre>
-# <h:b>vim /etc/fstab</h:b>
-[...]
-tmpfs /tmp tmpfs defaults<h:b>,nosuid,noexec,nodev</h:b> 0 0</h:pre>
- <h:br />
- Important mount options that are used later are:
- <h:ul>
- <h:li>
- <h:code>nosuid</h:code> will ignore SUID bits on binaries. If such
- a binary is encountered, it is executed as if it did not have the SUID
- bit set.
- </h:li>
- <h:li>
- <h:code>noexec</h:code> will prevent direct execution of files or
- binaries from this partition.
- </h:li>
- <h:li>
- <h:code>nodev</h:code> will ignore device files in this partition.
- </h:li>
- </h:ul>
- <h:br />
- Even though these mount options can be worked around, it is a first line
- of defence against popular exploits and worms.
+ Servers and systems are about manipulating data. In this chapter, the security settings
+ for file systems are explained.
</description>
- <Group id="gt-system-mounts-tmp">
- <title>Temporary Files</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
+ <title>Appropriate mount options for the file systems</title>
<description>
- The <h:code>/tmp</h:code> location is world writable, allowing for
- any service to put temporary files in it that are required during
- service operation.
+ Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
+ This mount option ensures that device files are not allowed on these file systems
+ (and if they are there, they are ignored by the Linux kernel for any device
+ operation).
<h:br />
<h:br />
- This location should be a tmpfs file system (so that its content is
- cleared during shut down or reboot) and mounted with nosuid,noexec and
- nodev mount options (to reduce the impact when an exploit is attempted from
- within this location).
- <h:pre>
-tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev 0 0</h:pre>
- Also, the location must have the sticky bit set (cfr the trailing 't' in the
- output of <h:b>ls -ld</h:b>).
- <h:pre>
-# <h:b>ls -ld /tmp</h:b>
-drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
- Of course, using <h:code>tmpfs</h:code> does not give you freedom nor a
- secure means to write security sensitive information in <h:code>/tmp</h:code>.
- </description>
- </Group>
- <Group id="gt-system-mounts-home">
- <title>Home Directories</title>
- <description>
- The <h:code>/home</h:code> location is used to host end user files.
- To reduce the risk of an exploit being launched, it is adviseable to
- mount this partition with the <h:code>nosuid,nodev</h:code> mount options.
+ Having device files on non-root file systems could allow unauthorized people access
+ to sensitive data (for instance when having a readable raw disk device files) or
+ even manipulate the system.
<h:br />
- <h:pre>
-/dev/mapper/volgrp-home /home ext4 noatime,nosuid,nodev,data=journal 0 2</h:pre>
+ <h:br />
+ The privilege to create special device files (beyond regular sockets) such as
+ character and block device files is handled through the CAP_MKNOD capability
+ which is not granted to regular users. As such, the risk is when more privileged
+ users or processes are tricked to create such device files.
+ <h:br />
+ <h:br />
+ This setting is appropriate for file systems such as (non-exhaustive list):
+ <h:ul>
+ <h:li>
+ <h:code>/var</h:code> (as it is recommended to be a separate file system)
+ </h:li>
+ <h:li>
+ <h:code>/var/log</h:code> (as it is recommended to be a separate file system)
+ </h:li>
+ <h:li>
+ <h:code>/var/log/audit</h:code> (as it is recommended to be a separate file system)
+ </h:li>
+ <h:li>
+ <h:code>/home</h:code> (as it is recommended to be a separate file system)
+ </h:li>
+ <h:li>
+ <h:code>/tmp</h:code> (as it is recommended to be a separate file system)
+ </h:li>
+ </h:ul>
+ Specific file systems should also be mounted with the <h:em>nosuid</h:em> mount
+ option. This prevents setuid binaries to run as a different user when hosted
+ on this file system. As there are several locations where setuid binaries might
+ be needed, this only affects particular file systems:
+ <h:ul>
+ <h:li>
+ The <h:code>/tmp</h:code> file system should not be used for setuid binaries
+ as this is a world-writable location and often target storage for attacks.
+ </h:li>
+ <h:li>
+ The <h:code>/home</h:code> file system should not be used for setuid binaries
+ as this is the home location for non-root users.
+ </h:li>
+ <h:li>
+ The <h:code>/dev/shm</h:code> file system should not be used for any binaries
+ (shared memory region).
+ </h:li>
+ </h:ul>
+ Specific file systems should also be mounted with the <h:em>noexec</h:em> mount
+ option. This prevents some automated attacks to execute certain payload (exploits)
+ from these locations.
+ <h:br />
+ <h:br />
+ This is just one of the many "layers" though, as executing payload can still be
+ done using different methods. For instance, scripts can be invoked through the
+ shell itself (rather than directly) and in the past, binaries could even be
+ executed through the <h:code>ld-linux.so</h:code> binary (although this has
+ been fixed).
+ <h:br />
+ <h:br />
+ File systems for which <h:em>noexec</h:em> is recommended are:
+ <h:ul>
+ <h:li>
+ The <h:code>/tmp</h:code> file system as it is a popular target to store exploit
+ code in.
+ </h:li>
+ <h:li>
+ The <h:code>/dev/shm</h:code> file system as it is meant as a shared memory
+ location and is becoming a popular target to store exploit code in.
+ </h:li>
+ </h:ul>
</description>
- </Group>
- <Group id="gt-system-mounts-quotas">
- <title>Quota's</title>
+ <!-- CVSS2 AV:L/Au:M/C:C/I:C/A:C (high complexity as device node needs
+ to be created first and is then only exploitable after local access.
+ Multiple authentication (one to create device file, one to log on)
+ -->
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="false" severity="low" weight="5.9">
+ <title>Test if /var is mounted with nodev</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev">Mount /var with nodev mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="false" severity="low" weight="5.9">
+ <title>Test if /var/log is mounted with nodev</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev">Mount /var/log with nodev mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var/log
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="false" severity="low" weight="5.9">
+ <title>Test if /var/log/audit is mounted with nodev</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev">Mount /var/log/audit with nodev mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var/log/audit
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false" severity="low" weight="5.9">
+ <title>Test if /home is mounted with nodev</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /home
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <!-- Higher severity due to more best practices and world writeable,
+ also more likely that exploit of process is done towards /tmp -->
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="false" severity="medium" weight="5.9">
+ <title>Test if /tmp is mounted with nodev</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev">Mount /tmp with nodev mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /tmp
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="false" severity="medium" weight="5.9">
+ <title>Test if /tmp is mounted with nosuid</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid">Mount /tmp with nosuid mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /tmp
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false" severity="low" weight="5.9">
+ <title>Test if /home is mounted with nosuid</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /home
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="false" severity="medium" weight="5.9">
+ <title>Test if /dev/shm is mounted with nosuid</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid">Mount /dev/shm with nosuid mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /dev/shm
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <!-- Weight is 0 as this is a means to exploit, not exploitable by
+ itself -->
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="false" severity="medium" weight="0.0">
+ <title>Test if /tmp is mounted with noexec</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec">Mount /tmp with noexec mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,noexec /tmp
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="false" severity="medium" weight="0.0">
+ <title>Test if /dev/shm is mounted with noexec</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with nosuid mount option</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,noexec /dev/shm
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ </Group> <!-- system-fs-mountoptions -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-quotas">
+ <title>Disk quota support</title>
<description>
Most file systems support the notion of <h:em>quotas</h:em> - limits
on the amount of data / files you are allowed to have on that
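Review bot: The fixtext of the partition-devshm-noexec rule says `Mount /dev/shm with nosuid mount option`, which contradicts the rule title and its fix command; it should read `<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with noexec mount option</fixtext>`. The CVSS comment above the nodev rules lists the vector as `AV:L/Au:M/C:C/I:C/A:C` but the 5.9 weight and the prose ("high complexity") correspond to AC:H, so the vector string should include `AC:H` to match the score it justifies. The `mount -o remount,...` fixes only change the running system; since the guide text elsewhere points to /etc/fstab, a short note in each fixtext that the option must also be added to fstab to survive a reboot would make the remediation complete.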
@@ -541,15 +848,13 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
<h:br />
<h:br />
Next, install the <h:code>sys-fs/quota</h:code> package.
- <h:pre>
-# <h:b>emerge quota</h:b></h:pre>
+ <h:pre># <h:b>emerge quota</h:b></h:pre>
Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
the partitions (in <h:code>/etc/fstab</h:code>) where you want to
enable quotas on. For instance, the following snippet from
<h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
and <h:code>/home</h:code>.
- <h:pre>
-/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
+ <h:pre>/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0
/dev/mapper/volgrp-var /var ext4 noatime,<h:b>usrquota,grpquota</h:b> 0 0
</h:pre>
Finally, add the <h:code>quota</h:code> service to the boot runlevel.
@@ -563,10 +868,17 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
Disk Usage with Quotas (LinuxHomeNetworking)</reference>
<reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
- </Group>
- </Group>
- <Group id="gt-system-services">
- <title>Services</title>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="false" severity="low" weight="1.7">
+ <title>Test if the kernel supports quota (CONFIG_QUOTA)</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_kernel-quota">Rebuild the Linux kernel with quota support (CONFIG_QUOTA)</fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ </Group> <!-- system-fs-quotas -->
+ </Group> <!-- system-fs -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
+ <title>System services</title>
<description>
Services (daemons) are the primary reason for a server to exist.
They represent the function of the server. For instance, a web server
@@ -574,20 +886,20 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
named service.
<h:br />
<h:br />
- In this benchmark, we will only focus on those services that are either
+ In this benchmark, the focus is on those services that are either
default available on a Gentoo installation (like SSHd) or that are
commonly used in Gentoo server architectures (like rsync). For the other
- services, we refer to other benchmarks.
+ services it is wise to consult other hardening guides specific for those
+ services.
</description>
<reference href="http://www.cisecurity.org">Center for Internet Security,
host of many service benchmarks</reference>
- <Group id="gt-system-services-disable">
- <title>Disable Unsafe Services</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-disable">
+ <title>Disable unsafe services</title>
<description>
- We recommend not to enable the following services unless absolutely
- necessary. These services use plain-text protocols and as thus unsafe
- to use on untrusted networks (like the Internet, but also internal
- networks).
+ It is recommended to disable (or even uninstall) the following services unless
+ absolutely necessary. These services use plain-text protocols and are as such unsafe
+ to use on (untrusted) networks.
<h:ul>
<h:li>Telnet service</h:li>
<h:li>FTP Service</h:li>
@@ -596,25 +908,76 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre>
It is recommended to substitute these services with their more secure
counterparts (like sFTP, SSH, ...).
</description>
+ <!-- Max score: password in clear text and your system is compromised (if it is root) -->
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="false" severity="high" weight="10.0">
+ <title>Test if no telnet daemons are running</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning">Stop telnet services</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+for service in /etc/init.d/*telnet*; do test -f ${service} &amp;&amp; run_init rc-service ${service##*/} stop; done
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <!-- Partial breach, assuming accounts are not system accounts -->
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="false" severity="medium" weight="7.5">
+ <title>Test if no FTP daemons are running</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning">Stop FTPd services</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+for service in /etc/init.d/*ftp*; do test -f ${service} &amp;&amp; run_init rc-service ${service##*/} stop; done
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
- <Group id="gt-system-services-sulogin">
- <title>Require Single-User Boot to Give Root Password</title>
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-sulogin">
+ <title>Require single-user boot to give root password</title>
<description>
When a system is booted in single user mode, some users might find it
- handy to immediately get a root prompt; others even have a specific
+ handy to immediately get a root prompt; many even have a specific
bootloader entry to boot in single user mode.
<h:br />
<h:br />
It is important that, for a more secure server environment, even
booting in single user mode requires the user to enter the root
- password. This is already done by default in Gentoo and is part of
- <h:code>/etc/inittab</h:code>'s definition:
- <h:pre>
-su0:S:wait:/sbin/rc single
+ password. This is already done by default in Gentoo through the
+ <h:code>rc_shell</h:code> variable in <h:code>/etc/rc.conf</h:code>.
+ <h:br />
+ <h:br />
+ Administrators should also make sure that no direct shells are provided
+ in <h:code>/etc/inittab</h:code> for single-user mode. Gentoo's
+ <h:code>/etc/inittab</h:code> definition should look like so:
+ <h:pre>su0:S:wait:/sbin/rc single
<h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre>
</description>
+ <!-- CVSS2: AV:L/AC:H/Au:S/C:C/I:C/A:C (high attack complexity due to console access) -->
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="false" severity="medium" weight="6.0">
+ <title>Test if sulogin is used for single-user boot (/etc/rc.conf)</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin">Set /sbin/sulogin for rc_shell</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:21" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
+ <title>Test if sulogin is used for single-user boot (/etc/inittab)</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">Set /sbin/sulogin or '/sbin/rc single' for single-user boot</fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+
</Group>
- <Group id="gt-system-services-tcpwrappers">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-tcpwrappers">
<title>Properly Configure TCP Wrappers</title>
<description>
With TCP wrappers, services that support TCP wrappers (or those
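Review bot: The rcconf-sulogin fix only rewrites an already-uncommented `rc_shell=` assignment, so on a host where the variable is absent or present only as a commented-out default the sed is a silent no-op and the check keeps failing after "remediation"; matching the commented form and appending when nothing matched would make it converge, e.g. `sed -i -e 's:^#\?rc_shell=.*:rc_shell="/sbin/sulogin":' /etc/rc.conf` followed by `grep -q '^rc_shell=' /etc/rc.conf || echo 'rc_shell="/sbin/sulogin"' >> /etc/rc.conf`. The telnetd-notrunning and ftpd-notrunning fixes only stop the daemon, so without an accompanying `rc-update del ${service##*/}` the service comes back on the next boot and the rule passes only until then. Those loops also appear to depend on `run_init`, which is an SELinux utility, while the fix is declared for the generic `cpe:/o:gentoo:linux` platform; falling back to plain `rc-service` when `run_init` is unavailable, or narrowing the platform, would keep the remediation portable.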
@@ -628,7 +991,7 @@ su0:S:wait:/sbin/rc single
<h:b>man 5 hosts_access</h:b>.
</description>
</Group>
- <Group id="gt-system-services-ssh">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
<title>SSH Service</title>
<description>
The SSH service is used for secure remote access towards a system, but
@@ -639,13 +1002,13 @@ su0:S:wait:/sbin/rc single
Please use the "Hardening OpenSSH" guide for the necessary instructions.
</description>
</Group>
- <Group id="gt-system-services-cron">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
<title>Cron Service</title>
<description>
A cron service is used to schedule tasks and processes on predefined
times. Cron is most often used for regular maintenance tasks.
</description>
- <Group id="gt-system-services-cron-acl">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
<title>Only Allow Trusted Accounts Cron Access</title>
<description>
Only allow trusted accounts to use cron. You should list trusted
@@ -653,14 +1016,14 @@ su0:S:wait:/sbin/rc single
</description>
</Group>
</Group>
- <Group id="gt-system-services-at">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at">
<title>At Service</title>
<description>
The at service allows users to execute a task once on a given time.
Unlike cron, this is not scheduled repeatedly - once executed, the
task is considered completed and at will not invoke it again.
</description>
- <Group id="gt-system-services-at-acl">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
<title>Only Allow Trusted Accounts At Access</title>
<description>
Only allow trusted accounts to use at. You should list trusted
@@ -668,7 +1031,7 @@ su0:S:wait:/sbin/rc single
</description>
</Group>
</Group>
- <Group id="gt-system-services-ntp">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
<title>NTP Service</title>
<description>
With NTP, systems can synchronise their clocks, ensuring correct date
@@ -676,7 +1039,7 @@ su0:S:wait:/sbin/rc single
cause misinterpretation of log files or even unwanted execution of
commands.
</description>
- <Group id="gt-system-services-ntp-sync">
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
<title>Synchronise The System Clock</title>
<description>
Synchronise your systems' clock with an authorative NTP server, and
@@ -690,6 +1053,11 @@ su0:S:wait:/sbin/rc single
</Group>
</Group>
</Group>
+ </Group> <!-- system -->
+ <!--
+ <Group id="gt-system-services">
+
+ </Group>
<Group id="gt-system-portage">
<title>Portage Settings</title>
<description>
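Review bot: The `<!--` opened just before the new `gt-system-services` stub has no matching `-->` within this hunk, so the comment apparently runs on into the still-unconverted `gt-system-portage` group and whatever follows it. An XML 1.0 comment may not contain the string `--`, so if any part of the commented-out region holds other comments (the converted sections above use them freely) the document stops being well-formed and any conformant parser, oscap included, will reject it; the Makefile change that prefixes the eval with `-` would then mask that failure rather than surface it. A more robust interim for the unconverted groups is to keep them live with `selected="false"` or move them to a separate file until they are migrated to the new id scheme.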