commit: 9b2ba0b21a29addbe49dd8bffb82c245f37cc65f |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Feb 1 14:23:27 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 1 14:23:27 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9b2ba0b2 |
|
Add in hidepid information (yes I know, grsec can also do this) |
|
--- |
xml/SCAP/gentoo-xccdf.xml | 41 ++++++++++++++++++++++++++++++++++++----- |
1 file changed, 36 insertions(+), 5 deletions(-) |
|
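--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2013-12-20">draft</status>
+ <status date="2014-02-01">draft</status>
 <title>Gentoo Security Benchmark</title>
 <description>
 This benchmarks helps people in improving their system configuration to be
 more resilient against attacks and vulnerabilities.
 </description>
 <platform idref="cpe:/o:gentoo:linux"/>
- <version>20131220.1</version>
+ <version>20140201.1</version>
 <model system="urn:xccdf:scoring:default" />
 <model system="urn:xccdf:scoring:flat" />
 <model system="urn:xccdf:scoring:flat-unweighted" />
@@ -57,7 +57,7 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
 <!-- The /var/log/audit partition is mounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
- <!-- The /home partition is mounted with nodev -->
+ <!-- The /home partition is moounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
 <!-- The /tmp partition is mounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
@@ -99,6 +99,8 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
 <!-- Make sure PORTAGE_GPG_DIR is set -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
+ <!-- Make sure /etc/securetty only contains console and tty's -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings</title>
@@ -701,7 +703,7 @@
 for file systems are explained.
 </description>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
- <title>Appropriate mount options for the file systems</title>
+ <title>Using no* mount options for the file systems</title>
 <description>
 <h:p>
 Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
@@ -988,6 +990,26 @@ mount -o remount,usrquota,grpquota /home
 </check>
 </Rule>
 </Group> <!-- system-fs-quotas -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
+ <title>Hiding process information through hidepid</title>
+ <description>
+ <h:p>
+ In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
+ mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
+ all process information is world readable.
+ </h:p>
+ <h:p>
+ When the value 1 is passed, the process information is not readable, but process directories are still shown
+ in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
+ </h:p>
+ <h:p>
+ In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
+ option can be used to exempt this group from the PID hiding.
+ </h:p>
+ </description>
+ <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
+ the hidepid support</reference>
+ </Group>
 </Group> <!-- system-fs -->
 <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
 <title>System services</title>
@@ -1399,8 +1421,8 @@ PORTAGE_GPG_DIR="/etc/portage/gpg"
 <h:p>
 TODO looks like this has become a lot more difficult to obtain
 </h:p>
- <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
 </description>
+ <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
 <title>Password protect GRUB (legacy)</title>
@@ -1504,6 +1526,15 @@ tty1
 ...
 tty12</h:pre>
 </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
+ <title>/etc/securetty is limited to console and tty's</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
+ Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
 <title>Allow only known users to login</title>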
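Review bot: The /home comment in the second hunk (@@ -57,7 +57,7 @@) now reads "moounted", replacing a correctly spelled line with a typo; it should be restored to `<!-- The /home partition is mounted with nodev -->`. The new hidepid group in the fifth hunk carries only a title, description and reference, with no `<Rule>`, `<check>` or `<fixtext>`, and the profile hunk selects no hidepid rule, so the benchmark documents the `/proc` hardening without ever evaluating or scoring it; a rule with a fixtext such as an fstab entry `proc /proc proc hidepid=2 0 0` (constructed example) would make it actionable once an OVAL definition exists for the mount option. The securetty rule in the last hunk references `oval:org.gentoo.dev.swift:def:32` in gentoo-oval.xml, yet the diffstat shows only gentoo-xccdf.xml changed, so that definition presumably exists already or is added separately; it should be confirmed, otherwise the check dangles and the rule selected in the profile can never pass.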