Diffstat (limited to 'xml/SCAP/results-xccdf.xml')
-rw-r--r--xml/SCAP/results-xccdf.xml326
1 files changed, 0 insertions, 326 deletions
diff --git a/xml/SCAP/results-xccdf.xml b/xml/SCAP/results-xccdf.xml
deleted file mode 100644
index db19a4c..0000000
--- a/xml/SCAP/results-xccdf.xml
+++ /dev/null
@@ -1,326 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" resolved="1">
- <status date="2013-09-17">draft</status>
- <title>Gentoo Security Benchmark</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- This benchmarks helps people in improving their system configuration to be
- more resilient against attacks and vulnerabilities.
- </description>
- <platform idref="cpe:/o:gentoo:linux"/>
- <version>20130917.1</version>
- <model system="urn:xccdf:scoring:default"/>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive">
- <title>Default server setup settingsIntensive validation profile</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- In this profile, we verify common settings for Gentoo Linux
- configurations. The tests that are enabled in this profile can be ran
- without visibly impacting the performance of the system.
-
- This profile extends the default server profile by including tests that
- are more intensive to run on a system. Tests such as full file system
- scans to find world-writable files or directories have an otherwise too
- large impact on the performance of a server.
- </description>
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
- </Profile>
- <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
- <title>Default server setup settings</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- In this profile, we verify common settings for Gentoo Linux
- configurations. The tests that are enabled in this profile can be ran
- without visibly impacting the performance of the system.
- </description>
- <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
- </Profile>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro">
- <title>Introduction</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Since years, Gentoo Linux has a Gentoo Security Handbook
- which provides a good insight in secure system
- configuration for a Gentoo systems. Although this is important, an
- improved method for describing and tuning a systems' security state has
- emerged: SCAP, or the <h:em xmlns:h="http://www.w3.org/1999/xhtml">Security Content Automation Protocol</h:em>.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- As such, this benchmark is an update on the security
- handbook, including both the in-depth explanation of settings as well as
- the means to validate if a system complies with this or not. Now, during
- the development of this benchmark document, we did not include all
- information from the Gentoo Security Handbook as some of the settings are
- specific to a service that is not all that default on a Gentoo Linux
- system. Although these settings are important as well, it is our believe
- that this is best done in separate benchmarks for those services instead.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Where applicable, this benchmark will refer to a different hardening guide
- for specific purposes (such as the Hardening OpenSSH benchmark).
- </description>
- <reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo
- Security Handbook</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
- <title>This is no security policy</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- It is <h:em xmlns:h="http://www.w3.org/1999/xhtml">very important</h:em> to realize that this document is not a
- policy. You are not obliged to follow this if you want a secure system
- nor do you need to agree with everything said in the document.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- The purpose of this document is to guide you in your quest to hardening
- your system. It will provide pointers that could help you decide in
- particular configuration settings and will do this hopefully using
- sufficient background information to make a good choice.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- You <h:em xmlns:h="http://www.w3.org/1999/xhtml">will</h:em> find settings you don't agree with. That's fine, but
- if you disagree with <h:em xmlns:h="http://www.w3.org/1999/xhtml">why</h:em> we do this, we would like to hear it
- and we'll add the feedback to the guide.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
- <title>A little more about SCAP and OVAL</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
- are notably important in light of the guide you are currently using.
- <h:ul xmlns:h="http://www.w3.org/1999/xhtml">
- <h:li>
- XCCDF (Extensible Configuration Checklist Description Format) is
- a specification language for writing security checklists and benchmarks
- (such as the one you are reading now)
- </h:li>
- <h:li>
- OVAL (Open Vulnerability and Assessment Language) is a standard to describe
- and validate system settings
- </h:li>
- </h:ul>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Thanks to the OVAL and XCCDF standards, a security engineer can now describe
- how the state of a system should be configured, how this can be checked
- automatically and even report on these settings. Furthermore, within the
- description, the engineer can make "profiles" of different states (such as
- a profile for a workstation, server (generic), webserver, LDAP server,
- ...) and reusing the states (rules) identified in a more global scope.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
- <title>Using this guide</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- The guide you are currently reading is the guide generated from this SCAP
- content (more specifically, the XCCDF document) using <h:b xmlns:h="http://www.w3.org/1999/xhtml">openscap</h:b>,
- a free software implementation for handling SCAP content. Within Gentoo,
- the package <h:code xmlns:h="http://www.w3.org/1999/xhtml">app-forensics/openscap</h:code> provides the tools, and
- the following command is used to generate the HTML output:
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Command to generate this guide ###
-# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml &gt; output.html</h:b>
- </h:pre>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
- The two files combined allow you to automatically validate various settings as
- documented in the benchmark.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Now, to validate the tests, you can use the following commands:
- <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules mentioned in the XCCDF document ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- To generate a full report in HTML as well, you can use the next command:
- <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules and generating an HTML report ###
-# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Finally, this benchmark will suggest some settings which you do not want
- to enable. That is perfectly fine - even more, some settings might even
- raise eyebrows left and right. We will try to document the reasoning behind
- the settings but you are free to deviate from them. If that is the case,
- you might want to disable the rules in the XCCDF document so that they are
- not checked on your system.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
- <title>Available XCCDF Profiles</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- As mentioned earlier, the XCCDF document supports multiple profiles. For the time
- being, two profiles are defined:
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:ul xmlns:h="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.2">
- <h:li>
- The <em>default</em> profile contains tests that are quick to validate
- </h:li>
- <h:li>
- The <em>intensive</em> profile contains all tests, including those that
- take a while (for instance because they perform full file system scans)
- </h:li>
- </h:ul>
- Substitute the profile information in the commands above with the profile you want to test on.
- </description>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
- <title>Before You Start</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Before you start deploying Gentoo Linux and start hardening it, it is wise
- to take a step back and think about what you want to accomplish. Setting
- up a more secured Gentoo Linux isn't a goal, but a means to reach
- something. Most likely, you are considering setting up a Gentoo Linux
- powered server. What is this server for? Where will you put it? What other
- services will you want to run on the same OS? Etc.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
- <title>Infrastructure Architecturing</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- When considering your entire IT architecture, many architecturing
- frameworks exist to write down and further design your infrastructure.
- There are very elaborate ones, like TOGAF (The Open Group Architecture
- Framework), but smaller ones exist as well.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- A well written and maintained infrastructure architecture helps you
- position new services or consider the impact of changes on existing
- components. And the reason for mentioning such a well designed architecture
- in a hardening guide is not weird.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- Security is about reducing risks, not about harassing people or making
- work for a system administrator harder. And reducing risks also means
- that you need to keep a clear eye out on your architecture and all its
- components. If you do not know what you are integrating, where you are
- putting it or why, then you have more issues to consider than hardening
- a system.
- </description>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
- <title>Mapping Requirements</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- When you design a service, you need to take both functional and
- non-functional requirements into account. That does sound like
- overshooting for a simple server installation, but it is not. Have you
- considered auditing? Where do the audit logs need to be sent to? What
- about authentication? Centrally managed, or manually set? And the server
- you are installing, will it only host a particular service, or will it
- provide several services?
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- When hosting multiple services on the same server, make sure that the
- server is positioned within your network on an acceptable segment. It is
- not safe to host your central LDAP infrastructure on the same system as
- your web server that is facing the Internet.
- </description>
- <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
- <title>Non-Software Security Concerns</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- From the next chapter onwards, we will only focus on the software side
- hardening. There are of course also non-software concerns that you
- should investigate.
- </description>
- <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security
- Handbook (RFC2196)</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
- <title>Physical Security</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Make sure that your system is only accessible (physically) by trusted
- people. Fully hardening your system, only to have a malicious person
- take out the harddisk and run away with your confidential data is not
- something you want to experience.
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
- When physical security cannot be guaranteed (like with laptops), make
- sure that theft of the device only results in the loss of the hardware
- and not of the data and software on it (backups), and also that the
- data on it cannot be read by unauthorized people. We will come back on
- disk encryption later.
- </description>
- <reference href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data
- Center Physical Security Checklist (SANS, PDF)</reference>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
- <title>Policies and Contractual Agreements</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Create or validate the security policies in your organization. This is
- not only as a stick (against internal people who might want to abuse
- their powers) but also to document and describe why certain decisions
- are made (both architecturally as otherwise).
- </description>
- <reference href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical
- Writing for IT Security Policies in Five Easy Steps (SANS,
- PDF)</reference>
- <reference href="https://www.sans.org/security-resources/policies/">Information
- Security Policy Templates (SANS)</reference>
- </Group>
- </Group>
- </Group>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation">
- <title>Installation Configuration</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Let's focus now on the OS hardening. Gentoo Linux allows you to update the
- system as you want after installation, but it might be interesting to
- consider the following aspects during installation if you do not want a
- huge migration project later.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
- <title>Storage Configuration</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Your storage is of utmost importance in any environment. It needs to be
- sufficiently fast, not to jeopardize performance, but also secure and
- manageable yet still remain flexible to handle future changes.
- </description>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning">
- <title>Partitioning</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- Know which locations in your file system structure you want on a
- different partition or logical volume. Separate locations allow for a
- more distinct segregation (for instance, hard links between different
- file systems) and low-level protection (file system corruption impact,
- but also putting the right data on the right storage media).
- </description>
- <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
- Standard</reference>
- <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
- <title>/home Location</title>
- <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
- The <h:code xmlns:h="http://www.w3.org/1999/xhtml">/home</h:code> location should be on its own partition,
- allowing the administrator to mount this location with specific
- options targetting the file systems' security settings or quota.
- </description>
- <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true">
- <title>Test if /home is a separate partition</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
- </check>
- </Rule>
- </Group>
- </Group>
- </Group>
- </Group>
- <TestResult id="xccdf_org.open-scap_testresult_default-profile" start-time="2013-09-17T20:24:00" end-time="2013-09-17T20:24:00">
- <title>OSCAP Scan Result</title>
- <identity authenticated="false" privileged="false">swift</identity>
- <target>hpl</target>
- <target-address>127.0.0.1</target-address>
- <target-address>192.168.1.3</target-address>
- <target-address>192.168.100.1</target-address>
- <target-address>::1</target-address>
- <target-address>fe80::f27b:cbff:fe0f:5a3b</target-address>
- <target-address>2001:db8:81:e2:0:26b5:365b:5072</target-address>
- <target-address>fe80::2045:eaff:fe47:e569</target-address>
- <target-facts>
- <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
- <fact name="urn:xccdf:fact:scanner:version" type="string">0.9.8</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
- <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
- </target-facts>
- <rule-result idref="xccdf_org.gentoo.dev.swift_rule_partition-home" time="2013-09-17T20:24:00" weight="1.000000">
- <result>pass</result>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
- </check>
- </rule-result>
- <score system="urn:xccdf:scoring:default" maximum="100.000000">100.000000</score>
- </TestResult>
-</Benchmark>
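Review bot: Deleting xml/SCAP/results-xccdf.xml drops a committed scanner result, not benchmark content; the `<TestResult>` block it carried identifies the scanning host (`<identity ...>swift</identity>`, `<target>hpl</target>`, the `<target-address>` list and the `urn:xccdf:fact:ethernet:MAC` facts), and that data remains reachable in history at blob db19a4c even after this commit, so an ignore rule for the `--results`/`--report` output of `oscap xccdf eval` should accompany the removal to keep such files from being re-added. The concatenated profile title "Default server setup settingsIntensive validation profile" and the duplicated profile description in this `resolved="1"` copy look like artefacts of XCCDF profile resolution rather than mistakes in the source benchmark, so nothing here needs to be carried back into the editable XCCDF.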