On 11/22/13, 12:52 PM, Jan Lieskovsky wrote:
Introduce the 'Services' section of Fedora's guide, and
include XCCDF descriptions for selected ntpd and sshd
rules. OVAL checks and remediations for them to
follow later once confirmed as working.


Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-Fedora-Include-Services-section-and-XCCDF-descriptio.patch

From 52c6f3323ace4797fbbd270db85fe22f1ecf9719 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Fri, 22 Nov 2013 18:47:25 +0100
Subject: [PATCH] [Fedora] Include Services section and XCCDF description for
 selected ntpd's and sshd's rules

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
---
 Fedora/input/guide.xslt            |  9 ++++
 Fedora/input/profiles/common.xml   | 10 +++++
 Fedora/input/services/ntp.xml      | 65 +++++++++++++++++++++++++++
 Fedora/input/services/services.xml | 15 +++++++
 Fedora/input/services/ssh.xml      | 92 ++++++++++++++++++++++++++++++++++++++
 Fedora/scap-security-guide.spec    |  6 ++-
 6 files changed, 196 insertions(+), 1 deletion(-)
 create mode 100644 Fedora/input/services/ntp.xml
 create mode 100644 Fedora/input/services/services.xml
 create mode 100644 Fedora/input/services/ssh.xml

diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt
index d99da5a..2dc4231 100644
--- a/Fedora/input/guide.xslt
+++ b/Fedora/input/guide.xslt
@@ -17,6 +17,7 @@
       </Value>
       <xsl:apply-templates select="document('intro/intro.xml')" />
       <xsl:apply-templates select="document('system/system.xml')" />
+      <xsl:apply-templates select="document('services/services.xml')" />
     </xsl:copy>
   </xsl:template>
 
@@ -51,6 +52,14 @@
     </xsl:copy>
   </xsl:template>
 
+  <xsl:template match="Group[@id='services']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates select="document('services/ntp.xml')" />
+      <xsl:apply-templates select="document('services/ssh.xml')" />
+    </xsl:copy>
+  </xsl:template>
+
   <!-- copy everything else through to final output -->
   <xsl:template match="@*|node()">
     <xsl:copy>
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index a1d7f53..330b002 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
@@ -32,4 +32,14 @@
     <refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
     <select idref="accounts_password_warn_age_login_defs" selected="true"/>
 
+<!-- Services -->
+  <!-- Network Time Protocol -->
+  <select idref="service_ntpd_enabled" selected="true"/>
+  <select idref="ntpd_specify_remote_server" selected="true"/>
+  <!-- SSH Server -->
+  <select idref="sshd_disable_root_login" selected="true"/>
+  <select idref="sshd_disable_empty_passwords" selected="true"/>
+  <select idref="sshd_set_idle_timeout" selected="true"/>
+  <select idref="sshd_set_keepalive" selected="true"/>
+
 </Profile>
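Review bot: all six rules selected here still have their `<oval>` references commented out in ntp.xml and ssh.xml, so with this profile applied they will be reported without any check result (notchecked) rather than pass/fail; either hold these `<select>` lines until the OVAL checks land, or say in the commit message that scanning them as unchecked is intended for the rc3 build. Minor style point: the `<!-- Services -->` comment sits at column 0 while every other line in this block, including the `<!-- Network Time Protocol -->` and `<!-- SSH Server -->` comments, is indented by two spaces.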
diff --git a/Fedora/input/services/ntp.xml b/Fedora/input/services/ntp.xml
new file mode 100644
index 0000000..7462f4a
--- /dev/null
+++ b/Fedora/input/services/ntp.xml
@@ -0,0 +1,65 @@
+<Group id="ntp">
+<title>Network Time Protocol</title>
+<description>The Network Time Protocol is used to manage the system clock over
+a network. Computer clocks are not very accurate, so time will drift
+unpredictably on unmanaged systems. Central time protocols can be used both to
+ensure that time is consistent among a network of machines, and that their time
+is consistent with the outside world.
+<br /><br />
+If every system on a network reliably reports the same time, then it is much
+easier to correlate log messages in case of an attack. In addition, a number of
+cryptographic protocols (such as Kerberos) use timestamps to prevent certain
+types of attacks. If your network does not have synchronized time, these
+protocols may be unreliable or even unusable.
+<br /><br />
+Depending on the specifics of the network, global time accuracy may be just as
+important as local synchronization, or not very important at all. If your
+network is connected to the Internet, using a public timeserver (or one
+provided by your enterprise) provides globally accurate timestamps which may be
+essential in investigating or responding to an attack which originated outside
+of your network.
+<br /><br />
+A typical network setup involves a small number of internal systems operating
+as NTP servers, and the remainder obtaining time information from those
+internal servers.
+<br /><br />
+More information on how to configure the NTP server software, including
+configuration of cryptographic authentication for time data, is available at
+http://www.ntp.org.
+</description>
+
+<Rule id="service_ntpd_enabled" severity="medium">
+<title>Enable the NTP Daemon</title>
+<description> <service-enable-macro service="ntpd" /> </description>
+<rationale>Enabling the <tt>ntpd</tt> service ensures that the <tt>ntpd</tt>
+service will be running and that the system will synchronize its time to any
+servers specified. This is important whether the system is configured to be a
+client (and synchronize only its own clock) or it is also acting as an NTP
+server to other systems.  Synchronizing time is essential for authentication
+services such as Kerberos, but it is also important for maintaining accurate
+logs and auditing possible security breaches.
+<br /><br />
+The NTP daemon offers all of the functionality of <tt>ntpdate</tt>, which is
+now deprecated.  Additional information on this is available at
+http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</rationale>
+<!-- <oval id="service_ntpd_enabled" /> -->
+<ref nist="AU-8(1)" disa="160" />
+</Rule>
+
+<Rule id="ntpd_specify_remote_server" severity="medium">
+<title>Specify a Remote NTP Server</title>
+<description>To specify a remote NTP server for time synchronization, edit
+the file <tt>/etc/ntp.conf</tt>. Add or correct the following lines,
+substituting the IP or hostname of a remote NTP server for <em>ntpserver</em>:
+<pre>server <i>ntpserver</i></pre>
+This instructs the NTP software to contact that remote server to obtain time
+data.
+</description>
+<rationale>Synchronizing with an NTP server makes it possible to collate system
+logs from multiple sources or correlate computer events with real time events.
+</rationale>
+<!-- <oval id="ntp_remote_server" /> -->
+<ref nist="AU-8(1)" disa="160" />
+</Rule>
+
+</Group>
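Review bot: the commented-out check on the `ntpd_specify_remote_server` rule reads `<!-- <oval id="ntp_remote_server" /> -->`, which does not match the rule id; the other rules in this patch use the rule id as the oval id (`service_ntpd_enabled`), so when the check is uncommented later this one will not bind unless the id is corrected to `ntpd_specify_remote_server`. Also, the description says "Add or correct the following lines" but shows a single `server` line; "the following line" would be accurate.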
diff --git a/Fedora/input/services/services.xml b/Fedora/input/services/services.xml
new file mode 100644
index 0000000..9d8ccfb
--- /dev/null
+++ b/Fedora/input/services/services.xml
@@ -0,0 +1,15 @@
+<Group id="services">
+<title>Services</title>
+<description>
+The best protection against vulnerable software is running less software. This
+section describes how to review the software which Fedora installs on a system
+and disable software which is not needed. It then enumerates the software
+packages installed on a default Fedora system and provides guidance about which
+ones can be safely disabled.
+<br /><br />
+Fedora provides a convenient minimal install option that essentially installs
+the bare necessities for a functional system. When building Fedora servers, it
+is highly recommended to select the minimal packages and then build up the
+system from there.
+</description>
+</Group>
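Review bot: the Group description promises that the section "describes how to review the software which Fedora installs" and "enumerates the software packages installed on a default Fedora system", but the section as added contains only the NTP and SSH groups (see the `Group[@id='services']` template in guide.xslt); trim the description to what ships, or mark the package review as forthcoming, so the rendered guide does not advertise content that is not there.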
diff --git a/Fedora/input/services/ssh.xml b/Fedora/input/services/ssh.xml
new file mode 100644
index 0000000..b41b741
--- /dev/null
+++ b/Fedora/input/services/ssh.xml
@@ -0,0 +1,92 @@
+<Group id="ssh">
+<title>SSH Server</title>
+<description>The SSH protocol is recommended for remote login and remote file
+transfer. SSH provides confidentiality and integrity for data exchanged between
+two systems, as well as server authentication, through the use of public key
+cryptography. The implementation included with the system is called OpenSSH,
+and more detailed documentation is available from its website,
+http://www.openssh.org. Its server program is called <tt>sshd</tt> and
+provided by the RPM package <tt>openssh-server</tt>.</description>
+
+<Group id="ssh_server">
+<title>Configure OpenSSH Server if Necessary</title>
+<description>If the system needs to act as an SSH server, then certain changes
+should be made to the OpenSSH daemon configuration file
+<tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied
+to this file. See the <tt>sshd_config(5)</tt> man page for more detailed
+information.</description>
+
+<Rule id="sshd_disable_root_login" severity="medium">
+<title>Disable SSH Root Login</title>
+<description>The root user should never be allowed to login to a system
+directly over a network. To disable root login via SSH, add or correct the
+following line in <tt>/etc/ssh/sshd_config</tt>:
+<pre>PermitRootLogin no</pre>
+</description>
+<rationale>
+Permitting direct root login reduces auditable information about who ran
+privileged commands on the system and also allows direct attack attempts on
+root's password.
+</rationale>
+<!-- <oval id="sshd_disable_root_login" /> -->
+<ref nist="AC-6(2),IA-2(1)" disa="770" />
+</Rule>
+
+<Rule id="sshd_disable_empty_passwords" severity="high">
+<title>Disable SSH Access via Empty Passwords</title>
+<description>To explicitly disallow remote login from accounts with empty
+passwords, add or correct the following line in <tt>/etc/ssh/sshd_config</tt>:
+<pre>PermitEmptyPasswords no</pre>
+Any accounts with empty passwords should be disabled immediately, and PAM
+configuration should prevent users from being able to assign themselves empty
+passwords.
+</description>
+<rationale>
+Configuring this setting for the SSH daemon provides additional assurance that
+remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+</rationale>
+<!-- <oval id="sshd_disable_empty_passwords" /> -->
+<ref disa="765,766"/>
+</Rule>
+
+<Rule id="sshd_set_idle_timeout">
+<title>Set SSH Idle Timeout Interval</title>
+<description>SSH allows administrators to set an idle timeout interval.
+After this interval has passed, the idle user will be automatically logged out.
+<br /><br />
+To set an idle timeout interval, edit the following line in
+<tt>/etc/ssh/sshd_config</tt> as follows:
+<pre>ClientAliveInterval <b>INTERVAL</b></pre>
+The timeout <b>INTERVAL</b> is given in seconds. To have a timeout of 15
+minutes, set <b>interval</b> to 900.
+<br /><br />
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made here. Keep in mind that some processes may stop
+SSH from correctly detecting that the user is idle.
+</description>
+<rationale>
+Causing idle users to be automatically logged out guards against compromises
+one system leading trivially to compromises on another.
+</rationale>
+<!-- <oval id="sshd_set_idle_timeout" value="sshd_idle_timeout_value"/> -->
+<ref disa="879,1133"/>
+</Rule>
+
+<Rule id="sshd_set_keepalive">
+<title>Set SSH Client Alive Count</title>
+<description>To ensure the SSH idle timeout occurs precisely when the
+<tt>ClientAliveCountMax</tt> is set, edit <tt>/etc/ssh/sshd_config</tt> as
+follows:
+<pre>ClientAliveCountMax 0</pre>
+</description>
+<rationale>
+This ensures a user login will be terminated as soon as the
+<tt>ClientAliveCountMax</tt> is reached.
+</rationale>
+<!-- <oval id="sshd_set_keepalive" /> -->
+<ref disa="879,1133"/>
+</Rule>
+
+</Group>
+</Group>
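Review bot: the `sshd_set_keepalive` description says the timeout should occur "precisely when the ClientAliveCountMax is set", which conflates the probe count with the interval; with `ClientAliveCountMax 0` the session is closed after the first unanswered alive message, so "precisely when the ClientAliveInterval has elapsed" is what the rule is actually enforcing, and the rationale could say the same instead of "as soon as the ClientAliveCountMax is reached". Two further points in this hunk: the commented-out check `<!-- <oval id="sshd_set_idle_timeout" value="sshd_idle_timeout_value"/> -->` refers to `sshd_idle_timeout_value`, but no `<Value id="sshd_idle_timeout_value">` is defined anywhere in the patch and common.xml adds no `refine-value` for it, so add the Value (the description's 900 seconds is the obvious default) alongside the rule before the check is uncommented; and `sshd_set_idle_timeout` and `sshd_set_keepalive` are the only rules here without a `severity` attribute. Cosmetically, the idle-timeout description introduces `<b>INTERVAL</b>` and then refers to `<b>interval</b>`.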
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 3c88ddd..40d79b5 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
 # file one level up - in the main scap-security-guide directory (instead of
 # this one).
 
-%global	fedorassgversion	4.rc2
+%global	fedorassgversion	4.rc3
 
 Name:		scap-security-guide
 Version:	0.1.%{fedorassgversion}
@@ -53,6 +53,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
 %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html
 
 %changelog
+* Fri Nov 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4.rc3-1
+- Include services section, and XCCDF description for selected ntpd's
+  sshd's service rules
+
 * Tue Nov 19 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4.rc2-1
 - Include remediations for login.defs' based password minimum, maximum and
   warning age rules
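Review bot: the new changelog entry reads "selected ntpd's sshd's service rules", which is missing a conjunction; "selected ntpd and sshd service rules" would read cleanly and match the style of the rc2 entry below it.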
-- 1.8.3.1

ack