-rw-r--r-- | xml/SCAP/gentoo-xccdf.xml | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 25621c0..d2bf154 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2013-12-20">draft</status>
+ <status date="2014-02-01">draft</status>
 <title>Gentoo Security Benchmark</title>
 <description>
 This benchmarks helps people in improving their system configuration to be more resilient against attacks and vulnerabilities.
 </description>
 <platform idref="cpe:/o:gentoo:linux"/>
- <version>20131220.1</version>
+ <version>20140201.1</version>
 <model system="urn:xccdf:scoring:default" />
 <model system="urn:xccdf:scoring:flat" />
 <model system="urn:xccdf:scoring:flat-unweighted" />
@@ -57,7 +57,7 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
 <!-- The /var/log/audit partition is mounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
- <!-- The /home partition is mounted with nodev -->
+ <!-- The /home partition is moounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
 <!-- The /tmp partition is mounted with nodev -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
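Review bot: The rewritten comment in the second hunk (@@ -57,7) introduces a spelling error, `moounted`, where the removed line had the correct `mounted`, so the new side is worse than the old one here. The comment is not evaluated by any tool, but it sits between three sibling comments that all read `is mounted with nodev`, so the inconsistency is immediately visible to anyone maintaining the profile. Restore `<!-- The /home partition is mounted with nodev -->`.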
@@ -99,6 +99,8 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg" selected="true" />
 <!-- Make sure PORTAGE_GPG_DIR is set -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
+ <!-- Make sure /etc/securetty only contains console and tty's -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings</title>
@@ -701,7 +703,7 @@
 for file systems are explained.
 </description>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
- <title>Appropriate mount options for the file systems</title>
+ <title>Using no* mount options for the file systems</title>
 <description>
 <h:p>
 Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
@@ -988,6 +990,26 @@ mount -o remount,usrquota,grpquota /home
 </check>
 </Rule>
 </Group> <!-- system-fs-quotas -->
+ <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-hidepid">
+ <title>Hiding process information through hidepid</title>
+ <description>
+ <h:p>
+ In order to hide process information from other users, the <h:code>/proc</h:code> file system needs to be
+ mounted with the <h:code>hidepid</h:code> option. With value 0, the default behavior is used, meaning that
+ all process information is world readable.
+ </h:p>
+ <h:p>
+ When the value 1 is passed, the process information is not readable, but process directories are still shown
+ in the <h:code>/proc</h:code> mount. In order to truly hide this information, pass on the value 2.
+ </h:p>
+ <h:p>
+ In order to allow a particular group of people to see other people's processes, the <h:code>gid=</h:code>
+ option can be used to exempt this group from the PID hiding.
+ </h:p>
+ </description>
+ <reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
+ the hidepid support</reference>
+ </Group>
 </Group> <!-- system-fs -->
 <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
 <title>System services</title>
@@ -1399,8 +1421,8 @@ PORTAGE_GPG_DIR="/etc/portage/gpg"
 <h:p>
 TODO looks like this has become a lot more difficult to obtain
 </h:p>
- <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
 </description>
+ <reference href="https://help.ubuntu.com/community/Grub2/Passwords">GRUB2 Passwords (Ubuntu wiki)</reference>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-grub1pass">
 <title>Password protect GRUB (legacy)</title>
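Review bot: The new system-fs-hidepid Group (@@ -988,6) contains only a title, a description and a reference, with no Rule, fixtext or check, so unlike the neighbouring system-fs-quotas group (whose closing `</check>` and `</Rule>` are visible in the context lines) it is never evaluated and contributes nothing to any profile or score. If guidance-only is the intent, a sentence in the description saying so would stop readers expecting a check; otherwise the group needs a Rule whose fixtext describes mounting `/proc` with `hidepid=2` (plus `gid=` for an exempt group, as the third paragraph already explains) and a matching OVAL definition. The second paragraph's `pass on the value 2` reads oddly; `use the value 2` is clearer. The parent system-fs Group opens outside the hunk.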
@@ -1504,6 +1526,15 @@ tty1 ... tty12</h:pre>
 </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="false" severity="low" weight="0.0">
+ <title>/etc/securetty is limited to console and tty's</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_securetty-limitentries">
+ Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-auth-userlogin">
 <title>Allow only known users to login</title> |
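Review bot: The new Rule's check points at `oval:org.gentoo.dev.swift:def:32` in gentoo-oval.xml, but the diffstat shows only gentoo-xccdf.xml changing, so unless that definition already exists the check-content-ref dangles and the rule selected in the default-oval profile can never produce a result; confirm def:32 is present or add it in the same change. The rule also carries `weight="0.0"`, which, if I read the XCCDF scoring models declared at the top of the file correctly, makes it count for nothing under the default and flat models even when selected — if that is deliberate, a comment such as `<!-- weight 0.0: informational, not scored -->` next to the Rule would make it explicit. The fixtext's `'tty[0-9]*'` is narrower than the title's `console and tty's` (a serial console such as ttyS0 would not match the glob), so the two should be aligned on whichever set is intended. The enclosing Group opens outside the hunk.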