From 3d3194ac9b1b2ba298ceb126f022ac4100c0843b Mon Sep 17 00:00:00 2001 From: Sven Vermeulen Date: Wed, 18 Sep 2013 15:51:27 +0200 Subject: Add /tmp test --- xml/SCAP/.gitignore | 3 + xml/SCAP/Makefile | 13 +- xml/SCAP/gentoo-oval.xml | 62 +++++++ xml/SCAP/gentoo-xccdf.xml | 446 ++++++++++++++++++++++++++++------------------ 4 files changed, 347 insertions(+), 177 deletions(-) diff --git a/xml/SCAP/.gitignore b/xml/SCAP/.gitignore index f943490..d62a6b5 100644 --- a/xml/SCAP/.gitignore +++ b/xml/SCAP/.gitignore @@ -3,3 +3,6 @@ report.html gentoo-oval.xml.result.xml results-xccdf.xml remediate.sh +guide.docbook +guide.fo +guide.pdf diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile index ac0b4e2..fcbf549 100644 --- a/xml/SCAP/Makefile +++ b/xml/SCAP/Makefile @@ -1,4 +1,4 @@ -all: report.html guide.html remediate.sh +all: report.html guide.html remediate.sh #guide.pdf report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml @@ -6,6 +6,15 @@ report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml +guide.docbook: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml + oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --format docbook --output guide.docbook gentoo-xccdf.xml + +guide.fo: guide.docbook + xsltproc --output guide.fo --stringparam paper.type A4 /usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl guide.docbook + +guide.pdf: guide.fo + fop guide.fo guide.pdf + remediate.sh: results-xccdf.xml oscap xccdf generate fix --output remediate.sh results-xccdf.xml chmod 0644 remediate.sh 
@@ -14,6 +23,6 @@ eval: oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml clean: - -rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh + -rm results-xccdf.xml report.html guide.html gentoo-oval.xml.results.xml remediate.sh guide.docbook guide.pdf guide.fo .PHONY: all eval clean diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml index b520353..9fa2c1e 100644 --- a/xml/SCAP/gentoo-oval.xml +++ b/xml/SCAP/gentoo-oval.xml @@ -71,6 +71,41 @@ + + + The /home file system is mounted with the nodev option + + Gentoo Linux + + + This definition tests whether the /home partition is mounted with the nodev + mount option. + + + + + + + + + + + The /tmp location must be a separate file system + + Gentoo Linux + + + + This definition tests whether the /tmp location is a separate file + system. + + + + + + + + @@ -97,6 +132,22 @@ + + + + + + + + + + + + @@ -110,6 +161,12 @@ version="1" comment="The /home partition"> /home + + + /tmp + + @@ -119,6 +176,11 @@ nosuid + + nodev + + + + Introduction 
@@ -58,31 +63,32 @@ This is no security policy It is very important to realize that this document is not a - policy. You are not obliged to follow this if you want a secure system - nor do you need to agree with everything said in the document. - - - The purpose of this document is to guide you in your quest to hardening - your system. It will provide pointers that could help you decide in - particular configuration settings and will do this hopefully using - sufficient background information to make a good choice. - - - You will find settings you don't agree with. That's fine, but - if you disagree with why we do this, we would like to hear it - and we'll add the feedback to the guide. + policy. There is no obligation to follow this to make a secure system + nor should everything in this document be agreed upon. What we document is + a set of common best practices with the explanation (why is it a best practice) + and method (how to implement the best practice). + + + The purpose of this document is to guide readers in their quest to hardening + their systems. It will provide pointers that could help in deciding + particular configuration settings and will do this hopefully using + sufficient background information to allow readers to make a good choice. + + + Readers might find settings they don't agree with. That's fine, but + if there is disagreement about why it is documented, we would + like to hear it so we can update the guide accordingly. A little more about SCAP and OVAL Within SCAP, NIST has defined some new standards of which XCCDF and OVAL - are notably important in light of the guide you are currently using. + are notably important in light of this guide. XCCDF (Extensible Configuration Checklist Description Format) is a specification language for writing security checklists and benchmarks - (such as the one you are reading now) OVAL (Open Vulnerability and Assessment Language) is a standard to describe 
@@ -101,80 +107,77 @@ Using this guide - The guide you are currently reading is the guide generated from this SCAP - content (more specifically, the XCCDF document) using openscap, - a free software implementation for handling SCAP content. Within Gentoo, - the package app-forensics/openscap provides the tools, and - the following command is used to generate the HTML output: + This guide is generated from SCAP content (more specifically, the XCCDF document) + using openscap, a free software implementation for handling SCAP content. + Within Gentoo, the package app-forensics/openscap provides the tools, + and the following command is used to generate the HTML output: - ### Command to generate this guide ### -# oscap xccdf generate guide gentoo-xccdf.xml > output.html + # oscap xccdf generate guide gentoo-xccdf.xml > output.html - Secondly, together with this XCCDF XML, you will also find an OVAL XML file. - The two files combined allow you to automatically validate various settings as - documented in the benchmark. - - - Now, to validate the tests, you can use the following commands: - ### Testing the rules mentioned in the XCCDF document ### -# oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml + Secondly, together with this XCCDF XML, an OVAL XML file is made available. + The two files combined allow OVAL interpreters to automatically validate + various settings as documented in the benchmark. 
+ + + To validate the tests, the following commands can be used: + # oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml To generate a full report in HTML as well, you can use the next command: - ### Testing the rules and generating an HTML report ### -# oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml + # oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml - - Finally, this benchmark will suggest some settings which you do not want - to enable. That is perfectly fine - even more, some settings might even + + Finally, this benchmark will suggest some settings that do not reflect the + will of the reader. That is perfectly fine - even more, some settings might even raise eyebrows left and right. We will try to document the reasoning behind the settings but you are free to deviate from them. If that is the case, - you might want to disable the rules in the XCCDF document so that they are - not checked on your system. + disable the rules in the XCCDF document or, better yet, create a new profile + and only refer to the tests that are required. Available XCCDF Profiles As mentioned earlier, the XCCDF document supports multiple profiles. For the time - being, two profiles are defined: - - - - The default profile contains tests that are quick to validate - - - The intensive profile contains all tests, including those that - take a while (for instance because they perform full file system scans) - - - Substitute the profile information in the commands above with the profile you want to test on. 
+ being, two profiles are defined: + + + + The default profile (xccdf_org.gentoo.dev.swift_profile_default) contains + tests that are quick to validate + + + The intensive profile (xccdf_org.gentoo.dev.swift_profile_intensive) + contains all tests, including those that take a while (for instance because they + perform full file system scans) + + + Substitute the profile information in the commands above with the required profile. - Before You Start + Before we start - Before you start deploying Gentoo Linux and start hardening it, it is wise - to take a step back and think about what you want to accomplish. Setting + Before we start deploying Gentoo Linux and start hardening it, it is wise + to take a step back and think about what we want to accomplish. Setting up a more secured Gentoo Linux isn't a goal, but a means to reach something. Most likely, you are considering setting up a Gentoo Linux powered server. What is this server for? Where will you put it? What other services will you want to run on the same OS? Etc. - Infrastructure Architecturing + Infrastructure architecturing - When considering your entire IT architecture, many architecturing - frameworks exist to write down and further design your infrastructure. + When considering the entire IT architecture, many architecturing + frameworks exist to write down and further design infrastructure. There are very elaborate ones, like TOGAF (The Open Group Architecture Framework), but smaller ones exist as well. - A well written and maintained infrastructure architecture helps you + A well written and maintained infrastructure architecture helps to position new services or consider the impact of changes on existing - components. And the reason for mentioning such a well designed architecture - in a hardening guide is not weird. + components. Security is about reducing risks, not about harassing people or making 
@@ -186,130 +189,223 @@ - Mapping Requirements + Mapping requirements - When you design a service, you need to take both functional and + When designing a service, we need to take both functional and non-functional requirements into account. That does sound like - overshooting for a simple server installation, but it is not. Have you - considered auditing? Where do the audit logs need to be sent to? What - about authentication? Centrally managed, or manually set? And the server - you are installing, will it only host a particular service, or will it - provide several services? + overshooting for a simple server installation, but it is not. Is + auditing considered? Where should the audit logs be sent to? What + about authentication? Centrally managed, or manually set? And the server, + will it only host a particular service, or will it provide several services? When hosting multiple services on the same server, make sure that the - server is positioned within your network on an acceptable segment. It is - not safe to host your central LDAP infrastructure on the same system as - your web server that is facing the Internet. + server is positioned within the network on an acceptable segment. It is + not safe to host central LDAP infrastructure on the same system as + a web server that is facing the Internet. IBM DeveloperWorks article on "Capturing Architectural Requirements" - Non-Software Security Concerns + Non-software security concerns - From the next chapter onwards, we will only focus on the software side - hardening. There are of course also non-software concerns that you - should investigate. + From the next chapter onwards, our focus will be on the software side + hardening. There are of course also non-software concerns that need to be + taken care of. - Site Security - Handbook (RFC2196) + Site Security Handbook (RFC2196) - Physical Security + Physical security - Make sure that your system is only accessible (physically) by trusted - people. 
Fully hardening your system, only to have a malicious person - take out the harddisk and run away with your confidential data is not - something you want to experience. + Make sure that the system is only accessible (physically) by trusted + people. Fully hardening a system, only to have a malicious person + take out the harddisk and run away with the confidential data is not + something we want to experience. When physical security cannot be guaranteed (like with laptops), make sure that theft of the device only results in the loss of the hardware - and not of the data and software on it (backups), and also that the - data on it cannot be read by unauthorized people. We will come back on - disk encryption later. + and not of the data and software on it (take backups!), and also that the + data on it cannot be read by unauthorized people. + We will describe disk encryption later. Data - Center Physical Security Checklist (SANS, PDF) + href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data Center Physical Security Checklist (SANS, PDF) - Policies and Contractual Agreements + Policies and contractual agreements - Create or validate the security policies in your organization. This is + Create or validate the security policies in the organization. This is not only as a stick (against internal people who might want to abuse their powers) but also to document and describe why certain decisions are made (both architecturally as otherwise). + + + Make sure that the reasoning for the guidelines is clear. If the policies ever + need to be adjusted towards new environments or concepts (like "bring your own + device") having the reasons for the (old) guidelines documented will make it much + easier to write new ones. 
Technical - Writing for IT Security Policies in Five Easy Steps (SANS, - PDF) + href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF) Information - Security Policy Templates (SANS) + href="https://www.sans.org/security-resources/policies/">Information Security Policy Templates (SANS) - Installation Configuration + Installation configuration - Let's focus now on the OS hardening. Gentoo Linux allows you to update the - system as you want after installation, but it might be interesting to - consider the following aspects during installation if you do not want a - huge migration project later. + Let's focus now on the OS hardening. Gentoo Linux allows us to update various + parts of the system after installation, but it might be interesting to + consider the following aspects during (or before) installation if we do not want + to risk a huge migration project later. - Storage Configuration + Storage configuration - Your storage is of utmost importance in any environment. It needs to be - sufficiently fast, not to jeopardize performance, but also secure and - manageable yet still remain flexible to handle future changes. + Storage is of utmost importance in any environment. It needs to be + sufficiently fast (performance), but also secure and + manageable while remaining flexible to handle future changes. Partitioning - Know which locations in your file system structure you want on a + Know which locations in the file system structure need to be on a different partition or logical volume. Separate locations allow for a - more distinct segregation (for instance, hard links between different + more distinct segregation (for instance, no hard links between different file systems) and low-level protection (file system corruption impact, but also putting the right data on the right storage media). 
Filesystem Hierarchy Standard + + Separate file systems for important locations + + Having a separate file system for important locations has several advantages, but + we need to weigh those advantages against the disadvantages of separate file + systems. + + + Let's start with the disadvantages: + + + Separate file systems mean that you need to do better disk space control + (governing free space). A file system that is given too much free space + means that disk space is being wasted, but a file system that is not given + enough free disk space will need to be grown quickly - if possibile. This + also means that creating a proper partitioning setup with many different + partitions (file systems) will take some time and calculations; many users + have no good idea how much space they need to make available for a file system. + + + Some file system locations need to be available early in the boot process. + If those locations reside on different file systems, special precautions need + to be taken to make those file systems available when the system is booted + (such as creating an initial ram file system). + + + The advantages on the other hand: + + + A sudden disk space growth will eventually be stopped by the limits of the + file system. If a non-critical file system is full, the impact on the overall + system is limited. Without separate file systems, a full file system might + jeopardise the availability of the entire system. + + + Specific mount options can be enabled on the file systems that improve the + security of the file system (permissions) as well as performance. Such mount + options include ownership details, allowing (or disallowing) setuid binaries, + device files and more. + + + Different file systems can be hosted on different devices (or even on network + shares), allowing administrators to pick the most efficient storage device + for a particular file system. 
+ + + Considering these pros and cons, it is recommended to have at least the following + file system locations to be on a different file system: + + + /tmp as this is a world-writable location and requires + specific mount options. When possible, this location can be made a + tmpfs file system. + + + + + Test if /tmp is a separate file system + + Create a file system for /tmp; make sure it is added in + the /etc/fstab file and reboot the system. + + + + + + /home Location The /home location should be on its own partition, allowing the administrator to mount this location with specific - options targetting the file systems' security settings or quota. - - - Next to the separate file system, it should also be mounted with - the nosuid mount option. When a vulnerability in a - software, or a rogue user, would somehow place a setuid binary in - this home directory in order to create a simple backdoor to gain - root privileges, this mount option disables the setuid ability. + options targetting the file systems' security settings or quota. It + also prevents the system to become unresponsive when a user starts + filling up his home directory, although quota support can be used + to mitigate this risk as well. + + + Next to the separate file system, it should also be mounted with + the nosuid mount option. When a vulnerability in a + software, or a rogue user, would somehow place a setuid binary in + this home directory in order to create a simple backdoor to gain + root privileges, this mount option disables the setuid ability. + + + There is also no reason for the /home location to + contain any device files, so mount it with nodev too. + If an attacker would somehow be able to create sensitive device files + with the rights for him to read/write to those device files, then he + might be able to impact the system security. 
- - Test if /home is a separate partition - + + Test if /home is a separate partition + + Create a file system for the user home files and mount it at /home + after migrating the users' files to it. + + - - - - Test if /home is mounted with nosuid - Mount /home with nosuid mount option - - + + + + Test if /home is mounted with nosuid + Mount /home with nosuid mount option + + mount -o remount,nosuid /home - - - - - + + + + + + + Test if /home is mounted with nodev + Mount /home with nodev mount option + +mount -o remount,nodev /home + + + + + @@ -326,7 +422,7 @@ mount -o remount,nosuid /home toolchain is selected, not one of the -hardenedno* as those are toolchains where specific settings are disabled. The -vanilla one is a toolchain with no hardened patches. - ### Using the appropriate hardened toolchain ### + # gcc-config -l [1] x86_64-pc-linux-gnu-4.4.5 * [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie 
@@ -340,18 +436,18 @@ mount -o remount,nosuid /home Use a Mandatory Access Control system Linux uses, by default, what is called a Discretionary Access Control - system. This means, amongst other things, that a user can control which files others - can access, but also that he is able to leak information towards other users. - - - With a Mandatory Access Control system in place, the security administrator - of a system defines security policies to which the entire system should adhere to. Users - then can "play" within the defined fields of this policy, but cannot extend this policy themselves. - - - Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system - is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its - configuration and testing of these settings are beyond the scope of this benchmark for now. + system. This means, amongst other things, that a user can control which files others + can access, but also that he is able to leak information towards other users. + + + With a Mandatory Access Control system in place, the security administrator + of a system defines security policies to which the entire system should adhere to. Users + then can "play" within the defined fields of this policy, but cannot extend this policy themselves. + + + Linux supports a few of these MAC systems. SELinux is a popular one, grSecurity RBAC system + is another, TOMOYO exists as well, etc. It is advisable to use such a MAC system, but its + configuration and testing of these settings are beyond the scope of this benchmark for now. Gentoo Hardened SELinux project page @@ -374,7 +470,7 @@ mount -o remount,nosuid /home Mount options can be set in /etc/fstab in the fourth column. - ### Setting mount options### + # vim /etc/fstab [...] tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev 0 0 
@@ -410,15 +506,15 @@ tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev 0 0### Sample /etc/fstab line for /tmp ### + tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev 0 0 Also, the location must have the sticky bit set (cfr the trailing 't' in the - output of ls -ld). - ### Sticky bit for /tmp must be set ### + output of ls -ld). + # ls -ld /tmp drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp Of course, using tmpfs does not give you freedom nor a - secure means to write security sensitive information in /tmp. + secure means to write security sensitive information in /tmp. @@ -428,7 +524,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp To reduce the risk of an exploit being launched, it is adviseable to mount this partition with the nosuid,nodev mount options. - ### Sample /etc/fstab line for /home ### + /dev/mapper/volgrp-home /home ext4 noatime,nosuid,nodev,data=journal 0 2 @@ -445,19 +541,19 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp Next, install the sys-fs/quota package. - ### Installing quota ### + # emerge quota Then add usrquota and grpquota to the partitions (in /etc/fstab) where you want to enable quotas on. For instance, the following snippet from /etc/fstab enables quotas on /var and /home. - ### Example quota definition in /etc/fstab ### + /dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,usrquota,grpquota 0 0 /dev/mapper/volgrp-var /var ext4 noatime,usrquota,grpquota 0 0 Finally, add the quota service to the boot runlevel. - ### Adding quota to the boot runlevel ### + # rc-update add quota boot Reboot the system so that the partitions are mounted with the correct mount options and that the quota service is running. Then you can @@ -466,7 +562,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp Managing Disk Usage with Quotas (LinuxHomeNetworking) - Gentoo Linux Kernel Configuration - shorthand notation information + Gentoo Linux Kernel Configuration - shorthand notation information 
@@ -513,7 +609,7 @@ drwxrwxrwt 9 root root 260 Dec 27 16:00 /tmp booting in single user mode requires the user to enter the root password. This is already done by default in Gentoo and is part of /etc/inittab's definition: - ### Ensure sulogin is available for single user mode ### + su0:S:wait:/sbin/rc single su1:S:wait:/sbin/sulogin @@ -537,10 +633,10 @@ su0:S:wait:/sbin/rc single The SSH service is used for secure remote access towards a system, but also to provide secure file transfers. It is very commonly found on Unix/Linux - systems to proper hardening is definitely in place. - - - Please use the "Hardening OpenSSH" guide for the necessary instructions. + systems to proper hardening is definitely in place. + + + Please use the "Hardening OpenSSH" guide for the necessary instructions. @@ -650,7 +746,7 @@ su0:S:wait:/sbin/rc single You should set the USE flags globally in /etc/make.conf. - ### Setting the USE flag in /etc/make.conf ### + USE="... pam tcpd ssl" @@ -659,15 +755,15 @@ USE="... pam tcpd ssl" Gentoo Portage supports fetching signed tree snapshots using emerge-webrsync. This is documented in the Gentoo Handbook, - but as it is quite easy, here you can find the instructions again: - ### Using emerge-webrsync with GPG signatures ### + but as it is quite easy, here you can find the instructions again: + # mkdir -p /etc/portage/gpg # chmod 0700 /etc/portage/gpg # gpg - -homedir /etc/portage/gpg - -keyserver subkeys.pgp.net - -recv-keys 0x239C75C4 0x96D8BF6D # gpg - -homedir /etc/portage/gpg - -edit-key 0x239C75C4 trust # gpg - -homedir /etc/portage/gpg - -edit-key 0x96D8BF6D trust After this, you can edit /etc/make.conf: - ### Editing make.conf for signed portage trees ### + FEATURES="webrsync-gpg" PORTAGE_GPG_DIR="/etc/portage/gpg" SYNC="" 
@@ -680,9 +776,9 @@ SYNC="" The Linux kernel should be configured using a sane security standard in mind. When using grSecurity, additional security-enhancing settings can be enabled. - - - For further details, I refer to the "Hardening the Linux kernel" guide. + + + For further details, I refer to the "Hardening the Linux kernel" guide. Gentoo Kernel Configuration Guide - Shorthand notation information @@ -708,7 +804,7 @@ SYNC="" the configuration file, you can hash it. Just start grub and, in the grub-shell, type md5crypt. - ### Getting a hashed password for GRUB ### + # grub GRUB version 0.92 (640K lower / 3072K upper memory) @@ -740,7 +836,7 @@ grub> quit /etc/lilo.conf file. It is also possible to do this on a per-image level. - ### Setting a password for LILO in /etc/lilo.conf ### + password=abc123 restricted delay=3 @@ -782,7 +878,7 @@ image=/boot/bzImage A recommended setting is to only allow root user login through the console and the physical terminals (tty0-tty12). - ### /etc/securetty ### + console tty0 tty1 @@ -840,7 +936,7 @@ tty12 More information on these files and their syntax can be obtained through their manual pages. - ### Reading the limits manual pages ### + # man limits.conf # man limits @@ -866,7 +962,7 @@ tty12 pam_cracklib.so library. You can then use this in the appropriate /etc/pam.d/* files. For instance, for the /etc/pam.d/passwd definition: - ### Sample /etc/pam.d/passwd setting with cracklib ### + auth required pam_unix.so shadow nullok account required pam_unix.so password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 
@@ -934,19 +1030,19 @@ session required pam_unix.so You can use find to locate such files or directories. - ### Using find to find world writable files and directories ### + # find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print The above command shows world writable files and locations, unless it is a directory with the sticky bit set, or a symbolic link (whose world writable privilege is not accessible anyhow). - + World writeable directories must have sticky bit set - World writeable directories must have sticky bit set - - - - + World writeable directories must have sticky bit set + + + + Limit Setuid and Setgid File and Directory Usage -- cgit v1.2.3-65-gdbad
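Review bot: in the first Makefile hunk, "#guide.pdf" at the end of the "all:" line hides the new PDF target from the default build without saying why; if it is left out because fop and the DocBook XSL stylesheets are optional dependencies, put that reason in a comment next to the target or in the commit message, otherwise drop the comment and list guide.pdf as a real prerequisite.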
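Review bot: the guide.fo rule in the second Makefile hunk hard-codes "/usr/share/sgml/docbook/xsl-stylesheets/fo/docbook.xsl"; move the stylesheet path (and the "paper.type" value) into Makefile variables so a user whose stylesheets live elsewhere can override them on the make command line instead of editing the rule.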
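Review bot: in the Makefile "clean" hunk, the file name "gentoo-oval.xml.results.xml" does not match the ".gitignore" entry in the same patch, "gentoo-oval.xml.result.xml" (no "s"); since this line is being rewritten anyway to add guide.docbook, guide.pdf and guide.fo, correct the OVAL result name at the same time so "make clean" actually removes the file that "--oval-results" leaves behind.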
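Review bot: the OVAL hunks add a "/home is mounted with the nodev option" definition (with its nodev state) next to the "/tmp location must be a separate file system" definition, but the subject line only mentions the /tmp test; name the /home nodev check in the commit message too, or split it into its own commit, so the history shows where that rule came from.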
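Review bot: in the "This is no security policy" hunk the new wording "nor should everything in this document be agreed upon" reads as if disagreement is expected rather than merely permitted; "nor does everything in it have to be agreed with" keeps the intended meaning. In the next paragraph, "guide readers in their quest to hardening their systems" should be "to harden their systems".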
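Review bot: in the "Using this guide" hunk, "some settings that do not reflect the will of the reader" is awkward; "some settings the reader may not want to enable" says the same thing. The move away from the second person is also incomplete inside this hunk ("you can use the next command" and "you are free to deviate from them" stay), and the caption lines ("### Command to generate this guide ###" and the others) are dropped from every pre block without explanation; if that is required for the DocBook export, say so in the commit message so the loss of those captions is understood as intentional.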
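Review bot: the new "Test if /tmp is a separate file system" rule in the partitioning hunk only checks that /tmp is its own file system, while the paragraph above it says the location "requires specific mount options" and the fstab sample further down uses "defaults,nosuid,noexec,nodev"; either add nosuid/nodev/noexec rules for /tmp like the ones this hunk adds for /home, or state in the rule description that the options are not checked. The /home fixes "mount -o remount,nosuid /home" and "mount -o remount,nodev /home" only affect the running system; the document itself says mount options belong in the fourth column of /etc/fstab, so the fix text should also update the fstab line (the /home sample already carries both options) or note that the remount is lost at reboot. Typos in the added text: "possibile", "prevents the system to become unresponsive" (should be "from becoming"), and "targetting" in the retained line.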
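Review bot: the SSH hunk only re-indents the sentence "It is very commonly found on Unix/Linux systems to proper hardening is definitely in place"; since the line is touched anyway, change "to" to "so" so the sentence reads correctly.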
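Review bot: in the last hunk the text "World writeable directories must have sticky bit set" appears twice in the re-indented rule (once as the title and again immediately after it); keep the title and turn the second copy into an actual description of what the find command above checks, and use "writable" to match "world writable" in the surrounding prose.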