This patch includes descriptions for:
* permissions section (File Permissions And Masks),
* and descriptions for four rules related to checking
  permissions and ownership of shared library files and
  system executables (descriptions taken from RHEL6)

Pushed to master (since these are just additions of descriptions
for Fedora that already exist in RHEL6).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From a2a717c8a84d2e1fa24e0688a5052a4f6de9f0e5 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 28 Nov 2013 18:36:52 +0100
Subject: [PATCH] [Fedora] Include descriptions for permissions section, and
 rules for checking permissions and ownership of shared library files and
 system executables

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 Fedora/input/guide.xslt                         |   8 ++
 Fedora/input/profiles/common.xml                |   7 ++
 Fedora/input/system/permissions/files.xml       | 107 ++++++++++++++++++++++++
 Fedora/input/system/permissions/permissions.xml |   7 ++
 Fedora/scap-security-guide.spec                 |   6 +-
 5 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 Fedora/input/system/permissions/files.xml
 create mode 100644 Fedora/input/system/permissions/permissions.xml

diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt
index e0880e2..68f1870 100644
--- a/Fedora/input/guide.xslt
+++ b/Fedora/input/guide.xslt
@@ -26,6 +26,7 @@
       <xsl:copy-of select="@*|node()" />
       <xsl:apply-templates select="document('system/settings/settings.xml')" />
       <xsl:apply-templates select="document('system/software/software.xml')" />
+      <xsl:apply-templates select="document('system/permissions/permissions.xml')" />
       <xsl:apply-templates select="document('system/accounts/accounts.xml')" />
     </xsl:copy>
   </xsl:template>
@@ -60,6 +61,13 @@
     </xsl:copy>
   </xsl:template>
 
+  <xsl:template match="Group[@id='permissions']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates select="document('system/permissions/files.xml')" />
+    </xsl:copy>
+  </xsl:template>
+
   <xsl:template match="Group[@id='services']">
     <xsl:copy>
       <xsl:copy-of select="@*|node()" />
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index ad1acd9..b345a37 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
@@ -9,6 +9,13 @@
   <select idref="ensure_gpgcheck_globally_activated" selected="true"/>
   <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
 
+<!-- File Permissions And Masks -->
+  <!-- Verify File Permissions Within Some Important Directories -->
+  <select idref="file_permissions_library_dirs" selected="true"/>
+  <select idref="file_ownership_library_dirs" selected="true"/>
+  <select idref="file_permissions_binary_dirs" selected="true"/>
+  <select idref="file_ownership_binary_dirs" selected="true"/>
+
 <!-- Account and Access Control section rules -->
   <!-- Protect Accounts by Restricting Password-Based Login section rules -->
     <!-- Restrict Root Logins section rules -->
diff --git a/Fedora/input/system/permissions/files.xml b/Fedora/input/system/permissions/files.xml
new file mode 100644
index 0000000..c15482c
--- /dev/null
+++ b/Fedora/input/system/permissions/files.xml
@@ -0,0 +1,107 @@
+<Group id="permissions_within_important_dirs">
+<title>Verify File Permissions Within Some Important Directories</title>
+<description>Some directories contain files whose confidentiality or integrity
+is notably important and may also be susceptible to misconfiguration over time,
+particularly if unpackaged software is installed. As such, an argument exists
+to verify that files' permissions within these directories remain configured
+correctly and restrictively.   
+</description>
+
+<Rule id="file_permissions_library_dirs" severity="medium">
+<title>Verify that Shared Library Files Have Restrictive Permissions</title>
+<description>System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+<pre>/lib
+/lib64
+/usr/lib
+/usr/lib64
+</pre>
+Kernel modules, which can be added to the kernel during runtime, are stored in
+<tt>/lib/modules</tt>. All files in these directories should not be
+group-writable or world-writable. If any file in these directories is found to
+be group-writable or world-writable, correct its permission with the following
+command:
+<pre># chmod go-w <i>FILE</i></pre>
+</description>
+<rationale>Files from shared library directories are loaded into the address
+space of processes (including privileged ones) or of the kernel itself at 
+runtime. Restrictive permissions are necessary to protect the integrity of the
+system.
+</rationale>
+<ref nist="AC-6" disa="1499"/>
+<!-- <oval id="file_permissions_library_dirs" /> -->
+</Rule>
+
+<Rule id="file_ownership_library_dirs" severity="medium">
+<title>Verify that Shared Library Files Have Root Ownership</title>
+<description>System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+<pre>/lib
+/lib64
+/usr/lib
+/usr/lib64
+</pre>
+Kernel modules, which can be added to the kernel during runtime, are also
+stored in <tt>/lib/modules</tt>. All files in these directories should be owned
+by the <tt>root</tt> user. If the directory, or any file in these directories,
+is found to be owned by a user other than root correct its ownership with the
+following command:
+<pre># chown root <i>FILE</i></pre>
+</description>
+<rationale>Files from shared library directories are loaded into the address 
+space of processes (including privileged ones) or of the kernel itself at 
+runtime. Proper ownership is necessary to protect the integrity of the system.
+</rationale>
+<ref nist="AC-6" disa="1499"/>
+<!-- <oval id="file_ownership_library_dirs" /> -->
+</Rule>
+
+<Rule id="file_permissions_binary_dirs" severity="medium">
+<title>Verify that System Executables Have Restrictive Permissions</title>
+<description>
+System executables are stored in the following directories by default:
+<pre>/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin</pre>
+All files in these directories should not be group-writable or world-writable.
+If any file <i>FILE</i> in these directories is found to be group-writable or
+world-writable, correct its permission with the following command:
+<pre># chmod go-w <i>FILE</i></pre>
+</description>
+<rationale>System binaries are executed by privileged users, as well as system
+services, and restrictive permissions are necessary to ensure execution of
+these programs cannot be co-opted.
+</rationale>
+<ref nist="AC-6" disa="1499"/>
+<!-- <oval id="file_permissions_binary_dirs" /> -->
+</Rule>
+
+<Rule id="file_ownership_binary_dirs" severity="medium">
+<title>Verify that System Executables Have Root Ownership</title>
+<description>
+System executables are stored in the following directories by default:
+<pre>/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin</pre>
+All files in these directories should be owned by the <tt>root</tt> user. If
+any file <i>FILE</i> in these directories is found to be owned by a user other
+than root, correct its ownership with the following command:
+<pre># chown root <i>FILE</i></pre>
+</description>
+<rationale>System binaries are executed by privileged users as well as system
+services, and restrictive permissions are necessary to ensure that their
+execution of these programs cannot be co-opted.
+</rationale>
+<!-- <oval id="file_ownership_binary_dirs" /> -->
+<ref nist="AC-6" disa="1499"/>
+</Rule>
+
+</Group>
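Review bot: The rationale of the last Rule, file_ownership_binary_dirs, argues from restrictive permissions instead of ownership and its wording is garbled ("ensure that their execution of these programs cannot be co-opted"), apparently copied from the permissions rule above it; as this rule is about ownership it should read `services, and proper ownership is necessary to ensure that execution of` / `these programs cannot be co-opted.`. In the same Rule the commented-out `<oval>` reference sits before `<ref nist="AC-6" disa="1499"/>`, while the three preceding Rules put `<ref>` first, so the element order should be made uniform. All four Rules have their `<oval>` references commented out, which means the selections added in common.xml currently yield description-only rules with no automated check being evaluated; this seems intentional per the commit message, but a marker such as `<!-- TODO: enable once the OVAL check for this rule exists -->` next to each commented reference would keep the gap visible.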
diff --git a/Fedora/input/system/permissions/permissions.xml b/Fedora/input/system/permissions/permissions.xml
new file mode 100644
index 0000000..bfd8d1e
--- /dev/null
+++ b/Fedora/input/system/permissions/permissions.xml
@@ -0,0 +1,7 @@
+<Group id="permissions">
+<title>File Permissions and Masks</title>
+<description>Traditional Unix security relies heavily on file and
+directory permissions to prevent unauthorized users from reading or
+modifying files to which they should not have access. 
+</description>
+</Group>
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 930edad..e21aae4 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
 # file one level up - in the main scap-security-guide directory (instead of
 # this one).
 
-%global	fedorassgversion	4.rc6
+%global	fedorassgversion	4.rc7
 
 Name:		scap-security-guide
 Version:	0.1.%{fedorassgversion}
@@ -54,6 +54,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
 %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html
 
 %changelog
+* Thu Nov 28 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc7-1
+- Include descriptions for permissions section, and rules for checking
+  permissions and ownership of shared library files and system executables
+
 * Tue Nov 26 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc6-1
 - Adjust service-enable-macro, service-disable-macro XSLT transforms
   definition to evaluate to proper systemd syntax
-- 
1.8.3.1
