
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
Date: Sat, 01 Feb 2014 14:24:24
Message-Id: 1391264607.9b2ba0b21a29addbe49dd8bffb82c245f37cc65f.swift@gentoo
1 commit: 9b2ba0b21a29addbe49dd8bffb82c245f37cc65f
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sat Feb 1 14:23:27 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 1 14:23:27 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9b2ba0b2
7
8 Add in hidepid information (yes I know, grsec can also do this)
9
10 ---
11 xml/SCAP/gentoo-xccdf.xml | 41 ++++++++++++++++++++++++++++++++++++-----
12 1 file changed, 36 insertions(+), 5 deletions(-)
13
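diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 25621c0..d2bf154 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2013-12-20">draft</status>
+ <status date="2014-02-01">draft</status>
 <title>Gentoo Security Benchmark</title>
 <description>
 This benchmarks helps people in improving their system configuration to be
 more resilient against attacks and vulnerabilities.
 </description>
 <platform idref="cpe:/o:gentoo:linux"/>
- <version>20131220.1</version>
+ <version>20140201.1</version>
 <model system="urn:xccdf:scoring:default" />
 <model system="urn:xccdf:scoring:flat" />
 <model system="urn:xccdf:scoring:flat-unweighted" />
@@ -57,7 +57,7 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
 <!-- The /var/log/audit partition is mounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
- <!-- The /home partition is mounted with nodev -->
+ <!-- The /home partition is moounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
 <!-- The /tmp partition is mounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
@@ -99,6 +99,8 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
 <!-- Make sure PORTAGE_GPG_DIR is set -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
+ <!-- Make sure /etc/securetty only contains console and tty's -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings</title>
@@ -701,7 +703,7 @@
 for file systems are explained.
 </description>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
- <title>Appropriate mount options for the file systems</title>
+ <title>Using no* mount options for the file systems</title>
 <description>
 <h:p>
 Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
@@ -988,6 +990,26 @@ mount -o remount,usrquota,grpquota /home
 </check>
 </Rule>
 </Group> <!-- system-fs-quotas -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
+ <title>Hiding process information through hidepid</title>
+ <description>
+ <h:p>
+ In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
+ mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
+ all process information is world readable.
+ </h:p>
+ <h:p>
+ When the value 1 is passed, the process information is not readable, but process directories are still shown
+ in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
+ </h:p>
+ <h:p>
+ In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
+ option can be used to exempt this group from the PID hiding.
+ </h:p>
+ </description>
+ <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
+ the hidepid support</reference>
+ </Group>
 </Group> <!-- system-fs -->
 <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
 <title>System services</title>
@@ -1399,8 +1421,8 @@ PORTAGE_GPG_DIR="/etc/portage/gpg"
 <h:p>
 TODO looks like this has become a lot more difficult to obtain
 </h:p>
- <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
 </description>
+ <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
 <title>Password protect GRUB (legacy)</title>
@@ -1504,6 +1526,15 @@ tty1
 ...
 tty12</h:pre>
 </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
+ <title>/etc/securetty is limited to console and tty's</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
+ Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
 <title>Allow only known users to login</title>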
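Review bot: The new securetty-limitentries Rule's `<check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />` points at an OVAL definition that this commit does not add (the diffstat touches only gentoo-xccdf.xml), so unless def:32 already exists in gentoo-oval.xml the rule is now selected in the profile that extends into profile_default but cannot be evaluated. The hidepid Group added earlier in the section has the same gap from the other side: it carries a title, description and kernel reference but no Rule or check, so nothing in the benchmark tests the /proc mount option it documents, and a short description on the securetty Rule stating its intent (limiting the terminals on which root may log in directly, as enforced by pam_securetty) would help readers who only see the Rule. Separately, the /home comment in the second hunk rewrites "mounted" as "moounted" and should be reverted to `<!-- The /home partition is mounted with nodev -->`.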