<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" resolved="1">
  <status date="2013-09-17">draft</status>
  <title>Gentoo Security Benchmark</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
    This benchmark helps people improve their system configuration so that it is
    more resilient against attacks and vulnerabilities.
  </description>
  <platform idref="cpe:/o:gentoo:linux"/>
  <version>20130917.1</version>
  <model system="urn:xccdf:scoring:default"/>
  <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive">
    <title>Intensive validation profile</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
      In this profile, we verify common settings for Gentoo Linux
      configurations. The tests that are enabled in this profile can be run
      without visibly impacting the performance of the system.
    
      This profile extends the default server profile by including tests that
      are more intensive to run on a system. Tests such as full file system
      scans to find world-writable files or directories would otherwise have
      too large an impact on the performance of a server.
    </description>
    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
    <title>Default server setup settings</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
      In this profile, we verify common settings for Gentoo Linux
      configurations. The tests that are enabled in this profile can be run
      without visibly impacting the performance of the system.
    </description>
    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
  </Profile>
  <Group id="xccdf_org.gentoo.dev.swift_group_intro">
    <title>Introduction</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
      For years, Gentoo Linux has had a Gentoo Security Handbook
      which provides good insight into secure system
      configuration for Gentoo systems. Although this is important, an
      improved method for describing and tuning a system's security state has
      emerged: SCAP, or the <h:em xmlns:h="http://www.w3.org/1999/xhtml">Security Content Automation Protocol</h:em>.
      <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
      <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
      As such, this benchmark is an update of the security
      handbook, including both the in-depth explanation of settings as well as
      the means to validate whether a system complies with them or not. During
      the development of this benchmark document, we did not include all
      information from the Gentoo Security Handbook, as some of the settings are
      specific to a service that is not installed by default on a Gentoo Linux
      system. Although these settings are important as well, it is our belief
      that they are best covered in separate benchmarks for those services.
      <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
      <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
      Where applicable, this benchmark will refer to a different hardening guide
      for specific purposes (such as the Hardening OpenSSH benchmark).
    </description>
    <reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo
    Security Handbook</reference>
    <Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
      <title>This is no security policy</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        It is <h:em xmlns:h="http://www.w3.org/1999/xhtml">very important</h:em> to realize that this document is not a
	policy.  You are not obliged to follow it to have a secure system,
	nor do you need to agree with everything said in the document.
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	The purpose of this document is to guide you in your quest to harden
	your system.  It will provide pointers that could help you decide on
	particular configuration settings and will do this hopefully using
	sufficient background information to make a good choice.
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	You <h:em xmlns:h="http://www.w3.org/1999/xhtml">will</h:em> find settings you don't agree with. That's fine, but
	if you disagree with <h:em xmlns:h="http://www.w3.org/1999/xhtml">why</h:em> we do this, we would like to hear it
	and we'll add the feedback to the guide.
      </description>
    </Group>
    <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
      <title>A little more about SCAP and OVAL</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
        are notably important in light of the guide you are currently using.
        <h:ul xmlns:h="http://www.w3.org/1999/xhtml">
          <h:li>
            XCCDF (Extensible Configuration Checklist Description Format) is
            a specification language for writing security checklists and benchmarks
            (such as the one you are reading now)
          </h:li>
          <h:li>
            OVAL (Open Vulnerability and Assessment Language) is a standard to describe
            and validate system settings
          </h:li>
        </h:ul>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        Thanks to the OVAL and XCCDF standards, a security engineer can now describe
        how the state of a system should be configured, how this can be checked
        automatically, and even report on these settings. Furthermore, within the
        description, the engineer can make "profiles" of different states (such as
        a profile for a workstation, server (generic), webserver, LDAP server,
        ...) and reuse the states (rules) identified in a more global scope.
      </description>
    </Group>
    <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
      <title>Using this guide</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        The guide you are currently reading is the guide generated from this SCAP
        content (more specifically, the XCCDF document) using <h:b xmlns:h="http://www.w3.org/1999/xhtml">openscap</h:b>,
        a free software implementation for handling SCAP content. Within Gentoo,
        the package <h:code xmlns:h="http://www.w3.org/1999/xhtml">app-forensics/openscap</h:code> provides the tools, and
        the following command is used to generate the HTML output:
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Command to generate this guide ###
# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml &gt; output.html</h:b>
        </h:pre>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
        The two files combined allow you to automatically validate various settings as
        documented in the benchmark.
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	Now, to validate the tests, you can use the following commands:
        <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules mentioned in the XCCDF document ###
# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        To generate a full report in HTML as well, you can use the next command:
        <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules and generating an HTML report ###
# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        Finally, this benchmark will suggest some settings which you do not want
        to enable. That is perfectly fine; some settings might even
        raise eyebrows left and right. We will try to document the reasoning behind
        the settings, but you are free to deviate from them. If that is the case,
        you might want to disable the rules in the XCCDF document so that they are
        not checked on your system.
      </description>
    </Group>
    <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
      <title>Available XCCDF Profiles</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        As mentioned earlier, the XCCDF document supports multiple profiles. For the time
	being, two profiles are defined:
	<h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
	<h:ul xmlns:h="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.2">
	  <h:li>
	    The <h:em>default</h:em> profile contains tests that are quick to validate
	  </h:li>
	  <h:li>
	    The <h:em>intensive</h:em> profile contains all tests, including those that
	    take a while (for instance because they perform full file system scans)
	  </h:li>
	</h:ul>
	Substitute the profile information in the commands above with the profile you want to test on.
