-rw-r--r-- | xml/SCAP/.gitignore | 3 | ||||
-rw-r--r-- | xml/SCAP/Makefile | 13 | ||||
-rw-r--r-- | xml/SCAP/gentoo-oval.xml | 62 | ||||
-rw-r--r-- | xml/SCAP/gentoo-xccdf.xml | 446 |
4 files changed, 347 insertions, 177 deletions
diff --git a/xml/SCAP/.gitignore b/xml/SCAP/.gitignore
index f943490..d62a6b5 100644
--- a/xml/SCAP/.gitignore
+++ b/xml/SCAP/.gitignore
@@ -3,3 +3,6 @@ report.html
 gentoo-oval.xml.result.xml
 results-xccdf.xml
 remediate.sh
+guide.docbook
+guide.fo
+guide.pdf
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index ac0b4e2..fcbf549 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,4 +1,4 @@
-all: report.html guide.html remediate.sh
+all: report.html guide.html remediate.sh #guide.pdf
 
 report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
 	oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
@@ -6,6 +6,15 @@ report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
 guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
 	oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
 
+guide.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
+	oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --format docbook --output guide.docbook gentoo-xccdf.xml
+
+guide.fo: guide.docbook
+	xsltproc --output guide.fo --stringparam paper.type A4 /usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl guide.docbook
+
+guide.pdf: guide.fo
+	fop guide.fo guide.pdf
+
 remediate.sh: results-xccdf.xml
 	oscap xccdf generate fix --output remediate.sh results-xccdf.xml
 	chmod 0644 remediate.sh
@@ -14,6 +23,6 @@ eval:
 	oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml
 
 clean:
-	-rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh
+	-rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh guide.docbook guide.pdf guide.fo
 
 .PHONY: all eval clean
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index b520353..9fa2c1e 100644
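Review bot: The guide.fo recipe hard-codes the stylesheet path /usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl, which is installation-specific and is presumably why guide.pdf had to be commented out of `all`; hoisting it into an overridable variable, `DOCBOOK_FO_XSL ?= /usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl`, lets a user point at their own copy without editing the recipe. If the DocBook that oscap emits carries a DOCTYPE, xsltproc will try to resolve it, so `xsltproc --nonet ...` keeps resolution to the local catalog and avoids a network fetch in the middle of a build. The `#guide.pdf` left on the `all` line is undocumented; a comment such as `# guide.pdf needs xsltproc, the DocBook XSL stylesheets and fop; build it explicitly` would tell the next reader why it is not in the default target.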
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -71,6 +71,41 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:4" version="1" class="compliance">
+    <metadata>
+      <title>The /home file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether the /home partition is mounted with the nodev
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="The /home partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:5" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
+      <description>
+        This definition tests whether the /tmp location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+    </criteria>
+  </definition>
+
+
 </definitions>
 
 <tests>
@@ -97,6 +132,22 @@
     <!-- "nosuid" mount option -->
     <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
   </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:4"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /home is mounted with nodev option">
+    <!-- /home partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is a separate file system">
+    <!-- /home partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+  </lin-def:partition_test>
 </tests>
 
 <objects>
@@ -110,6 +161,12 @@
     version="1" comment="The /home partition">
     <lin-def:mount_point>/home</lin-def:mount_point>
   </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:3"
+    version="1" comment="The /tmp partition">
+    <lin-def:mount_point>/tmp</lin-def:mount_point>
+  </lin-def:partition_object>
+
 </objects>
 
 <states>
@@ -119,6 +176,11 @@
     <lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options>
   </lin-def:partition_state>
 
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:2"
+    version="1" comment="The file system is mounted with the nodev mount option">
+    <lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
+  </lin-def:partition_state>
+
 </states>
 
 <!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index a501b53..39af64c 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
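Review bot: The comment above the object reference in the new tst:5 partition_test says `<!-- /home partition -->`, but the object it references, obj:3, is the /tmp partition defined in the objects hunk on the same line; this looks like a leftover from copying tst:4 and should read `<!-- /tmp partition -->`. Since tst:5 has no `<lin-def:state>`, it is satisfied purely by the existence of a /tmp mount point, which matches the def:5 description, but that reads like an omission next to tst:4; a comment such as `<!-- no state: existence of the mount point is the whole test -->` would make the intent explicit.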
@@ -24,10 +24,15 @@ configurations. The tests that are enabled in this profile can be ran without visibly impacting the performance of the system. </description> + <!-- The /tmp location is a separate file system --> + <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" /> <!-- The /home location is a separate file system --> <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" /> <!-- The /home partition is mounted with nosuid --> <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" /> + <!-- The /home partition is mounted with nodev --> + <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" /> + </Profile> <Group id="xccdf_org.gentoo.dev.swift_group_intro"> <title>Introduction</title> 
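Review bot: The two new rules are selected only in the default profile here, while the profile description rewritten in the @@ -101 hunk states that the intensive profile contains all tests; if that profile lists its rules with its own `<select>` elements (it is not visible in this diff), it also needs `<select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />` and `<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />`, otherwise the "all tests" claim no longer holds. The blank line added just before `</Profile>` is the only one inside the element and can be dropped.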
@@ -58,31 +63,32 @@ <title>This is no security policy</title> <description> It is <h:em>very important</h:em> to realize that this document is not a - policy. You are not obliged to follow this if you want a secure system - nor do you need to agree with everything said in the document. - <h:br /> - <h:br /> - The purpose of this document is to guide you in your quest to hardening - your system. It will provide pointers that could help you decide in - particular configuration settings and will do this hopefully using - sufficient background information to make a good choice. - <h:br /> - <h:br /> - You <h:em>will</h:em> find settings you don't agree with. That's fine, but - if you disagree with <h:em>why</h:em> we do this, we would like to hear it - and we'll add the feedback to the guide. + policy. There is no obligation to follow this to make a secure system + nor should everything in this document be agreed upon. What we document is + a set of common best practices with the explanation (why is it a best practice) + and method (how to implement the best practice). + <h:br /> + <h:br /> + The purpose of this document is to guide readers in their quest to hardening + their systems. It will provide pointers that could help in deciding + particular configuration settings and will do this hopefully using + sufficient background information to allow readers to make a good choice. + <h:br /> + <h:br /> + Readers might find settings they don't agree with. That's fine, but + if there is disagreement about <h:em>why</h:em> it is documented, we would + like to hear it so we can update the guide accordingly. </description> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap"> <title>A little more about SCAP and OVAL</title> <description> Within SCAP, NIST has defined some new standards of which XCCDF and OVAL - are notably important in light of the guide you are currently using. + are notably important in light of this guide. 
<h:ul> <h:li> XCCDF (Extensible Configuration Checklist Description Format) is a specification language for writing security checklists and benchmarks - (such as the one you are reading now) </h:li> <h:li> OVAL (Open Vulnerability and Assessment Language) is a standard to describe 
@@ -101,80 +107,77 @@ <Group id="xccdf_org.gentoo.dev.swift_group_intro-using"> <title>Using this guide</title> <description> - The guide you are currently reading is the guide generated from this SCAP - content (more specifically, the XCCDF document) using <h:b>openscap</h:b>, - a free software implementation for handling SCAP content. Within Gentoo, - the package <h:code>app-forensics/openscap</h:code> provides the tools, and - the following command is used to generate the HTML output: + This guide is generated from SCAP content (more specifically, the XCCDF document) + using <h:b>openscap</h:b>, a free software implementation for handling SCAP content. + Within Gentoo, the package <h:code>app-forensics/openscap</h:code> provides the tools, + and the following command is used to generate the HTML output: <h:br /> - <h:pre>### Command to generate this guide ### -# <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b> + <h:pre># <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b> </h:pre> <h:br /> - Secondly, together with this XCCDF XML, you will also find an OVAL XML file. - The two files combined allow you to automatically validate various settings as - documented in the benchmark. - <h:br /> - <h:br /> - Now, to validate the tests, you can use the following commands: - <h:pre>### Testing the rules mentioned in the XCCDF document ### -# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre> + Secondly, together with this XCCDF XML, an OVAL XML file is made available. + The two files combined allow OVAL interpreters to automatically validate + various settings as documented in the benchmark. 
+ <h:br /> + <h:br /> + To validate the tests, the following commands can be used: + <h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre> <h:br /> To generate a full report in HTML as well, you can use the next command: - <h:pre>### Testing the rules and generating an HTML report ### -# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre> + <h:pre># <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre> <h:br /> - <h:br /> - Finally, this benchmark will suggest some settings which you do not want - to enable. That is perfectly fine - even more, some settings might even + <h:br /> + Finally, this benchmark will suggest some settings that do not reflect the + will of the reader. That is perfectly fine - even more, some settings might even raise eyebrows left and right. We will try to document the reasoning behind the settings but you are free to deviate from them. If that is the case, - you might want to disable the rules in the XCCDF document so that they are - not checked on your system. + disable the rules in the XCCDF document or, better yet, create a new profile + and only refer to the tests that are required. </description> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles"> <title>Available XCCDF Profiles</title> <description> As mentioned earlier, the XCCDF document supports multiple profiles. 
For the time - being, two profiles are defined: - <h:br /> - <h:ul> - <h:li> - The <em>default</em> profile contains tests that are quick to validate - </h:li> - <h:li> - The <em>intensive</em> profile contains all tests, including those that - take a while (for instance because they perform full file system scans) - </h:li> - </h:ul> - Substitute the profile information in the commands above with the profile you want to test on. + being, two profiles are defined: + <h:br /> + <h:ul> + <h:li> + The <em>default</em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains + tests that are quick to validate + </h:li> + <h:li> + The <em>intensive</em> profile (xccdf_org.gentoo.dev.swift_profile_intensive) + contains all tests, including those that take a while (for instance because they + perform full file system scans) + </h:li> + </h:ul> + Substitute the profile information in the commands above with the required profile. </description> </Group> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation"> - <title>Before You Start</title> + <title>Before we start</title> <description> - Before you start deploying Gentoo Linux and start hardening it, it is wise - to take a step back and think about what you want to accomplish. Setting + Before we start deploying Gentoo Linux and start hardening it, it is wise + to take a step back and think about what we want to accomplish. Setting up a more secured Gentoo Linux isn't a goal, but a means to reach something. Most likely, you are considering setting up a Gentoo Linux powered server. What is this server for? Where will you put it? What other services will you want to run on the same OS? Etc. 
</description> <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing"> - <title>Infrastructure Architecturing</title> + <title>Infrastructure architecturing</title> <description> - When considering your entire IT architecture, many architecturing - frameworks exist to write down and further design your infrastructure. + When considering the entire IT architecture, many architecturing + frameworks exist to write down and further design infrastructure. There are very elaborate ones, like TOGAF (The Open Group Architecture Framework), but smaller ones exist as well. <h:br /> <h:br /> - A well written and maintained infrastructure architecture helps you + A well written and maintained infrastructure architecture helps to position new services or consider the impact of changes on existing - components. And the reason for mentioning such a well designed architecture - in a hardening guide is not weird. + components. <h:br /> <h:br /> Security is about reducing risks, not about harassing people or making 
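Review bot: The rewritten profile list keeps unprefixed `<em>default</em>` and `<em>intensive</em>`, whereas every other inline markup in this file is written as `<h:em>`; an unprefixed element there appears to fall into the document's default namespace (the one `Profile`, `Group` and `Rule` live in), where no `em` element is defined, so the guide generator is likely to drop it or schema validation to reject it. Change the two lines to `The <h:em>default</h:em> profile (xccdf_org.gentoo.dev.swift_profile_default) contains` and `The <h:em>intensive</h:em> profile (xccdf_org.gentoo.dev.swift_profile_intensive)`. The new "Before we start" wording switches to "we" but the unchanged sentence that follows, "Most likely, you are considering...", still addresses "you", so the voice change is incomplete; that Group's description continues past the end of this hunk.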
@@ -186,130 +189,223 @@ </description> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements"> - <title>Mapping Requirements</title> + <title>Mapping requirements</title> <description> - When you design a service, you need to take both functional and + When designing a service, we need to take both functional and non-functional requirements into account. That does sound like - overshooting for a simple server installation, but it is not. Have you - considered auditing? Where do the audit logs need to be sent to? What - about authentication? Centrally managed, or manually set? And the server - you are installing, will it only host a particular service, or will it - provide several services? + overshooting for a simple server installation, but it is not. Is + auditing considered? Where should the audit logs be sent to? What + about authentication? Centrally managed, or manually set? And the server, + will it only host a particular service, or will it provide several services? <h:br /> <h:br /> When hosting multiple services on the same server, make sure that the - server is positioned within your network on an acceptable segment. It is - not safe to host your central LDAP infrastructure on the same system as - your web server that is facing the Internet. + server is positioned within the network on an acceptable segment. It is + not safe to host central LDAP infrastructure on the same system as + a web server that is facing the Internet. </description> <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware"> - <title>Non-Software Security Concerns</title> + <title>Non-software security concerns</title> <description> - From the next chapter onwards, we will only focus on the software side - hardening. 
There are of course also non-software concerns that you - should investigate. + From the next chapter onwards, our focus will be on the software side + hardening. There are of course also non-software concerns that need to be + taken care of. </description> - <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security - Handbook (RFC2196)</reference> + <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security Handbook (RFC2196)</reference> <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical"> - <title>Physical Security</title> + <title>Physical security</title> <description> - Make sure that your system is only accessible (physically) by trusted - people. Fully hardening your system, only to have a malicious person - take out the harddisk and run away with your confidential data is not - something you want to experience. + Make sure that the system is only accessible (physically) by trusted + people. Fully hardening a system, only to have a malicious person + take out the harddisk and run away with the confidential data is not + something we want to experience. <h:br /> <h:br /> When physical security cannot be guaranteed (like with laptops), make sure that theft of the device only results in the loss of the hardware - and not of the data and software on it (backups), and also that the - data on it cannot be read by unauthorized people. We will come back on - disk encryption later. + and not of the data and software on it (take backups!), and also that the + data on it cannot be read by unauthorized people. + We will describe disk encryption later. 
</description> <reference - href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data - Center Physical Security Checklist (SANS, PDF)</reference> + href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data Center Physical Security Checklist (SANS, PDF)</reference> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies"> - <title>Policies and Contractual Agreements</title> + <title>Policies and contractual agreements</title> <description> - Create or validate the security policies in your organization. This is + Create or validate the security policies in the organization. This is not only as a stick (against internal people who might want to abuse their powers) but also to document and describe why certain decisions are made (both architecturally as otherwise). + <h:br /> + <h:br /> + Make sure that the reasoning for the guidelines is clear. If the policies ever + need to be adjusted towards new environments or concepts (like "bring your own + device") having the reasons for the (old) guidelines documented will make it much + easier to write new ones. 
</description> <reference - href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical - Writing for IT Security Policies in Five Easy Steps (SANS, - PDF)</reference> + href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF)</reference> <reference - href="https://www.sans.org/security-resources/policies/">Information - Security Policy Templates (SANS)</reference> + href="https://www.sans.org/security-resources/policies/">Information Security Policy Templates (SANS)</reference> </Group> </Group> </Group> <Group id="xccdf_org.gentoo.dev.swift_group_installation"> - <title>Installation Configuration</title> + <title>Installation configuration</title> <description> - Let's focus now on the OS hardening. Gentoo Linux allows you to update the - system as you want after installation, but it might be interesting to - consider the following aspects during installation if you do not want a - huge migration project later. + Let's focus now on the OS hardening. Gentoo Linux allows us to update various + parts of the system after installation, but it might be interesting to + consider the following aspects during (or before) installation if we do not want + to risk a huge migration project later. </description> <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage"> - <title>Storage Configuration</title> + <title>Storage configuration</title> <description> - Your storage is of utmost importance in any environment. It needs to be - sufficiently fast, not to jeopardize performance, but also secure and - manageable yet still remain flexible to handle future changes. + Storage is of utmost importance in any environment. It needs to be + sufficiently fast (performance), but also secure and + manageable while remaining flexible to handle future changes. 
</description> <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning"> <title>Partitioning</title> <description> - Know which locations in your file system structure you want on a + Know which locations in the file system structure need to be on a different partition or logical volume. Separate locations allow for a - more distinct segregation (for instance, hard links between different + more distinct segregation (for instance, no hard links between different file systems) and low-level protection (file system corruption impact, but also putting the right data on the right storage media). </description> <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy Standard</reference> + <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate"> + <title>Separate file systems for important locations</title> + <description> + Having a separate file system for important locations has several advantages, but + we need to weigh those advantages against the disadvantages of separate file + systems. + <h:br /> + <h:br /> + Let's start with the disadvantages: + <h:ul> + <h:li> + Separate file systems mean that you need to do better disk space control + (governing free space). A file system that is given too much free space + means that disk space is being wasted, but a file system that is not given + enough free disk space will need to be grown quickly - if possibile. This + also means that creating a proper partitioning setup with many different + partitions (file systems) will take some time and calculations; many users + have no good idea how much space they need to make available for a file system. + </h:li> + <h:li> + Some file system locations need to be available early in the boot process. + If those locations reside on different file systems, special precautions need + to be taken to make those file systems available when the system is booted + (such as creating an initial ram file system). 
+ </h:li> + </h:ul> + The advantages on the other hand: + <h:ul> + <h:li> + A sudden disk space growth will eventually be stopped by the limits of the + file system. If a non-critical file system is full, the impact on the overall + system is limited. Without separate file systems, a full file system might + jeopardise the availability of the entire system. + </h:li> + <h:li> + Specific mount options can be enabled on the file systems that improve the + security of the file system (permissions) as well as performance. Such mount + options include ownership details, allowing (or disallowing) setuid binaries, + device files and more. + </h:li> + <h:li> + Different file systems can be hosted on different devices (or even on network + shares), allowing administrators to pick the most efficient storage device + for a particular file system. + </h:li> + </h:ul> + Considering these pros and cons, it is recommended to have at least the following + file system locations to be on a different file system: + <h:ul> + <h:li> + <h:code>/tmp</h:code> as this is a world-writable location and requires + specific mount options. When possible, this location can be made a + <h:em>tmpfs</h:em> file system. + </h:li> + </h:ul> + </description> + <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false"> + <title>Test if /tmp is a separate file system</title> + <fixtext> + Create a file system for <h:code>/tmp</h:code>; make sure it is added in + the <h:code>/etc/fstab</h:code> file and reboot the system. 
+ </fixtext> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" /> + </check> + </Rule> + </Group> <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home"> <title>/home Location</title> <description> The <h:code>/home</h:code> location should be on its own partition, allowing the administrator to mount this location with specific - options targetting the file systems' security settings or quota. - <h:br /> - <h:br /> - Next to the separate file system, it should also be mounted with - the <h:em>nosuid</h:em> mount option. When a vulnerability in a - software, or a rogue user, would somehow place a setuid binary in - this home directory in order to create a simple backdoor to gain - root privileges, this mount option disables the setuid ability. + options targetting the file systems' security settings or quota. It + also prevents the system to become unresponsive when a user starts + filling up his home directory, although quota support can be used + to mitigate this risk as well. + <h:br /> + <h:br /> + Next to the separate file system, it should also be mounted with + the <h:em>nosuid</h:em> mount option. When a vulnerability in a + software, or a rogue user, would somehow place a setuid binary in + this home directory in order to create a simple backdoor to gain + root privileges, this mount option disables the setuid ability. + <h:br /> + <h:br /> + There is also no reason for the <h:code>/home</h:code> location to + contain any device files, so mount it with <h:em>nodev</h:em> too. + If an attacker would somehow be able to create sensitive device files + with the rights for him to read/write to those device files, then he + might be able to impact the system security. 
</description> - <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false"> - <title>Test if /home is a separate partition</title> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false"> + <title>Test if /home is a separate partition</title> + <fixtext> + Create a file system for the user home files and mount it at <h:code>/home</h:code> + after migrating the users' files to it. + </fixtext> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" /> - </check> - </Rule> - <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false"> - <title>Test if /home is mounted with nosuid</title> - <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext> - <!-- TODO can we put in multiple fixes? I would like to add in one - that asks the user (not automatically) to update fstab --> - <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid" - system="urn:xccdf:fix:system:commands" - platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false"> + </check> + </Rule> + <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false"> + <title>Test if /home is mounted with nosuid</title> + <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext> + <!-- TODO can we put in multiple fixes? 
I would like to add in one + that asks the user (not automatically) to update fstab --> + <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid" + system="urn:xccdf:fix:system:commands" + platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false"> mount -o remount,nosuid /home - </fix> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> - <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" /> - </check> - </Rule> + </fix> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" /> + </check> + </Rule> + <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false"> + <title>Test if /home is mounted with nodev</title> + <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext> + <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev" + system="urn:xccdf:fix:system:commands" + platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false"> +mount -o remount,nodev /home + </fix> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" /> + </check> + </Rule> </Group> </Group> </Group> @@ -326,7 +422,7 @@ mount -o remount,nosuid /home toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as those are toolchains where specific settings are disabled. The <h:code>-vanilla</h:code> one is a toolchain with no hardened patches. - <h:pre>### Using the appropriate hardened toolchain ### + <h:pre> # <h:b>gcc-config -l</h:b> [1] x86_64-pc-linux-gnu-4.4.5 * [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie 
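Review bot: The new partition-home-nodev rule's `<fix>` is `mount -o remount,nodev /home` with `reboot="false"`, which only changes the live mount and is lost at the next boot; the nosuid rule it was copied from at least carries a TODO about an fstab step, and the copy drops even that. The fixtext should state the limitation, e.g. `Mount /home with nodev mount option (remount only; add nodev to the /home entry in /etc/fstab to make it persistent)`, and the same wording belongs on the nosuid fixtext. In the new "Separate file systems for important locations" description, `if possibile` is a typo for `if possible`, and the partition-tmp rule's fixtext could mention that, unlike the /home rules, no automated `<fix>` is provided because the change needs a reboot. This hunk begins on an earlier line, inside a Group whose start is outside it.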
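Review bot: The `<h:pre>` in this hunk, and those in the @@ -374, @@ -410, @@ -428, @@ -445, @@ -513 and @@ -650 hunks, now open with a bare newline before the first content line, while the @@ -101 hunk puts the first command directly on the opening tag (`<h:pre># <h:b>oscap xccdf eval ...`). Browsers discard a single newline right after `<pre>`, but the DocBook/FO path added in the Makefile may render it as an empty first line, and two styles in one file is inconsistent; joining the tag and the first line, `<h:pre># <h:b>gcc-config -l</h:b>`, keeps every listing uniform. The @@ -340 and @@ -537 hunks are re-indentation only.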
@@ -340,18 +436,18 @@ mount -o remount,nosuid /home <title>Use a Mandatory Access Control system</title> <description> Linux uses, by default, what is called a <h:em>Discretionary Access Control</h:em> - system. This means, amongst other things, that a user can control which files others - can access, but also that he is able to leak information towards other users. - <h:br /> - <h:br /> - With a <h:em>Mandatory Access Control</h:em> system in place, the security administrator - of a system defines security policies to which the entire system should adhere to. Users - then can "play" within the defined fields of this policy, but cannot extend this policy themselves. - <h:br /> - <h:br /> - Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system - is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its - configuration and testing of these settings are beyond the scope of this benchmark for now. + system. This means, amongst other things, that a user can control which files others + can access, but also that he is able to leak information towards other users. + <h:br /> + <h:br /> + With a <h:em>Mandatory Access Control</h:em> system in place, the security administrator + of a system defines security policies to which the entire system should adhere to. Users + then can "play" within the defined fields of this policy, but cannot extend this policy themselves. + <h:br /> + <h:br /> + Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system + is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its + configuration and testing of these settings are beyond the scope of this benchmark for now. </description> <reference href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux project page</reference> </Group> 
@@ -374,7 +470,7 @@ mount -o remount,nosuid /home <h:br /> <h:br /> Mount options can be set in <h:code>/etc/fstab</h:code> in the fourth column. - <h:pre>### Setting mount options### + <h:pre> # <h:b>vim /etc/fstab</h:b> [...] tmpfs /tmp tmpfs defaults<h:b>,nosuid,noexec,nodev</h:b> 0 0</h:pre> @@ -410,15 +506,15 @@ tmpfs /tmp tmpfs defaults<h:b>,nosuid,noexec,nodev</h:b> 0 0</h cleared during shut down or reboot) and mounted with nosuid,noexec and nodev mount options (to reduce the impact when an exploit is attempted from within this location). - <h:pre>### Sample /etc/fstab line for /tmp ### + <h:pre> tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev 0 0</h:pre> Also, the location must have the sticky bit set (cfr the trailing 't' in the - output of <h:b>ls -ld</h:b>). - <h:pre>### Sticky bit for /tmp must be set ### + output of <h:b>ls -ld</h:b>). + <h:pre> # <h:b>ls -ld /tmp</h:b> drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre> Of course, using <h:code>tmpfs</h:code> does not give you freedom nor a - secure means to write security sensitive information in <h:code>/tmp</h:code>. + secure means to write security sensitive information in <h:code>/tmp</h:code>. </description> </Group> <Group id="gt-system-mounts-home"> @@ -428,7 +524,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre> To reduce the risk of an exploit being launched, it is adviseable to mount this partition with the <h:code>nosuid,nodev</h:code> mount options. <h:br /> - <h:pre>### Sample /etc/fstab line for /home ### + <h:pre> /dev/mapper/volgrp-home /home ext4 noatime,nosuid,nodev,data=journal 0 2</h:pre> </description> </Group> 
@@ -445,19 +541,19 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre> <h:br /> <h:br /> Next, install the <h:code>sys-fs/quota</h:code> package. - <h:pre>### Installing quota ### + <h:pre> # <h:b>emerge quota</h:b></h:pre> Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to the partitions (in <h:code>/etc/fstab</h:code>) where you want to enable quotas on. For instance, the following snippet from <h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code> and <h:code>/home</h:code>. - <h:pre>### Example quota definition in /etc/fstab ### + <h:pre> /dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b> 0 0 /dev/mapper/volgrp-var /var ext4 noatime,<h:b>usrquota,grpquota</h:b> 0 0 </h:pre> Finally, add the <h:code>quota</h:code> service to the boot runlevel. - <h:pre>### Adding quota to the boot runlevel ### + <h:pre> # <h:b>rc-update add quota boot</h:b></h:pre> Reboot the system so that the partitions are mounted with the correct mount options and that the quota service is running. Then you can @@ -466,7 +562,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre> <reference href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing Disk Usage with Quotas (LinuxHomeNetworking)</reference> - <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference> + <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference> </Group> </Group> <Group id="gt-system-services"> 
@@ -513,7 +609,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp</h:pre> booting in single user mode requires the user to enter the root password. This is already done by default in Gentoo and is part of <h:code>/etc/inittab</h:code>'s definition: - <h:pre>### Ensure sulogin is available for single user mode ### + <h:pre> su0:S:wait:/sbin/rc single <h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre> </description> @@ -537,10 +633,10 @@ su0:S:wait:/sbin/rc single <description> The SSH service is used for secure remote access towards a system, but also to provide secure file transfers. It is very commonly found on Unix/Linux - systems to proper hardening is definitely in place. - <h:br /> - <h:br /> - Please use the "Hardening OpenSSH" guide for the necessary instructions. + systems to proper hardening is definitely in place. + <h:br /> + <h:br /> + Please use the "Hardening OpenSSH" guide for the necessary instructions. </description> </Group> <Group id="gt-system-services-cron"> @@ -650,7 +746,7 @@ su0:S:wait:/sbin/rc single You should set the USE flags globally in <h:code>/etc/make.conf</h:code>. <h:br /> - <h:pre>### Setting the USE flag in /etc/make.conf ### + <h:pre> USE="... pam tcpd ssl"</h:pre> </description> </Group> 
@@ -659,15 +755,15 @@ USE="... pam tcpd ssl"</h:pre> <description> Gentoo Portage supports fetching signed tree snapshots using <h:b>emerge-webrsync</h:b>. This is documented in the Gentoo Handbook, - but as it is quite easy, here you can find the instructions again: - <h:pre>### Using emerge-webrsync with GPG signatures ### + but as it is quite easy, here you can find the instructions again: + <h:pre> # <h:b>mkdir -p /etc/portage/gpg</h:b> # <h:b>chmod 0700 /etc/portage/gpg</h:b> # <h:b>gpg - -homedir /etc/portage/gpg - -keyserver subkeys.pgp.net - -recv-keys 0x239C75C4 0x96D8BF6D</h:b> # <h:b>gpg - -homedir /etc/portage/gpg - -edit-key 0x239C75C4 trust</h:b> # <h:b>gpg - -homedir /etc/portage/gpg - -edit-key 0x96D8BF6D trust</h:b></h:pre> After this, you can edit <h:code>/etc/make.conf</h:code>: - <h:pre>### Editing make.conf for signed portage trees ### + <h:pre> FEATURES="webrsync-gpg" PORTAGE_GPG_DIR="/etc/portage/gpg" SYNC=""</h:pre> @@ -680,9 +776,9 @@ SYNC=""</h:pre> The Linux kernel should be configured using a sane security standard in mind. When using grSecurity, additional security-enhancing settings can be enabled. - <h:br /> - <h:br /> - For further details, I refer to the "Hardening the Linux kernel" guide. + <h:br /> + <h:br /> + For further details, I refer to the "Hardening the Linux kernel" guide. </description> <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference> </Group> @@ -708,7 +804,7 @@ SYNC=""</h:pre> the configuration file, you can hash it. Just start <h:b>grub</h:b> and, in the grub-shell, type <h:b>md5crypt</h:b>. <h:br /> - <h:pre>### Getting a hashed password for GRUB ### + <h:pre> # <h:b>grub</h:b> GRUB version 0.92 (640K lower / 3072K upper memory) 
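Review bot: The emerge-webrsync key setup in the first hunk on this line fetches keys from a keyserver with `-recv-keys` and then marks them trusted with `gpg … -edit-key … trust` without any step that compares the key fingerprints against a source the reader obtains out of band, so a key substituted at the keyserver would be trusted just as readily; these are context lines the commit leaves unchanged. Adding a line such as `# <h:b>gpg --homedir /etc/portage/gpg --fingerprint 0x239C75C4 0x96D8BF6D</h:b>` before the trust step, with a sentence telling the reader to verify the printed fingerprints against the ones Gentoo publishes, would close that gap. The `- -homedir` spelling with a space between the dashes looks like a rendering artifact of `--homedir`; worth confirming the source file carries the literal double dash. The enclosing `<description>` starts outside the hunk.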
@@ -740,7 +836,7 @@ grub> <h:b>quit</h:b></h:pre> <h:code>/etc/lilo.conf</h:code> file. It is also possible to do this on a per-image level. <h:br /> - <h:pre>### Setting a password for LILO in /etc/lilo.conf ### + <h:pre> password=abc123 restricted delay=3 @@ -782,7 +878,7 @@ image=/boot/bzImage <h:br /> A recommended setting is to only allow root user login through the console and the physical terminals (<h:code>tty0-tty12</h:code>). - <h:pre>### /etc/securetty ### + <h:pre> console tty0 tty1 @@ -840,7 +936,7 @@ tty12</h:pre> <h:br /> More information on these files and their syntax can be obtained through their manual pages. - <h:pre>### Reading the limits manual pages ### + <h:pre> # <h:b>man limits.conf</h:b> # <h:b>man limits</h:b></h:pre> </description> @@ -866,7 +962,7 @@ tty12</h:pre> <h:code>pam_cracklib.so</h:code> library. You can then use this in the appropriate <h:code>/etc/pam.d/*</h:code> files. For instance, for the <h:code>/etc/pam.d/passwd</h:code> definition: - <h:pre>### Sample /etc/pam.d/passwd setting with cracklib ### + <h:pre> auth required pam_unix.so shadow nullok account required pam_unix.so <h:b>password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2</h:b> 
@@ -934,19 +1030,19 @@ session required pam_unix.so</h:pre> <h:br /> <h:br /> You can use <h:code>find</h:code> to locate such files or directories. - <h:pre>### Using find to find world writable files and directories ### + <h:pre> # <h:b>find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print</h:b></h:pre> The above command shows world writable files and locations, unless it is a directory with the sticky bit set, or a symbolic link (whose world writable privilege is not accessible anyhow). </description> - <Rule id="rule-world-writeable-sticky" selected="false"> + <Rule id="rule-world-writeable-sticky" selected="false"> <title>World writeable directories must have sticky bit set</title> - <description>World writeable directories must have sticky bit set</description> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> - <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" /> - </check> - </Rule> + <description>World writeable directories must have sticky bit set</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" /> + </check> + </Rule> </Group> <Group id="gt-system-fileprivileges-suidsgid"> <title>Limit Setuid and Setgid File and Directory Usage</title> |
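Review bot: The `find` invocation kept in this hunk's `<h:pre>` uses `-perm +o=w` and `-perm +o=t`; GNU findutils documents the `-perm +mode` form as deprecated in favour of `-perm /mode`, so the equivalent `find / -perm /o=w ! \( -type d -perm /o=t \) ! -type l -print` is worth considering, after confirming how the findutils release the benchmark targets parses the symbolic `+o=w` form, since this is a context line the commit does not touch. The `rule-world-writeable-sticky` Rule is otherwise only re-indented, but its `<description>` repeats the title verbatim; a sentence stating why the bit matters (in a shared world-writable directory it prevents users from deleting or renaming files they do not own) would make the generated guide and report more useful to the reader.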