>From 46afac66ca5d0a1b331c1194d25b9485fcf078e3 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Wed, 23 Jan 2013 20:08:35 -0500 Subject: [PATCH 2/6] Creation of USGCB profile
Began buildout of a profile which maps to requirements that drove the RHEL5 USGCB. Did not add to build system since this is far from ready. Submitting patch now for peer review -- typos, syntax errors, etc. - Left off at CCE-3840-6, need to complete some 150 more mappings & inclusions - At some point (aka, last) will review USGCB-->NIST mappings and update ours - Only included "bare requirements" that are in RHEL5 USGCB, have not added any additional content. Building out profile for basis of discussion. --- RHEL6/input/profiles/usgcb-rhel6-server.xml | 150 +++++++++++++++++++++++++++ RHEL6/input/system/network/kernel.xml | 2 +- 2 files changed, 151 insertions(+), 1 deletions(-) create mode 100644 RHEL6/input/profiles/usgcb-rhel6-server.xml diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml new file mode 100644 index 0000000..6cf2d31 --- /dev/null +++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml 
@@ -0,0 +1,150 @@
+<Profile id="usgcb-rhel6-server" xmlns="http://checklists.nist.gov/xccdf/1.1" >
+<title>United States Government Configuration Baseline (USGCB)</title>
+<description>This profile is a working draft for a USGCB submission against RHEL6 Server.</description>
+
+<select idref="partition_for_tmp" selected="true" />
+<select idref="partition_for_var" selected="true" />
+<select idref="partition_for_var_log" selected="true" />
+<select idref="partition_for_var_log_audit" selected="true" />
+<select idref="partition_for_home" selected="true" />
+<select idref="ensure_redhat_gpgkey_installed" selected="true" />
+<select idref="service_rhnsd_disabled" selected="true" />
+<select idref="security_patches_up_to_date" selected="true" />
+<select idref="ensure_gpgcheck_globally_activated" selected="true" />
+<select idref="ensure_gpgcheck_never_disabled" selected="true" />
+<select idref="install_aide" selected="true" />
+<select idref="rpm_verify_permissions" selected="true" />
+<select idref="rpm_verify_hashes" selected="true" />
+<select idref="mountopt_nodev_on_nonroot_partitions" selected="true" />
+<select idref="mountopt_nodev_on_removable_partitions" selected="true" />
+<select idref="mount_option_tmp_nodev" selected="true" />
+<select idref="mount_option_dev_shm_nodev" selected="true" />
+<select idref="mountopt_noexec_on_removable_partitions" selected="true" />
+<select idref="mountopt_nosuid_on_removable_partitions" selected="true" />
+<select idref="mount_option_tmp_nodev" selected="true" />
+<select idref="mount_option_tmp_nosuid" selected="true" />
+<select idref="mount_option_tmp_noexec" selected="true" />
+<select idref="mount_option_dev_shm_nodev" selected="true" />
+<select idref="mount_option_dev_shm_nosuid" selected="true" />
+<select idref="mount_option_dev_shm_noexec" selected="true" />
+<select idref="mount_option_var_tmp_bind_var" selected="true" />
+<select idref="disable_module_cramfs" selected="true" />
+<select idref="disable_module_freevxfs" selected="true" />
+<select idref="disable_module_hfs" selected="true" />
+<select idref="disable_module_hfsplus" selected="true" />
+<select idref="disable_module_jffs2" selected="true" />
+<select idref="disable_module_squashfs" selected="true" />
+<select idref="disable_module_udf" selected="true" />
+<select idref="perms_gshadow_file" selected="true" /> <!-- RHEL5 had this as chmod 400, RHEL6 as 0000 -->
+<select idref="userowner_gshadow_file" selected="true" />
+<select idref="groupowner_gshadow_file" selected="true" />
+<select idref="perms_shadow_file" selected="true" /> <!-- RHEL5 as 400, RHEL6 as 000 -->
+<select idref="userowner_shadow_file" selected="true" />
+<select idref="groupowner_shadow_file" selected="true" />
+<select idref="perms_group_file" selected="true" />
+<select idref="userowner_group_file" selected="true" />
+<select idref="groupowner_group_file" selected="true" />
+<select idref="file_permissions_etc_passwd" selected="true" />
+<select idref="userowner_passwd_file" selected="true" />
+<select idref="groupowner_passwd_file" selected="true" />
+<select idref="sticky_world_writable_dirs" selected="true" />
+<select idref="world_writeable_files" selected="true" />
+<select idref="no_unpackaged_sgid_files" selected="true" />
+<select idref="no_unpackaged_suid_files" selected="true" />
+<select idref="no_files_unowned_by_user" selected="true" />
+<select idref="no_files_unowned_by_group" selected="true" />
+<select idref="world_writable_files_system_ownership" selected="true" />
+<refine-value idref="var_umask_for_daemons" selector="027"/>
+<select idref="set_daemon_umask" selected="true" />
+<select idref="disable_setuid_coredumps" selected="true" />
+<select idref="disable_users_coredumps" selected="true" />
+<select idref="enable_randomize_va_space" selected="true" />
+<select idref="enable_execshield" selected="true" />
+<select idref="install_PAE_kernel_on_x86" selected="true" />
+<select idref="restrict_root_console_logins" selected="true" /> <!-- slightly different language than rhel5 -->
+<select idref="restrict_serial_port_logins" selected="true" />
+<select idref="no_empty_passwords" selected="true" />
+<select idref="no_hashes_outside_shadow" selected="true" />
+<select idref="no_uidzero_except_root" selected="true" />
+<refine-value idref="var_password_warn_age" selector="14"/>
+<select idref="password_warn_age" selected="true" />
+<refine-value idref="var_password_max_age" selector="60" />
+<select idref="password_max_age" selected="true" />
+<refine-value idref="var_password_min_len" selector="12" />
+<select idref="password_min_len" selected="true" />
+<refine-value idref="password_retry" selector="3" />
+<select idref="password_retry" selected="true" />
+<refine-value idref="var_password_pam_cracklib_dcredit" selector="1" />
+<select idref="password_require_digits" selected="true" />
+<refine-value idref="var_password_pam_cracklib_ucredit" selector="1" />
+<select idref="password_require_uppercases" selected="true" />
+<refine-value idref="var_password_pam_cracklib_lcredit" selector="1" />
+<select idref="password_require_lowercases" selected="true" />
+<refine-value idref="var_password_pam_cracklib_ocredit" selector="1" />
+<select idref="password_require_specials" selected="true" />
+<refine-value idref="var_password_pam_cracklib_difok" selector="3" />
+<select idref="password_require_diffchars" selected="true" />
+<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="5" />
+<select idref="deny_password_attempts" selected="true" />
+<select idref="set_password_hashing_algorithm_systemauth" selected="true" />
+<select idref="set_password_hashing_algorithm_logindefs" selected="true" />
+<refine-value idref="password_history_retain_number" selector="24" />
+<select idref="limiting_password_reuse" selected="true" />
+<select idref="root_path_no_dot" selected="true" />
+<select idref="root_path_no_groupother_writable" selected="true" />
+<select idref="homedir_perms_no_groupwrite_worldread" selected="true" />
+<refine-value idref="umask_user_value" selector="077" />
+<select idref="user_umask_bashrc" selected="true" />
+<select idref="user_umask_cshrc" selected="true" />
+<select idref="user_umask_profile" selected="true" />
+<select idref="user_umask_logindefs" selected="true" />
+<select idref="user_owner_grub_conf" selected="true" />
+<select idref="group_owner_grub_conf" selected="true" />
+<select idref="permissions_grub_conf" selected="true" />
+<select idref="bootloader_password" selected="true" />
+<select idref="disable_interactive_boot" selected="true" />
+<refine-value idref="inactivity_timeout_value" selector="15" />
+<select idref="set_screensaver_inactivity_timeout" selected="true" />
+<select idref="enable_screensaver_after_idle" selected="true" />
+<select idref="enable_screensaver_password_lock" selected="true" />
+<select idref="set_blank_screensaver" selected="true" />
+<refine-value idref="login_banner_text" selector="usgcb_default" />
+<select idref="set_system_login_banner" selected="true" />
+<refine-value idref="var_selinux_state_name" selector="enforcing" />
+<select idref="set_selinux_state" selected="true" />
+<refine-value idref="var_selinux_policy_name" selector="targeted" />
+<select idref="set_selinux_policy" selected="true" />
+<select idref="enable_selinux_bootloader" selected="true" />
+<select idref="selinux_confinement_of_daemons" selected="true" />
+<select idref="selinux_unlabeled_device_files" selected="true" />
+<select idref="disable_sysctl_ipv4_ip_forward" selected="true" />
+<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true" />
+<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="0" />
+<select idref="set_sysctl_net_ipv4_conf_all_secure_redirects" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled" />
+<select idef="set_sysctl_net_ipv4_conf_all_accept_redirects" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled" />
+<select idref="set_sysctl_net_ipv4_conf_default_accept_source_route" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="disabled" />
+<select idref="set_sysctl_net_ipv4_conf_default_secure_redirects" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled" />
+<select idref="set_sysctl_net_ipv4_conf_default_accept_redirects" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled" />
+<select idref="set_sysctl_net_ipv4_conf_default_accept_source_route" selected="true" />
+<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" selector="enabled" />
+<select idref="set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true" />
+<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled" />
+<select idref="set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled" />
+<select idref="set_sysctl_net_ipv4_conf_all_log_martians" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_all_rp_filter_value" selector="enabled" />
+<select idref="set_sysctl_net_ipv4_conf_all_rp_filter" selected="true" />
+<refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled" />
+<select idref="set_sysctl_net_ipv4_tcp_syncookies" selected="true" />
+
+
+<!-- TO DO:
+ - Leaving off at RHEL5 CCE-3840-6
+ - Would be good to review USGCB NIST mappings. Low(er) priority than completing the profile -->
+</Profile>
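Review bot: The select for `set_sysctl_net_ipv4_conf_all_accept_redirects` near the end of the hunk spells the attribute `idef`, so it is not a valid XCCDF select and the rule is never turned on by this profile; it should read `<select idref="set_sysctl_net_ipv4_conf_all_accept_redirects" selected="true" />`. Two lines below, the refine-value for `sysctl_net_ipv4_conf_all_accept_source_route_value` is followed by a select of the `default` rule, which is selected again later in the hunk, so `set_sysctl_net_ipv4_conf_all_accept_source_route` is never selected and the all-interfaces source-route check silently drops out of the baseline. `mount_option_tmp_nodev` and `mount_option_dev_shm_nodev` are each selected twice near the top, and `password_retry` is used as both the refine-value and the select idref while every neighbouring value carries a `var_` prefix, which looks like a missing prefix. The `0` selector on `sysctl_net_ipv4_conf_all_secure_redirects_value` also differs from the `disabled` selector used for the other sysctl values, so it is worth confirming that selector actually exists on the Value.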
diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml
index dff93dd..0f80df2 100644
--- a/RHEL6/input/system/network/kernel.xml
+++ b/RHEL6/input/system/network/kernel.xml
@@ -277,7 +277,7 @@ to be detected.</rationale>
 <rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale>
 <ident cce="26983-7" />
-<oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" />
+<oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_default_accept_source_route_value" />
 <ref nist="AC-4,CM-7,SC-5,SC-7" disa="1551"/>
 <tested by="DS" on="20121024"/>
 </Rule>
-- 1.7.1
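Review bot: The added oval line binds the `sysctl_net_ipv4_conf_all_accept_source_route` check to `sysctl_net_ipv4_conf_default_accept_source_route_value`, so the `all` rule is now evaluated against the `default` variable and a profile that refines `sysctl_net_ipv4_conf_all_accept_source_route_value` (as the new USGCB profile in this patch does) no longer influences the check. Unless the two variables are intentionally being merged, the rule should keep its own value reference, `<oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" />`. The commit message does not mention this change, and unlike the new profile this file is already part of the build, so the intent deserves a sentence in the description. The enclosing Rule element starts outside the hunk.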
