-rw-r--r-- | xml/SCAP/Makefile | 2 | ||||
-rw-r--r-- | xml/SCAP/gentoo-oval.xml | 35 | ||||
-rw-r--r-- | xml/SCAP/gentoo-xccdf.xml | 20 |
3 files changed, 54 insertions, 3 deletions
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index f0b8628..1a48ecf 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -28,6 +28,8 @@ prep:
 -cp -R bin/ ~/tmp/
 -cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
 -sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
+ -sed -i "s|@@VERSION@@|`date +%Y%m%d`|g" ~/tmp/gentoo-xccdf.xml
+ -sed -i "s|@@DATE@@|`date +%Y-%m-%d`|g" ~/tmp/gentoo-xccdf.xml
 
 upload:
 -pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html report-gentoo-xccdf.html $(location)/; popd;
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index a031348..7f6e674 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -547,6 +547,21 @@
 </criteria>
 </definition>
 
+ <definition id="oval:org.gentoo.dev.swift:def:33" version="1" class="compliance">
+ <metadata>
+ <title>/proc is mounted with hidepid=1 or hidepid=2</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The /proc file system should be mounted with hidepid=1 or 2 so that other users' processes are not visible to non-authorized accounts.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="/proc is mounted with hidepid=1 or hidepid=2" />
+ </criteria>
+ </definition>
+
 </definitions>
 
 <tests>
@@ -824,6 +839,16 @@
 <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
 </ind-def:textfilecontent54_test>
 
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:34"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /proc is mounted with hidepid=1 or hidepid=2 option">
+ <!-- /proc partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+ <!-- "hidepid=[12]" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+ </lin-def:partition_test>
+
+
 </tests>
 
 <objects>
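Review bot: The two added `-sed` lines run under make's `-` ignore-errors prefix, so if a substitution fails the copy in ~/tmp is still uploaded with the literal placeholder, and `@` is not a legal character in the XCCDF Benchmark id (`..._benchmark_gentoo-@@VERSION@@-1` in the gentoo-xccdf.xml header hunk) nor is `@@DATE@@` a valid xs:date, so the published benchmark would no longer validate. The replaced value `20140326.1` also carried a release suffix that `date +%Y%m%d` drops, so two uploads on one day share the same `<version>` while the id keeps its fixed `-1`. I would add a guard after the substitutions, without the `-` prefix, such as `! grep -q '@@' ~/tmp/gentoo-xccdf.xml`, and keep a release counter in the placeholder value. The `prep` target continues outside this hunk.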
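Review bot: The description of the added `def:33` overstates hidepid=1: that value only denies other users access to the contents of /proc/<pid>/ directories, while the pids themselves stay enumerable; only hidepid=2 makes them invisible, so "other users' processes are not visible" holds for one of the two values the definition accepts. The same equivalence is encoded in the `tst:34` partition_test in the next hunk and in the `ste:14` pattern `hidepid=[12]` in the states hunk. I would reword the description to `mounted with hidepid=1 (other users cannot read process information such as cmdline or status) or hidepid=2 (additionally hides those processes entirely)`, or split it into two definitions if the benchmark should score the two levels differently.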
@@ -944,6 +969,11 @@
 <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
 </ind-def:textfilecontent54_object>
 
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:21"
+ version="1" comment="The /proc file system">
+ <lin-def:mount_point>/proc</lin-def:mount_point>
+ </lin-def:partition_object>
+
 </objects>
 
 <states>
@@ -1013,6 +1043,11 @@
 <ind-def:text datatype="string" operation="pattern match" entity_check="all">(console|tty[[:digit:]]+)</ind-def:text>
 </ind-def:textfilecontent54_state>
 
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:14"
+ version="1" comment="hidepid=1 or hidepid=2 mount option">
+ <lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
+ </lin-def:partition_state>
+
 </states>
 
 <variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 5fe590d..3c3afcd 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2014-03-26">draft</status>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-@@VERSION@@-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+ <status date="@@DATE@@">draft</status>
 <title>Gentoo Security Benchmark</title>
 <description>
 This benchmarks helps people in improving their system configuration to be more resilient against attacks and vulnerabilities.
 </description>
 <platform idref="cpe:/o:gentoo:linux"/>
-<version>20140326.1</version>
+<version>@@VERSION@@</version>
 <model system="urn:xccdf:scoring:default" />
 <model system="urn:xccdf:scoring:flat" />
 <model system="urn:xccdf:scoring:flat-unweighted" />
@@ -101,6 +101,8 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
 <!-- Make sure /etc/securetty only contains console and tty's -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
+ <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings</title>
@@ -1009,6 +1011,18 @@ mount -o remount,usrquota,grpquota /home
 </description>
 <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing the hidepid support</reference>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="false" severity="medium" weight="1.7">
+ <title>The /proc file system is mounted with hidepid=1 or hidepid=2</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_proc-hidepid">Mount /proc with hidepid=1 or hidepid=2</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_proc-hidepid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,hidepid=2 /proc
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
 </Group>
 </Group> <!-- system-fs -->
 <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
|
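Review bot: The `<fix>` of the new `proc-hidepid` Rule only remounts the running system (`mount -o remount,hidepid=2 /proc`) and does not persist the option, so the rule fails again after the next boot even though `reboot="false"` and `disruption="low"` suggest a durable, low-impact fix; the fixtext should also instruct the reader to add `hidepid=2` to the /proc entry in /etc/fstab (or the equivalent init configuration), as the neighbouring quota rule does for /home. The fix applies hidepid=2 unconditionally while the title, fixtext and OVAL `def:33` accept hidepid=1 as well; if hidepid=2 is the intended target, the fixtext could say so. Under hidepid=2 unprivileged monitoring tools lose sight of other users' processes; the kernel commit referenced just above the Rule appears to introduce a `gid=` mount option for a group that keeps full visibility, which would be worth mentioning in the Group description so operators do not break their monitoring agents. The enclosing Group starts before this hunk.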