commit: 15f31c8d487f24d0d6971801531ebfc9e06161ec |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sun Mar 30 20:06:31 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 30 20:06:31 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=15f31c8d |
|
Add test for world writable directories |
|
--- |
xml/SCAP/gentoo-oval.xml | 101 ++++++++++++++++++++++++++++++++++++++++++++++ |
xml/SCAP/gentoo-xccdf.xml | 29 ++++++++++++- |
2 files changed, 128 insertions(+), 2 deletions(-) |
|
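diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index f873701..427e5c1 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -581,6 +581,37 @@
 </criteria>
 </definition>
 
+ <definition id="oval:org.gentoo.dev.swift:def:35" version="1" class="compliance">
+ <metadata>
+ <title>/etc/lilo.conf has a password set</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ If /etc/lilo.conf exists, then it must have a password set.
+ </description>
+ </metadata>
+ <criteria operator="OR">
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="/etc/lilo.conf does not exist" />
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="/etc/lilo.conf has a password set" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:36" version="1" class="compliance">
+ <metadata>
+ <title>All world writable directories have the sticky bit set</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ All world writable directories must have the sticky bit set.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="All world writable directories have the sticky bit set" />
+ </criteria>
+ </definition>
+
 </definitions>
 
 <tests>
@@ -879,6 +910,7 @@
 version="1" check="at least one" check_existence="at_least_one_exists">
 <!-- The /boot/grub/grub.conf file content -->
 <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+ <!-- A "password - -md5 somevalue" match -->
 <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
 </ind-def:textfilecontent54_test>
 
@@ -889,6 +921,31 @@
 <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
 </unix-def:file_test>
 
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:38"
+ version="1" check="all" check_existence="none_exist"
+ comment="/etc/lilo.conf does not exist">
+ <!-- The /etc/lilo.conf file -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+ </unix-def:file_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39"
+ comment="lilo.conf has a password set"
+ version="1" check="at least one" check_existence="at_least_one_exists">
+ <!-- The /etc/lilo.conf content -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+ <!-- A password=somevalue match -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+ </ind-def:textfilecontent54_test>
+
+ <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:40"
+ comment="All world writable directories have the sticky bit set"
+ version="1" check="all" check_existence="all_exist">
+ <!-- All world writable directories -->
+ <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+ <!-- sticky bit is set -->
+ <unix-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+ </unix-def:file_test>
+
 </tests>
 
 <objects>
@@ -1031,6 +1088,35 @@
 <unix-def:filepath>/boot/grub</unix-def:filepath>
 </unix-def:file_object>
 
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:25"
+ version="1" comment="The /etc/lilo.conf file">
+ <unix-def:filepath>/etc/lilo.conf</unix-def:filepath>
+ </unix-def:file_object>
+
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26"
+ version="1" comment="The /etc/lilo.conf content">
+ <ind-def:filepath>/etc/lilo.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:27"
+ version="1" comment="All world writable directories">
+ <set set_operator="UNION" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <!-- All local directories -->
+ <object_reference>oval:org.gentoo.dev.swift:obj:28</object_reference>
+ <!-- filter out just those with the world-writable bit set -->
+ <filter action="exclude">oval:org.gentoo.dev.swift:ste:18</filter> <!-- exclude is default but this is more readable -->
+ </set>
+ </unix-def:file_object>
+
+ <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:28"
+ version="1" comment="All local directories">
+ <unix-def:behaviors recurse_direction="down" recurse_file_system="local" recurse="directories"/>
+ <unix-def:path>/</unix-def:path>
+ <unix-def:filename xsi:nil="true"/>
+ </unix-def:file_object>
+
 </objects>
 
 <states>
@@ -1110,6 +1196,21 @@
 <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
 </ind-def:textfilecontent54_state>
 
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16"
+ version="1" comment="Has a password=... entry">
+ <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password=[\S]+</ind-def:subexpression>
+ </ind-def:textfilecontent54_state>
+
+ <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:17"
+ version="1" comment="The sticky bit is set">
+ <unix-def:sticky datatype="boolean">1</unix-def:sticky>
+ </unix-def:file_state>
+
+ <unix-def:file_state id="oval:org.gentoo.dev.swift:ste:18"
+ version="1" comment="Not world writable">
+ <unix-def:owrite datatype="boolean">0</unix-def:owrite>
+ </unix-def:file_state>
+
 </states>
 
 <variables>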
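Review bot: The pattern on obj:26, `^([^#\n]*)(?#.*)?$`, does not express the "strip a trailing comment" intent: in the Perl-style regex syntax OVAL uses, `(?#.*)` is a regex comment rather than an optional `#…` group, so a line such as `password=x # note` can never satisfy the `$` anchor and is not collected at all, and some engines may reject the stray `?` that follows the comment. A non-capturing group keeps the fix from adding a second subexpression (which the `entity_check="all"` state ste:16 would also have to match): `<ind-def:pattern operation="pattern match">^([^#\n]*)(?:#.*)?$</ind-def:pattern>`. Separately, tst:40 is declared with `check_existence="all_exist"`; as I read the OVAL existence semantics, a host with no world-writable directory at all then fails the test instead of passing vacuously, so `check_existence="any_exist"` together with the existing `check="all"` seems to be the contract the definition title describes.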
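diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 732bde3..aa85c1e 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -20,6 +20,8 @@
 large impact on the performance of a server. Tests include scripted
 validationn.
 </description>
+ <!-- Make sure all world-writable directories have the sticky bit set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive-oval" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Intensive validation profile (non-scripted)</title>
@@ -30,6 +32,8 @@
 large impact on the performance of a server. Tests do not include
 scripted validation.
 </description>
+ <!-- Make sure all world-writable directories have the sticky bit set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings (non-scripted)</title>
@@ -103,8 +107,10 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
 <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
- <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+ <!-- Make sure /boot/grub/grub.conf (if it exists) has a password entry with md5 hash -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
+ <!-- Make sure /etc/lilo.conf (if it exists) has a password entry -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings</title>
@@ -1516,7 +1522,7 @@ grub> <h:b>quit</h:b></h:pre>
 </h:p>
 </description>
 <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
- <title>Grub legacy has a password entry with md5 hash</title>
+ <title>Grub legacy (if it exists) has a password entry with md5 hash</title>
 <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
 Edit /boot/grub/grub.conf and set a password entry with md5 hash
 </fixtext>
@@ -1557,6 +1563,15 @@ image=/boot/bzImage
 Rerun <h:code>lilo</h:code> after updating the configuration file.
 </h:p>
 </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_liloconf-password" selected="false" severity="low" weight="6.9">
+ <title>LILO (if it exists) has a password entry</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_liloconf-password">
+ Edit /etc/lilo.conf and set a password entry
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
 </Group>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-auth">
@@ -1782,6 +1797,16 @@ session required pam_unix.so</h:pre>
 world writable privilege is not accessible anyhow).
 </h:p>
 </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit" selected="false" severity="medium" weight="4.3">
+ <title>All world writable directories have the sticky bit set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit">
+ Make sure all world-writable directories have the sticky bit set
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-fileprivileges-suidsgid">
 <title>Limit setuid and setgid file and directory usage</title>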
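Review bot: The new worldwritedir-stickybit Rule's `fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedirs-stickybit"` uses the plural `worldwritedirs`, which breaks the rule-id/fixref pairing the file otherwise keeps (the lilo Rule added in the same commit pairs `_rule_liloconf-password` with `_fix_liloconf-password`, and the grub Rule pairs the same way). No `<fix>` element is visible in this diff, so I cannot tell whether a fix with the plural id exists elsewhere in gentoo-xccdf.xml; if it does not, the fixtext reference dangles and a report reader gets no remediation link for the one rule that a scan of every local directory is spent on. Unless a matching `<fix>` already exists, `fixref="xccdf_org.gentoo.dev.swift_fix_worldwritedir-stickybit"` would align it with the rule id. The enclosing Group starts outside the hunk.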