From e776b21bb7b10d185eeaebb8a97686a932a3b78c Mon Sep 17 00:00:00 2001 From: Sven Vermeulen Date: Wed, 26 Mar 2014 22:06:50 +0100 Subject: Add syslog rules and enhance security/access.conf with an example --- xml/SCAP/gentoo-xccdf.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 4 deletions(-) diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml index d2bf154..5fe590d 100644 --- a/xml/SCAP/gentoo-xccdf.xml +++ b/xml/SCAP/gentoo-xccdf.xml @@ -1,13 +1,13 @@ - - draft + + draft Gentoo Security Benchmark This benchmarks helps people in improving their system configuration to be more resilient against attacks and vulnerabilities. - 20140201.1 + 20140326.1 @@ -355,7 +355,7 @@ - Before startng + Before starting Before starting to deploy Gentoo Linux and start hardening it, it is wise to take a step back and think about what to accomplish. Setting @@ -1244,6 +1244,48 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf + + Syslog service + + + The system logger handles all non-audit related logging generated by applications + and daemons. In order to ensure proper forensic analysis if it would ever be needed, + the system logger should be properly configured. + + + + Configure the system logger to log intervals + + + Have the system logger log every 10 minutes or so. Without interval logging, + administrators might think nothing is wrong although in reality the system + logger is malfunctioning and not writing any log events. + + + + + Enable remote logging + + + If possible, have vital (or all) logs sent to a remote system logger as well. + In home deployments, off-the-shelf (wifi) routers often have a logging daemon + that can receive syslog events. For larger environments, a dedicated centralized + log server is recommended. + + + + + Decide which events to send to user terminals + + + On Linux and Unix systems, events can be sent to user terminals to + make those users immediately aware of what is happening. It is + recommended to send emergency-level events to everyone and have + alerts sent to specific administrative user terminals. + + + + Portage settings @@ -1551,6 +1593,14 @@ tty12 account (say apache) is abused to log on with, or that a new account is created as part of an exploit. + + The following example setting allows only local root logins on tty1, + and only the swift account to log on on the system. + + ++ : root : tty1 +- : ALL EXCEPT swift : ALL + @@ -1731,6 +1781,28 @@ session required pam_unix.so + + Limit capability enabled files + + + Capabilities within Linux allow users to perform certain privileged tasks. + + + Unlike setuid flags, the allowed privileges can be defined + in a more granular approach (although one can still add in all possible + capabilities and thus gain similar privileges as through setuid + binaries). + + + Files with particular capabilities set (through the setcap + application) should be regularly reviewed. Capability-enabled files + can be found through the following command: + + +# getcap -r / + + + Logs only readable by proper group -- cgit v1.2.3-65-gdbad