1 |
commit: e776b21bb7b10d185eeaebb8a97686a932a3b78c |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Wed Mar 26 21:06:50 2014 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Mar 26 21:06:50 2014 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e776b21b |
7 |
|
8 |
Add syslog rules and enhance security/access.conf with an example |
9 |
|
10 |
--- |
11 |
xml/SCAP/gentoo-xccdf.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++--- |
12 |
1 file changed, 76 insertions(+), 4 deletions(-) |
13 |
|
14 |
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml |
15 |
index d2bf154..5fe590d 100644 |
16 |
--- a/xml/SCAP/gentoo-xccdf.xml |
17 |
+++ b/xml/SCAP/gentoo-xccdf.xml |
18 |
@@ -1,13 +1,13 @@ |
19 |
<?xml version="1.0" encoding="UTF-8"?> |
20 |
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0"> |
21 |
- <status date="2014-02-01">draft</status> |
22 |
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0"> |
23 |
+ <status date="2014-03-26">draft</status> |
24 |
<title>Gentoo Security Benchmark</title> |
25 |
<description> |
26 |
This benchmarks helps people in improving their system configuration to be |
27 |
more resilient against attacks and vulnerabilities. |
28 |
</description> |
29 |
<platform idref="cpe:/o:gentoo:linux"/> |
30 |
- <version>20140201.1</version> |
31 |
+ <version>20140326.1</version> |
32 |
<model system="urn:xccdf:scoring:default" /> |
33 |
<model system="urn:xccdf:scoring:flat" /> |
34 |
<model system="urn:xccdf:scoring:flat-unweighted" /> |
35 |
@@ -355,7 +355,7 @@ |
36 |
</Group> |
37 |
</Group> |
38 |
<Group id="xccdf_org.gentoo.dev.swift_group_preinstallation"> |
39 |
- <title>Before startng</title> |
40 |
+ <title>Before starting</title> |
41 |
<description> |
42 |
Before starting to deploy Gentoo Linux and start hardening it, it is wise |
43 |
to take a step back and think about what to accomplish. Setting |
44 |
@@ -1244,6 +1244,48 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf |
45 |
</description> |
46 |
</Group> |
47 |
</Group> |
48 |
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog"> |
49 |
+ <title>Syslog service</title> |
50 |
+ <description> |
51 |
+ <h:p> |
52 |
+ The system logger handles all non-audit related logging generated by applications |
53 |
+ and daemons. In order to ensure proper forensic analysis if it would ever be needed, |
54 |
+ the system logger should be properly configured. |
55 |
+ </h:p> |
56 |
+ </description> |
57 |
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-logintervals"> |
58 |
+ <title>Configure the system logger to log intervals</title> |
59 |
+ <description> |
60 |
+ <h:p> |
61 |
+ Have the system logger log every 10 minutes or so. Without interval logging, |
62 |
+ administrators might think nothing is wrong although in reality the system |
63 |
+ logger is malfunctioning and not writing any log events. |
64 |
+ </h:p> |
65 |
+ </description> |
66 |
+ </Group> |
67 |
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-remotelogging"> |
68 |
+ <title>Enable remote logging</title> |
69 |
+ <description> |
70 |
+ <h:p> |
71 |
+ If possible, have vital (or all) logs sent to a remote system logger as well. |
72 |
+ In home deployments, off-the-shelf (wifi) routers often have a logging daemon |
73 |
+ that can receive syslog events. For larger environments, a dedicated centralized |
74 |
+ log server is recommended. |
75 |
+ </h:p> |
76 |
+ </description> |
77 |
+ </Group> |
78 |
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-services-syslog-terminal"> |
79 |
+ <title>Decide which events to send to user terminals</title> |
80 |
+ <description> |
81 |
+ <h:p> |
82 |
+ On Linux and Unix systems, events can be sent to user terminals to |
83 |
+ make those users immediately aware of what is happening. It is |
84 |
+ recommended to send emergency-level events to everyone and have |
85 |
+ alerts sent to specific administrative user terminals. |
86 |
+ </h:p> |
87 |
+ </description> |
88 |
+ </Group> |
89 |
+ </Group> |
90 |
</Group> |
91 |
<Group id="xccdf_org.gentoo.dev.swift_group_system-portage"> |
92 |
<title>Portage settings</title> |
93 |
@@ -1551,6 +1593,14 @@ tty12</h:pre> |
94 |
account (say <h:code>apache</h:code>) is abused to log on with, or |
95 |
that a new account is created as part of an exploit. |
96 |
</h:p> |
97 |
+ <h:p> |
98 |
+ The following example setting allows only local root logins on tty1, |
99 |
+ and only the <h:em>swift</h:em> account to log on on the system. |
100 |
+ </h:p> |
101 |
+ <h:pre> |
102 |
++ : root : tty1 |
103 |
+- : ALL EXCEPT swift : ALL |
104 |
+ </h:pre> |
105 |
</description> |
106 |
</Group> |
107 |
<Group id="xccdf_org.gentoo.dev.swift_group_system-auth-resources"> |
108 |
@@ -1731,6 +1781,28 @@ session required pam_unix.so</h:pre> |
109 |
</h:p> |
110 |
</description> |
111 |
</Group> |
112 |
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-caps"> |
113 |
+ <title>Limit capability enabled files</title> |
114 |
+ <description> |
115 |
+ <h:p> |
116 |
+ Capabilities within Linux allow users to perform certain privileged tasks. |
117 |
+ </h:p> |
118 |
+ <h:p> |
119 |
+ Unlike <h:em>setuid</h:em> flags, the allowed privileges can be defined |
120 |
+ in a more granular approach (although one can still add in all possible |
121 |
+ capabilities and thus gain similar privileges as through <h:em>setuid</h:em> |
122 |
+ binaries). |
123 |
+ </h:p> |
124 |
+ <h:p> |
125 |
+ Files with particular capabilities set (through the <h:b>setcap</h:b> |
126 |
+ application) should be regularly reviewed. Capability-enabled files |
127 |
+ can be found through the following command: |
128 |
+ </h:p> |
129 |
+ <h:pre> |
130 |
+# <h:b>getcap -r /</h:b> |
131 |
+ </h:pre> |
132 |
+ </description> |
133 |
+ </Group> |
134 |
<Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-logs"> |
135 |
<title>Logs only readable by proper group</title> |
136 |
<description> |