[gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/ - gentoo-commits

From:	Sven Vermeulen <swift@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
Date:	Sun, 30 Mar 2014 18:29:42
Message-Id:	`1396204167.e85228a786ea2041715e8e2193d93411261f1950.swift@gentoo`

1

commit:     e85228a786ea2041715e8e2193d93411261f1950

2

Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

3

AuthorDate: Sun Mar 30 18:29:27 2014 +0000

4

Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>

5

CommitDate: Sun Mar 30 18:29:27 2014 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e85228a7

7

8

Check grub.conf with password md5 hash

9

10

---

11

 xml/SCAP/gentoo-oval.xml  | 62 +++++++++++++++++++++++++++++++++++++++++++++++

12

 xml/SCAP/gentoo-xccdf.xml | 11 +++++++++

13

 2 files changed, 73 insertions(+)

14

15

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml

16

index 7f6e674..f873701 100644

17

--- a/xml/SCAP/gentoo-oval.xml

18

+++ b/xml/SCAP/gentoo-oval.xml

19

@@ -562,6 +562,25 @@

20

     </criteria>

21

   </definition>

22

23

+  <definition id="oval:org.gentoo.dev.swift:def:34" version="1" class="compliance">

24

+    <metadata>

25

+      <title>/boot/grub/grub.conf has a password set</title>

26

+      <affected family="unix">

27

+        <platform>Gentoo Linux</platform>

28

+      </affected>

29

+      <description>

30

+        If /boot/grub/grub.conf exists, then it must have a password set.

31

+      </description>

32

+    </metadata>

33

+    <criteria operator="OR">

34

+      <criteria operator="AND">

35

+        <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="/boot/grub exists" />

36

+        <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="/boot/grub/grub.conf does not exist" />

37

+      </criteria>

38

+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="GRUB Legacy configuration has a password set" />

39

+    </criteria>

40

+  </definition>

41

+

42

 </definitions>

43

44

 <tests>

45

@@ -848,6 +867,27 @@

46

     <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />

47

   </lin-def:partition_test>

48

49

+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:35"

50

+    version="1" check="all" check_existence="none_exist"

51

+    comment="/boot/grub/grub.conf does not exist">

52

+    <!-- The /boot/grub/grub.conf file -->

53

+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />

54

+  </unix-def:file_test>

55

+

56

+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36"

57

+    comment="The grub.conf file has a password --md5 entry"

58

+    version="1" check="at least one" check_existence="at_least_one_exists">

59

+    <!-- The /boot/grub/grub.conf file content -->

60

+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />

61

+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />

62

+  </ind-def:textfilecontent54_test>

63

+

64

+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:37"

65

+    version="1" check="all" check_existence="all_exist"

66

+    comment="/boot/grub exists">

67

+    <!-- The /boot/grub location exists -->

68

+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />

69

+  </unix-def:file_test>

70

71

 </tests>

72

73

@@ -974,6 +1014,23 @@

74

     <lin-def:mount_point>/proc</lin-def:mount_point>

75

   </lin-def:partition_object>

76

77

+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:22"

78

+    version="1" comment="The /boot/grub/grub.conf file">

79

+    <unix-def:filepath>/boot/grub/grub.conf</unix-def:filepath>

80

+  </unix-def:file_object>

81

+

82

+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23"

83

+    version="1" comment="The /boot/grub/grub.conf content">

84

+    <ind-def:filepath>/boot/grub/grub.conf</ind-def:filepath>

85

+    <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>

86

+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>

87

+  </ind-def:textfilecontent54_object>

88

+

89

+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:24"

90

+    version="1" comment="The /boot/grub location">

91

+    <unix-def:filepath>/boot/grub</unix-def:filepath>

92

+  </unix-def:file_object>

93

+

94

 </objects>

95

96

 <states>

97

@@ -1048,6 +1105,11 @@

98

     <lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>

99

   </lin-def:partition_state>

100

101

+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15"

102

+    version="1" comment="Has a password --md5 entry">

103

+    <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>

104

+  </ind-def:textfilecontent54_state>

105

+

106

 </states>

107

108

 <variables>

109

110

diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml

111

index 3c3afcd..732bde3 100644

112

--- a/xml/SCAP/gentoo-xccdf.xml

113

+++ b/xml/SCAP/gentoo-xccdf.xml

114

@@ -103,6 +103,8 @@

115

     <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />

116

     <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->

117

     <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />

118

+    <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->

119

+    <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />

120

   </Profile>

121

   <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">

122

     <title>Default server setup settings</title>

123

@@ -1513,6 +1515,15 @@ grub&gt; <h:b>quit</h:b></h:pre>

124

           using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.

