[Fedora] Add OVAL check to test if there is a remote NTP server configured for time data [Fedora] Add system settings section for the guide (to track system wide hardening configurations) [Fedora] Include disable prelink rule and OVAL check for it
This patch adds the following:
* provide an OVAL check to test if /etc/ntp.conf contains a 'server' entry (based on RHEL6's one, just slightly modified),
* introduce a new system/settings section for the guide (to track universal system wide configurations / principles, which wouldn't fall into another more specific category),
* include the 'disable_prelink' rule as a representative of such a system settings rule. Add an OVAL check for it (based on RHEL6's one).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From b334f90974b953b209f09bc75a35d0af0cf85498 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Mon, 25 Nov 2013 17:00:53 +0100 Subject: [PATCH] [Fedora] Add OVAL check to test if there's is remote NTP server configured for time data [Fedora] Add system settings section for the guide (to track system wide hardening configurations) [Fedora] Include disable prelink rule and OVAL check for it Signed-off-by: Jan Lieskovsky <[email protected]> --- Fedora/input/checks/disable_prelink.xml | 31 +++++++++++++++++++++++ Fedora/input/checks/ntp_remote_server.xml | 32 ++++++++++++++++++++++++ Fedora/input/guide.xslt | 8 ++++++ Fedora/input/profiles/common.xml | 4 ++- Fedora/input/services/ntp.xml | 2 +- Fedora/input/system/settings/disable_prelink.xml | 22 ++++++++++++++++ Fedora/input/system/settings/settings.xml | 8 ++++++ Fedora/scap-security-guide.spec | 9 ++++++- 8 files changed, 113 insertions(+), 3 deletions(-) create mode 100644 Fedora/input/checks/disable_prelink.xml create mode 100644 Fedora/input/checks/ntp_remote_server.xml create mode 100644 Fedora/input/system/settings/disable_prelink.xml create mode 100644 Fedora/input/system/settings/settings.xml diff --git a/Fedora/input/checks/disable_prelink.xml b/Fedora/input/checks/disable_prelink.xml new file mode 100644 index 0000000..aadf296 --- /dev/null +++ b/Fedora/input/checks/disable_prelink.xml 
@@ -0,0 +1,31 @@ +<def-group> + <definition class="compliance" id="disable_prelink" version="1"> + <metadata> + <title>Disable Prelinking</title> + <affected family="unix"> + <platform>Fedora 19</platform> + </affected> + <description>The prelinking feature can interfere with the operation of + checksum integrity tools (e.g. AIDE), mitigates the protection provided + by ASLR, and requires additional CPU cycles by software upgrades. + </description> + </metadata> + <criteria> + <criterion comment="Ensure prelinking is disabled" test_ref="test_prelinking_no" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests whether prelinking is disabled" + id="test_prelinking_no" version="1"> + + <ind:object object_ref="obj_prelinking_no" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_prelinking_no" version="1"> + <ind:filepath>/etc/sysconfig/prelink</ind:filepath> + <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/Fedora/input/checks/ntp_remote_server.xml b/Fedora/input/checks/ntp_remote_server.xml new file mode 100644 index 0000000..18f3b38 --- /dev/null +++ b/Fedora/input/checks/ntp_remote_server.xml 
@@ -0,0 +1,32 @@ +<def-group> + <definition class="compliance" id="ntp_remote_server" version="1"> + <metadata> + <title>Specify a Remote NTP Server for Time Data</title> + <affected family="unix"> + <platform>Fedora 19</platform> + </affected> + <description> + A remote NTP Server for time synchronization should be specified + </description> + </metadata> + <criteria comment="ntp.conf conditions are met"> + <criterion test_ref="test_ntp_remote_server" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" + comment="Ensure at least one NTP server is set" id="test_ntp_remote_server" + version="1"> + + <ind:object object_ref="obj_ntp_remote_server" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="Ensure at least one NTP server is set" + id="obj_ntp_remote_server" version="1"> + + <ind:filepath>/etc/ntp.conf</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt index 2dc4231..e0880e2 100644 --- a/Fedora/input/guide.xslt +++ b/Fedora/input/guide.xslt @@ -24,11 +24,19 @@ <xsl:template match="Group[@id='system']"> <xsl:copy> <xsl:copy-of select="@*|node()" /> + <xsl:apply-templates select="document('system/settings/settings.xml')" /> <xsl:apply-templates select="document('system/software/software.xml')" /> <xsl:apply-templates select="document('system/accounts/accounts.xml')" /> </xsl:copy> </xsl:template> + <xsl:template match="Group[@id='settings']"> + <xsl:copy> + <xsl:copy-of select="@*|node()" /> + <xsl:apply-templates select="document('system/settings/disable_prelink.xml')" /> + </xsl:copy> + </xsl:template> + <xsl:template match="Group[@id='software']"> <xsl:copy> <xsl:copy-of select="@*|node()" /> 
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml index 330b002..ad1acd9 100644 --- a/Fedora/input/profiles/common.xml +++ b/Fedora/input/profiles/common.xml @@ -2,6 +2,8 @@ <title>Common Profile for General-Purpose Fedora Systems</title> <description>This profile contains items common to general-purpose Fedora installations.</description> + <select idref="disable_prelink" selected="true"/> + <!-- Installing and Maintaining Software section rules --> <!-- Updating Software section rules --> <select idref="ensure_gpgcheck_globally_activated" selected="true"/> @@ -23,7 +25,7 @@ <select idref="gid_passwd_group_same" selected="true"/> <select idref="no_netrc_files" selected="true"/> <!-- Set Password Expiration Parameters section rules --> - <refine-value idref="var_accounts_password_minlen_login_defs" selector="12" /> + <refine-value idref="var_accounts_password_minlen_login_defs" selector="12"/> <select idref="accounts_password_minlen_login_defs" selected="true"/> <refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/> <select idref="accounts_minimum_age_login_defs" selected="true"/> diff --git a/Fedora/input/services/ntp.xml b/Fedora/input/services/ntp.xml index 37d3611..cf5fe50 100644 --- a/Fedora/input/services/ntp.xml +++ b/Fedora/input/services/ntp.xml @@ -58,7 +58,7 @@ data. <rationale>Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. </rationale> -<!-- <oval id="ntp_remote_server" /> --> +<oval id="ntp_remote_server" /> <ref nist="AU-8(1)" disa="160" /> </Rule> diff --git a/Fedora/input/system/settings/disable_prelink.xml b/Fedora/input/system/settings/disable_prelink.xml new file mode 100644 index 0000000..ed9b492 --- /dev/null +++ b/Fedora/input/system/settings/disable_prelink.xml 
@@ -0,0 +1,22 @@ +<Rule id="disable_prelink"> +<title>Disable Prelinking</title> +<description> +The prelinking feature changes binaries in an attempt to decrease their startup +time. In order to disable it, change or add the following line inside the file +<tt>/etc/sysconfig/prelink</tt>: +<pre>PRELINKING=no</pre> +Next, run the following command to return binaries to a normal, non-prelinked +state: +<pre># /sbin/prelink -ua</pre> +</description> +<rationale> +The prelinking feature can interfere with the operation of checksum integrity +tools (e.g. AIDE), because it modifies binaries to speed up their startup time. +Also it makes the location of shared libraries very predictable, mitigating +the efficiency of address space layout randomization (ASLR) protection mechanism. +In addition, each upgrade of an application or a library requires prelink to be +run again. +</rationale> +<oval id="disable_prelink" /> +<ref nist="CM-6(d),CM-6(3),SC-28, SI-7" /> +</Rule> diff --git a/Fedora/input/system/settings/settings.xml b/Fedora/input/system/settings/settings.xml new file mode 100644 index 0000000..9bd860c --- /dev/null +++ b/Fedora/input/system/settings/settings.xml @@ -0,0 +1,8 @@ +<Group id="settings"> +<title>General System Wide Configuration Settings</title> +<description>The following sections contain information on +various security-relevant configuration settings that in +particular way modify the behaviour of the system as a whole. +</description> + +</Group> diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index ec056f3..c0ead6c 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -5,7 +5,7 @@ # file one level up - in the main scap-security-guide directory (instead of # this one). -%global fedorassgversion 4.rc4 +%global fedorassgversion 4.rc5 Name: scap-security-guide Version: 0.1.%{fedorassgversion} 
@@ -53,6 +53,13 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html %changelog +* Mon Nov 25 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc5-1 +- Add OVAL check to test if there's is remote NTP server configured for + time data +- Add system settings section for the guide (to track system wide + hardening configurations) +- Include disable prelink rule and OVAL check for it + * Mon Nov 25 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc4-1 - Initial OVAL check if ntpd service is enabled. Add package_installed OVAL templating directory structure and functionality. -- 1.8.3.1
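Review bot: In Fedora/input/checks/disable_prelink.xml, the obj_prelinking_no pattern `^PRELINKING=no$` together with check_existence="all_exist" makes the rule fail on a host where /etc/sysconfig/prelink is absent (for instance because prelink was never installed) or where the line carries surrounding spaces or quotes (a sysconfig file is shell-style, so `PRELINKING="no"` and `PRELINKING = no` mean the same thing), even though prelinking is disabled in all of those cases. Consider loosening the pattern to something like `^[\s]*PRELINKING[\s]*=[\s]*"?no"?[\s]*$` and deciding explicitly how a missing file should be scored, so that the OVAL agrees with the XCCDF description in this same patch, which only tells the admin to "change or add" the line. Two wording points in the description: "mitigates the protection provided by ASLR" says the opposite of what is meant ("weakens" or "undermines"), and "requires additional CPU cycles by software upgrades" should be "after software upgrades".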
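Review bot: In Fedora/input/checks/ntp_remote_server.xml, the pattern `^[\s]*server[\s]+.+$` accepts any server line at all, including the local clock driver entry (server 127.127.1.0) that ntp.conf is commonly shipped with as a fallback, so a host with no remote time source still passes a rule titled "Specify a Remote NTP Server for Time Data". Consider excluding the 127.127. pseudo-addresses, e.g. `^[\s]*server[\s]+(?!127\.127\.)\S+`, and decide whether peer and pool lines should count as remote sources too. The object also only inspects /etc/ntp.conf, so a host that keeps time with a different NTP implementation and config file fails outright; the rule text in services/ntp.xml should say that the check assumes ntpd. Minor: the description sentence has no full stop.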
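Review bot: In the first Fedora/input/profiles/common.xml hunk, the new `<select idref="disable_prelink" selected="true"/>` sits above the "Installing and Maintaining Software section rules" comment without a section comment of its own, unlike every other select in the profile; add a `<!-- General System Wide Configuration Settings section rules -->` line above it so the profile keeps mirroring the guide's section order.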
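Review bot: The second Fedora/input/profiles/common.xml hunk, `selector="12" />` to `selector="12"/>`, is a whitespace-only change unrelated to the three items in the subject and not mentioned in the commit message; either drop it from this patch or add a line to the message so the history explains it.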
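Review bot: In Fedora/input/system/settings/disable_prelink.xml, the rationale says prelinking is "mitigating the efficiency of address space layout randomization (ASLR) protection mechanism", which reads as if it helps ASLR; "weakening the effectiveness of the ... protection mechanism" is the intended sense. The description's "change or add the following line" is only a complete remediation if the matching OVAL in checks/disable_prelink.xml tolerates a missing file and whitespace variants, so keep the two in step. The `ref nist="CM-6(d),CM-6(3),SC-28, SI-7"` list has an inconsistent space before SI-7.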
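Review bot: In Fedora/input/system/settings/settings.xml, "that in particular way modify the behaviour" is missing an article ("in a particular way"), and "The following sections contain" does not match what guide.xslt feeds into this Group, which is a single Rule (disable_prelink) rather than sub-sections. Either reword to "The following rules" or lay the directory out for sub-groups now; the cover letter's definition of what belongs here (system-wide settings that fit no more specific section) would also be useful in this description, since only the email says it. The blank line before </Group> is stray.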
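Review bot: In the Fedora/scap-security-guide.spec changelog hunk, the new entry copies the subject typo "there's is" ("there is"); fix it here since the changelog text ships in the built package. The release bump to 4.rc5 in the earlier spec hunk matches the entry's 0.1.4.rc5-1.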
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
