Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
Date: Wed, 26 Mar 2014 21:07:03
Message-Id: 1395868010.e776b21bb7b10d185eeaebb8a97686a932a3b78c.swift@gentoo
1 commit: e776b21bb7b10d185eeaebb8a97686a932a3b78c
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed Mar 26 21:06:50 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Wed Mar 26 21:06:50 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e776b21b
7
8 Add syslog rules and enhance security/access.conf with an example
9
10 ---
11 xml/SCAP/gentoo-xccdf.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++---
12 1 file changed, 76 insertions(+), 4 deletions(-)
13
14 diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
15 index d2bf154..5fe590d 100644
16 --- a/xml/SCAP/gentoo-xccdf.xml
17 +++ b/xml/SCAP/gentoo-xccdf.xml
18 @@ -1,13 +1,13 @@
19 <?xml version="1.0" encoding="UTF-8"?>
20 -<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
21 - <status date="2014-02-01">draft</status>
22 +<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
23 + <status date="2014-03-26">draft</status>
24 <title>Gentoo Security Benchmark</title>
25 <description>
26 This benchmarks helps people in improving their system configuration to be
27 more resilient against attacks and vulnerabilities.
28 </description>
29 <platform idref="cpe:/o:gentoo:linux"/>
30 - <version>20140201.1</version>
31 + <version>20140326.1</version>
32 <model system="urn:xccdf:scoring:default" />
33 <model system="urn:xccdf:scoring:flat" />
34 <model system="urn:xccdf:scoring:flat-unweighted" />
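Review bot: the benchmark id, the status date and the version are all bumped to 20140326 together here, which keeps the three identifiers consistent; while in this block, the unchanged description two lines below still reads "This benchmarks helps people in improving their system configuration", which should be "This benchmark helps people improve their system configuration".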
35 @@ -355,7 +355,7 @@
36 </Group>
37 </Group>
38 <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
39 - <title>Before startng</title>
40 + <title>Before starting</title>
41 <description>
42 Before starting to deploy Gentoo Linux and start hardening it, it is wise
43 to take a step back and think about what to accomplish. Setting
44 @@ -1244,6 +1244,48 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
45 </description>
46 </Group>
47 </Group>
48 + <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog">
49 + <title>Syslog service</title>
50 + <description>
51 + <h:p>
52 + The system logger handles all non-audit related logging generated by applications
53 + and daemons. In order to ensure proper forensic analysis if it would ever be needed,
54 + the system logger should be properly configured.
55 + </h:p>
56 + </description>
57 + <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-logintervals">
58 + <title>Configure the system logger to log intervals</title>
59 + <description>
60 + <h:p>
61 + Have the system logger log every 10 minutes or so. Without interval logging,
62 + administrators might think nothing is wrong although in reality the system
63 + logger is malfunctioning and not writing any log events.
64 + </h:p>
65 + </description>
66 + </Group>
67 + <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-remotelogging">
68 + <title>Enable remote logging</title>
69 + <description>
70 + <h:p>
71 + If possible, have vital (or all) logs sent to a remote system logger as well.
72 + In home deployments, off-the-shelf (wifi) routers often have a logging daemon
73 + that can receive syslog events. For larger environments, a dedicated centralized
74 + log server is recommended.
75 + </h:p>
76 + </description>
77 + </Group>
78 + <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-terminal">
79 + <title>Decide which events to send to user terminals</title>
80 + <description>
81 + <h:p>
82 + On Linux and Unix systems, events can be sent to user terminals to
83 + make those users immediately aware of what is happening. It is
84 + recommended to send emergency-level events to everyone and have
85 + alerts sent to specific administrative user terminals.
86 + </h:p>
87 + </description>
88 + </Group>
89 + </Group>
90 </Group>
91 <Group id="xccdf_org.gentoo.dev.swift_group_system-portage">
92 <title>Portage settings</title>
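Review bot: the three new syslog Groups carry only a description and no Rule, so a scanner evaluating this benchmark will never check whether interval logging, remote logging or terminal notification is actually configured; each Group should gain at least one Rule with a concrete expected setting (for instance the mark interval that "every 10 minutes or so" has in mind, stated as a fixed value) so the guidance becomes testable. The remote logging description could also say that forwarding over plain UDP syslog gives no delivery guarantee and no confidentiality, so a reliable and, where the receiver supports it, encrypted transport should be preferred.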
93 @@ -1551,6 +1593,14 @@ tty12</h:pre>
94 account (say <h:code>apache</h:code>) is abused to log on with, or
95 that a new account is created as part of an exploit.
96 </h:p>
97 + <h:p>
98 + The following example setting allows only local root logins on tty1,
99 + and only the <h:em>swift</h:em> account to log on on the system.
100 + </h:p>
101 + <h:pre>
102 ++ : root : tty1
103 +- : ALL EXCEPT swift : ALL
104 + </h:pre>
105 </description>
106 </Group>
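Review bot: the example depends on pam_access first-match ordering, so "+ : root : tty1" must stay above the catch-all deny line; the description should state this, and should also warn that "- : ALL EXCEPT swift : ALL" denies every other account from every origin (root outside tty1 included), so a typo in the user name locks the administrator out of the system. Style point: the file's other <h:pre> blocks close on the content line (tty12</h:pre>, pam_unix.so</h:pre>), while this one puts </h:pre> on its own indented line, which adds trailing whitespace to the rendered block.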
107 <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources">
108 @@ -1731,6 +1781,28 @@ session required pam_unix.so</h:pre>
109 </h:p>
110 </description>
111 </Group>
112 + <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-caps">
113 + <title>Limit capability enabled files</title>
114 + <description>
115 + <h:p>
116 + Capabilities within Linux allow users to perform certain privileged tasks.
117 + </h:p>
118 + <h:p>
119 + Unlike <h:em>setuid</h:em> flags, the allowed privileges can be defined
120 + in a more granular approach (although one can still add in all possible
121 + capabilities and thus gain similar privileges as through <h:em>setuid</h:em>
122 + binaries).
123 + </h:p>
124 + <h:p>
125 + Files with particular capabilities set (through the <h:b>setcap</h:b>
126 + application) should be regularly reviewed. Capability-enabled files
127 + can be found through the following command:
128 + </h:p>
129 + <h:pre>
130 +# <h:b>getcap -r /</h:b>
131 + </h:pre>
132 + </description>
133 + </Group>
134 <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs">
135 <title>Logs only readable by proper group</title>
136 <description>
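Review bot: "getcap -r /" as given prints an error for every entry under pseudo-filesystems such as /proc and /sys, which buries the real results; the example should redirect stderr ("getcap -r / 2>/dev/null") or limit the search to real filesystems. Two wording points: the title "Limit capability enabled files" should be hyphenated as "capability-enabled", matching the description's own "Capability-enabled files", and "allow users to perform certain privileged tasks" is better as "allow processes to perform certain privileged tasks", since capabilities attach to processes and files rather than to user accounts.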