The major goal of this commit is to provide the ability for consumers to easily view the project's Rules as "requirements" for the pre-release draft RHEL 6 STIG. This will help ensure productive consensus group meetings, by ensuring participants can view the Rules and generate feedback prior to the meetings. Usage of the project also ensures effective capture of consensus decisions. Mapping of the CCIs from the OS SRG continues (in parallel), which is an essential element for submitting the content as a STIG.
Jeffrey Blank (4):
  added Makerule, transform to create table for RHEL 6 STIG Profile (Pre-release Draft)
  cleanup of prose for sysctl network parameter settings
    * expurgated weird CCE description text
    * introduced usage of new macros for XCCDF sysctl description
  cleanup of prose for rsyslog logging
    * OVAL for these remains difficult
    * can we grab a filename from a text file, and then run tests on it?
  cleanup of prose for iptables
 rhel6/src/Makefile                                  |   8 +-
 rhel6/src/input/profiles/STIG-server.xml            |   5 +-
 rhel6/src/input/system/logging.xml                  | 220 +++++++++++-------
 rhel6/src/input/system/network/iptables.xml         |  51 +++--
 rhel6/src/input/system/network/kernel.xml           | 242 ++++++++++----------
 rhel6/src/transforms/shorthand2xccdf.xslt           |  15 ++
 rhel6/src/transforms/xccdf-addprofiles.xslt         |   1 +
 .../src/transforms/xccdf2table-profileccirefs.xslt  | 170 ++++++++++++++
 8 files changed, 481 insertions(+), 231 deletions(-)
 create mode 100644 rhel6/src/transforms/xccdf2table-profileccirefs.xslt
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 rhel6/src/Makefile                                  |   8 +-
 rhel6/src/input/profiles/STIG-server.xml            |   5 +-
 rhel6/src/transforms/xccdf-addprofiles.xslt         |   1 +
 .../src/transforms/xccdf2table-profileccirefs.xslt  | 170 ++++++++++++++++++++
 4 files changed, 179 insertions(+), 5 deletions(-)
 create mode 100644 rhel6/src/transforms/xccdf2table-profileccirefs.xslt
diff --git a/rhel6/src/Makefile b/rhel6/src/Makefile index 6443905..bb94dec 100644 --- a/rhel6/src/Makefile +++ b/rhel6/src/Makefile @@ -74,12 +74,14 @@ guide: shorthand-guide shorthand2xccdf # tidy -m -xml -utf8 --indent-spaces=0 $(XCCDF_OUTPUT_DIR)/rhel5-shorthand.xml
table-profilenistrefs: shorthand-guide shorthand2xccdf -# xsltproc -o $(POLICYMAPPING_OUTPUT_DIR)/rhel6-table-nistrefs.html $(TRANS)/xccdf2table-nistrefs.xslt $(XCCDF_OUTPUT_DIR)/rhel6-xccdf.xml xsltproc -stringparam profile "desktop" -o $(OUT)/rhel6-table-nistrefs-desktop.html $(TRANS)/xccdf2table-profilenistrefs.xslt $(OUT)/rhel6-xccdf.xml xsltproc -stringparam profile "server" -o $(OUT)/rhel6-table-nistrefs-server.html $(TRANS)/xccdf2table-profilenistrefs.xslt $(OUT)/rhel6-xccdf.xml xsltproc -stringparam profile "common" -o $(OUT)/rhel6-table-nistrefs-common.html $(TRANS)/xccdf2table-profilenistrefs.xslt $(OUT)/rhel6-xccdf.xml xsltproc -stringparam profile "ftp" -o $(OUT)/rhel6-table-nistrefs-ftp.html $(TRANS)/xccdf2table-profilenistrefs.xslt $(OUT)/rhel6-xccdf.xml
+table-profileccirefs: shorthand-guide shorthand2xccdf + xsltproc -stringparam profile "stig-server" -o $(OUT)/rhel6-table-stig-server.html $(TRANS)/xccdf2table-profileccirefs.xslt $(OUT)/rhel6-xccdf.xml + table-refs: shorthand-guide shorthand2xccdf xsltproc -stringparam ref "nist" -o $(OUT)/rhel6-table-nistrefs.html $(TRANS)/xccdf2table-byref.xslt $(OUT)/rhel6-xccdf.xml xsltproc -stringparam ref "cnss" -o $(OUT)/rhel6-table-cnssrefs.html $(TRANS)/xccdf2table-byref.xslt $(OUT)/rhel6-xccdf.xml @@ -93,11 +95,11 @@ table-srgmap: shorthand-guide shorthand2xccdf # the map-to-items filename must be provided relative to the root of the main document being processed xsltproc -stringparam map-to-items "../$(OUT)/rhel6-xccdf.xml" -o $(OUT)/rhel6-table-srgmap.html $(TRANS)/table-srgmap.xslt $(REFS)/disa-os-srg-v1r1.xml
-table-stig: +table-stig-rhel5: xsltproc -o $(OUT)/rhel5-table-stig.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf.xml xsltproc -o $(OUT)/rhel5-table-stig-manual.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
-tables: table-refs table-profilenistrefs table-srgmap +tables: table-profilenistrefs table-profileccirefs table-refs table-srgmap table-stig-rhel5
content: shorthand-guide shorthand2xccdf guide checks # the relabelids.py script chdirs to ./output, so refer to files from there. diff --git a/rhel6/src/input/profiles/STIG-server.xml b/rhel6/src/input/profiles/STIG-server.xml index 3a7e4a1..5ccf94c 100644 --- a/rhel6/src/input/profiles/STIG-server.xml +++ b/rhel6/src/input/profiles/STIG-server.xml @@ -1,6 +1,7 @@ <Profile id="stig-server" extends="common" xmlns="http://checklists.nist.gov/xccdf/1.1" > -<title>Draft STIG (RHEL 6 Server)</title> -<description>This profile represents a RHEL 6 Server STIG.</description> +<title>Pre-release Draft STIG for RHEL 6 Server</title> +<description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description> +<select idref="rpm_verify_permissions" selected="true"/> <select idref="disable_xwindows_with_runlevel" selected="true"/> <select idref="packagegroup_xwindows_remove" selected="true"/> <select idref="disable_dhcp_client" selected="true"/> diff --git a/rhel6/src/transforms/xccdf-addprofiles.xslt b/rhel6/src/transforms/xccdf-addprofiles.xslt index 0041dcd..1d3dadc 100644 --- a/rhel6/src/transforms/xccdf-addprofiles.xslt +++ b/rhel6/src/transforms/xccdf-addprofiles.xslt @@ -12,6 +12,7 @@ <xsl:apply-templates select="document('../input/profiles/desktop.xml')" /> <xsl:apply-templates select="document('../input/profiles/server.xml')" /> <xsl:apply-templates select="document('../input/profiles/ftp.xml')" /> + <xsl:apply-templates select="document('../input/profiles/STIG-server.xml')" /> </xsl:if> </xsl:template>
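Review bot: the second Makefile hunk (`+tables: table-profilenistrefs table-profileccirefs table-refs table-srgmap table-stig-rhel5`) pulls the renamed `table-stig-rhel5` target into the default table build, so `make tables` now depends on `$(REFS)/disa-stig-rhel5-v1r0.6-xccdf.xml` and its `-manual` companion being present; either keep `table-stig-rhel5` out of `tables` or document that reference-file dependency next to the target. In the first hunk, the output name `rhel6-table-stig-server.html` breaks from the `rhel6-table-<ref>refs-<profile>.html` pattern used by the `table-profilenistrefs` lines just above it; `rhel6-table-ccirefs-stig-server.html` would keep the two table families together. The `xccdf-addprofiles.xslt` hunk is what makes the new target work at all, since `xccdf2table-profileccirefs.xslt` looks the profile up by id inside the generated `rhel6-xccdf.xml`; that coupling is worth a sentence in the commit message.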
diff --git a/rhel6/src/transforms/xccdf2table-profileccirefs.xslt b/rhel6/src/transforms/xccdf2table-profileccirefs.xslt new file mode 100644 index 0000000..94197b3 --- /dev/null +++ b/rhel6/src/transforms/xccdf2table-profileccirefs.xslt 
@@ -0,0 +1,170 @@ +<?xml version="1.0" encoding="utf-8" standalone="yes"?> +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml%22%3E + +<!-- this style sheet expects parameter $profile, which is the id of the Profile to be shown --> + +<xsl:include href="constants.xslt"/> + + <xsl:template match="/"> + <html> + <head> + <title><xsl:value-of select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:title" /></title> + </head> + <body> + <br/> + <br/> + <div style="text-align: center; font-size: x-large; font-weight:bold"><xsl:value-of select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:title" /></div> + <div style="text-align: center; font-size: normal "><xsl:value-of select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:description" /></div> + <br/> + <br/> + <xsl:apply-templates select="cdf:Benchmark"/> + </body> + </html> + </xsl:template> + + + <xsl:template match="cdf:Benchmark"> + <style type="text/css"> + table + { + border-collapse:collapse; + } + table,th, td + { + border: 1px solid black; + vertical-align: top; + padding: 3px; + } + thead + { + display: table-header-group; + font-weight: bold; + } + </style> + <table> + <thead> + <td>Vuln ID</td> + <td>GEN ID</td> + <td>Title</td> + <td>Discussion (Rationale)</td> + <td>Fix Text (Description)</td> + <!-- <td>Variable Setting</td> --> + <td>CCI Ref</td> + </thead> + + <xsl:call-template name="profileplate"> + <xsl:with-param name="profileid" select="$profile" /> + </xsl:call-template> + </table> + </xsl:template> + + <!-- recursively-called, to handle Profile "extends" behavior --> + <xsl:template match="cdf:Profile" name="profileplate"> + <xsl:param name="profileid" /> + xsl:comment Entered Profile: <xsl:value-of select="$profileid" /> </xsl:comment> + + <xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profileid]"> + <xsl:if test="@extends"> + 
<xsl:variable name="extendedprofile" select="@extends" /> + <xsl:call-template name="profileplate"> + <xsl:with-param name="profileid" select="$extendedprofile" /> + </xsl:call-template> + </xsl:if> + </xsl:for-each> + + <xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profileid]/cdf:select"> + <xsl:variable name="idrefer" select="@idref" /> + <xsl:variable name="enabletest" select="@selected" /> + <xsl:for-each select="/cdf:Benchmark/cdf:Group"> + <xsl:call-template name="groupplate"> + <xsl:with-param name="idreference" select="$idrefer" /> + <xsl:with-param name="enabletest" select="$enabletest" /> + </xsl:call-template> + </xsl:for-each> + </xsl:for-each> + + </xsl:template> + + <xsl:template match="cdf:Group" name="groupplate"> + <xsl:param name="idreference" /> + <xsl:param name="enabletest" /> + <!-- Group cdf:title --> + <xsl:for-each select="cdf:Group"> + <xsl:call-template name="groupplate"> + <xsl:with-param name="idreference" select="$idreference" /> + <xsl:with-param name="enabletest" select="$enabletest" /> + </xsl:call-template> + </xsl:for-each> + + <xsl:for-each select="cdf:Rule"> + <xsl:call-template name="ruleplate"> + <xsl:with-param name="idreference" select="$idreference" /> + <xsl:with-param name="enabletest" select="$enabletest" /> + </xsl:call-template> + </xsl:for-each> + </xsl:template> + + + <xsl:template match="cdf:Rule" name="ruleplate"> + <xsl:param name="idreference" /> + <xsl:param name="enabletest" /> + <xsl:if test="@id=$idreference and $enabletest='true'"> + <tr> + <td> TBD<!--extract value of Vuln-ID (stored as reference or note or ident) when mapping is available --></td> + <td> TBD<!--extract value of GEN-ID (stored as reference or note or ident) when mapping is available --></td> + <td> <xsl:value-of select="cdf:title" /></td> + <!-- call template to grab text and also child nodes (which should all be xhtml) --> + <td> <xsl:apply-templates select="cdf:rationale"/> </td> + <td> <xsl:apply-templates 
select="cdf:description"/> </td> + <!-- need to resolve <sub idref=""> here --> + <!-- <td> TODO: print refine-value from profile associated with rule </td> --> + <td> + <xsl:for-each select="cdf:reference[@href=$disa-cciuri]"> + <xsl:variable name="cci_formatted" select='format-number(self::node()[text()], "000000")' /> + <xsl:variable name="cci_expanded" select="concat('CCI-', $cci_formatted)" /> + <xsl:value-of select="$cci_expanded"/> + <br/> + </xsl:for-each> + </td> + </tr> + </xsl:if> + </xsl:template> + + + <xsl:template match="cdf:check"> + <xsl:for-each select="cdf:check-export"> + <xsl:variable name="rulevar" select="@value-id" /> + <!--<xsl:value-of select="$rulevar" />:--> + <xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:refine-value"> + <xsl:if test="@idref=$rulevar"> + <xsl:value-of select="@selector" /> + </xsl:if> + </xsl:for-each> + </xsl:for-each> + </xsl:template> + + + <!-- getting rid of XHTML namespace --> + <xsl:template match="xhtml:*"> + <xsl:element name="{local-name()}"> + <xsl:apply-templates select="node()|@*"/> + </xsl:element> + </xsl:template> + + <xsl:template match="@*|node()"> + xsl:copy + <xsl:apply-templates select="@*|node()"/> + </xsl:copy> + </xsl:template> + + <xsl:template match="cdf:description"> + <!-- print all the text and children (xhtml elements) of the description --> + <xsl:apply-templates select="@*|node()" /> + </xsl:template> + + <xsl:template match="cdf:rationale"> + <!-- print all the text and children (xhtml elements) of the description --> + <xsl:apply-templates select="@*|node()" /> + </xsl:template> + +</xsl:stylesheet>
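Review bot: in `ruleplate`, the test `@id=$idreference and $enabletest='true'` only filters the row for the `cdf:select` currently being processed, and `profileplate` has already emitted rows for every rule selected by the extended profile (`common`) before it reaches the child profile's own selects, so a `<select idref="..." selected="false"/>` in `stig-server` cannot suppress a rule inherited from `common` and the table will over-report requirements. Resolve the effective selection first (walk the `extends` chain, letting a later `selected` value override an earlier one for the same `idref`), then emit each rule once. Two smaller points: `<thead>` holds `<td>` cells directly with no `<tr>`, which is invalid HTML and renders inconsistently across browsers; and `format-number(self::node()[text()], "000000")` in the CCI column can be written as `format-number(., "000000")`, ideally behind a `number(.) = number(.)` guard, since non-numeric reference text yields `NaN` in the output.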
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 rhel6/src/input/system/network/kernel.xml | 242 ++++++++++++++---------------
 rhel6/src/transforms/shorthand2xccdf.xslt |  15 ++
 2 files changed, 135 insertions(+), 122 deletions(-)
diff --git a/rhel6/src/input/system/network/kernel.xml b/rhel6/src/input/system/network/kernel.xml index 9a3baca..a9eebd8 100644 --- a/rhel6/src/input/system/network/kernel.xml +++ b/rhel6/src/input/system/network/kernel.xml @@ -1,46 +1,50 @@ <Group id="network-kernel"> <title>Kernel Parameters Which Affect Networking</title> -<description>The <tt>sysctl</tt> utility is used to set a number of -parameters which affect the operation of the Linux kernel. Several -of these parameters are specific to networking, and the -configuration options in this section are recommended.</description> +<description>The <tt>sysctl</tt> utility is used to set +parameters which affect the operation of the Linux kernel. Kernel parameters +which affect networking and have security implications are described here. +</description>
<Group id="network_host_parameters"> <title>Network Parameters for Hosts Only</title> -<description>Is this system going to be used as a firewall or -gateway to pass IP traffic between different networks? -<br />If not, edit the file <tt>/etc/sysctl.conf</tt> and add or -correct the following lines: -<pre>net.ipv4.ip_forward = 0 -net.ipv4.conf.all.send_redirects = 0 -net.ipv4.conf.default.send_redirects = 0</pre> -These settings disable hosts from performing network -functionality which is only appropriate for routers.</description> +<description>If the system is not going to be used as a router, then certain +kernel parameters should be set to ensure that the host will not perform routing +of network traffic.</description>
<Rule id="disable_sysctl_ipv4_default_send_redirects"> -<title>Disable net.ipv4.conf.default.send_redirects Kernel Runtime Parameter</title> -<description>The default setting for sending ICMP redirects should -be disabled for network interfaces.</description> -<rationale>This setting is only appropriate for routers and it should be disabled on all other systems.</rationale> +<title>Disable Kernel Parameter for Sending ICMP Redirects by Default</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.default.send_redirects" value="0" /> +</description> +<rationale>Sending ICMP redirects permits the system to instruct other systems +to update their routing information. The ability to send ICMP redirects is +only appropriate for routers.</rationale> <ident cce="4151-7" /> <oval id="sysctl_net_ipv4_conf_default_send_redirects" /> <ref nist="AC-4, SC-5, SC-7" /> </Rule>
<Rule id="disable_sysctl_ipv4_all_send_redirects"> -<title>Disable net.ipv4.conf.all.send_redirects Kernel Runtime Parameter</title> -<description>Sending ICMP redirects should be disabled for all interfaces.</description> -<rationale>This setting is only appropriate for routers and it should be disabled on all other systems.</rationale> +<title>Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.all.send_redirects" value="0" /> +</description> +<rationale>Sending ICMP redirects permits the system to instruct other systems +to update their routing information. The ability to send ICMP redirects is +only appropriate for routers.</rationale> <ident cce="4155-8" /> <oval id="sysctl_net_ipv4_conf_all_send_redirects" /> <ref nist="CM-6" /> </Rule>
<Rule id="disable_sysctl_ipv4_ip_forward"> -<title>Disable net.ipv4.ip_forward Kernel Runtime Parameter</title> -<description>IP forwarding should be disabled.</description> -<rationale>The ability to forward packets between two networks is only appropriate for routers. This setting -should be disabled on all other systems.</rationale> +<title>Disable Kernel Parameter for IP Forwarding</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.ip_forward" value="0" /> +</description> +<rationale>IP forwarding permits the kernel to forward packets from one network +interface to another. The ability to forward packets between two networks is +only appropriate for routers.</rationale> <ident cce="3561-8" /> <oval id="sysctl_net_ipv4_ip_forward" /> <ref nist="AC-3, CM-6, CM-7, SC-5" /> @@ -48,24 +52,10 @@ should be disabled on all other systems.</rationale> </Group>
<Group id="network_host_and_router_parameters"> -<title>Set Network Related Kernel Runtime Parameters</title> -<description>Edit the file <tt>/etc/sysctl.conf</tt> and add or correct the -following lines: -<pre>net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.all.accept_redirects = 0 -net.ipv4.conf.all.secure_redirects = 0 -net.ipv4.conf.all.log_martians = 1 -net.ipv4.conf.default.accept_source_route = 0 -net.ipv4.conf.default.accept_redirects = 0 -net.ipv4.conf.default.secure_redirects = 0 -net.ipv4.icmp_echo_ignore_broadcasts = 1 -net.ipv4.icmp_ignore_bogus_error_messages = 1 -net.ipv4.tcp_syncookies = 1 -net.ipv4.conf.all.rp_filter = 1 -net.ipv4.conf.default.rp_filter = 1</pre> -These options improve Linux's ability to defend against -certain types of IPv4 protocol attacks. -</description> +<title>Network Related Kernel Runtime Parameters for Hosts and Routers</title> +<description>Certain kernel parameters should be set for systems which are +acting as either hosts or routers to improve the system's ability defend +against certain types of IPv4 protocol attacks.</description>
<Value id="sysctl_net_ipv4_conf_all_accept_source_route_value" type="string" operator="equals" interactive="0"> @@ -151,11 +141,10 @@ via broadcast/multicast</description> </Value>
-<Value id="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" type="string" +<Value id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" type="string" operator="equals" interactive="0"> -<title>net.ipv4.icmp_ignore_bogus_error_messages</title> -<description>Enable to prevent certain types of -attacks</description> +<title>net.ipv4.icmp_ignore_bogus_error_responses</title> +<description>Enable to prevent unnecessary logging</description> <value selector="">1</value> <value selector="enabled">1</value> <value selector="disabled">0</value> @@ -197,11 +186,11 @@ operator="equals" interactive="0"> </Value>
<Rule id="set_sysctl_net_ipv4_conf_all_accept_source_route"> -<title>Set net.ipv4.conf.all.accept_source_route Kernel Runtime Parameter</title> -<description>Accepting source routed packets should be: -<sub idref="sysctl_net_ipv4_conf_all_accept_source_route_value" />for all interfaces -as appropriate.</description> -<rationale>This feature of the IPv4 protocol has few legitimate +<title>Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.all.accept_source_route" value="0" /> +</description> +<rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4236-6" /> <oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" /> @@ -209,11 +198,11 @@ uses. It should be disabled unless it is absolutely required.</rationale> </Rule>
<Rule id="set_sysctl_net_ipv4_conf_all_accept_redirects"> -<title>Set net.ipv4.conf.all.accept_redirects Kernel Runtime Parameter</title> -<description>Accepting ICMP redirects should be: -<sub idref="sysctl_net_ipv4_conf_all_accept_redirects_value" />for all interfaces -as appropriate.</description> -<rationale>This feature of the IPv4 protocol has few legitimate +<title>Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.all.accept_redirects" value="0" /> +</description> +<rationale>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4217-6" /> <oval id="sysctl_net_ipv4_conf_all_accept_redirects" value="sysctl_net_ipv4_conf_all_accept_redirects_value" /> @@ -222,26 +211,27 @@ uses. It should be disabled unless it is absolutely required.</rationale>
<Rule id="set_sysctl_net_ipv4_conf_all_secure_redirects"> -<title>Set net.ipv4.conf.all.secure_redirects Kernel Runtime Parameter</title> -<description>Accepting "secure" ICMP redirects (those from gateways -listed in the default gateways list) should be: -<sub idref="sysctl_net_ipv4_conf_all_secure_redirects_value" />for all interfaces -as appropriate.</description> -<rationale>This feature of the IPv4 protocol has few legitimate -uses. It should be disabled unless it is absolutely required.</rationale> +<title>Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.all.secure_redirects" value="0" /> +</description> +<rationale>Accepting "secure" ICMP redirects (from those gateways listed as +default gateways) has few legitimate uses. It should be disabled unless it is +absolutely required.</rationale> <ident cce="3472-8" /> <oval id="sysctl_net_ipv4_conf_all_secure_redirects" value="sysctl_net_ipv4_conf_all_secure_redirects_value" /> <ref nist="CM-7, AC-4" /> </Rule>
<Rule id="set_sysctl_net_ipv4_conf_all_log_martians"> -<title>Set net.ipv4.conf.all.log_martians Kernel Runtime Parameter</title> -<description>Logging of "martian" packets (those with impossible -addresses) should be: -<sub idref="sysctl_net_ipv4_conf_all_log_martians_value" />for all interfaces -as appropriate.</description> -<rationale>The presence of suspicious packets, such as spoofed packets, source-routed packets, and redirects -could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</rationale> +<title>Enable Kernel Parameter to Log Martian Packets</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.all.log_martians" value="1" /> +</description> +<rationale>The presence of "martian" packets (which have impossible addresses) +as well as spoofed packets, source-routed packets, and redirects could be a +sign of nefarious network activity. Logging these packets enables this activity +to be detected.</rationale> <ident cce="4320-8" /> <oval id="sysctl_net_ipv4_conf_all_log_martians" value="sysctl_net_ipv4_conf_all_log_martians_value" /> <ref nist="CM-7" /> @@ -249,12 +239,11 @@ could be a sign of nefarious network activity. Logging these packets enables thi
<Rule id="set_sysctl_net_ipv4_conf_default_accept_source_route"> -<title>Set net.ipv4.conf.default.accept_source_route Kernel Runtime Parameter</title> -<description>The default setting for accepting source routed -packets should be: -<sub idref="sysctl_net_ipv4_conf_default_accept_source_route_value" />for all interfaces -as appropriate.</description> -<rationale>This feature of the IPv4 protocol has few legitimate +<title>Disable Kernel Parameter for Accepting Source-Routed Packets By Default</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.default.accept_source_route" value="0" /> +</description> +<rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4091-5" /> <oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" /> @@ -263,11 +252,10 @@ uses. It should be disabled unless it is absolutely required.</rationale>
<Rule id="set_sysctl_net_ipv4_conf_default_accept_redirects"> -<title>Set net.ipv4.conf.default.accept_redirects Kernel Runtime Parameter</title> -<description>The default setting for accepting ICMP redirects -should be: -<sub idref="sysctl_net_ipv4_conf_default_accept_redirects_value" />for all interfaces -as appropriate.</description> +<title>Disable Kernel Parameter for Accepting ICMP Redirects By Default</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.default.accept_redirects" value="0" /> +</description> <rationale>This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4186-3" /> @@ -277,14 +265,13 @@ uses. It should be disabled unless it is absolutely required.</rationale>
<Rule id="set_sysctl_net_ipv4_conf_default_secure_redirects"> -<title>Set net.ipv4.conf.default.secure_redirects Kernel Runtime Parameter</title> -<description>The default setting for accepting "secure" ICMP -redirects (those from gateways listed in the default gateways list) -should be: -<sub idref="sysctl_net_ipv4_conf_default_secure_redirects_value" />for all interfaces -as appropriate.</description> -<rationale>This feature of the IPv4 protocol has few legitimate -uses. It should be disabled unless it is absolutely required.</rationale> +<title>Disable Kernel Parameter for Accepting Secure Redirects By Default</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.default.secure_redirects" value="0" /> +</description> +<rationale>Accepting "secure" ICMP redirects (from those gateways listed as +default gateways) has few legitimate uses. It should be disabled unless it is +absolutely required.</rationale> <ident cce="3339-9" /> <oval id="sysctl_net_ipv4_conf_default_secure_redirects" value="sysctl_net_ipv4_conf_default_secure_redirects_value" /> <ref nist="AC-4, SC-5, SC-7" /> @@ -292,62 +279,73 @@ uses. It should be disabled unless it is absolutely required.</rationale>
<Rule id="set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts"> -<title>Set net.ipv4.icmp_echo_ignore_broadcasts Kernel Runtime Parameter</title> -<description>Ignoring ICMP echo requests (pings) sent to broadcast -/ multicast addresses should be: -<sub idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" />for all interfaces -as appropriate.</description> -<rationale>This setting prevents attacks against the ICMP protocol.</rationale> +<title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.icmp_echo_ignore_broadcasts" value="1" /> +</description> +<rationale>Ignoring ICMP echo requests (pings) sent to broadcast or multicast +addresses makes the system slightly more difficult to enumerate on the network. +</rationale> <ident cce="3644-2" /> <oval id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" value="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" /> <ref nist="AC-3, CM-6, CM-7, SC-5" /> </Rule>
-<Rule id="set_sysctl_net_ipv4_icmp_ignore_bogus_error_messages"> -<title>Set net.ipv4.icmp_ignore_bogus_error_messages Kernel Runtime Parameter</title> -<description>Ignoring bogus ICMP responses to broadcasts should be: -<sub idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" />for all interfaces -as appropriate.</description> -<rationale>This setting prevents attacks against the ICMP protocol.</rationale> +<Rule id="set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses"> +<title>Enable Kernel Parameter to Ignore Bogus ICMP Error Messages</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.icmp_ignore_bogus_error_responses" value="1" /> +</description> +<rationale>Ignoring bogus ICMP error responses reduces +log size, although some activity would not be logged.</rationale> <ident cce="4133-5" /> -<oval id="sysctl_net_ipv4_icmp_ignore_bogus_error_messages" value="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" /> +<oval id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" value="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" /> <ref nist="AC-3, CM-6, CM-7, SC-5" /> </Rule>
<Rule id="set_sysctl_net_ipv4_tcp_syncookies"> -<title>Set net.ipv4.tcp_syncookies Kernel Runtime Parameter</title> -<description>Sending TCP syncookies should be: -<sub idref="sysctl_net_ipv4_tcp_syncookies_value" />for all interfaces -as appropriate.</description> -<rationale>This setting enables a cryptographic feature called SYN cookies to allow machines to continue to -accept legitimate connections when faced with a SYN flood attack.</rationale> +<title>Enable Kernel Parameter to Use TCP Syncookies</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.tcp_syncookies" value="1" /> +</description> +<rationale> A TCP SYN flood attack can cause a denial of service by filling a +system's TCP connection table with connections in the SYN_RCVD state. +Syncookies can be used to track a connection when a subsequent ACK is received, +verifying the initiator is attempting a valid connection and is not a flood +source. This feature is activated when a flood condition is detected, and +enables the system to continue servicing valid connection requests. +</rationale> <ident cce="4265-5" /> <oval id="sysctl_net_ipv4_tcp_syncookies" value="sysctl_net_ipv4_tcp_syncookies_value" /> <ref nist="CM-6, CM-7" /> </Rule>
<Rule id="set_sysctl_net_ipv4_conf_all_rp_filter"> -<title>Set net.ipv4.conf.all.rp_filter Kernel Runtime Parameter</title> -<description>Performing source validation by reverse path should -be: -<sub idref="sysctl_net_ipv4_conf_all_rp_filter_value" />for all interfaces -as appropriate.</description> -<rationale>This setting enables RFC-recommended source validation. It should not be used on machines which -are routers for very complicated networks, but is helpful for end hosts and routers serving small networks.</rationale> +<title>Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.all.rp_filter" value="1" /> +</description> +<rationale>Enabling reverse path filtering drops packets with source addresses +that should not have been able to be received on the interface they were +received on. It should not be used on systems which are routers for +complicated networks, but is helpful for end hosts and routers serving small +networks.</rationale> <ident cce="4080-8" /> <oval id="sysctl_net_ipv4_conf_all_rp_filter" value="sysctl_net_ipv4_conf_all_rp_filter_value" /> <ref nist="AC-4, SC-5, SC-7" /> </Rule>
<Rule id="set_sysctl_net_ipv4_conf_default_rp_filter"> -<title>Set net.ipv4.conf.default.rp_filter Kernel Runtime Parameter</title> -<description>The default setting for performing source validation -by reverse path should be: -<sub idref="sysctl_net_ipv4_conf_default_rp_filter_value" />for all interfaces -as appropriate.</description> -<rationale>This setting enables RFC-recommended source validation. It should not be used on machines which -are routers for very complicated networks, but is helpful for end hosts and routers serving small networks.</rationale> +<title>Enable Kernel Parameter to Use Reverse Path Filtering by Default</title> +<description> +<sysctl-desc-macro sysctl="net.ipv4.conf.default.rp_filter" value="1" /> +</description> +<rationale>Enabling reverse path filtering drops packets with source addresses +that should not have been able to be received on the interface they were +received on. It should not be used on systems which are routers for +complicated networks, but is helpful for end hosts and routers serving small +networks.</rationale> <ident cce="3840-6" /> <oval id="sysctl_net_ipv4_conf_default_rp_filter" value="sysctl_net_ipv4_conf_default_rp_filter_value" /> <ref nist="AC-4, SC-5, SC-7" /> diff --git a/rhel6/src/transforms/shorthand2xccdf.xslt b/rhel6/src/transforms/shorthand2xccdf.xslt index 0ef3222..c975973 100644 --- a/rhel6/src/transforms/shorthand2xccdf.xslt +++ b/rhel6/src/transforms/shorthand2xccdf.xslt @@ -162,6 +162,21 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:copy> </xsl:template>
+ + + <!-- convenience macros for XCCDF prose --> + <xsl:template match="sysctl-desc-macro"> + The status of the xhtml:code<xsl:value-of select="@sysctl"/></xhtml:code> kernel parameter can be queried + by running the following command: + xhtml:pre$ sysctl <xsl:value-of select="@sysctl"/></xhtml:pre> + The output of the command should indicate a value of xhtml:code<xsl:value-of select="@value"/></xhtml:code>. + </xsl:template> + + <xsl:template match="service-disable-macro"> + The xhtml:code<xsl:value-of select="@service"/></xhtml:code> service can be disabled with the following command: + xhtml:pre# chkconfig <xsl:value-of select="@service"/> off</xhtml:pre> + </xsl:template> + <!-- CORRECTING TERRIBLE ABUSE OF NAMESPACES BELOW --> <!-- (expanding xhtml tags back into the xhtml namespace) --> <xsl:template match="br">
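Review bot: the rename in the `@@ -151,11 +141,10 @@` and `@@ -292,62 +279,73 @@` hunks changes the Value id and the `<oval id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" value="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" />` reference, but this patch touches only `kernel.xml` and `shorthand2xccdf.xslt` (see the diffstat), so unless the OVAL content already carries the new id, the rule now references a definition and variable that do not exist; the matching OVAL rename should land in the same commit. In the `@@ -249,12 +239,11 @@` hunk, the `default.accept_source_route` rule keeps `<oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" />` in unchanged context, so the per-interface default is never actually checked; it should point at a `..._default_accept_source_route` check. More generally, each `<sysctl-desc-macro ... value="0"/>` hard-codes the expected value while the `<oval ... value="..._value"/>` references stay parameterized through Value elements with `enabled`/`disabled` selectors, so a profile that refines one of those Values will render a description that contradicts its own check. Finally, the group description in the first hunk has a typo: "ability defend" should read "ability to defend".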
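Review bot: `sysctl-desc-macro` in the `shorthand2xccdf.xslt` hunk only tells the reader how to query the parameter (`$ sysctl <name>`) and which value to expect; the group descriptions removed from `kernel.xml` carried the actual remediation (edit `/etc/sysctl.conf` and add or correct the `net.ipv4...` lines), and nothing in the new text replaces it, so the "Fix Text (Description)" column of the new STIG table will contain a check but no fix. Suggest the macro emit both the persistent setting (the `<name> = <value>` line for `/etc/sysctl.conf`) and the runtime one (`# sysctl -w <name>=<value>`). Same for `service-disable-macro`: `chkconfig <service> off` only changes the boot configuration, so the text should also mention `# service <service> stop` for a service that is currently running.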
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- rhel6/src/input/system/logging.xml | 220 ++++++++++++++++++++++-------------- 1 files changed, 134 insertions(+), 86 deletions(-)
diff --git a/rhel6/src/input/system/logging.xml b/rhel6/src/input/system/logging.xml index 835f306..b13304f 100644 --- a/rhel6/src/input/system/logging.xml +++ b/rhel6/src/input/system/logging.xml @@ -4,7 +4,7 @@ many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, -due to its long history, syslog is an accepted standard which is supported by +due to its long history, syslog is a de facto standard which is supported by almost all Unix applications. <br/> <br/> @@ -37,7 +37,7 @@ system logging services.
<Rule id="service_rsyslog_enabled"> -<title>Enable Rsyslog Daemon (rsyslog)</title> +<title>Enable Rsyslog Service (rsyslog)</title> <description>The <tt>rsyslog</tt> service provides syslog-style logging by default on RHEL 6. The <tt>rsyslog</tt> service can be activated with the following command: <pre># chkconfig rsyslog on</pre> @@ -51,38 +51,31 @@ logging services, which are essential to system administration. </Rule>
-<Group id="ensure_rsyslog_messages_captured"> -<title> Ensure Important Messages are Captured</title> +<Group id="ensure_rsyslog_log_file_configuration"> +<title>Ensure Proper Configuration of Log Files</title> <description> -Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct whichever of the following lines are appropriate for your -environment: -<pre> -auth.*,user.* /var/log/messages -kern.* /var/log/kern.log -daemon.* /var/log/daemon.log -syslog.* /var/log/syslog -lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log -</pre> +The file <tt>/etc/rsyslog.conf</tt> controls where log message are written. +These are controlled by lines called <i>rules</i>, which consist of a +<i>selector</i> and an <i>action</i>. +These rules are often customized depending on the role of the system, the +requirements of the environment, and whatever may enable +the administrator to most effectively make use of log data. +The default rules in RHEL 6 are: +<pre>*.info;mail.none;authpriv.none;cron.none /var/log/messages +authpriv.* /var/log/secure +mail.* -/var/log/maillog +cron.* /var/log/cron +*.emerg * +uucp,news.crit /var/log/spooler +local7.* /var/log/boot.log</pre> See the man page <tt>rsyslog.conf(5)</tt> for more information. -<i>By default,</i> <tt>rsyslog</tt> <i>uses a timestamp format that Logwatch does not understand. If your en- -vironment uses Logwatch, edit the file <tt>/etc/rsyslog.conf</tt> and add or edit the following line:</i> -<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre></description> -</Group> - -<Group id="log_file_permissions"> -<title>Confirm Existence and Permissions of System Log Files</title> -<description>For each log file LOGFILE referenced in -<tt>/etc/rsyslog.conf</tt>, run the commands: -<pre># touch LOGFILE -# chown root:root LOGFILE -# chmod 0600 LOGFILE</pre> -Rsyslog will refuse to log to a file which does not exist. 
-All messages intended for that file will be silently discarded, so -it is important to verify that all log files exist. Some logs may -contain sensitive information, so it is better to restrict -permissions so that only administrative users can read or write -logfiles.</description> +<i>Note that the <tt>rsyslog</tt> daemon can be configured to use a timestamp format that +some log processing programs may not understand. If this occurs, +edit the file <tt>/etc/rsyslog.conf</tt> and add or edit the following line:</i> +<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre> +</description>
+<!-- These values are not currently used. --> <Value id="file_owner_logfiles_value" type="string" operator="equals" interactive="0"> <title>User who owns log files</title> @@ -99,10 +92,38 @@ operator="equals" interactive="0"> <value selector="root">root</value> </Value>
+<Rule id="rsyslog_logfiles_exist"> +<title>Ensure Log Files Exist</title> +<description> +The log files written by <tt>rsyslog</tt> are determined by the second part of each rule line in +<tt>/etc/rsyslog.conf</tt>. These typically all appear in <tt>/var/log</tt>. +For any log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt> which +does not already exist the following commands will create it and apply proper +permissions: +<pre># touch <i>LOGFILE</i> +# chown root:root <i>LOGFILE</i> +# chmod 0600 <i>LOGFILE</i></pre> +</description> +<rationale>If a log file referenced by <tt>rsyslog</tt> does not exist, rsyslog +will not create it and important log messages can be lost. +</rationale> +<ident cce="18095-0" /> +<ref nist="AC-3, CM-6" /> +</Rule> + <Rule id="userowner_rsyslog_files"> -<title>RSyslog Log Files Owned By Appropriate User</title> -<description>All <tt>rsyslog</tt> log files should be owned by the -appropriate user.</description> +<title>Ensure Log Files Are Owned By Appropriate User</title> +<description>The owner of all log files written by +<tt>rsyslog</tt> should be root. +These log files are determined by the second part of each Rule line in +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. +For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, +run the following command to inspect the file's owner: +<pre>$ ls -l <i>LOGFILE</i></pre> +If the owner is not <tt>root</tt>, run the following command to +correct this: +<pre># chown root <i>LOGFILE</i></pre> +</description> <rationale>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</rationale> @@ -112,9 +133,18 @@ protected from unauthorized access.</rationale> </Rule>
<Rule id="groupowner_rsyslog_files"> -<title>RSyslog Log Files Owned By Appropriate Group</title> -<description>All <tt>rsyslog</tt> log files should be owned by the -appropriate group.</description> +<title>Ensure Log Files Are Owned By Appropriate Group</title> +<description>The group-owner of all log files written by +<tt>rsyslog</tt> should be root. +These log files are determined by the second part of each Rule line in +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. +For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, +run the following command to inspect the file's group owner: +<pre>$ ls -l <i>LOGFILE</i></pre> +If the owner is not <tt>root</tt>, run the following command to +correct this: +<pre># chgrp root <i>LOGFILE</i></pre> +</description> <rationale>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</rationale> @@ -125,10 +155,20 @@ protected from unauthorized access.</rationale>
<Rule id="rsyslog_file_permissions"> -<title>RSyslog Log Files Have Correct Permissions</title> -<description>File permissions for all <tt>rsyslog</tt> log files should be -set correctly.</description> -<rationale>The log files generated by rsyslog contain valuable information regarding system +<title>Ensure Log Files Have Correct Permissions</title> +<description>The file permissions for all log files written by +<tt>rsyslog</tt> should be +set to 600 or more restrictive. +These log files are determined by the second part of each Rule line in +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. +For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, +run the following command to inspect the file's permissions: +<pre>$ ls -l <i>LOGFILE</i></pre> +If the permissions are not 600 or more restrictive, +run the following command to correct this: +<pre># chmod 0600 <i>LOGFILE</i></pre> +</description> +<rationale>Log files can contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</rationale> <ident cce="18095-0" /> @@ -139,10 +179,7 @@ protected from unauthorized access.</rationale>
<Group id="rsyslog_sending_messages"> <title>Rsyslog Logs Sent To Remote Host</title> -<description>Edit <tt>/etc/rsyslog.conf</tt>. Add or correct the line: -<pre>*.* @loghost.example.com</pre> -where <tt>loghost.example.com</tt> is the name of your central log server. -<br /><br /> +<description> If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a machine may @@ -164,14 +201,36 @@ better to store log messages both centrally and on each host, so that they can be correlated if necessary.</description>
<Rule id="rsyslog_send_messages_to_logserver"> -<title>Rsyslog Logs Sent To Remote Host</title> -<description>Rsyslog logs should be sent to a remote loghost or not -as appropriate</description> -<rationale>Forwarding log messages to a remote loghost gives a system administrator a -centralized place to view the status of hosts within the enterprise. The forwarded -messages also serve as a backup of sorts should a compromise be dectected. Should a -compromise occur, the backup log entries could be used to check the host's logs for -consistency.</rationale> +<title>Ensure Logs Sent To Remote Host</title> +<description> +To configure rsyslog to send logs to a remote log server, +open <tt>/etc/rsyslog.conf</tt> and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting <tt><i>loghost.example.com</i></tt> appropriately. +The choice +of protocol depends on the environment of the system; although TCP and RELP +provide more reliable message delivery, they may not be supported in all +environments. +<br/> +To use UDP for log message delivery: +<pre>*.* @<i>loghost.example.com</i></pre> +<br/> +To use TCP for log message delivery: +<pre>*.* @@<i>loghost.example.com</i></pre> +<br/> +To use RELP for log message delivery: +<pre>*.* :omrelp:<i>loghost.example.com</i></pre> +</description> +<rationale>A log server (loghost) receives syslog messages from one or more +systems. This data can be used as an additional log source in the event a +system is compromised and its local logs are suspect. Forwarding log messages +to a remote loghost also provides system administrators with a centralized +place to view the status of multiple hosts within the enterprise. 
+</rationale> <ident cce="17248-6" /> <oval id="rsyslog_remote_loghost" /> <ref nist="AU-2, AU-9" /> @@ -179,42 +238,21 @@ consistency.</rationale> </Group>
<Group id="rsyslog_accepting_remote_messages"> -<title>Configure <tt>rsyslogd</tt> to Accept Remote Messages Only As Needed</title> +<title>Configure <tt>rsyslogd</tt> to Accept Remote Messages If Acting as a Log Server</title> <description> By default, RHEL6's <tt>rsyslog</tt> does not listen over the network -for log messages. If needed, the modules <tt>imtcp.so</tt> and <tt>imudp.so</tt> -(and others) enable the daemon to receive messages from other systems and for the system +for log messages. If needed, modules can be enabled to allow +the rsyslog daemon to receive messages from other systems and for the system thus to act as a log server. If the machine is not a log server, then lines concerning these modules should remain commented out. <br /><br /> </description>
-<!--<description>Is this machine the central log server for your -organization? If so, edit the file <tt>/etc/sysconfig/rsyslog</tt>. Add -or correct the following line: -<pre>SYSLOGD_OPTIONS="-m 0 -r -s example.com "</pre> -where <tt>example.com</tt> is the name of your domain. -<br /><br /> -If the machine is not a log server, edit <tt>/etc/sysconfig/syslog</tt>, -and instead add or correct the line: -<pre>SYSLOGD_OPTIONS="-m 0"</pre> -By default, RHEL6's <tt>rsyslog</tt> does not listen over the network -for log messages. The <tt>-r</tt> flag enables <tt>rsyslogd</tt> to listen over a -network, and should be used only if necessary. The <tt>-s example.com</tt> -flag strips the domain name <tt>example.com</tt> from each sending machine's -hostname before logging messages from that host, to reduce the -amount of redundant information placed in log files. See the -<tt>rsyslogd(8)</tt> man page for further information.</description> ---> - <Rule id="rsyslog_accept_remote_messages_none"> <title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</title> <description>The <tt>rsyslog</tt> daemon should not accept remote messages unless the system acts as a log server. -<br/> -TODO: See how /etc/sysconfig/rsyslog plays or interferes or overwrites here. -<br/> To ensure that it is not listening on the network, ensure the following lines are <i>not</i> found in <tt>/etc/rsyslog.conf</tt>: <pre>$ModLoad imtcp.so @@ -238,9 +276,6 @@ rsyslog by configuring it not to listen on the network. <title>Enable rsyslog to Accept Messages via TCP, if Acting As Log Server</title> <description>The <tt>rsyslog</tt> daemon should not accept remote messages unless the system acts as a log server. -<br/> -TODO: See how /etc/sysconfig/rsyslog plays or interferes or overwrites here. -<br/> If the system needs to act as a central log server, add the following lines to <tt>/etc/rsyslog.conf</tt> to enable reception of messages over TCP: <pre>$ModLoad imtcp.so 
@@ -258,10 +293,10 @@ messages over a reliable TCP connection.
<Rule id="rsyslog_accept_remote_messages_udp"> <title>Enable rsyslog to Accept Messages via UDP, if Acting As Log Server</title> -<description> -If the system needs to act as a central log server, and it also must receive -messages from systems which can only send them in the traditional UDP -format, then ensure the following lines exist in <tt>/etc/syslog.conf</tt>: +<description>The <tt>rsyslog</tt> daemon should not accept remote messages +unless the system acts as a log server. +If the system needs to act as a central log server, add the following lines to +<tt>/etc/rsyslog.conf</tt> to enable reception of messages over UDP: <pre>$ModLoad imudp.so $InputUDPServerRun 514</pre> </description> @@ -301,13 +336,26 @@ rotated more often than once a day, some other mechanism must be used.</description>
<Rule id="ensure_logrotate_activated"> -<title>Ensure Logs Are Rotated</title> -<description>The <tt>logrotate</tt> (<tt>rsyslog</tt> rotater) service should be +<title>Ensure Logrotate Runs Periodically</title> +<description>The <tt>logrotate</tt> service must be configured to run +periodically in order to perform its log rotation function.</description> +<rationale>Log files that are not properly rotated run the risk of growing so large +that they fill up the /var/log partition. Valuable logging information could be lost +if the /var/log partition becomes full.</rationale> +<ident cce="4182-2" /> +<!-- TODO: this needs cleanup --> +<ref nist="AU-2, AU-9, CM-6" /> +</Rule> + +<Rule id="ensure_logrotate_rotates_all_files"> +<title>Ensure Logrotate Runs Periodically</title> +<description>The <tt>logrotate</tt> service should be enabled.</description> <rationale>Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</rationale> <ident cce="4182-2" /> +<!-- TODO: this needs cleanup --> <oval id="logrotate_rotate_all_files" /> <ref nist="AU-2, AU-9, CM-6" /> </Rule>
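Review bot: In the hunk for `ensure_rsyslog_log_file_configuration` (`@@ -51,38 +51,31 @@`), the kept line `<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre>` has a space after the `$`, which makes it read like a shell prompt; the rsyslog directive is `$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat` with no space, so the line should be corrected while this text is being moved. Also "controls where log message are written" should be "log messages".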
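Review bot: In the `@@ -99,10 +92,38 @@` hunk, the new rule `rsyslog_logfiles_exist` carries `<ident cce="18095-0" />`, the same CCE that `rsyslog_file_permissions` keeps in the `@@ -125,10 +155,20 @@` hunk; each Rule needs its own identifier or the generated STIG table will show two requirements with one CCE. The new rule also has no `<oval>` element, unlike its neighbours, so it is not checkable; given the cover letter's note that OVAL for these remains difficult, at least a TODO comment here would flag that.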
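Review bot: In the `@@ -112,9 +133,18 @@` hunk for `groupowner_rsyslog_files`, the sentence "If the owner is not <tt>root</tt>, run the following command to correct this:" precedes `# chgrp root LOGFILE`; it should read "If the group owner is not root", since it was copied from the user-owner rule and the command changes the group, not the owner.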
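Review bot: In the `@@ -164,14 +201,36 @@` hunk for `rsyslog_send_messages_to_logserver`, the RELP example `*.* :omrelp:loghost.example.com` will not work unless the omrelp output module has been loaded (`$ModLoad omrelp`), whereas the `@` and `@@` forms for UDP and TCP need no extra module; the description should state that requirement next to the RELP line, since "read and understand the last section of the file" does not cover it.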
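Review bot: In the `@@ -301,13 +336,26 @@` hunk, both `ensure_logrotate_activated` and the new `ensure_logrotate_rotates_all_files` have the title "Ensure Logrotate Runs Periodically" and both carry `<ident cce="4182-2" />`; the second title should describe what its id and `<oval id="logrotate_rotate_all_files" />` actually check (that logrotate covers all log files), and the first rule has no `<oval>` at all. The TODO comments acknowledge cleanup is pending, but the duplicate title will appear verbatim in the generated requirements table, so fixing it before the draft is circulated seems worthwhile.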
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- rhel6/src/input/system/network/iptables.xml | 51 +++++++++++++++++--------- 1 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index a0c836c..5918507 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -70,7 +70,9 @@ IPv6 lacks reliable connection-tracking functionality.</description> <Rule id="enable_ip6tables"> <title>Verify ip6tables Enabled</title> <description> The <tt>ip6tables</tt> service can be enabled with the following -command: <pre># service ip6tables restart # chkconfig ip6tables on</pre> +commands: +<pre># service ip6tables restart +# chkconfig ip6tables on</pre> </description> <rationale>The <tt>ip6tables</tt> service provides the system's host-based firewalling capability for IPv6 and ICMPv6. @@ -128,28 +130,41 @@ requirements. Otherwise, this program should not be used to make changes to the firewall configuration because it re-writes the saved configuration file.</warning>
-<Group id="default_iptables_policies"> -<title>Change the Default Policies</title> -<description>Change the default policy to DROP (from ACCEPT) for -the INPUT and FORWARD built-in chains: -<pre>*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0]</pre> -Changing the default policy in this way implements proper -design for a firewall, i.e. any packets which are not explicitly -permitted should not be accepted.</description> - <Rule id="set_iptables_default_rule"> -<title>Set Default Firewall Policy</title> -<description>Change the default policy to DROP (from ACCEPT) for -the INPUT built-in chain.</description> -<rationale>In iptables the default policy is applied only after all the applicable rules in the table -are examined for a match. Connection attempts that are not explicitly authorized should be denied by default.</rationale> +<title>Set Default Iptables Policy for Incoming Packets</title> +<description>To set the default policy to DROP (instead of ACCEPT) for +the built-in INPUT chain which processes incoming packets, +add or correct the following line in +<tt>/etc/sysconfig/iptables</tt>: +<pre>:INPUT DROP [0:0]</pre> +</description> +<rationale>In <tt>iptables</tt> the default policy is applied only after all +the applicable rules in the table are examined for a match. Setting the +default policy to <tt>DROP</tt> implements proper design for a firewall, i.e. 
+any packets which are not explicitly permitted should not be +accepted.</rationale> <ident cce="14264-6" /> <oval id="iptables_default_policy_drop" /> <ref nist="AC-4, CM-6" disa="1109" /> </Rule> -</Group><!--<Group id="default_iptables_policies">--> + +<Rule id="set_iptables_default_rule_forward"> +<title>Set Default Iptables Policy for Forwarded Packets</title> +<description>To set the default policy to DROP (instead of ACCEPT) for +the built-in FORWARD chain which processes packets that will be forwarded from +one interface to another, +add or correct the following line in +<tt>/etc/sysconfig/iptables</tt>: +<pre>:FORWARD DROP [0:0]</pre> +</description> +<rationale>In <tt>iptables</tt> the default policy is applied only after all +the applicable rules in the table are examined for a match. Setting the +default policy to <tt>DROP</tt> implements proper design for a firewall, i.e. +any packets which are not explicitly permitted should not be +accepted.</rationale> +<ident cce="14264-6" /> +<ref nist="AC-4, CM-6" disa="1109" /> +</Rule>
<Rule id="iptables_icmp_disabled"> <title>Restrict ICMP Message Types</title>
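Review bot: In the `@@ -128,28 +130,41 @@` hunk, `set_iptables_default_rule_forward` reuses `<ident cce="14264-6" />` from `set_iptables_default_rule` and has no `<oval>` element, so the FORWARD policy is no longer checkable even though the removed Group text covered both chains; each rule needs its own CCE and the FORWARD rule needs a check. The removed description also showed the `*filter` table header, which the new text drops; since `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` are only valid under `*filter` in `/etc/sysconfig/iptables`, the descriptions should say "in the *filter section of" so readers do not place the line elsewhere.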
On 6/24/12 4:41 PM, Jeffrey Blank wrote:
Ack