      </description>
    </Group>
  </Group>
  <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
    <title>Before You Start</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
      Before you start deploying Gentoo Linux and start hardening it, it is wise
      to take a step back and think about what you want to accomplish. Setting
      up a more secure Gentoo Linux isn't a goal, but a means to reach
      something. Most likely, you are considering setting up a Gentoo Linux
      powered server. What is this server for? Where will you put it? What other
      services will you want to run on the same OS? Etc.
    </description>
    <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
      <title>Infrastructure Architecturing</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        When considering your entire IT architecture, many architecture
        frameworks exist to write down and further design your infrastructure.
        There are very elaborate ones, like TOGAF (The Open Group Architecture
        Framework), but smaller ones exist as well.
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        A well-written and maintained infrastructure architecture helps you
        position new services or consider the impact of changes on existing
        components. There is a good reason for mentioning such a well-designed
        architecture in a hardening guide.
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        Security is about reducing risks, not about harassing people or making
        work for a system administrator harder. And reducing risks also means
        that you need to keep a clear eye on your architecture and all its
        components. If you do not know what you are integrating, where you are
        putting it or why, then you have more issues to consider than hardening
        a system.
      </description>
    </Group>
    <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
      <title>Mapping Requirements</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        When you design a service, you need to take both functional and
        non-functional requirements into account. That may sound like
        overkill for a simple server installation, but it is not. Have you
        considered auditing? Where do the audit logs need to be sent to? What
        about authentication? Centrally managed, or manually set? And the server
        you are installing, will it only host a particular service, or will it
        provide several services?
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
        When hosting multiple services on the same server, make sure that the
        server is positioned within your network on an acceptable segment. It is
        not safe to host your central LDAP infrastructure on the same system as
        your web server that is facing the Internet.
      </description>
      <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
    </Group>
    <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
      <title>Non-Software Security Concerns</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        From the next chapter onwards, we will only focus on the software side
        hardening. There are of course also non-software concerns that you
        should investigate.
      </description>
      <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security
      Handbook (RFC2196)</reference>
      <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
        <title>Physical Security</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
          Make sure that your system is only accessible (physically) by trusted
          people. Fully hardening your system, only to have a malicious person
          take out the harddisk and run away with your confidential data is not
          something you want to experience.
          <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
          <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
          When physical security cannot be guaranteed (like with laptops), make
          sure that theft of the device only results in the loss of the hardware
          and not of the data and software on it (backups), and also that the
          data on it cannot be read by unauthorized people. We will come back to
          disk encryption later.
        </description>
        <reference href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data
        Center Physical Security Checklist (SANS, PDF)</reference>
      </Group>
      <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
        <title>Policies and Contractual Agreements</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
          Create or validate the security policies in your organization. This is
          not only a stick (against internal people who might want to abuse
          their powers) but also a way to document and describe why certain
          decisions are made (both architectural and otherwise).
        </description>
        <reference href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical
        Writing for IT Security Policies in Five Easy Steps (SANS,
        PDF)</reference>
        <reference href="https://www.sans.org/security-resources/policies/">Information
        Security Policy Templates (SANS)</reference>
      </Group>
    </Group>
  </Group>
  <Group id="xccdf_org.gentoo.dev.swift_group_installation">
    <title>Installation Configuration</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
      Let's focus now on the OS hardening. Gentoo Linux allows you to update the
      system as you want after installation, but it might be interesting to
      consider the following aspects during installation if you do not want a
      huge migration project later.
    </description>
    <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
      <title>Storage Configuration</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
        Your storage is of utmost importance in any environment. It needs to be
        sufficiently fast so as not to jeopardize performance, but also secure and
        manageable, yet still remain flexible to handle future changes.
      </description>
      <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning">
        <title>Partitioning</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
          Know which locations in your file system structure you want on a
          different partition or logical volume. Separate locations allow for
          more distinct segregation (for instance, hard links cannot span
          different file systems) and low-level protection (limiting the impact
          of file system corruption, but also putting the right data on the
          right storage media).
        </description>
        <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
        Standard</reference>
        <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
          <title>/home Location</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
            The <h:code xmlns:h="http://www.w3.org/1999/xhtml">/home</h:code> location should be on its own partition,
            allowing the administrator to mount this location with specific
            options targeting the file system's security settings or quota.
          </description>
          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true">
            <title>Test if /home is a separate partition</title>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
  </Group>
  <TestResult id="xccdf_org.open-scap_testresult_default-profile" start-time="2013-09-17T20:24:00" end-time="2013-09-17T20:24:00">
    <title>OSCAP Scan Result</title>
    <identity authenticated="false" privileged="false">swift</identity>
    <target>hpl</target>
    <target-address>127.0.0.1</target-address>
    <target-address>192.168.1.3</target-address>
    <target-address>192.168.100.1</target-address>
    <target-address>::1</target-address>
    <target-address>fe80::f27b:cbff:fe0f:5a3b</target-address>
    <target-address>2001:db8:81:e2:0:26b5:365b:5072</target-address>
    <target-address>fe80::2045:eaff:fe47:e569</target-address>
    <target-facts>
      <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
      <fact name="urn:xccdf:fact:scanner:version" type="string">0.9.8</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
    </target-facts>
    <rule-result idref="xccdf_org.gentoo.dev.swift_rule_partition-home" time="2013-09-17T20:24:00" weight="1.000000">
      <result>pass</result>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
      </check>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">100.000000</score>
  </TestResult>
</Benchmark>