commit:     68e7c5b954197805e82752021032cf8e0fc97a96
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 15:43:55 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 15:43:55 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=68e7c5b9

Handle version and add hidepid check

---
 xml/SCAP/Makefile         |  2 ++
 xml/SCAP/gentoo-oval.xml  | 35 +++++++++++++++++++++++++++++++++++
 xml/SCAP/gentoo-xccdf.xml | 20 +++++++++++++++++---
 3 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index f0b8628..1a48ecf 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -28,6 +28,8 @@ prep:
        -cp -R bin/ ~/tmp/
        -cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
        -sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
+       -sed -i "s|@@VERSION@@|`date +%Y%m%d`|g" ~/tmp/gentoo-xccdf.xml
+       -sed -i "s|@@DATE@@|`date +%Y-%m-%d`|g" ~/tmp/gentoo-xccdf.xml
 
 upload:
        -pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml 
gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html 
report-gentoo-xccdf.html $(location)/; popd;
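Review bot: Both new sed lines carry the recipe-level `-` prefix, so a failed substitution (for instance when ~/tmp/gentoo-xccdf.xml is missing) is ignored and the literal `@@VERSION@@`/`@@DATE@@` can reach the uploaded benchmark, where `status/@date` is no longer a valid xs:date and the Benchmark id contains `@`. The two `date` calls also run independently, so a build that crosses midnight gets a version stamp and a status date from different days. Consider computing the stamp once and verifying nothing is left behind, e.g. `VERSION := $(shell date +%Y%m%d)` at the top of the Makefile, `sed -i "s|@@VERSION@@|$(VERSION)|g" ~/tmp/gentoo-xccdf.xml` without the leading `-`, and afterwards `! grep -q '@@[A-Z]*@@' ~/tmp/gentoo-xccdf.xml`. The prep target starts outside the hunk.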

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index a031348..7f6e674 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -547,6 +547,21 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:33" version="1" 
class="compliance">
+    <metadata>
+      <title>/proc is mounted with hidepid=1 or hidepid=2</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        The /proc file system should be mounted with hidepid=1 or 2 so that 
other users' processes are not visible to non-authorized accounts.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="/proc is 
mounted with hidepid=1 or hidepid=2" />
+    </criteria>
+  </definition>
+
 </definitions>
 
 <tests>
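Review bot: The `<description>` of def:33 states that with hidepid=1 or 2 other users' processes are "not visible", but only hidepid=2 hides the /proc/<pid> directories; hidepid=1 still lists them and merely denies non-owners access to their contents. Suggest wording the description to match the two values it accepts, e.g. `hidepid=1 denies non-owners access to other users' /proc/<pid> directories, and hidepid=2 additionally hides those directories from listing`, so that a passing result on hidepid=1 is not read as stronger than it is.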
@@ -824,6 +839,16 @@
     <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
   </ind-def:textfilecontent54_test>
 
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:34"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /proc is mounted with hidepid=1 or hidepid=2 option">
+    <!-- /proc partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+    <!-- "hidepid=[12]" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+  </lin-def:partition_test>
+
+
 </tests>
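Review bot: The added partition_test is followed by two blank lines (the two empty `+` lines before `</tests>`), while every other block in this file is separated by a single blank line; drop one of them. The test wiring itself (obj:21, ste:14, `check_existence="all_exist"`) matches the layout of the sibling tests in the file.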
 
 <objects>
@@ -944,6 +969,11 @@
     <ind-def:instance operation="greater than or equal" 
datatype="int">1</ind-def:instance>
   </ind-def:textfilecontent54_object>
 
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:21"
+    version="1" comment="The /proc file system">
+    <lin-def:mount_point>/proc</lin-def:mount_point>
+  </lin-def:partition_object>
+
 </objects>
 
 <states>
@@ -1013,6 +1043,11 @@
     <ind-def:text datatype="string" operation="pattern match" 
entity_check="all">(console|tty[[:digit:]]+)</ind-def:text>
   </ind-def:textfilecontent54_state>
 
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:14"
+    version="1" comment="hidepid=1 or hidepid=2 mount option">
+    <lin-def:mount_options entity_check="at least one" operation="pattern 
match">hidepid=[12]</lin-def:mount_options>
+  </lin-def:partition_state>
+
 </states>
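Review bot: The `mount_options` pattern `hidepid=[12]` is unanchored, so it is satisfied by any option string that merely contains that text rather than an option equal to hidepid=1 or hidepid=2; anchoring it as `^hidepid=[12]$` keeps the state tied to exactly the values that the state comment and def:33 name. This is a small tightening, but because `entity_check="at least one"` already accepts a match from any single option entity, the anchor is the only thing that pins the value.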
 
 <variables>

diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 5fe590d..3c3afcd 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"; 
xmlns:h="http://www.w3.org/1999/xhtml"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" 
xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" 
resolved="0">
-  <status date="2014-03-26">draft</status>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"; 
xmlns:h="http://www.w3.org/1999/xhtml"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-@@VERSION@@-1" 
xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" 
resolved="0">
+  <status date="@@DATE@@">draft</status>
   <title>Gentoo Security Benchmark</title>
   <description>
     This benchmarks helps people in improving their system configuration to be
     more resilient against attacks and vulnerabilities.
   </description>
   <platform idref="cpe:/o:gentoo:linux"/>
-  <version>20140326.1</version>
+  <version>@@VERSION@@</version>
   <model system="urn:xccdf:scoring:default" />
   <model system="urn:xccdf:scoring:flat" />
   <model system="urn:xccdf:scoring:flat-unweighted" />
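Review bot: With `@@VERSION@@` and `@@DATE@@` placed in the Benchmark id, `<status date>` and `<version>`, the committed gentoo-xccdf.xml is no longer a valid XCCDF document on its own: `@` cannot occur in an NCName id and the status date must be an xs:date, so schema validation run against the repository copy rather than the ~/tmp copy produced by `make prep` will fail. Nothing in the file says so; add a comment next to the placeholders, e.g. `<!-- @@VERSION@@ and @@DATE@@ are replaced by "make prep" (xml/SCAP/Makefile); this file does not validate until then -->`. The Makefile hunk in this commit, which performs the substitution, should reference the same convention.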
@@ -101,6 +101,8 @@
     <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" 
selected="true" />
     <!-- Make sure /etc/securetty only contains console and tty's -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" 
selected="true" />
+    <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" 
selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default" 
extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings</title>
@@ -1009,6 +1011,18 @@ mount -o remount,usrquota,grpquota /home
        </description>
        <reference 
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201";>Kernel
 commit introducing
        the hidepid support</reference>
+       <Rule id="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" 
selected="false" severity="medium" weight="1.7">
+         <title>The /proc file system is mounted with hidepid=1 or 
hidepid=2</title>
+         <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_proc-hidepid">Mount 
/proc with hidepid=1 or hidepid=2</fixtext>
+         <fix id="xccdf_org.gentoo.dev.swift_fix_proc-hidepid"
+              system="urn:xccdf:fix:system:commands"
+              platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" 
reboot="false">
+mount -o remount,hidepid=2 /proc
+          </fix>
+         <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5";>
+           <check-content-ref name="oval:org.gentoo.dev.swift:def:33" 
href="gentoo-oval.xml" />
+         </check>
+       </Rule>
       </Group>
     </Group> <!-- system-fs -->
     <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
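Review bot: The fix for rule proc-hidepid is only `mount -o remount,hidepid=2 /proc`, which is not persistent: the next boot mounts /proc without the option, while the referenced OVAL check def:33 inspects only the live mount table, so a remounted system passes the check until it reboots. The fixtext should also ask for the persistent change, e.g. `Mount /proc with hidepid=1 or hidepid=2 and add the option to the /proc entry in /etc/fstab so that it survives a reboot`. Whether `disruption="low"` holds for hidepid=2 depends on whether unprivileged services on the host need to inspect other users' processes; that is worth a sentence in the enclosing Group's description, which begins outside the hunk.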
