Diffstat (limited to 'xml/SCAP/results-xccdf.xml')
-rw-r--r--xml/SCAP/results-xccdf.xml326
1 files changed, 326 insertions, 0 deletions
diff --git a/xml/SCAP/results-xccdf.xml b/xml/SCAP/results-xccdf.xml
new file mode 100644
index 0000000..db19a4c
--- /dev/null
+++ b/xml/SCAP/results-xccdf.xml
@@ -0,0 +1,326 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20130917-1" resolved="1">
+ <status date="2013-09-17">draft</status>
+ <title>Gentoo Security Benchmark</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ This benchmarks helps people in improving their system configuration to be
+ more resilient against attacks and vulnerabilities.
+ </description>
+ <platform idref="cpe:/o:gentoo:linux"/>
+ <version>20130917.1</version>
+ <model system="urn:xccdf:scoring:default"/>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive">
+ <title>Default server setup settingsIntensive validation profile</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ In this profile, we verify common settings for Gentoo Linux
+ configurations. The tests that are enabled in this profile can be ran
+ without visibly impacting the performance of the system.
+
+ This profile extends the default server profile by including tests that
+ are more intensive to run on a system. Tests such as full file system
+ scans to find world-writable files or directories have an otherwise too
+ large impact on the performance of a server.
+ </description>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
+ </Profile>
+ <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
+ <title>Default server setup settings</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ In this profile, we verify common settings for Gentoo Linux
+ configurations. The tests that are enabled in this profile can be ran
+ without visibly impacting the performance of the system.
+ </description>
+ <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true"/>
+ </Profile>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro">
+ <title>Introduction</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Since years, Gentoo Linux has a Gentoo Security Handbook
+ which provides a good insight in secure system
+ configuration for a Gentoo systems. Although this is important, an
+ improved method for describing and tuning a systems' security state has
+ emerged: SCAP, or the <h:em xmlns:h="http://www.w3.org/1999/xhtml">Security Content Automation Protocol</h:em>.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ As such, this benchmark is an update on the security
+ handbook, including both the in-depth explanation of settings as well as
+ the means to validate if a system complies with this or not. Now, during
+ the development of this benchmark document, we did not include all
+ information from the Gentoo Security Handbook as some of the settings are
+ specific to a service that is not all that default on a Gentoo Linux
+ system. Although these settings are important as well, it is our believe
+ that this is best done in separate benchmarks for those services instead.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ Where applicable, this benchmark will refer to a different hardening guide
+ for specific purposes (such as the Hardening OpenSSH benchmark).
+ </description>
+ <reference href="http://www.gentoo.org/doc/en/security/security-handbook.xml">Gentoo
+ Security Handbook</reference>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-security">
+ <title>This is no security policy</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ It is <h:em xmlns:h="http://www.w3.org/1999/xhtml">very important</h:em> to realize that this document is not a
+ policy. You are not obliged to follow this if you want a secure system
+ nor do you need to agree with everything said in the document.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ The purpose of this document is to guide you in your quest to hardening
+ your system. It will provide pointers that could help you decide in
+ particular configuration settings and will do this hopefully using
+ sufficient background information to make a good choice.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ You <h:em xmlns:h="http://www.w3.org/1999/xhtml">will</h:em> find settings you don't agree with. That's fine, but
+ if you disagree with <h:em xmlns:h="http://www.w3.org/1999/xhtml">why</h:em> we do this, we would like to hear it
+ and we'll add the feedback to the guide.
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-scap">
+ <title>A little more about SCAP and OVAL</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Within SCAP, NIST has defined some new standards of which XCCDF and OVAL
+ are notably important in light of the guide you are currently using.
+ <h:ul xmlns:h="http://www.w3.org/1999/xhtml">
+ <h:li>
+ XCCDF (Extensible Configuration Checklist Description Format) is
+ a specification language for writing security checklists and benchmarks
+ (such as the one you are reading now)
+ </h:li>
+ <h:li>
+ OVAL (Open Vulnerability and Assessment Language) is a standard to describe
+ and validate system settings
+ </h:li>
+ </h:ul>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ Thanks to the OVAL and XCCDF standards, a security engineer can now describe
+ how the state of a system should be configured, how this can be checked
+ automatically and even report on these settings. Furthermore, within the
+ description, the engineer can make "profiles" of different states (such as
+ a profile for a workstation, server (generic), webserver, LDAP server,
+ ...) and reusing the states (rules) identified in a more global scope.
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
+ <title>Using this guide</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ The guide you are currently reading is the guide generated from this SCAP
+ content (more specifically, the XCCDF document) using <h:b xmlns:h="http://www.w3.org/1999/xhtml">openscap</h:b>,
+ a free software implementation for handling SCAP content. Within Gentoo,
+ the package <h:code xmlns:h="http://www.w3.org/1999/xhtml">app-forensics/openscap</h:code> provides the tools, and
+ the following command is used to generate the HTML output:
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Command to generate this guide ###
+# <h:b>oscap xccdf generate guide scap-gentoo-xccdf.xml &gt; output.html</h:b>
+ </h:pre>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
+ The two files combined allow you to automatically validate various settings as
+ documented in the benchmark.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ Now, to validate the tests, you can use the following commands:
+ <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules mentioned in the XCCDF document ###
+# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default scap-gentoo-xccdf.xml</h:b></h:pre>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ To generate a full report in HTML as well, you can use the next command:
+ <h:pre xmlns:h="http://www.w3.org/1999/xhtml">### Testing the rules and generating an HTML report ###
+# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html scap-gentoo-xccdf.xml</h:b></h:pre>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ Finally, this benchmark will suggest some settings which you do not want
+ to enable. That is perfectly fine - even more, some settings might even
+ raise eyebrows left and right. We will try to document the reasoning behind
+ the settings but you are free to deviate from them. If that is the case,
+ you might want to disable the rules in the XCCDF document so that they are
+ not checked on your system.
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
+ <title>Available XCCDF Profiles</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ As mentioned earlier, the XCCDF document supports multiple profiles. For the time
+ being, two profiles are defined:
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:ul xmlns:h="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.2">
+ <h:li>
+ The <em>default</em> profile contains tests that are quick to validate
+ </h:li>
+ <h:li>
+ The <em>intensive</em> profile contains all tests, including those that
+ take a while (for instance because they perform full file system scans)
+ </h:li>
+ </h:ul>
+ Substitute the profile information in the commands above with the profile you want to test on.
+ </description>
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
+ <title>Before You Start</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Before you start deploying Gentoo Linux and start hardening it, it is wise
+ to take a step back and think about what you want to accomplish. Setting
+ up a more secured Gentoo Linux isn't a goal, but a means to reach
+ something. Most likely, you are considering setting up a Gentoo Linux
+ powered server. What is this server for? Where will you put it? What other
+ services will you want to run on the same OS? Etc.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-architecturing">
+ <title>Infrastructure Architecturing</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ When considering your entire IT architecture, many architecturing
+ frameworks exist to write down and further design your infrastructure.
+ There are very elaborate ones, like TOGAF (The Open Group Architecture
+ Framework), but smaller ones exist as well.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ A well written and maintained infrastructure architecture helps you
+ position new services or consider the impact of changes on existing
+ components. And the reason for mentioning such a well designed architecture
+ in a hardening guide is not weird.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ Security is about reducing risks, not about harassing people or making
+ work for a system administrator harder. And reducing risks also means
+ that you need to keep a clear eye out on your architecture and all its
+ components. If you do not know what you are integrating, where you are
+ putting it or why, then you have more issues to consider than hardening
+ a system.
+ </description>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-requirements">
+ <title>Mapping Requirements</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ When you design a service, you need to take both functional and
+ non-functional requirements into account. That does sound like
+ overshooting for a simple server installation, but it is not. Have you
+ considered auditing? Where do the audit logs need to be sent to? What
+ about authentication? Centrally managed, or manually set? And the server
+ you are installing, will it only host a particular service, or will it
+ provide several services?
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ When hosting multiple services on the same server, make sure that the
+ server is positioned within your network on an acceptable segment. It is
+ not safe to host your central LDAP infrastructure on the same system as
+ your web server that is facing the Internet.
+ </description>
+ <reference href="https://www.ibm.com/developerworks/rational/library/4706.html">IBM DeveloperWorks article on "Capturing Architectural Requirements"</reference>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware">
+ <title>Non-Software Security Concerns</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ From the next chapter onwards, we will only focus on the software side
+ hardening. There are of course also non-software concerns that you
+ should investigate.
+ </description>
+ <reference href="https://www.rfc-editor.org/info/rfc2196">Site Security
+ Handbook (RFC2196)</reference>
+ <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-physical">
+ <title>Physical Security</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Make sure that your system is only accessible (physically) by trusted
+ people. Fully hardening your system, only to have a malicious person
+ take out the harddisk and run away with your confidential data is not
+ something you want to experience.
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ <h:br xmlns:h="http://www.w3.org/1999/xhtml"/>
+ When physical security cannot be guaranteed (like with laptops), make
+ sure that theft of the device only results in the loss of the hardware
+ and not of the data and software on it (backups), and also that the
+ data on it cannot be read by unauthorized people. We will come back on
+ disk encryption later.
+ </description>
+ <reference href="http://www.sans.org/reading_room/whitepapers/awareness/data-center-physical-security-checklist_416">Data
+ Center Physical Security Checklist (SANS, PDF)</reference>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation-nonsoftware-policies">
+ <title>Policies and Contractual Agreements</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Create or validate the security policies in your organization. This is
+ not only as a stick (against internal people who might want to abuse
+ their powers) but also to document and describe why certain decisions
+ are made (both architecturally as otherwise).
+ </description>
+ <reference href="http://www.sans.org/reading_room/whitepapers/policyissues/technical-writing-security-policies-easy-steps_492">Technical
+ Writing for IT Security Policies in Five Easy Steps (SANS,
+ PDF)</reference>
+ <reference href="https://www.sans.org/security-resources/policies/">Information
+ Security Policy Templates (SANS)</reference>
+ </Group>
+ </Group>
+ </Group>
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation">
+ <title>Installation Configuration</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Let's focus now on the OS hardening. Gentoo Linux allows you to update the
+ system as you want after installation, but it might be interesting to
+ consider the following aspects during installation if you do not want a
+ huge migration project later.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage">
+ <title>Storage Configuration</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Your storage is of utmost importance in any environment. It needs to be
+ sufficiently fast, not to jeopardize performance, but also secure and
+ manageable yet still remain flexible to handle future changes.
+ </description>
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning">
+ <title>Partitioning</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ Know which locations in your file system structure you want on a
+ different partition or logical volume. Separate locations allow for a
+ more distinct segregation (for instance, hard links between different
+ file systems) and low-level protection (file system corruption impact,
+ but also putting the right data on the right storage media).
+ </description>
+ <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
+ Standard</reference>
+ <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
+ <title>/home Location</title>
+ <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ The <h:code xmlns:h="http://www.w3.org/1999/xhtml">/home</h:code> location should be on its own partition,
+ allowing the administrator to mount this location with specific
+ options targetting the file systems' security settings or quota.
+ </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true">
+ <title>Test if /home is a separate partition</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
+ </check>
+ </Rule>
+ </Group>
+ </Group>
+ </Group>
+ </Group>
+ <TestResult id="xccdf_org.open-scap_testresult_default-profile" start-time="2013-09-17T20:24:00" end-time="2013-09-17T20:24:00">
+ <title>OSCAP Scan Result</title>
+ <identity authenticated="false" privileged="false">swift</identity>
+ <target>hpl</target>
+ <target-address>127.0.0.1</target-address>
+ <target-address>192.168.1.3</target-address>
+ <target-address>192.168.100.1</target-address>
+ <target-address>::1</target-address>
+ <target-address>fe80::f27b:cbff:fe0f:5a3b</target-address>
+ <target-address>2001:db8:81:e2:0:26b5:365b:5072</target-address>
+ <target-address>fe80::2045:eaff:fe47:e569</target-address>
+ <target-facts>
+ <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
+ <fact name="urn:xccdf:fact:scanner:version" type="string">0.9.8</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
+ <fact name="urn:xccdf:fact:ethernet:MAC" type="string">22:45:EA:47:E5:69</fact>
+ </target-facts>
+ <rule-result idref="xccdf_org.gentoo.dev.swift_rule_partition-home" time="2013-09-17T20:24:00" weight="1.000000">
+ <result>pass</result>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml"/>
+ </check>
+ </rule-result>
+ <score system="urn:xccdf:scoring:default" maximum="100.000000">100.000000</score>
+ </TestResult>
+</Benchmark>
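Review bot: the intensive profile (the `<Profile id="xccdf_org.gentoo.dev.swift_profile_intensive">` block) says it "extends the default server profile", but the element carries no `extends="xccdf_org.gentoo.dev.swift_profile_default"` attribute, its `<select>` list is identical to the default profile's single `partition-home` rule, and its title reads as two titles run together:
`<title>Default server setup settingsIntensive validation profile</title>`
Suggest `<title>Intensive validation profile</title>`, adding the `extends` attribute and dropping the description paragraph copied from the default profile, so the relationship is declared in the XCCDF rather than only described in prose. Two smaller points in the same hunk: in the `intro-profiles` group, `<h:ul xmlns:h="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.2">` resets the default namespace, so the unprefixed `<em>default</em>` and `<em>intensive</em>` end up in the XCCDF namespace instead of XHTML and will not render as emphasis; use `<h:em>` as the rest of the file does. And because this file is a scan result rather than benchmark content, the `<TestResult>` block records the scanning host's name, its link-local addresses and its MAC addresses (`<fact name="urn:xccdf:fact:ethernet:MAC" type="string">F0:7B:CB:0F:5A:3B</fact>`); consider whether generated results belong in the repository at all, or at least scrub those host identifiers before committing.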