author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2013-09-17 21:01:39 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2013-09-17 21:01:39 +0200 |
commit | d88ab0ae8f09a427faea0822761bba3a6596f216 (patch) | |
tree | 18309b8aa7c54eaae18ef857a34bdeebfed65cf2 | |
parent | SCAP content for Gentoo (diff) | |
Updates on SCAP - Test and generate fix code
-rw-r--r-- | xml/SCAP/Makefile | 12 | ||||
-rw-r--r-- | xml/SCAP/gentoo-oval.xml | 35 | ||||
-rw-r--r-- | xml/SCAP/gentoo-oval.xml.result.xml | 166 | ||||
-rw-r--r-- | xml/SCAP/gentoo-xccdf.xml | 33 | ||||
-rw-r--r-- | xml/SCAP/report.html | 292 | ||||
-rw-r--r-- | xml/SCAP/results-xccdf.xml | 326 |
6 files changed, 72 insertions, 792 deletions
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile index 81ebe1c..5964888 100644 --- a/xml/SCAP/Makefile +++ b/xml/SCAP/Makefile @@ -1,2 +1,12 @@ +all: report.html guide.html + report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml - oscap xccdf eval --cpe gentoo-cpe.xml --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml + oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml + +guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml + oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml + +eval: + oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml + +.PHONY: all eval diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml index d2ece23..b520353 100644 --- a/xml/SCAP/gentoo-oval.xml +++ b/xml/SCAP/gentoo-oval.xml @@ -53,6 +53,24 @@ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition" /> </criteria> </definition> + + <definition id="oval:org.gentoo.dev.swift:def:3" version="1" class="compliance"> + <metadata> + <title>The /home file system is mounted with the nosuid option</title> + <affected family="unix"> + <platform>Gentoo Linux</platform> + </affected> + <description> + This definition tests whether the /home partition is mounted with the nosuid + mount option. + </description> + </metadata> + <criteria operator="AND"> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition" /> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="The /home partition is mounted with nosuid mount option" /> + </criteria> + </definition> + </definitions> <tests> 
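Review bot: The `all` target regenerates `report.html` and `results-xccdf.xml` inside the source tree, the same generated files this commit deletes, so the next `make` recreates them as untracked output, and these outputs embed identifiers of the machine the scan ran on (the removed result files carried the hostname and interface addresses). Add a `clean` target and an ignore rule for the generated files, e.g. `clean:` / `	rm -f report.html guide.html results-xccdf.xml` and `.PHONY: all eval clean`. The profile id is also spelled out three times; a `PROFILE = xccdf_org.gentoo.dev.swift_profile_default` variable at the top would keep the three `oscap` invocations in step.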
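Review bot: def:3 AND-combines tst:2 with tst:3 although tst:3 runs against the same object (obj:2) with `check_existence="all_exist"`, so a system where /home is not a separate mount already fails tst:3 on its own and tst:2 does not change the verdict; a maintainer may read the two criteria as independent. If the intent is to keep a readable, separately reported "not a separate partition" criterion, say so, e.g. `<!-- tst:2 is kept so the result shows whether /home is a separate mount at all; tst:3 alone already fails in that case -->`; otherwise drop the first criterion. The new definition also carries no `<reference>` element, whereas def:2 appears to have a CCE reference (visible in the removed result file); add one if a CCE or handbook reference exists for the nosuid requirement.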
@@ -70,6 +88,15 @@ <!-- /home partition --> <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" /> </lin-def:partition_test> + + <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:3" + version="1" check="all" check_existence="all_exist" + comment="Tests that /home is mounted with nosuid option"> + <!-- /home partition --> + <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" /> + <!-- "nosuid" mount option --> + <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" /> + </lin-def:partition_test> </tests> <objects> @@ -85,10 +112,14 @@ </lin-def:partition_object> </objects> -<!-- <states> + + <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:1" + version="1" comment="The file system is mounted with the nosuid mount option"> + <lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options> + </lin-def:partition_state> + </states> ---> <!-- <variables> diff --git a/xml/SCAP/gentoo-oval.xml.result.xml b/xml/SCAP/gentoo-oval.xml.result.xml deleted file mode 100644 index 5ae9a7a..0000000 --- a/xml/SCAP/gentoo-oval.xml.result.xml +++ /dev/null 
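Review bot: The new partition_state matches `nosuid` with `entity_check="at least one"`, which is the right choice because a partition_item reports one mount_options entity per option (the removed result file shows `rw`, `seclabel`, `nosuid`, … as separate entities), but nothing in the file says so and a later editor may "tighten" it to `all` and break the test. A comment on the state would prevent that, e.g. `<!-- the collected partition_item lists each mount option as its own mount_options entity, so "at least one" of them must equal nosuid; "all" would never match -->`. The same reasoning applies to the `<!-- "nosuid" mount option -->` comment on tst:3 in the @@ -70 hunk.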
@@ -1,166 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<oval_results xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-results-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-results-5 oval-results-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"> - <generator> - <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name> - <oval:schema_version>5.10</oval:schema_version> - <oval:timestamp>2013-09-17T20:24:00</oval:timestamp> - </generator> - <directives> - <definition_true reported="true" content="full"/> - <definition_false reported="true" content="full"/> - <definition_unknown reported="true" content="full"/> - <definition_error reported="true" content="full"/> - <definition_not_evaluated reported="true" content="full"/> - <definition_not_applicable reported="true" content="full"/> - </directives> - <oval_definitions xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"> - <generator> - <oval:product_name>OVAL Gentoo Linux</oval:product_name> - <oval:product_version>20130917.1</oval:product_version> - 
<oval:schema_version>5.10</oval:schema_version> - <oval:timestamp>2013-09-17T19:42:00</oval:timestamp> - </generator> - <definitions> - <definition id="oval:org.gentoo.dev.swift:def:2" version="1" class="compliance"> - <metadata> - <title>The /home location must be a separate file system</title> - <affected family="unix"> - <platform>Gentoo Linux</platform> - </affected> - <reference source="CCE" ref_id="CCE-14559-9" ref_url="http://nvd.nist.gov/cce/index.cfm"/> - <description> - This definition tests whether the /home location is a separate file - system. - </description> - </metadata> - <criteria> - <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/> - </criteria> - </definition> - <definition id="oval:org.gentoo.dev.swift:def:1" version="1" class="inventory"> - <metadata> - <title>Gentoo Linux is installed</title> - <affected family="unix"> - <platform>Gentoo Linux</platform> - </affected> - <description> - This definition tests whether Gentoo Linux is installed. 
- </description> - </metadata> - <criteria> - <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="The /etc/gentoo-release file exists"/> - </criteria> - </definition> - </definitions> - <tests> - <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check_existence="all_exist" check="all" comment="Tests that /home is a separate file system"> - <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/> - </lin-def:partition_test> - <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check_existence="all_exist" check="all" comment="Tests that /etc/gentoo-release exists"> - <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/> - </unix-def:file_test> - </tests> - <objects> - <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="The /home partition"> - <lin-def:mount_point>/home</lin-def:mount_point> - </lin-def:partition_object> - <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="The /etc/gentoo-release file"> - <unix-def:filepath>/etc/gentoo-release</unix-def:filepath> - </unix-def:file_object> - </objects> - </oval_definitions> - <results> - <system> - <definitions> - <definition definition_id="oval:org.gentoo.dev.swift:def:2" result="true" version="1"> - <criteria operator="AND" result="true"> - <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" version="1" result="true"/> - </criteria> - </definition> - <definition definition_id="oval:org.gentoo.dev.swift:def:1" result="not evaluated" version="1"> - <criteria operator="AND" result="not evaluated"> - <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" version="1" result="not evaluated"/> - </criteria> - </definition> - </definitions> - <tests> - <test test_id="oval:org.gentoo.dev.swift:tst:2" version="1" check_existence="all_exist" check="all" result="true"> - <tested_item item_id="1277011" result="not evaluated"/> - </test> - <test test_id="oval:org.gentoo.dev.swift:tst:1" version="1" 
check_existence="all_exist" check="all" result="not evaluated"/> - </tests> - <oval_system_characteristics xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:unix-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix" xmlns:ind-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent" xmlns:lin-sys="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5 oval-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent independent-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix unix-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux linux-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"> - <generator> - <oval:product_name>cpe:/a:open-scap:oscap</oval:product_name> - <oval:schema_version>5.10</oval:schema_version> - <oval:timestamp>2013-09-17T20:24:00</oval:timestamp> - </generator> - <system_info> - <os_name>Linux</os_name> - <os_version>#5 SMP PREEMPT Wed Aug 14 18:25:47 CEST 2013</os_version> - <architecture>x86_64</architecture> - <primary_host_name>hpl</primary_host_name> - <interfaces> - <interface> - <interface_name>lo</interface_name> - <ip_address>127.0.0.1</ip_address> - <mac_address>00:00:00:00:00:00</mac_address> - </interface> - <interface> - <interface_name>wlan0</interface_name> - <ip_address>192.168.1.3</ip_address> - <mac_address>F0:7B:CB:0F:5A:3B</mac_address> - </interface> - <interface> - <interface_name>tap0</interface_name> - <ip_address>192.168.100.1</ip_address> - <mac_address>22:45:EA:47:E5:69</mac_address> - </interface> - <interface> - 
<interface_name>lo</interface_name> - <ip_address>::1</ip_address> - <mac_address>00:00:00:00:00:00</mac_address> - </interface> - <interface> - <interface_name>wlan0</interface_name> - <ip_address>fe80::f27b:cbff:fe0f:5a3b</ip_address> - <mac_address>F0:7B:CB:0F:5A:3B</mac_address> - </interface> - <interface> - <interface_name>tap0</interface_name> - <ip_address>2001:db8:81:e2:0:26b5:365b:5072</ip_address> - <mac_address>22:45:EA:47:E5:69</mac_address> - </interface> - <interface> - <interface_name>tap0</interface_name> - <ip_address>fe80::2045:eaff:fe47:e569</ip_address> - <mac_address>22:45:EA:47:E5:69</mac_address> - </interface> - </interfaces> - </system_info> - <collected_objects> - <object id="oval:org.gentoo.dev.swift:obj:2" version="1" flag="complete"> - <reference item_ref="1277011"/> - </object> - </collected_objects> - <system_data> - <lin-sys:partition_item id="1277011" status="exists"> - <lin-sys:mount_point>/home</lin-sys:mount_point> - <lin-sys:device>/dev/mapper/volgrp-home</lin-sys:device> - <lin-sys:fs_type>ext4</lin-sys:fs_type> - <lin-sys:mount_options>rw</lin-sys:mount_options> - <lin-sys:mount_options>seclabel</lin-sys:mount_options> - <lin-sys:mount_options>nosuid</lin-sys:mount_options> - <lin-sys:mount_options>nodev</lin-sys:mount_options> - <lin-sys:mount_options>noatime</lin-sys:mount_options> - <lin-sys:mount_options>nodelalloc</lin-sys:mount_options> - <lin-sys:mount_options>data=journal</lin-sys:mount_options> - <lin-sys:total_space datatype="int">15449087</lin-sys:total_space> - <lin-sys:space_used datatype="int">12723993</lin-sys:space_used> - <lin-sys:space_left datatype="int">2725094</lin-sys:space_left> - </lin-sys:partition_item> - </system_data> - </oval_system_characteristics> - </system> - </results> -</oval_results> diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml index 28098a7..a501b53 100644 --- a/xml/SCAP/gentoo-xccdf.xml +++ b/xml/SCAP/gentoo-xccdf.xml 
@@ -26,6 +26,8 @@ </description> <!-- The /home location is a separate file system --> <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" /> + <!-- The /home partition is mounted with nosuid --> + <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" /> </Profile> <Group id="xccdf_org.gentoo.dev.swift_group_intro"> <title>Introduction</title> @@ -106,7 +108,7 @@ the following command is used to generate the HTML output: <h:br /> <h:pre>### Command to generate this guide ### -# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml > output.html</h:b> +# <h:b>oscap xccdf generate guide gentoo-xccdf.xml > output.html</h:b> </h:pre> <h:br /> Secondly, together with this XCCDF XML, you will also find an OVAL XML file. @@ -116,11 +118,11 @@ <h:br /> Now, to validate the tests, you can use the following commands: <h:pre>### Testing the rules mentioned in the XCCDF document ### -# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre> +# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml</h:b></h:pre> <h:br /> To generate a full report in HTML as well, you can use the next command: <h:pre>### Testing the rules and generating an HTML report ### -# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre> +# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml</h:b></h:pre> <h:br /> <h:br /> Finally, this benchmark will suggest some settings which you do not want 
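Review bot: This hunk adds the nosuid rule to one profile only, while the @@ -280 hunk of this file sets both partition-home Rules to `selected="false"`, so any other profile that is not updated silently stops covering the /home checks; the removed results-xccdf.xml showed a second profile, `xccdf_org.gentoo.dev.swift_profile_intensive`, selecting only partition-home, and if it still exists it needs the same `<select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />`. The enclosing Profile element starts outside the hunk, so which profile this is cannot be confirmed from the diff.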
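Review bot: The documented command in the @@ -116 hunk still writes `--results xccdf-results.xml`, while the Makefile in this commit writes `results-xccdf.xml`, so a reader following the guide and a reader running `make` end up with differently named result files. Pick one name in both places, e.g. `--results results-xccdf.xml` here, since that is what the Makefile already produces. The guide text also omits `--cpe gentoo-cpe.xml`, which the Makefile passes; if the CPE dictionary is needed for the platform check, the documented command should show it too.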
@@ -280,13 +282,34 @@ The <h:code>/home</h:code> location should be on its own partition, allowing the administrator to mount this location with specific options targetting the file systems' security settings or quota. + <h:br /> + <h:br /> + Next to the separate file system, it should also be mounted with + the <h:em>nosuid</h:em> mount option. When a vulnerability in a + software, or a rogue user, would somehow place a setuid binary in + this home directory in order to create a simple backdoor to gain + root privileges, this mount option disables the setuid ability. </description> - <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"> + <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false"> <title>Test if /home is a separate partition</title> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" /> </check> </Rule> + <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false"> + <title>Test if /home is mounted with nosuid</title> + <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext> + <!-- TODO can we put in multiple fixes? I would like to add in one + that asks the user (not automatically) to update fstab --> + <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid" + system="urn:xccdf:fix:system:commands" + platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false"> +mount -o remount,nosuid /home + </fix> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" /> + </check> + </Rule> </Group> </Group> </Group> 
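Review bot: The fix `mount -o remount,nosuid /home` only changes the running mount; after the next reboot /home comes back with whatever /etc/fstab specifies, so a system "fixed" through this rule fails it again and nothing in the fixtext tells the administrator that. Make the persistence requirement explicit, e.g. `<fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with the nosuid mount option and add nosuid to the /home entry in /etc/fstab so the setting survives a reboot; the automated fix only remounts the running system.</fixtext>`. On the TODO: XCCDF allows several `<fix>` elements in one Rule, each with its own `id` and `system`, so a second, non-automated fix carrying the fstab guidance can sit next to the remount command. Note also that the existing partition-home Rule flips from `selected="true"` to `selected="false"` here, so it is now evaluated only when a profile selects it, consistent with the `--profile` added to the Makefile but a silent change for anyone running `oscap xccdf eval` without `--profile`. The enclosing Group starts outside the hunk.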
@@ -921,7 +944,7 @@ session required pam_unix.so</h:pre> <title>World writeable directories must have sticky bit set</title> <description>World writeable directories must have sticky bit set</description> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> - <check-content-ref href="scap-gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" /> + <check-content-ref href="gentoo-oval.xml" name="oval:@@OVALNS@@.static:def:2" /> </check> </Rule> </Group> diff --git a/xml/SCAP/report.html b/xml/SCAP/report.html deleted file mode 100644 index 76fed49..0000000 --- a/xml/SCAP/report.html +++ /dev/null 
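Review bot: After the href rename this check-content-ref points at gentoo-oval.xml but still names `oval:@@OVALNS@@.static:def:2`, which looks like an unexpanded template placeholder; the ids in gentoo-oval.xml use the `oval:org.gentoo.dev.swift:def:N` form, and def:2 there is the "/home is a separate file system" definition, not a sticky-bit check, so this rule can only yield an error for an unresolvable id or, should the placeholder ever be expanded to that namespace, a verdict that belongs to a different test. Either point it at a real sticky-bit definition once one is written, or mark the Rule `selected="false"` until then so the report does not show a misleading result. The Rule and its Group start outside the hunk.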
@@ -1,292 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svg="http://www.w3.org/2000/svg"> - <head> - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> - <title>XCCDF test result</title> - <meta name="generator" content="" /> - <meta name="Content-Type" content="text/html;charset=utf-8" /> - <style type="text/css" media="all"> - html, body { background-color: black; font-family:sans-serif; margin:0; padding:0; } - abbr { text-transform:none; border:none; font-variant:normal; } - div.score-outer { height: .8em; width:100%; min-width:100px; background-color: red; } - div.score-inner { height: 100%; background-color: green; } - .score-max, .score-val, .score-percent { text-align:right; } - .score-percent { font-weight: bold; } - th, td { padding-left:.5em; padding-right:.5em; } - .rule-selected, .result-pass strong, .result-fixed strong { color:green; } - .rule-inactive, .unknown, .result-notselected strong, .result-notchecked strong, .result-notapplicable strong, .result-informational strong, .result-unknown strong { color:#555; } - .rule-notselected, .result-error strong, .result-fail strong { color:red; } - table { border-collapse: collapse; border: 1px black solid; width:100%; } - table th, thead tr { background-color:black; color:white; } - table td { border-right: 1px black solid; } - table td.result, table td.link { text-align:center; } - table td.num { text-align:right; } - div#rule-results-summary { margin-bottom: 1em; } - table tr.result-legend td { width: 10%; } - div#content p { text-align:justify; } - div.result-detail { border: 1px solid black; margin: 2em 0; padding: 0 1em; } - div#content h2 { border-bottom:2px dashed; margin-top:1em; margin-bottom:0.5em; text-align:center; } - div#content h2#summary { margin-top:0; } - h1 { 
margin:1em 0; } - div.raw table, div.raw table td { border:none; width:auto; padding:0; } - div.raw table { margin-left: 2em; } - div.raw table td { padding: .1em .7em; } - table tr { border-bottom: 1px dotted #000; } - dir.raw table tr { border-bottom: 0 !important; } - pre.code { background: #ccc; padding:.2em; } - ul.toc-struct li { list-style-type: none; } - div.xccdf-rule { margin-left: 10%; } - div#footer, p.remark, .link { font-size:.8em; } - thead tr td { font-weight:bold; text-align:center; } - .hidden { display:none; } - td.score-bar { text-align:center; } - td.score-bar span.media { width:100%; min-width:7em; height:.8em; display:block; margin:0; padding:0; } - .oval-results { font-size:.8em; overflow:auto; } - div#guide-top-table table { width: 100%; } - td#common-info { min-width: 25.0em; border-right: 1px solid #000; } - td#versions-revisions { width: 25.0em; } - </style> - <style type="text/css" media="screen"> - div#content, div#header, div#footer { margin-left:1em; margin-right:1em; } - div#content { background-color: white; padding:2em; } - div#footer, div#header { color:white; text-align:center; } - a, a:visited { color:blue; text-decoration:underline; } - div#content p.link { text-align:right; font-size:.8em; } - div#footer a { color:white; } - div.xccdf-group, div.xccdf-rule { border-left: 3px solid white; padding-left:.3em; } - div.xccdf-group:target, div.xccdf-rule:target { border-left-color:#ccc; } - .toc-struct li:target { background:#ddd; } - abbr { border-bottom: 1px black dotted; } - abbr.date { border-bottom:none; } - pre.code { overflow:auto; } - table tbody tr:hover { background: #ccc; } - div.raw table tbody tr:hover { background: transparent !important; } - </style> - <style type="text/css" media="print"> - @page { margin:3cm; } - html, body { background-color:white; font-family:serif; } - .link { display:none; } - a, a:visited { color:black; text-decoration:none; } - div#header, div#footer { text-align:center; } - div#header { 
padding-top:36%; } - h1 { vertical-align:center; } - h2 { page-break-before:always; } - h3, h4, h5 { page-break-after:avoid; } - pre.code { background: #ccc; } - div#footer { margin-top:auto; } - .toc-struct { page-break-after:always; } - </style> - </head> - <body> - <div id="xccdf_org.open-scap_testresult_default-profile"> - <div id="header"> - <h1>XCCDF test result</h1> - </div> - <div id="content"> - <div id="intro"> - <h2>Introduction</h2> - <div> - <h3>Test Result</h3> - <div id="test-result-summary"> - <table> - <thead> - <tr> - <td>Result ID</td> - <td>Profile</td> - <td>Start time</td> - <td>End time</td> - <td>Benchmark</td> - <td>Benchmark version</td> - </tr> - </thead> - <tbody> - <tr> - <td align="center">xccdf_org.open-scap_testresult_default-profile</td> - <td align="center"> - (Default profile) - </td> - <td align="center"> - <abbr title="2013-09-17T20:24:00" class="date">2013-09-17 20:24</abbr> - </td> - <td align="center"> - <abbr title="2013-09-17T20:24:00" class="date">2013-09-17 20:24</abbr> - </td> - <td align="center"> - <span>embedded</span> - </td> - <td align="center">20130917.1</td> - </tr> - </tbody> - </table> - </div> - </div> - <div> - <h3>Target info</h3> - <div class="raw"> - <table> - <tbody> - <tr> - <td valign="top"> - <h4>Targets</h4> - <ul class="itemizedlist"> - <li>hpl</li> - </ul> - </td> - <td valign="top"> - <h4>Addresses</h4> - <ul class="itemizedlist"> - <li>127.0.0.1</li> - <li>192.168.1.3</li> - <li>192.168.100.1</li> - <li>::1</li> - <li>fe80::f27b:cbff:fe0f:5a3b</li> - <li>2001:db8:81:e2:0:26b5:365b:5072</li> - <li>fe80::2045:eaff:fe47:e569</li> - </ul> - </td> - <td></td> - <td valign="top"> - <h4>Platforms</h4> - <ul class="itemizedlist"> - <li>cpe:/o:gentoo:linux</li> - </ul> - </td> - <td valign="top"></td> - </tr> - </tbody> - </table> - </div> - </div> - <div> - <h3>Score</h3> - <div> - <table> - <thead> - <tr> - <td>system</td> - <td>score</td> - <td>max</td> - <td>%</td> - <td>bar</td> - </tr> - </thead> - 
<tbody> - <tr id="score-urn-xccdf-scoring-default"> - <td class="score-sys">urn:xccdf:scoring:default</td> - <td class="score-val">100.00</td> - <td class="score-max">100.00</td> - <td class="score-percent">100.00%</td> - <td class="score-bar"> - <span class="media"> - <svg xmlns="http://www.w3.org/2000/svg" xmlns:ovalres="http://oval.mitre.org/XMLSchema/oval-results-5" xmlns:sceres="http://open-scap.org/page/SCE_result_file" width="100%" height="100%" version="1.1" baseProfile="full"> - <rect width="100%" height="100%" fill="red"></rect> - <rect height="100%" width="100.00%" fill="green"></rect> - <rect height="100%" x="100.00%" width="2" fill="black"></rect> - </svg> - </span> - </td> - </tr> - </tbody> - </table> - </div> - </div> - </div> - <div id="results-overview"> - <h2>Results overview</h2> - <div id="rule-results-summary"> - <h4>Rule Results Summary</h4> - <table> - <thead> - <tr> - <td>pass</td> - <td>fixed</td> - <td>fail</td> - <td>error</td> - <td>not selected</td> - <td>not checked</td> - <td>not applicable</td> - <td>informational</td> - <td>unknown</td> - <td>total</td> - </tr> - </thead> - <tbody> - <tr class="result-legend"> - <td align="center" class="result-pass"> - <strong class="strong">1</strong> - </td> - <td align="center" class="result-fixed"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-fail"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-error"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-notselected"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-notchecked"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-notapplicable"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-informational"> - <strong class="strong">0</strong> - </td> - <td align="center" class="result-unknown"> - <strong class="strong">0</strong> - </td> - <td align="center"> - 
<strong class="strong">1</strong> - </td> - </tr> - </tbody> - </table> - </div> - <div> - <h4 class="hidden">Rule results summary</h4> - <table> - <thead> - <tr> - <td>Title</td> - <td>Result</td> - </tr> - </thead> - <tbody> - <tr class="result-pass"> - <td class="id"> - <a href="#ruleresult-idm2812214624720">Test if /home is a separate partition</a> - </td> - <td class="result"> - <strong class="strong">pass</strong> - </td> - </tr> - </tbody> - </table> - </div> - </div> - <div id="results-details"> - <h2>Results details</h2> - <div class="result-detail" id="ruleresult-idm2812214624720"> - <h3>Result for Test if /home is a separate partition</h3> - <p class="result-pass">Result: <strong class="strong">pass</strong></p> - <p>Rule ID: <strong class="strong">xccdf_org.gentoo.dev.swift_rule_partition-home</strong></p> - <p>Time: <strong class="strong"><abbr title="2013-09-17T20:24:00" class="date">2013-09-17 20:24</abbr></strong></p> - <p class="link"> - <a href="#results-overview">results overview</a> - </p> - </div> - </div> - </div> - <div id="footer"> - <p> Generated by <a href="http://open-scap.org">OpenSCAP</a> - (0.9.8) - on <abbr title="2013-09-17T20:24:00+02:00" class="date">2013-09-17 20:24</abbr>.</p> - </div> - </div> - </body> -</html> diff --git a/xml/SCAP/results-xccdf.xml b/xml/SCAP/results-xccdf.xml deleted file mode 100644 index db19a4c..0000000 --- a/xml/SCAP/results-xccdf.xml +++ /dev/null 
@@ -1,326 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" resolved="1"> - <status date="2013-09-17">draft</status> - <title>Gentoo Security Benchmark</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - This benchmarks helps people in improving their system configuration to be - more resilient against attacks and vulnerabilities. - </description> - <platform idref="cpe:/o:gentoo:linux"/> - <version>20130917.1</version> - <model system="urn:xccdf:scoring:default"/> - <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive"> - <title>Default server setup settingsIntensive validation profile</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - In this profile, we verify common settings for Gentoo Linux - configurations. The tests that are enabled in this profile can be ran - without visibly impacting the performance of the system. - - This profile extends the default server profile by including tests that - are more intensive to run on a system. Tests such as full file system - scans to find world-writable files or directories have an otherwise too - large impact on the performance of a server. - </description> - <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/> - </Profile> - <Profile id="xccdf_org.gentoo.dev.swift_profile_default"> - <title>Default server setup settings</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - In this profile, we verify common settings for Gentoo Linux - configurations. The tests that are enabled in this profile can be ran - without visibly impacting the performance of the system. 
- </description> - <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/> - </Profile> - <Group id="xccdf_org.gentoo.dev.swift_group_intro"> - <title>Introduction</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Since years, Gentoo Linux has a Gentoo Security Handbook - which provides a good insight in secure system - configuration for a Gentoo systems. Although this is important, an - improved method for describing and tuning a systems' security state has - emerged: SCAP, or the <h:em xmlns:h="http://www.w3.org/1999/xhtml">Security Content Automation Protocol</h:em>. - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - As such, this benchmark is an update on the security - handbook, including both the in-depth explanation of settings as well as - the means to validate if a system complies with this or not. Now, during - the development of this benchmark document, we did not include all - information from the Gentoo Security Handbook as some of the settings are - specific to a service that is not all that default on a Gentoo Linux - system. Although these settings are important as well, it is our believe - that this is best done in separate benchmarks for those services instead. - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - Where applicable, this benchmark will refer to a different hardening guide - for specific purposes (such as the Hardening OpenSSH benchmark). - </description> - <reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo - Security Handbook</reference> - <Group id="xccdf_org.gentoo.dev.swift_group_intro-security"> - <title>This is no security policy</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - It is <h:em xmlns:h="http://www.w3.org/1999/xhtml">very important</h:em> to realize that this document is not a - policy. 
You are not obliged to follow this if you want a secure system - nor do you need to agree with everything said in the document. - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - The purpose of this document is to guide you in your quest to hardening - your system. It will provide pointers that could help you decide in - particular configuration settings and will do this hopefully using - sufficient background information to make a good choice. - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - You <h:em xmlns:h="http://www.w3.org/1999/xhtml">will</h:em> find settings you don't agree with. That's fine, but - if you disagree with <h:em xmlns:h="http://www.w3.org/1999/xhtml">why</h:em> we do this, we would like to hear it - and we'll add the feedback to the guide. - </description> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap"> - <title>A little more about SCAP and OVAL</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Within SCAP, NIST has defined some new standards of which XCCDF and OVAL - are notably important in light of the guide you are currently using. - <h:ul xmlns:h="http://www.w3.org/1999/xhtml"> - <h:li> - XCCDF (Extensible Configuration Checklist Description Format) is - a specification language for writing security checklists and benchmarks - (such as the one you are reading now) - </h:li> - <h:li> - OVAL (Open Vulnerability and Assessment Language) is a standard to describe - and validate system settings - </h:li> - </h:ul> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - Thanks to the OVAL and XCCDF standards, a security engineer can now describe - how the state of a system should be configured, how this can be checked - automatically and even report on these settings. 
Furthermore, within the - description, the engineer can make "profiles" of different states (such as - a profile for a workstation, server (generic), webserver, LDAP server, - ...) and reusing the states (rules) identified in a more global scope. - </description> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_intro-using"> - <title>Using this guide</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - The guide you are currently reading is the guide generated from this SCAP - content (more specifically, the XCCDF document) using <h:b xmlns:h="http://www.w3.org/1999/xhtml">openscap</h:b>, - a free software implementation for handling SCAP content. Within Gentoo, - the package <h:code xmlns:h="http://www.w3.org/1999/xhtml">app-forensics/openscap</h:code> provides the tools, and - the following command is used to generate the HTML output: - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Command to generate this guide ### -# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml > output.html</h:b> - </h:pre> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - Secondly, together with this XCCDF XML, you will also find an OVAL XML file. - The two files combined allow you to automatically validate various settings as - documented in the benchmark. 
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - Now, to validate the tests, you can use the following commands: - <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules mentioned in the XCCDF document ### -# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - To generate a full report in HTML as well, you can use the next command: - <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules and generating an HTML report ### -# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - Finally, this benchmark will suggest some settings which you do not want - to enable. That is perfectly fine - even more, some settings might even - raise eyebrows left and right. We will try to document the reasoning behind - the settings but you are free to deviate from them. If that is the case, - you might want to disable the rules in the XCCDF document so that they are - not checked on your system. - </description> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles"> - <title>Available XCCDF Profiles</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - As mentioned earlier, the XCCDF document supports multiple profiles. 
For the time - being, two profiles are defined: - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:ul xmlns:h="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.2"> - <h:li> - The <em>default</em> profile contains tests that are quick to validate - </h:li> - <h:li> - The <em>intensive</em> profile contains all tests, including those that - take a while (for instance because they perform full file system scans) - </h:li> - </h:ul> - Substitute the profile information in the commands above with the profile you want to test on. - </description> - </Group> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation"> - <title>Before You Start</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Before you start deploying Gentoo Linux and start hardening it, it is wise - to take a step back and think about what you want to accomplish. Setting - up a more secured Gentoo Linux isn't a goal, but a means to reach - something. Most likely, you are considering setting up a Gentoo Linux - powered server. What is this server for? Where will you put it? What other - services will you want to run on the same OS? Etc. - </description> - <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing"> - <title>Infrastructure Architecturing</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - When considering your entire IT architecture, many architecturing - frameworks exist to write down and further design your infrastructure. - There are very elaborate ones, like TOGAF (The Open Group Architecture - Framework), but smaller ones exist as well. - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - A well written and maintained infrastructure architecture helps you - position new services or consider the impact of changes on existing - components. And the reason for mentioning such a well designed architecture - in a hardening guide is not weird. 
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - Security is about reducing risks, not about harassing people or making - work for a system administrator harder. And reducing risks also means - that you need to keep a clear eye out on your architecture and all its - components. If you do not know what you are integrating, where you are - putting it or why, then you have more issues to consider than hardening - a system. - </description> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements"> - <title>Mapping Requirements</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - When you design a service, you need to take both functional and - non-functional requirements into account. That does sound like - overshooting for a simple server installation, but it is not. Have you - considered auditing? Where do the audit logs need to be sent to? What - about authentication? Centrally managed, or manually set? And the server - you are installing, will it only host a particular service, or will it - provide several services? - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - When hosting multiple services on the same server, make sure that the - server is positioned within your network on an acceptable segment. It is - not safe to host your central LDAP infrastructure on the same system as - your web server that is facing the Internet. - </description> - <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware"> - <title>Non-Software Security Concerns</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - From the next chapter onwards, we will only focus on the software side - hardening. 
There are of course also non-software concerns that you - should investigate. - </description> - <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security - Handbook (RFC2196)</reference> - <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical"> - <title>Physical Security</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Make sure that your system is only accessible (physically) by trusted - people. Fully hardening your system, only to have a malicious person - take out the harddisk and run away with your confidential data is not - something you want to experience. - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - <h:br xmlns:h="http://www.w3.org/1999/xhtml"/> - When physical security cannot be guaranteed (like with laptops), make - sure that theft of the device only results in the loss of the hardware - and not of the data and software on it (backups), and also that the - data on it cannot be read by unauthorized people. We will come back on - disk encryption later. - </description> - <reference href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data - Center Physical Security Checklist (SANS, PDF)</reference> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies"> - <title>Policies and Contractual Agreements</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Create or validate the security policies in your organization. This is - not only as a stick (against internal people who might want to abuse - their powers) but also to document and describe why certain decisions - are made (both architecturally as otherwise). 
- </description> - <reference href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical - Writing for IT Security Policies in Five Easy Steps (SANS, - PDF)</reference> - <reference href="https://www.sans.org/security-resources/policies/">Information - Security Policy Templates (SANS)</reference> - </Group> - </Group> - </Group> - <Group id="xccdf_org.gentoo.dev.swift_group_installation"> - <title>Installation Configuration</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Let's focus now on the OS hardening. Gentoo Linux allows you to update the - system as you want after installation, but it might be interesting to - consider the following aspects during installation if you do not want a - huge migration project later. - </description> - <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage"> - <title>Storage Configuration</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Your storage is of utmost importance in any environment. It needs to be - sufficiently fast, not to jeopardize performance, but also secure and - manageable yet still remain flexible to handle future changes. - </description> - <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning"> - <title>Partitioning</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - Know which locations in your file system structure you want on a - different partition or logical volume. Separate locations allow for a - more distinct segregation (for instance, hard links between different - file systems) and low-level protection (file system corruption impact, - but also putting the right data on the right storage media). 
- </description> - <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy - Standard</reference> - <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home"> - <title>/home Location</title> - <description xmlns:xhtml="http://www.w3.org/1999/xhtml"> - The <h:code xmlns:h="http://www.w3.org/1999/xhtml">/home</h:code> location should be on its own partition, - allowing the administrator to mount this location with specific - options targetting the file systems' security settings or quota. - </description> - <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"> - <title>Test if /home is a separate partition</title> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> - <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/> - </check> - </Rule> - </Group> - </Group> - </Group> - </Group> - <TestResult id="xccdf_org.open-scap_testresult_default-profile" start-time="2013-09-17T20:24:00" end-time="2013-09-17T20:24:00"> - <title>OSCAP Scan Result</title> - <identity authenticated="false" privileged="false">swift</identity> - <target>hpl</target> - <target-address>127.0.0.1</target-address> - <target-address>192.168.1.3</target-address> - <target-address>192.168.100.1</target-address> - <target-address>::1</target-address> - <target-address>fe80::f27b:cbff:fe0f:5a3b</target-address> - <target-address>2001:db8:81:e2:0:26b5:365b:5072</target-address> - <target-address>fe80::2045:eaff:fe47:e569</target-address> - <target-facts> - <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact> - <fact name="urn:xccdf:fact:scanner:version" type="string">0.9.8</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" 
type="string">00:00:00:00:00:00</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact> - <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact> - </target-facts> - <rule-result idref="xccdf_org.gentoo.dev.swift_rule_partition-home" time="2013-09-17T20:24:00" weight="1.000000"> - <result>pass</result> - <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> - <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/> - </check> - </rule-result> - <score system="urn:xccdf:scoring:default" maximum="100.000000">100.000000</score> - </TestResult> -</Benchmark> |