125

 	  </h:p>

126

         </description>

127

+        <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">

128

+	  <title>Grub legacy has a password entry with md5 hash</title>

129

+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">

130

+	    Edit /boot/grub/grub.conf and set a password entry with md5 hash

131

+	  </fixtext>

132

+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">

133

+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />

134

+	  </check>

135

+	</Rule>

136

       </Group>

137

       <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">

138

         <title>Password protect LILO</title>

1	commit: e85228a786ea2041715e8e2193d93411261f1950
2	Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3	AuthorDate: Sun Mar 30 18:29:27 2014 +0000
4	Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5	CommitDate: Sun Mar 30 18:29:27 2014 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e85228a7
7
8	Check grub.conf with password md5 hash
9
10	---
11	xml/SCAP/gentoo-oval.xml \| 62 +++++++++++++++++++++++++++++++++++++++++++++++
12	xml/SCAP/gentoo-xccdf.xml \| 11 +++++++++
13	2 files changed, 73 insertions(+)
14
15	diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
16	index 7f6e674..f873701 100644
17	--- a/xml/SCAP/gentoo-oval.xml
18	+++ b/xml/SCAP/gentoo-oval.xml
19	@@ -562,6 +562,25 @@
20	</criteria>
21	</definition>
22
23	+ <definition id="oval:org.gentoo.dev.swift:def:34" version="1" class="compliance">
24	+ <metadata>
25	+ <title>/boot/grub/grub.conf has a password set</title>
26	+ <affected family="unix">
27	+ <platform>Gentoo Linux</platform>
28	+ </affected>
29	+ <description>
30	+ If /boot/grub/grub.conf exists, then it must have a password set.
31	+ </description>
32	+ </metadata>
33	+ <criteria operator="OR">
34	+ <criteria operator="AND">
35	+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="/boot/grub exists" />
36	+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="/boot/grub/grub.conf does not exist" />
37	+ </criteria>
38	+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="GRUB Legacy configuration has a password set" />
39	+ </criteria>
40	+ </definition>
41	+
42	</definitions>
43
44	<tests>
45	@@ -848,6 +867,27 @@
46	<lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
47	</lin-def:partition_test>
48
49	+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:35"
50	+ version="1" check="all" check_existence="none_exist"
51	+ comment="/boot/grub/grub.conf does not exist">
52	+ <!-- The /boot/grub/grub.conf file -->
53	+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
54	+ </unix-def:file_test>
55	+
56	+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36"
57	+ comment="The grub.conf file has a password --md5 entry"
58	+ version="1" check="at least one" check_existence="at_least_one_exists">
59	+ <!-- The /boot/grub/grub.conf file content -->
60	+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
61	+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
62	+ </ind-def:textfilecontent54_test>
63	+
64	+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:37"
65	+ version="1" check="all" check_existence="all_exist"
66	+ comment="/boot/grub exists">
67	+ <!-- The /boot/grub location exists -->
68	+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
69	+ </unix-def:file_test>
70
71	</tests>
72
73	@@ -974,6 +1014,23 @@
74	<lin-def:mount_point>/proc</lin-def:mount_point>
75	</lin-def:partition_object>
76
77	+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:22"
78	+ version="1" comment="The /boot/grub/grub.conf file">
79	+ <unix-def:filepath>/boot/grub/grub.conf</unix-def:filepath>
80	+ </unix-def:file_object>
81	+
82	+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23"
83	+ version="1" comment="The /boot/grub/grub.conf content">
84	+ <ind-def:filepath>/boot/grub/grub.conf</ind-def:filepath>
85	+ <ind-def:pattern operation="pattern match">^([^#\n])(?#.)?$</ind-def:pattern>
86	+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
87	+ </ind-def:textfilecontent54_object>
88	+
89	+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:24"
90	+ version="1" comment="The /boot/grub location">
91	+ <unix-def:filepath>/boot/grub</unix-def:filepath>
92	+ </unix-def:file_object>
93	+
94	</objects>
95
96	<states>
97	@@ -1048,6 +1105,11 @@
98	<lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
99	</lin-def:partition_state>
100
101	+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15"
102	+ version="1" comment="Has a password --md5 entry">
103	+ <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
104	+ </ind-def:textfilecontent54_state>
105	+
106	</states>
107
108	<variables>
109
110	diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
111	index 3c3afcd..732bde3 100644
112	--- a/xml/SCAP/gentoo-xccdf.xml
113	+++ b/xml/SCAP/gentoo-xccdf.xml
114	@@ -103,6 +103,8 @@
115	<select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
116	<!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
117	<select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
118	+ <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
119	+ <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
120	</Profile>
121	<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
122	<title>Default server setup settings</title>
123	@@ -1513,6 +1515,15 @@ grub> <h:b>quit</h:b></h:pre>
124	using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
125	</h:p>
126	</description>
127	+ <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
128	+ <title>Grub legacy has a password entry with md5 hash</title>
129	+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
130	+ Edit /boot/grub/grub.conf and set a password entry with md5 hash
131	+ </fixtext>
132	+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
133	+ <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />
134	+ </check>
135	+ </Rule>
136	</Group>
137	<Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
138	<title>Password protect LILO</title>

Gentoo Archives: gentoo-commits