author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2013-12-20 14:32:36 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2013-12-20 14:32:36 +0100 |
commit | 690de9d64b0e276bd79bc0201bd6659d63ffdf5a (patch) | |
tree | 9715e0af549f27c05e089b29d00ebec383720ea9 /xml | |
parent | Add /var and /home quota mount options check (diff) | |
Add test for global USE flag declarations (ssl, tcpd, pam)
Diffstat (limited to 'xml')
-rw-r--r-- | xml/SCAP/gentoo-oval.xml | 94 | ||||
-rw-r--r-- | xml/SCAP/gentoo-xccdf.xml | 33 |
2 files changed, 127 insertions, 0 deletions
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 3fb4adb..8e64c26 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -457,6 +457,51 @@
 </criteria>
 </definition>
+ <definition id="oval:org.gentoo.dev.swift:def:27" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'pam' is declared as a global USE flag</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The USE declaration in make.conf should have 'pam' set as a global USE flag.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:28" comment="'pam' is set as a global USE flag in make.conf" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:28" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'tcpd' is declared as a global USE flag</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The USE declaration in make.conf should have 'tcpd' set as a global USE flag.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:29" comment="'tcpd' is set as a global USE flag in make.conf" />
+ </criteria>
+ </definition>
+
+ <definition id="oval:org.gentoo.dev.swift:def:29" version="1" class="compliance">
+ <metadata>
+ <title>In make.conf 'ssl' is declared as a global USE flag</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The USE declaration in make.conf should have 'ssl' set as a global USE flag.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:30" comment="'ssl' is set as a global USE flag in make.conf" />
+ </criteria>
+ </definition>
+
 </definitions>
 <tests>
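Review bot: The three new definitions reference tests numbered one higher than themselves (`def:27` uses `tst:28`, `def:28` uses `tst:29`, `def:29` uses `tst:30`), and nothing in the hunk says the offset is intended. The references do resolve to the matching pam, tcpd and ssl tests added further down in this patch, so this is a readability point rather than a broken link. A short comment above the first definition, such as `<!-- def:27 to def:29 use tst:28 to tst:30; test ids are offset by one -->`, would keep a later editor from "correcting" the numbers.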
@@ -680,6 +725,33 @@
 <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
 </lin-def:partition_test>
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:28"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that 'pam' is set as a global USE flag in make.conf">
+ <!-- USE declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <!-- Match for pam -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+ </ind-def:textfilecontent54_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:29"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that 'tcpd' is set as a global USE flag in make.conf">
+ <!-- USE declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <!-- Match for tcpd -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+ </ind-def:textfilecontent54_test>
+
+ <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:30"
+ version="1" check="at least one" check_existence="all_exist"
+ comment="Tests that 'ssl' is set as a global USE flag in make.conf">
+ <!-- USE declaration in make.conf -->
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <!-- Match for ssl -->
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+ </ind-def:textfilecontent54_test>
+
 </tests>
 <objects>
@@ -772,6 +844,13 @@
 <lin-def:mount_point>/var</lin-def:mount_point>
 </lin-def:partition_object>
+ <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:17"
+ version="2" comment="Portage make.conf global USE settings">
+ <ind-def:filepath>/etc/portage/make.conf</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^USE=.*</ind-def:pattern>
+ <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+ </ind-def:textfilecontent54_object>
+
 </objects>
 <states>
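Review bot: `check="at least one"` on the three new tests lets a rule pass as soon as any single `USE=` line collected by `obj:17` contains the flag. If make.conf holds more than one `USE=` assignment, a later line that drops the flag or sets `-pam` is not taken into account, so the result describes what is written somewhere in the file rather than the value Portage ends up using (how repeated assignments combine is not visible here and should be confirmed). Switching to `check="all"` would instead fail files that split flags over several assignments, so I would document the limit in the test comment, e.g. `comment="Tests that at least one USE= line in make.conf lists 'pam'"`.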
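Review bot: The object pattern `^USE=.*` collects only the physical line that begins with `USE=`, because `.` does not cross a newline with the default behaviors. Flags on continuation lines of a multi-line `USE="..."` value therefore never reach the states, and the rules would fail on a system that does set them. The object also reads `/etc/portage/make.conf` alone, so flags enabled by the profile or another Portage configuration location are out of view. The object comment could say so: `comment="USE= lines in /etc/portage/make.conf only; continuation lines are not inspected"`. Separately, this new object is introduced at `version="2"` while every other element added by the patch is `version="1"`; worth confirming that is intended.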
@@ -811,6 +890,21 @@
 <lin-def:mount_options entity_check="at least one" operation="pattern match">(usr|grp)quota</lin-def:mount_options>
 </lin-def:partition_state>
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8"
+ version="1" comment="Matching pam">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")pam( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9"
+ version="1" comment="Matching tcpd">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")tcpd( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
+ <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10"
+ version="1" comment="Matching ssl">
+ <ind-def:text datatype="string" operation="pattern match" entity_check="all">( |")ssl( |")</ind-def:text>
+ </ind-def:textfilecontent54_state>
+
 </states>
 <!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 1057fb3..b53b1e8 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -89,6 +89,12 @@
 <select idref="xccdf_org.gentoo.dev.swift_rule_hostsallow-exists" selected="true" />
 <!-- Verify that /etc/at/at.allow exists -->
 <select idref="xccdf_org.gentoo.dev.swift_rule_atallow-exists" selected="true" />
+ <!-- Make sure USE=pam is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="true" />
+ <!-- Make sure USE=tcpd is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="true" />
+ <!-- Make sure USE=ssl is set -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="true" />
 </Profile>
 <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
 <title>Default server setup settings</title>
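Review bot: The state pattern `( |")pam( |")`, and its tcpd and ssl copies in `ste:9` and `ste:10`, accepts only a space or a double quote on either side of the flag. A tab-separated list, a single-quoted value, or a flag that is the last token on the captured line is reported as missing, which makes a compliant make.conf fail. Because the match runs over the whole captured line, the word also counts when it appears after the closing quote, for instance in a trailing comment. A more tolerant form would be `[\s"']pam([\s"']|$)`; the trailing-comment case needs the object pattern to capture only the quoted value and the state to test `subexpression` instead of `text`.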
@@ -1271,6 +1277,33 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
 <h:pre> USE="... pam tcpd ssl"</h:pre>
 </description>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-pam" selected="false" severity="low" weight="0.0">
+ <title>USE="pam" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-pam">
+ Edit /etc/portage/make.conf and make sure that 'pam' is in the USE declaration
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-tcpd" selected="false" severity="low" weight="0.0">
+ <title>USE="tcpd" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-tcpd">
+ Edit /etc/portage/make.conf and make sure that 'tcpd' is in the USE declaration
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:28" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_USE-ssl" selected="false" severity="low" weight="0.0">
+ <title>USE="ssl" is set</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_USE-ssl">
+ Edit /etc/portage/make.conf and make sure that 'ssl' is in the USE declaration
+ </fixtext>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
 </Group>
 <Group id="xccdf_org.gentoo.dev.swift_group_system-portage-webrsync">
 <title>Fetching signed portage tree</title> |
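Review bot: Each new `fixtext` carries a `fixref` (`xccdf_org.gentoo.dev.swift_fix_USE-pam`, and the `-tcpd` and `-ssl` equivalents), but no `<fix>` element with those ids is added in this hunk. Unless they are defined elsewhere in the file, the references point at nothing, and either the attribute should be dropped or the fixes added. The fixtext also stops at editing make.conf, while a USE flag only affects a package once it is rebuilt, so a passing rule says nothing about what is actually installed. I would extend each fixtext with a sentence such as `Afterwards rebuild the affected packages, e.g. emerge --update --deep --newuse @world`. The enclosing `Group` starts before the hunk.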