Here are the revisions to previous patches for Tickets #23,26.
Michael Palmiotto (1): M1 Incomplete Guidance - Account and Access Control
Mike Palmiotto (1): M1 Incomplete Guidance - Logging and Auditing
.../checks/accounts_disabled_after_expiration.xml | 24 ++++ ...counts_login_shell_timeout_implemented_bash.xml | 45 ++++++++ ...counts_login_shell_timeout_implemented_tcsh.xml | 25 +++++ .../input/checks/accounts_netrc_files_checked.xml | 25 +++++ .../accounts_user_dot_files_not_world_writable.xml | 33 ++++++ .../checks/audit_rules_logon_modification.xml | 34 ++++++ .../checks/audit_rules_session_modification.xml | 47 ++++++++ .../checks/libuser_login_defs_userdefaults.xml | 50 +++++++++ .../checks/logwatch_configured_on_logserver.xml | 71 ++++++++++++ .../src/input/checks/rsyslog_messages_captured.xml | 70 ++++++++++++ rhel6/src/input/profiles/common.xml | 42 +++++++- rhel6/src/input/system/accounts/accounts.xml | 27 +++++ rhel6/src/input/system/accounts/pam.xml | 38 +++++++- rhel6/src/input/system/accounts/physical.xml | 63 +++++++++++ .../system/accounts/restrictions/restrictions.xml | 114 ++++++++++++++++++++ rhel6/src/input/system/accounts/session.xml | 24 ++++ rhel6/src/input/system/auditing.xml | 77 +++++++++++++- rhel6/src/input/system/logging.xml | 67 ++++++++++++ 18 files changed, 873 insertions(+), 3 deletions(-) create mode 100644 rhel6/src/input/checks/accounts_disabled_after_expiration.xml create mode 100644 rhel6/src/input/checks/accounts_login_shell_timeout_implemented_bash.xml create mode 100644 rhel6/src/input/checks/accounts_login_shell_timeout_implemented_tcsh.xml create mode 100644 rhel6/src/input/checks/accounts_netrc_files_checked.xml create mode 100644 rhel6/src/input/checks/accounts_user_dot_files_not_world_writable.xml create mode 100644 rhel6/src/input/checks/audit_rules_logon_modification.xml create mode 100644 rhel6/src/input/checks/audit_rules_session_modification.xml create mode 100644 rhel6/src/input/checks/libuser_login_defs_userdefaults.xml create mode 100644 rhel6/src/input/checks/logwatch_configured_on_logserver.xml create mode 100644 rhel6/src/input/checks/rsyslog_messages_captured.xml
Signed-off-by: Michael Palmiotto mpalmiotto@tresys.com --- .../checks/accounts_disabled_after_expiration.xml | 24 ++++ ...counts_login_shell_timeout_implemented_bash.xml | 45 ++++++++ ...counts_login_shell_timeout_implemented_tcsh.xml | 25 +++++ .../input/checks/accounts_netrc_files_checked.xml | 25 +++++ .../accounts_user_dot_files_not_world_writable.xml | 33 ++++++ .../checks/libuser_login_defs_userdefaults.xml | 50 +++++++++ rhel6/src/input/profiles/common.xml | 42 +++++++- rhel6/src/input/system/accounts/accounts.xml | 27 +++++ rhel6/src/input/system/accounts/pam.xml | 38 +++++++- rhel6/src/input/system/accounts/physical.xml | 63 +++++++++++ .../system/accounts/restrictions/restrictions.xml | 114 ++++++++++++++++++++ rhel6/src/input/system/accounts/session.xml | 24 ++++ 12 files changed, 508 insertions(+), 2 deletions(-) create mode 100644 rhel6/src/input/checks/accounts_disabled_after_expiration.xml create mode 100644 rhel6/src/input/checks/accounts_login_shell_timeout_implemented_bash.xml create mode 100644 rhel6/src/input/checks/accounts_login_shell_timeout_implemented_tcsh.xml create mode 100644 rhel6/src/input/checks/accounts_netrc_files_checked.xml create mode 100644 rhel6/src/input/checks/accounts_user_dot_files_not_world_writable.xml create mode 100644 rhel6/src/input/checks/libuser_login_defs_userdefaults.xml
diff --git a/rhel6/src/input/checks/accounts_disabled_after_expiration.xml b/rhel6/src/input/checks/accounts_disabled_after_expiration.xml new file mode 100644 index 0000000..334c1dd --- /dev/null +++ b/rhel6/src/input/checks/accounts_disabled_after_expiration.xml @@ -0,0 +1,24 @@ +<def-group> + <definition class="compliance" id="accounts_disabled_after_expiration" version="1"> + <metadata> + <title> Ensure Accounts Set to Disable After Password Expiration</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description> Check for INACTIVE line in useradd.</description> + </metadata> + <criteria operator="AND"> + <criterion comment="inactive set" test_ref="test_accounts_disabled_after_expiration_inactive" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" comment="inactive set in useradd" id="test_accounts_disabled_after_expiration_inactive" version="1"> + <ind:object object_ref="object_accounts_disabled_after_expiration_inactive" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_disabled_after_expiration_inactive" version="1"> + ind:path/etc/default</ind:path> + ind:filenameuseradd</ind:filename> + <ind:pattern operation="pattern match">^INACTIVE=[\d{1,3}]\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/accounts_login_shell_timeout_implemented_bash.xml b/rhel6/src/input/checks/accounts_login_shell_timeout_implemented_bash.xml new file mode 100644 index 0000000..2f8b818 --- /dev/null +++ b/rhel6/src/input/checks/accounts_login_shell_timeout_implemented_bash.xml 
@@ -0,0 +1,45 @@ +<def-group> + <definition class="compliance" id="accounts_login_shell_timeout_implemented_bash" version="1"> + <metadata> + <title> Implement Inactivity Time-out for bash Login Shell</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-3707-7" source="CCE" /> + <description> Check if login shells set to automatically log users out after a certain period of inactivity.</description> + </metadata> + <criteria operator="AND"> + <criterion comment="check readonly line" test_ref="test_accounts_login_shell_timeout_implemented_bash_readonly" /> + <criterion comment="check timeout line" test_ref="test_accounts_login_shell_timeout_implemented_bash_idle" /> + <criterion comment="check export line" test_ref="test_accounts_login_shell_timeout_implemented_bash_export" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" comment="readonly timeout" id="test_accounts_login_shell_timeout_implemented_bash_readonly" version="1"> + <ind:object object_ref="object_accounts_login_shell_timeout_implemented_bash_readonly" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_login_shell_timeout_implemented_bash_readonly" version="1"> + ind:path/etc/profile.d</ind:path> + ind:filenametmout.sh</ind:filename> + <ind:pattern operation="pattern match">^readonly[\s]+TMOUT\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment="idle timeout" id="test_accounts_login_shell_timeout_implemented_bash_idle" version="1"> + <ind:object object_ref="object_accounts_login_shell_timeout_implemented_bash_idle" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_login_shell_timeout_implemented_bash_idle" version="1"> + ind:path/etc/profile.d</ind:path> + ind:filenametmout.sh</ind:filename> + <ind:pattern operation="pattern 
match">^TMOUT=\d{3,5}\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment="export timeout" id="test_accounts_login_shell_timeout_implemented_bash_export" version="1"> + <ind:object object_ref="object_accounts_login_shell_timeout_implemented_bash_export" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_login_shell_timeout_implemented_bash_export" version="1"> + ind:path/etc/profile.d</ind:path> + ind:filenametmout.sh</ind:filename> + <ind:pattern operation="pattern match">^export[\s]+TMOUT\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/accounts_login_shell_timeout_implemented_tcsh.xml b/rhel6/src/input/checks/accounts_login_shell_timeout_implemented_tcsh.xml new file mode 100644 index 0000000..ce067ce --- /dev/null +++ b/rhel6/src/input/checks/accounts_login_shell_timeout_implemented_tcsh.xml 
@@ -0,0 +1,25 @@ +<def-group> + <definition class="compliance" id="accounts_login_shell_timeout_implemented_tcsh" version="1"> + <metadata> + <title> Check tcsh Inactivity Time-out</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-3689-7" source="CCE" /> + <description> Check if tcsh login shell is set to log users out after period of inactivity.</description> + </metadata> + <criteria> + <criterion comment="tcsh time-out check" test_ref="test_accounts_login_shell_timeout_implemented_tcsh" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" comment="tcsh" id="test_accounts_login_shell_timeout_implemented_tcsh" version="1"> + <ind:object object_ref="object_accounts_login_shell_timeout_implemented_tcsh" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_login_shell_timeout_implemented_tcsh" version="1"> + ind:path/etc/profile.d</ind:path> + ind:filenameautologout.csh</ind:filename> + <ind:pattern operation="pattern match">^set[\s]+-r[\s]+autologout[\s]+\d{1,3}\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/accounts_netrc_files_checked.xml b/rhel6/src/input/checks/accounts_netrc_files_checked.xml new file mode 100644 index 0000000..2a4a6ca --- /dev/null +++ b/rhel6/src/input/checks/accounts_netrc_files_checked.xml 
@@ -0,0 +1,25 @@ +<def-group> + <definition class="compliance" id="accounts_netrc_files_checked" version="1"> + <metadata> + <title>Ensure No .netrc Files</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-TODO" source="CCE" /> + <description>Check that .netrc files are missing from all user accounts.</description> + </metadata> + <criteria > + <criterion comment=".netrc files" test_ref="test_accounts_netrc_files_checked" negate="true" /> + </criteria> + </definition> + <unix:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="test_accounts_netrc_files_checked" version="1"> + <unix:object object_ref="object_accounts_netrc_files_checked" /> + </unix:file_test> + <unix:file_object comment=".netrc files" id="object_accounts_netrc_files_checked" version="1"> + <unix:behaviors recurse="files" recurse_direction="down" max_depth="1" recurse_file_system="all" /> + <unix:path operation="equals">/home</unix:path> + <unix:filename operation="pattern match">.netrc</unix:filename> + </unix:file_object> +</def-group> + + diff --git a/rhel6/src/input/checks/accounts_user_dot_files_not_world_writable.xml b/rhel6/src/input/checks/accounts_user_dot_files_not_world_writable.xml new file mode 100644 index 0000000..82a9e45 --- /dev/null +++ b/rhel6/src/input/checks/accounts_user_dot_files_not_world_writable.xml 
@@ -0,0 +1,33 @@ +<def-group> + <definition class="compliance" id="accounts_user_dot_files_not_world_writable" version="1"> + <metadata> + <title>Ensure User Dot Files not World Writable</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-TODO" source="CCE" /> + <description>File permissions should be set correctly for dot-files for all user accounts.</description> + </metadata> + <criteria > + <criterion comment="user dot files" test_ref="test_accounts_user_dot_files_not_world_writable" negate="true" /> + </criteria> + </definition> + <unix:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="test_accounts_user_dot_files_not_world_writable" version="1"> + <unix:object object_ref="object_accounts_user_dot_files_not_world_writable" /> + <unix:state state_ref="state_dot_files_wrong_perm" /> + </unix:file_test> + <unix:file_object comment="user dot files" id="object_accounts_user_dot_files_not_world_writable" version="1"> + <unix:behaviors recurse="files" recurse_direction="down" max_depth="1" recurse_file_system="all" /> + <unix:path operation="equals">/home</unix:path> + <unix:filename operation="pattern match">.*</unix:filename> + <filter action="include">state_dot_files_wrong_perm</filter> + </unix:file_object> + <unix:file_state id="state_dot_files_wrong_perm" version="1" operator="OR"> + <unix:suid datatype="boolean">true</unix:suid> + <unix:sgid datatype="boolean">true</unix:sgid> + <unix:sticky datatype="boolean">true</unix:sticky> + <unix:gwrite datatype="boolean">true</unix:gwrite> + <unix:owrite datatype="boolean">true</unix:owrite> + </unix:file_state> +</def-group> + diff --git a/rhel6/src/input/checks/libuser_login_defs_userdefaults.xml b/rhel6/src/input/checks/libuser_login_defs_userdefaults.xml new file mode 100644 index 0000000..66345a5 --- /dev/null +++ b/rhel6/src/input/checks/libuser_login_defs_userdefaults.xml 
@@ -0,0 +1,50 @@ +<def-group> + <definition class="compliance" id="libuser_login_defs_userdefaults" version="1"> + <metadata> + <title>Check if Password Parameters are Removed from libuser.conf</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description> Make sure the password password parameters are removed from libuser.conf.</description> + </metadata> + <criteria operator="AND"> + + <criterion comment="shadowmin removed" test_ref="test_libuser_login_defs_removed_shadowmin" /> + <criterion comment="shadowmax removed" test_ref="test_libuser_login_defs_removed_shadowmax" /> + <criterion comment="shadowwarn removed" test_ref="test_libuser_login_defs_removed_shadowwarn" /> + + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="shadowmin removed from login.defs" id="test_libuser_login_defs_removed_shadowmin" version="1"> + <ind:object object_ref="object_libuser_login_defs_removed_shadowmin" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_libuser_login_defs_removed_shadowmin" version="1"> + ind:path/etc</ind:path> + ind:filenamelogin.defs</ind:filename> + <ind:pattern operation="pattern match">^LU_SHADOWMIN\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="shadowmax removed from login.defs" id="test_libuser_login_defs_removed_shadowmax" version="1"> + <ind:object object_ref="object_libuser_login_defs_removed_shadowmax" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_libuser_login_defs_removed_shadowmax" version="1"> + ind:path/etc</ind:path> + ind:filenamelogin.defs</ind:filename> + <ind:pattern operation="pattern match">^LU_SHADOWMAX\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + 
</ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="shadowwarn removed from login.defs" id="test_libuser_login_defs_removed_shadowwarn" version="1"> + <ind:object object_ref="object_libuser_login_defs_removed_shadowwarn" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_libuser_login_defs_removed_shadowwarn" version="1"> + ind:path/etc</ind:path> + ind:filenamelogin.defs</ind:filename> + <ind:pattern operation="pattern match">^LU_SHADOWWARNING\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/profiles/common.xml b/rhel6/src/input/profiles/common.xml index 20853f5..8ac2554 100644 --- a/rhel6/src/input/profiles/common.xml +++ b/rhel6/src/input/profiles/common.xml @@ -20,6 +20,18 @@ <select idref="selinux_unlabeled_device_files" selected="true"/> <select idref="restrict_root_console_logins" selected="true"/> <select idref="restrict_serial_port_logins" selected="true"/> + +<select idref="verify_libuser_login_defs_import" selected="true"/> +<select idref="verify_libuser_login_defs_userdefaults" selected="true"/> +<select idref="verify_accounts_disabled_after_expiration" selected="true"/> +<!--<select idref="pam_ccreds_removed" selected="true"/> --> +<select idref="ensure_dot_files_not_world_writable" selected="true" /> +<select idref="ensure_no_netrc_files" selected="true" /> + +<!--<select idref="login_shell_inactivity_timeout" selected="true"/> --> +<select idref="login_shell_timeout_bash" selected="true"/> +<select idref="login_shell_timeout_tcsh" selected="true"/> + <select idref="no_shelllogin_for_systemaccounts" selected="true"/> <select idref="no_empty_passwords" selected="true"/> <select idref="no_hashes_outside_shadow" selected="true"/> 
@@ -76,15 +88,26 @@ <select idref="install_openswan" selected="true"/> <select idref="package_rsyslog_installed" selected="true"/> <select idref="enable_rsyslog" selected="true"/> + +<select idref="ensure_rsyslog_messages_captured" selected="true"/> + <select idref="userowner_rsyslog_files" selected="true"/> <select idref="groupowner_rsyslog_files" selected="true"/> <select idref="rsyslog_file_permissions" selected="true"/> <select idref="rsyslog_send_messages_to_logserver" selected="true"/> <!-- <select idref="rsyslog_accept_remote_messages" selected="true"/> --> <select idref="ensure_logrotate_activated" selected="true"/> + <select idref="enable_auditd_service" selected="true"/> <select idref="enable_auditd_bootloader" selected="true"/> + +<select idref="configure_logwatch_on_logserver" selected="true"/> +<select idref="disable_logwatch_for_logserver" selected="true"/> + <select idref="audit_time_rules" selected="true"/> +<select idref="configure_auditd_data_retention" selected="true"/> +<!--<select idref="configure_auditd_data_retention" selected="true"/> --> + <select idref="audit_account_changes" selected="true"/> <select idref="audit_network_modifications" selected="true"/> <select idref="audit_mac_changes" selected="true"/> @@ -93,6 +116,10 @@ <select idref="audit_privileged_commands" selected="true"/> <select idref="audit_media_exports" selected="true"/> <select idref="audit_file_deletions" selected="true"/> + +<select idref="audit_manual_logon_edits" selected="true"/> +<select idref="audit_manual_session_edits" selected="true"/> + <select idref="audit_sysadmin_actions" selected="true"/> <select idref="audit_kernel_module_loading" selected="true"/> <select idref="audit_config_immutable" selected="true"/> 
@@ -144,7 +171,7 @@ <!-- <select idref="postfix_package_installation" selected="true"/> --> <select idref="postfix_network_listening" selected="true"/> <select idref="ldap_client_tls_checkpeer" selected="true"/> -<select idref="package_openldap-servers_removed" selected="true"/> +<select idref="package_openldap-servers_removed" selected="true"/> <select idref="service_nfslock_disabled" selected="true"/> <select idref="service_rpcgssd_disabled" selected="true"/> <select idref="service_rpcidmapd_disabled" selected="true"/> @@ -165,6 +192,19 @@ <select idref="disable_smb_server" selected="true"/> <select idref="require_smb_client_signing" selected="true"/> <select idref="require_smb_client_signing_mount.cifs" selected="true"/> + +<!--<select idref="select_squid_listening_port" selected="true"/> +<select idref="verify_default_secure_settings" selected="true"/> +<select idref="change_default_insecure_settings" selected="true"/> +<select idref="configure_authentication" selected="true"/> +<select idref="access_control_lists" selected="true"/> +<select idref="configure_icp" selected="true"/> +<select idref="allow_proxy_server_access" selected="true"/> +<seelect idref="forward_logs_to_syslogd" selected="true"/> +<select idref="run_squid_in_chroot_jail" selected="true"/> +<select idref="lower_privileges" selected="true"/> +--> + <select idref="disable_squid" selected="true"/> <select idref="uninstall_squid" selected="true"/> <select idref="disable_snmpd" selected="true"/> diff --git a/rhel6/src/input/system/accounts/accounts.xml b/rhel6/src/input/system/accounts/accounts.xml index fbdeb39..e5b61a6 100644 --- a/rhel6/src/input/system/accounts/accounts.xml +++ b/rhel6/src/input/system/accounts/accounts.xml 
@@ -8,4 +8,31 @@ access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under RHEL6.</description> + +<Group id="all_human_users_group"> +<title> Create and Maintain a Group Containing All Human Users</title> +<description> +Identify all user accounts on the system which correspond to human users. Depending on your system +configuration, this may be all entries in <tt>/etc/passwd</tt> with UID values of at least 500. Once, you have +identified such a set of users, create a group named usergroup (substitute some name appropriate to your +environment) and populate it with each human user: +<pre># groupadd <i>usergroup</i> +# usermod -G <i>usergroup human1</i> +# usermod -G <i>usergroup human2</i> +... +# usermod -G <i>usergroup humanN</i></pre> +Then modify your procedure for creating new user accounts by adding <tt>-G</tt> <i>usergroup</i> to the set of flags with +which <tt>useradd</tt> is invoked, so that new human users will be placed in the correct group by default. + +Creating a group of human users does not, by itself, enhance system security. However, as you work on securing +your system, you will often find commands which never need to be run by system accounts, or which are only +ever needed by users logged into the graphical console (which should only ever be available to human users, even +on workstations). 
Once a group of users has been created, it is easy to restrict access to a given command, for +instance <i>/path/to/graphical/command</i>, to authorized users: +<pre># chgrp <i>usergroup /path/to/graphical/command</i> +# chmod 750 <i>/path/graphical/command</i></pre> +Without a group of human users, it is necessary to restrict access by somehow preventing each system account +from running the command, which is an error-prone process even when it is possible at all.</description> +<!-- <oval id="accounts_all_human_users_group_maintained" /> --> +</Group> </Group> diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index bc91277..34af4f9 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -309,6 +309,31 @@ prevents direct password guessing attacks.
</Group>
+<!-- Removed: Too complicated to enforce +<Rule id="restrict_userhelper_execution"> +<title> Restrict Execution of <tt>userhelper</tt> to Console Users</title> +<description> +If your environment has defined a group, <i>usergroup</i> containing all the human users of your system, restrict +execution of the <tt>userhelper</tt> program to only that group: +<pre># chgrp usergroup /usr/sbin/userhelper +# chmod 4710 /usr/sbin/userhelper</pre> +The <tt>userhelper</tt> program provides authentication for graphical services which must run with <tt>root</tt> privileges, +such as the <tt>system-config<tt>- family of graphical configuration utilities. Only human users logged into the system +console are likely to ever have a legitimate need to run these utilities. This step provides some protection against +possible flaws in <tt>userhelper</tt>'s implementation, and against further privilege escalation when system accounts +are compromised. See Section 2.3.2.2 for more information on creating a group of human users. +The <tt>userhelper</tt> program is configured by the files in <tt>/etc/security/console.apps/</tt>. Each file specifies, for +some program, what user the program should run as, and what program should be executed after successful +authentication. +Note: The configuration in <tt>/etc/security/console.apps/</tt> is applied in combination with the PAM configura- +tion of the service defined in <tt>/etc/pam.d/</tt>. First, <tt>userhelper</tt> determines what user the service should run as. +(Typically, this will be <tt>root</tt>.) Next, <tt>userhelper</tt> uses the PAM API to allow the user who ran the program to +attempt to authenticate as the desired user. The PAM API exchange is wrapped in a GUI if the application's +configuration requests one.</description> +<ident cce="4185-5, 3952-9" /> +<oval id="accounts_pam_userhelper_execution_restricted" /> +</Rule> +-->
<Rule id="set_password_hashing_algorithm"> <title>Set Password Hashing Algorithm</title> @@ -374,7 +399,18 @@ compromised could be used yet again by an attacker. <oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> <ref nist="IA-5" /> </Rule> -</Group> +</Group> <!-- End <Group id="limiting_password_reuse"> -->
+<!--<Rule id="pam_ccreds_removed"> +<title> Remove the <tt>pam_ccreds</tt> Package if Possible</title> +<description> +Unless its credential caching functionality is required, remove the <tt>pam_ccreds</tt> package: +<pre># yum erase pam_ccreds</pre> +The <tt>pam_ccreds</tt> package contains the setuid program <tt>/usr/sbin/ccreds_validate</tt> and should be removed +unless it provides essential functionality. Any credentials cached on a system would also be compromised if an +attacker obtains control of the system.</description> +<oval id="package_pam_ccreds_removed" /> +</Rule> + No longer exists in RHEL6 --> </Group>
diff --git a/rhel6/src/input/system/accounts/physical.xml b/rhel6/src/input/system/accounts/physical.xml index 45ad144..b4a3e76 100644 --- a/rhel6/src/input/system/accounts/physical.xml +++ b/rhel6/src/input/system/accounts/physical.xml @@ -7,6 +7,23 @@ there are some steps which, if taken, make it more difficult for an attacker to quickly or undetectably modify a system from its console.</description>
+<Group id="bios_password"> +<title>Set BIOS Password</title> +<description>BIOS (on x86 systems) is the first code to execute during system startup and controls many important +system parameters, including which devices the system will try to boot from, and in which order. +Assign a password to prevent any unauthorized changes to the BIOS configuration. The exact steps will +vary depending on your machine, but are likely to include: +1.Reboot the machine. +2.Press the appropriate key during the initial boot screen (F2 is typical). +3.Navigate the BIOS configuration menu to add a password. +The exact process will be system-specific and the system's hardware manual may provide detailed instructions. +This password should prevent attackers with physical access from attempting to change important parameters. +However, an attacker with physical access can usually clear the BIOS password. The password should be +written down and stored in a physically-secure location, such as a safe, in the event that it is forgotten + and must be retrieved. +</description> +</Group> + <Group id="bootloader"> <title>Set Boot Loader Password</title> <description>During the boot process, the boot loader is @@ -133,6 +150,52 @@ services, weakening system security. <ref nist="CM-7, IA-4, SC-2"/> </Rule>
+<Group id="login_shell_inactivity_timeout"> +<description> +If the system does not run X Windows, then the login shells can be configured to automatically log users out after +a period of inactivity. The following instructions are not practical for systems which run X Windows, as they +will close terminal windows in the X environment. + +The example time-out here of 15 minutes should be adjusted to whatever your security policy requires. The +readonly line for bash and the -r option for tcsh can be omitted if policy allows users to override the value. +The automatic shell logout only occurs when the shell is the foreground process. If, for example, a vi session is +left idle, then automatic logout would not occur. +When logging in through a remote connection, as with SSH, it may be more effective to set the timeout value +directly through that service. Section referenced elsewhere.</description> + +<Rule id="login_shell_timeout_bash"> +<title> Implement Inactivity Time-out for Login Shells</title> +<description> +If the system does not run X Windows, then the login shells can be configured to automatically log users out after +a period of inactivity. The following instructions are not practical for systems which run X Windows, as they +will close terminal windows in the X environment. +To implement a 15-minute idle time-out for the default <tt>/bin/bash</tt> shell, create a new file +<tt>tmout.sh</tt> in the directory <tt>/etc/profile.d</tt> with the following lines: + +<pre>TMOUT=900 +readonly TMOUT +export TMOUT</pre> + + +Similar actions should be taken for any other login shells used. 
+</description> +<ident cce="3707-7" /> +<oval id="accounts_login_shell_timeout_implemented_bash" /> +</Rule> + +<Rule id="login_shell_timeout_tcsh"> +<title>Inactivity Time-out for <tt>tcsh</tt> Shell</title> +<description> +To implement a 15-minute idle time-out for the <tt>tcsh</tt> shell, create a new file <tt>autologout.csh</tt> + in the directory <tt>/etc/profile.d</tt> with the following line: + + +<pre>set -r autologout 15</pre> +</description> +<ident cce="3689-7" /> +<oval id="accounts_login_shell_timeout_implemented_tcsh" /> +</Rule> +</Group>
<Group id="screen_locking"> <title>Configure Screen Locking</title> diff --git a/rhel6/src/input/system/accounts/restrictions/restrictions.xml b/rhel6/src/input/system/accounts/restrictions/restrictions.xml index febead6..7006bf7 100644 --- a/rhel6/src/input/system/accounts/restrictions/restrictions.xml +++ b/rhel6/src/input/system/accounts/restrictions/restrictions.xml @@ -10,4 +10,118 @@ console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary.</description>
+<!-- +<Rule id="limit_su_access_to_root"> +<title> Limit <tt>su</tt> Access to the Root Account</title> +<description>"1.Ensure that the group <tt>wheel</tt> exists, and that the usernames of all administrators who should be allowed +to execute commands as root are members of that group. +<pre># grep ^wheel /etc/group</pre> +2.Edit the file <tt>/etc/pam.d/su</tt>. Add, uncomment, or correct the line: +<pre>auth required pam_wheel.so use_uid</pre> +The <tt>su</tt> command allows a user to gain the privileges of another user by entering the password for that user's +account. It is desirable to restrict the root user so that only known administrators are ever allowed to access the +root account. This restricts password-guessing against the root account by unauthorized users or by accounts +which have been compromised. <br /> +By convention, the group <tt>wheel</tt> contains all users who are allowed to run privileged commands. The PAM +module <tt>pam_wheel.so</tt> is used to restrict root access to this set of users.</description> +<ident cce="14088-9, 15047-4" /> +<oval id="accounts_su_access_limited" /> +<ref nist="AC-2, AC-3, CM-6" /> +</Rule> +--> + +<Group id="configure_sudo"> +<title> Verify <tt>sudo</tt> is Configured to Improve Auditing of Root Access</title> +<description> +The <tt>sudo</tt> command allows fine-grained control over which users can execute commands using other accounts. +The primary benefit of <tt>sudo</tt> when configured as above is that it provides an audit trail of every command run +by a privileged user. It is possible for a malicious administrator to circumvent this restriction, but, if there is an +established procedure that all root commands are run using <tt>sudo</tt>, then it is easy for an auditor to detect unusual +behavior when this procedure is not followed. 
<br /> +</description> + +<warning> +Editing <tt>/etc/sudoers</tt> by hand can be dangerous, since a configuration error may make it impossible to access +the root account remotely. The recommended means of editing this file is using the <tt>visudo</tt> command, which +checks the file's syntax for correctness before allowing it to be saved. <br /> + +Note that <tt>sudo</tt> allows any attacker who gains access to the password of an administrator account to run commands +as root. This is a downside which must be weighed against the benefits of increased audit capability and of being +able to heavily restrict the use of the high-value root password (which can be logistically difficult to change +often). As a basic precaution, <i>never</i> use the <tt>NOPASSWD</tt> directive, which would allow anyone with access to an administrator account to execute commands as root without knowing the administrator's password. <br /> +</warning> + +<Group id="admin_user_group"> +<title>Create and Use One Group for All Admin</title> +<description>Ensure that a group <i>ADMINS</i> exists, and that the usernames of all administrators who should be allowed +to execute commands as root are members of that group. +<pre># grep ^<i>ADMINS</i> /etc/group</pre> + +Edit the file <tt>/etc/sudoers</tt>. Add, uncomment, or correct the line: +<pre>%ADMINS ALL=(ALL) ALL</pre> +<pre>%<i>ADMINS</i> ALL=(ALL) ALL</pre> + +</description> +</Group> + +<!--<Rule id="verify_wheel_exists"> +<description> +Ensure that the group <tt>wheel</tt> exists, and that the usernames of all administrators who should be allowed +to execute commands as root are members of that group. +<pre># grep ^wheel /etc/group</pre></description> +<oval id="accounts_wheel_exists" /> +</Rule> + +<Rule id="verify_sudo_audit_trail"> +<description>Edit the file <tt>/etc/sudoers</tt>. 
Add, uncomment, or correct the line: +<pre>%wheel ALL=(ALL) ALL</pre> +</description> +<oval id="accounts_root_auditing_improved" /> +</Rule> +</Group> +--> + +<Group id="remove_password_parameters"> +<title> Remove Password Parameters from <tt>libuser.conf</tt></title> +<description>The <tt>/etc/libuser.conf</tt> file contains configuration options for the libuser library, which is intended to implement +a standardized interface for manipulating and administering user and group accounts. By default, it sources +password settings from <tt>/etc/login.defs</tt>, but it can override these parameters. The man page <tt>libuser.conf(5)</tt> contains more information.</description> + +<Rule id="verify_libuser_login_defs_import"> +<title>Verify Line Under Import Section</title> +<description> +Ensure the following line exists within the file <tt>/etc/libuser.conf</tt> under the <tt>[import]</tt> section. +<pre>login_defs = /etc/login.defs</pre></description> +<oval id="libuser_login_defs_import" /> +</Rule> + +<Rule id="verify_libuser_login_defs_userdefaults"> +<title>Verify Lines do not Appear in Userdefaults Section</title> +<description> +Ensure that no lines beginning with the following appear in the <tt>[userdefaults]</tt> section of the file, as +these override settings from <tt>/etc/login.defs</tt>: +<pre>LU_SHADOWMAX +LU_SHADOWMIN +LU_SHADOWWARNING</pre></description> +<oval id="libuser_login_defs_userdefaults" /> +</Rule> +</Group> + + +<Rule id="verify_accounts_disabled_after_expiration"> +<title> Set Accounts to Disable After Password Expiration</title> +<description> +In order to automatically disable local accounts some number of <i>DAYS</i> after password expiration, add or +modify the following line in <tt>/etc/default/useradd</tt>: +<pre>INACTIVE=<i>DAYS</i></pre> +For example, if <pre>INACTIVE=30</pre> and if the password is currently on the verge of expiration, then 30 days remain +until the account is automatically disabled. 
If the password will not expire for another 60 days, then 90 days +remain until the account is automatically disabled. See <tt>useradd(8)</tt> for more information. +Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period +of inactivity for users in your environment. Setting the timeout too low incurs support costs and also has the +potential to impact availability of the system to legitimate users.</description> +<oval id="accounts_disabled_after_expiration" /> +</Rule> + +</Group> </Group> diff --git a/rhel6/src/input/system/accounts/session.xml b/rhel6/src/input/system/accounts/session.xml index 00b5a8d..f7e6530 100644 --- a/rhel6/src/input/system/accounts/session.xml +++ b/rhel6/src/input/system/accounts/session.xml @@ -114,6 +114,19 @@ groups or ACLs. <ref nist="AC-3, CM-6"/> </Rule>
+<Rule id="ensure_dot_files_not_world_writable"> +<title> Ensure that User Dot-Files are not World-writable</title> +<description> +For each human user <i>USER</i> of the system, view the permissions of all dot-files in the user's home directory: +<pre># ls -ld /home/USER /.[A-Za-z0-9]*</pre> +Ensure that none of these files are group- or world-writable. Correct each misconfigured file <i>FILE</i> by exe- +cuting: +<pre># chmod go-w /home/USER /FILE</pre> +A user who can modify another user's configuration files can likely execute commands with the other user's +privileges, including stealing data, destroying files, or launching further attacks on the system.</description> +<oval id="accounts_user_dot_files_not_world_writable" /> +</Rule> + <Group id="user_umask"> <title>Ensure that Users Have Sensible Umask Values</title> <description> @@ -168,6 +181,17 @@ operator="equals" interactive="0"> <value selector="077">077</value> </Value>
+<Group id="ensure_no_netrc_files"> +<title> Ensure that Users do not Have <tt>.netrc</tt> Files</title> +<description> +For each human user <i>USER</i> of the system, ensure that the user has no <tt>.netrc</tt> file. The command: +<pre># ls -l /home/<i>USER</i> /.netrc</pre> +should return the error "No such file or directory". If any user has such a file, approach that user to discuss +removing this file. +The <tt>.netrc</tt> file is a configuration file used to make unattended logins to other systems via FTP. When this file +exists, it frequently contains unencrypted passwords which may be used to attack other systems.</description> +</Group> + <Rule id="user_umask_bashrc"> <title> Ensure the Default Bash Umask is Set Correctly
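Review bot: in the restrictions.xml hunk, the admin_user_group description gives the sudoers line twice, once as `<pre>%ADMINS ALL=(ALL) ALL</pre>` and again as `<pre>%<i>ADMINS</i> ALL=(ALL) ALL</pre>`; keep only the italicised placeholder form so it matches the `# grep ^<i>ADMINS</i> /etc/group` line above it. Structurally, `<Group id="remove_password_parameters">` and `<Rule id="verify_accounts_disabled_after_expiration">` are both emitted before the added `+</Group>` that closes `configure_sudo`, so the libuser.conf and password-expiration guidance ends up nested under "Verify sudo is Configured"; move both after that closing tag so they sit at the same level as the sudo group. In the expiration rule, `<pre>INACTIVE=30</pre>` appears mid-sentence ("if <pre>INACTIVE=30</pre> and if"), which breaks the paragraph when rendered; use `<tt>` for an inline value. Minor: the commented-out `limit_su_access_to_root` description opens with a stray `"` before `1.Ensure`, which will matter if that block is ever re-enabled.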
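Review bot: both commands in the ensure_dot_files_not_world_writable hunk of session.xml contain a space inside the path. `# ls -ld /home/USER /.[A-Za-z0-9]*` lists the home directory and then dot entries under `/`, not the user's dot-files, and `# chmod go-w /home/USER /FILE` would change the mode of the home directory and of a top-level `/FILE` rather than the misconfigured dot-file; they should read `/home/USER/.[A-Za-z0-9]*` and `/home/USER/FILE`. The PDF hyphenation `exe- cuting` also survived the import. Finally, the text requires that no file is "group- or world-writable" and the fix is `chmod go-w`, but the title and the referenced OVAL id (`accounts_user_dot_files_not_world_writable`) only speak of world-writable; either make the check cover group-writable too or narrow the description so the rule and its check agree.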
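Review bot: the second session.xml hunk has the same path problem: `# ls -l /home/<i>USER</i> /.netrc` should be `/home/<i>USER</i>/.netrc`; as written, ls lists the home directory and then reports on `/.netrc`, so the "No such file or directory" result the text tells the reader to expect is about the wrong file. The block is also inserted inside `<Group id="user_umask">`, between its `<Value>` and `<Rule id="user_umask_bashrc">`, so the .netrc guidance becomes a sub-group of the umask section; place it after the umask group closes. Since it describes one checkable condition (the file must not exist) with a procedure and rationale, it should probably be a Rule so it can carry an `<oval>` reference rather than a Group.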
Signed-off-by: Mike Palmiotto mpalmiotto@tresys.com --- .../checks/audit_rules_logon_modification.xml | 34 +++++++++ .../checks/audit_rules_session_modification.xml | 47 ++++++++++++ .../checks/logwatch_configured_on_logserver.xml | 71 ++++++++++++++++++ .../src/input/checks/rsyslog_messages_captured.xml | 70 ++++++++++++++++++ rhel6/src/input/system/auditing.xml | 77 +++++++++++++++++++- rhel6/src/input/system/logging.xml | 67 +++++++++++++++++ 6 files changed, 365 insertions(+), 1 deletions(-) create mode 100644 rhel6/src/input/checks/audit_rules_logon_modification.xml create mode 100644 rhel6/src/input/checks/audit_rules_session_modification.xml create mode 100644 rhel6/src/input/checks/logwatch_configured_on_logserver.xml create mode 100644 rhel6/src/input/checks/rsyslog_messages_captured.xml
diff --git a/rhel6/src/input/checks/audit_rules_logon_modification.xml b/rhel6/src/input/checks/audit_rules_logon_modification.xml new file mode 100644 index 0000000..97d170d --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_logon_modification.xml 
@@ -0,0 +1,34 @@ +<def-group> + <definition class="compliance" id="audit_rules_logon_modification" version="1"> + <metadata> + <title> Record Attempts to Alter Logon and Logout Events</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-14904-7" source="CCE" /> + <description> Audit attempted manual edits of files involved in storing logon events.</description> + </metadata> + <criteria operator = "AND"> + <criterion comment="watch on lastlog" test_ref="test_audit_rules_logon_modification_lastlog" /> + <criterion comment="watch on faillog" test_ref="test_audit_rules_logon_modification_faillog" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" comment="lastlog watch" id="test_audit_rules_logon_modification_lastlog" version="1"> + <ind:object object_ref="object_audit_rules_logon_modification_lastlog" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_audit_rules_logon_modification_lastlog" version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern operation="pattern match">^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment="faillog watch" id="test_audit_rules_logon_modification_faillog" version="1"> + <ind:object object_ref="object_audit_rules_logon_modification_faillog" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_audit_rules_logon_modification_faillog" version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern operation="pattern match">^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> 
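Review bot: `<reference ref_id=" CCE-14904-7" source="CCE" />` has a leading space in the id, and `<criteria operator = "AND">` uses spaces around `=` where the other new check files write `operator="AND"`. The `<ind:path>` and `<ind:filename>` elements appear here as `ind:path/etc/audit</ind:path>` and `ind:filenameaudit.rules</ind:filename>`, that is without their opening tags; if that is not a mail-rendering artifact the file will not parse, so please confirm the committed file reads `<ind:path>/etc/audit</ind:path>`. Both patterns also pin the key to `-k[\s]+logins`; since the key in the rule text is only a suggested label, matching any key (for example `-k[\s]+\S+`) would avoid failing administrators who chose a different name.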
diff --git a/rhel6/src/input/checks/audit_rules_session_modification.xml b/rhel6/src/input/checks/audit_rules_session_modification.xml new file mode 100644 index 0000000..22b0cb6 --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_session_modification.xml 
@@ -0,0 +1,47 @@ +<def-group> + <definition class="compliance" id="audit_rules_session_modification" version="1"> + <metadata> + <title></title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-14679-5" source="CCE" /> + <description>Ensure that watches are placed on utmp, btmp, and wtmp, sessions.</description> + </metadata> + <criteria operator="AND"> + <criterion comment="watch on wtmp" test_ref="test_audit_rules_session_modification_wtmp" /> + <criterion comment="watch on utmp" test_ref="test_audit_rules_session_modification_utmp" /> + <criterion comment="watch on btmp" test_ref="test_audit_rules_session_modification_btmp" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" comment="wtmp session watch" id="test_audit_rules_session_modification_wtmp" version="1"> + <ind:object object_ref="object_audit_rules_session_modification_wtmp" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_audit_rules_session_modification_wtmp" version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern operation="pattern match">^-w[\s]+/var/log/wtmp[\s]+wa[\s]+-k[\s]+session\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" comment="utmp session watch" id="test_audit_rules_session_modification_utmp" version="1"> + <ind:object object_ref="object_audit_rules_session_modification_utmp" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_audit_rules_session_modification_utmp" version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern operation="pattern match">^-w[\s]+/var/log/utmp[\s]+wa[\s]+-k[\s]+session\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" comment="btmp session 
watch" id="test_audit_rules_session_modification_btmp" version="1"> + <ind:object object_ref="object_audit_rules_session_modification_btmp" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_audit_rules_session_modification_btmp" version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern operation="pattern match">^-w[\s]+/var/log/btmp[\s]+wa[\s]+-k[\s]+session\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/logwatch_configured_on_logserver.xml b/rhel6/src/input/checks/logwatch_configured_on_logserver.xml new file mode 100644 index 0000000..2a99b92 --- /dev/null +++ b/rhel6/src/input/checks/logwatch_configured_on_logserver.xml 
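Review bot: the three patterns in audit_rules_session_modification omit the `-p` flag, for example `^-w[\s]+/var/log/wtmp[\s]+wa[\s]+-k[\s]+session\s*$`, so the line the XCCDF rule tells administrators to add, `-w /var/log/wtmp -p wa -k session`, never matches and the check fails on a compliant system; insert `-p[\s]+` before `wa` as the logon check does. The utmp object looks for `/var/log/utmp` while the rule text uses `/var/run/utmp`; the two must agree. `<title></title>` is empty, and the description "utmp, btmp, and wtmp, sessions" has a stray comma. The same `ind:path` / `ind:filename` opening-tag question as in the logon check applies here.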
@@ -0,0 +1,71 @@ +<def-group> + <definition class="compliance" id="logwatch_configured_on_logserver" version="1"> + <metadata> + <title>Ensure Logwatch Configured on the Central Log Server</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-4323-2" source="CCE" /> + <description>Check if logwatch service is enabled and configured.</description> + </metadata> + <criteria operator="AND"> + <criterion comment="hostlimit" test_ref="test_logwatch_configured_on_logserver_hostlimit" /> + <criterion comment="splithosts" test_ref="test_logwatch_configured_on_logserver_splithosts" /> + <criterion comment="multiemail" test_ref="test_logwatch_configured_on_logserver_multiemail" /> + <criterion comment="service" test_ref="test_logwatch_configured_on_logserver_service" /> + + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test HostLimit" id="test_logwatch_configured_on_logserver_hostlimit" version="1"> + <ind:object object_ref="object_logwatch_configured_on_logserver_hostlimit" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_hostlimit" version="1"> + <ind:subexpression operation="equals">no</ind:subexpression> + </ind:textfilecontent54_state> + <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_hostlimit" version="1"> + ind:path/etc/logwatch/conf</ind:path> + ind:filenamelogwatch.conf</ind:filename> + <ind:pattern operation="pattern match">^[\s]HostLimit[\s]*=[\s]*[\w]+\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test SplitHosts" id="test_logwatch_configured_on_logserver_splithosts" version="1"> + <ind:object object_ref="object_logwatch_configured_on_logserver_splithosts" /> + </ind:textfilecontent54_test> + 
<ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_splithosts" version="1"> + <ind:subexpression operation="equals">yes</ind:subexpression> + </ind:textfilecontent54_state> + <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_splithosts" version="1"> + ind:path/etc/logwatch/conf</ind:path> + ind:filenamelogwatch.conf</ind:filename> + <ind:pattern operation="pattern match">^[\s]SplitHosts[\s]*=[\s]*[\w]+\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test MultiEmail" id="test_logwatch_configured_on_logserver_multiemail" version="1"> + <ind:object object_ref="object_logwatch_configured_on_logserver_multiemail" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_multiemail" version="1"> + <ind:subexpression operation="equals">no</ind:subexpression> + </ind:textfilecontent54_state> + <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_multiemail" version="1"> + ind:path/etc/logwatch/conf</ind:path> + ind:filenamelogwatch.conf</ind:filename> + <ind:pattern operation="pattern match">^[\s]MultiEmail[\s]*=[\s]*[\w]+\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test Service" id="test_logwatch_configured_on_logserver_service" version="1"> + <ind:object object_ref="object_logwatch_configured_on_logserver_service" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_service" version="1"> + <ind:subexpression operation="equals">-zz-disk_space</ind:subexpression> + </ind:textfilecontent54_state> + <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_service" version="1"> + ind:path/etc/logwatch/conf</ind:path> + 
ind:filenamelogwatch.conf</ind:filename> + <ind:pattern operation="pattern match">^[\s]Service[\s]*=[\s]*-zz-disk_space+\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/rsyslog_messages_captured.xml b/rhel6/src/input/checks/rsyslog_messages_captured.xml new file mode 100644 index 0000000..0639653 --- /dev/null +++ b/rhel6/src/input/checks/rsyslog_messages_captured.xml 
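Review bot: none of the four tests in logwatch_configured_on_logserver reference their state, so `state_logwatch_configured_on_logserver_hostlimit` and the others are dead definitions and each test passes as soon as any `HostLimit = <word>` line exists, including `HostLimit = yes`; add `<ind:state state_ref="state_logwatch_configured_on_logserver_hostlimit" />` to each test. For the state comparison to work the value must be a capture group, so the patterns need `([\w]+)` rather than `[\w]+`, because `<ind:subexpression>` compares captured groups only. The patterns also start with `^[\s]`, which requires exactly one leading whitespace character, so the column-0 lines shown in the rule text (`HostLimit = no`) never match; use `^[\s]*`. In the service pattern `-zz-disk_space+\s*$` the `+` applies only to the final `e`; drop it.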
@@ -0,0 +1,70 @@ +<def-group> + <definition class="compliance" id="rsyslog_messages_captured" + version="1"> + <metadata> + <title>Ensure Important Messages are Captured</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description>Make sure appropriate lines are in rsyslog.conf. </description> + </metadata> + <criteria operator="AND"> + <criterion comment="messages" test_ref="test_rsyslog_messages_captured_messages" /> + <criterion comment="kern.log" test_ref="test_rsyslog_messages_captured_kern" /> + <criterion comment="daemon.log" test_ref="test_rsyslog_messages_captured_daemon" /> + <criterion comment="syslog" test_ref="test_rsyslog_messages_captured_syslog" /> + <criterion comment="unused.log" test_ref="test_rsyslog_messages_captured_unused" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" comment="messages" id="test_rsyslog_messages_captured_messages" version="1"> + <ind:object object_ref="object_rsyslog_messages_captured_messages" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_rsyslog_messages_captured_messages" version="1"> + ind:path/etc</ind:path> + ind:filenamersyslog.conf</ind:filename> + <ind:pattern operation="pattern match">^auth.*[\s]*,[\s]*user.*[\s]+/var/log/messages$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" comment="kern.log" id="test_rsyslog_messages_captured_kern" version="1"> + <ind:object object_ref="object_rsyslog_messages_captured_kern" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_rsyslog_messages_captured_kern" version="1"> + ind:path/etc</ind:path> + ind:filenamersyslog.conf</ind:filename> +<ind:pattern operation="pattern match">^kern.*[\s]+/var/log/kern.log$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + 
<ind:textfilecontent54_test check="all" comment="daemon.log" id="test_rsyslog_messages_captured_daemon" version="1"> + <ind:object object_ref="object_rsyslog_messages_captured_daemon" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_rsyslog_messages_captured_daemon" version="1"> + ind:path/etc</ind:path> + ind:filenamersyslog.conf</ind:filename> +<ind:pattern operation="pattern match">^daemon.*[\s]+/var/log/daemon.log$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" comment="syslog" id="test_rsyslog_messages_captured_syslog" version="1"> + <ind:object object_ref="object_rsyslog_messages_captured_syslog" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_rsyslog_messages_captured_syslog" version="1"> + ind:path/etc</ind:path> + ind:filenamersyslog.conf</ind:filename> + <ind:pattern operation="pattern match">^syslog.*[\s]+/var/log/syslog$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" comment="unused" id="test_rsyslog_messages_captured_unused" version="1"> + <ind:object object_ref="object_rsyslog_messages_captured_unused" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_rsyslog_messages_captured_unused" version="1"> + ind:path/etc</ind:path> + ind:filenamersyslog.conf</ind:filename> + <ind:pattern operation="pattern match">^lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*[\s]+/var/log/unused.log$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index e75754f..1d18eaf 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -95,6 +95,51 @@ process during boot. <ref nist="AU-2" /> </Rule>
+<!-- +<Group id="configure_auditd_data_retention"> +<title> Configure <tt>auditd</tt> Data Retention</title> +<description> +<ul> + +<li> Determine <i>STOREMB</i>, the amount of audit data (in megabytes) which should be retained in each log +file. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line:</li> +<pre>max_log_file = <i>STOREMB</i></tt> + +<li>Use a dedicated partition (or logical volume) for log files. It is straightforward to create such a partition +or logical volume during system installation time. The partition should be larger than the maximum +space which <tt>auditd</tt> will ever use, which is the maximum size of each log file (<tt>max_log_file</tt>) multiplied +by the number of log files (<tt>num_logs</tt>). Ensure the partition is mounted on <tt>/var/log/audit</tt>.</li> + +<li>If your site requires that the machine be disabled when auditing cannot be performed, configure <tt>auditd</tt> +to halt the system when disk space for auditing runs low. Edit <tt>/etc/audit/auditd.conf</tt>, and add or +correct the following lines:</li> +<pre>space_left_action = email +action_mail_acct = root +admin_space_left_action = halt</pre> +</ul> +The default action to take when the logs reach their maximum size is to rotate the log files, discarding the +oldest one. If it is more important to retain all possible auditing information, even if that opens the possibility +of running out of space and taking the action defined by <tt>admin_space_left_action</tt>, add or correct the line: +<pre>max_log_file_action = keep_logs</pre> +By default, <tt>auditd</tt> retains 4 log files of size 5Mb apiece. For a busy system or a system which is thoroughly +auditing system activity, this is likely to be insuffcient. +The log file size needed will depend heavily on what types of events are being audited. First configure auditing +to log all the events of interest. 
Then monitor the log size manually for awhile to determine what file size will +allow you to keep the required data for the correct time period. +Using a dedicated partition for <tt>/var/log/audit</tt> prevents the <tt>auditd</tt> logs from disrupting system functionality if +they fill, and, more importantly, prevents other activity in <tt>/var</tt> from filling the partition and stopping the audit +trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.) +Some machines may have requirements that no actions occur which cannot be audited. If this is the case, then +<tt>auditd</tt> can be configured to halt the machine if it runs out of space. +<b>Note:</b> Since older logs are rotated, configuring <tt>auditd</tt> this way does not prevent older logs from being rotated +away before they can be viewed. +<i>If your system is configured to halt when logging cannot be performed, make sure this can never +happen under normal circumstances! Ensure that <tt>/var/log/audit</tt> is on its own partition, and +that this partition is larger than the maximum amount of data <tt>auditd</tt> will retain normally.</i></description> +<oval id="service_auditd_data_retention_configured" /> +</Group> +--> + <Group id="auditd_configure_rules"> <title>Configure <tt>auditd</tt> Rules for Comprehensive Auditing</title> <description>The <tt>auditd</tt> program can perform comprehensive @@ -171,7 +216,6 @@ to capture events that modify account changes: <ref nist="AU-2(a)" /> </Rule>
- <Rule id="audit_network_modifications"> <title>Record Events that Modify the System’s Network Environment</title> <description>Add the following to <tt>/etc/audit/audit.rules</tt>, setting @@ -205,6 +249,37 @@ anything other than administrator action. All changes to MAC policy should be au <ref nist="AU-2" /> </Rule>
+<Rule id="audit_manual_logon_edits"> +<title> Record Attempts to Alter Logon and Logout Events</title> +<description> +The audit system already collects login info for all users and root. To watch for attempted manual edits of +files involved in storing logon events, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre> +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +</pre> +</description> +<ident cce="14904-7" /> +<oval id="audit_rules_logon_modification" /> +<ref nist="TODO" /> +</Rule> + + +<Rule id="audit_manual_session_edits"> +<title> Record Attempts to Alter Process and Session Initiation Information</title> +<description> +The audit system already collects process information for all users and root. To watch for attempted manual +edits of files involved in storing such process information, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre> +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session +</pre> +</description> +<ident cce="14679-5" /> +<oval id="audit_rules_session_modification" /> +<ref nist="TODO" /> +</Rule>
<Rule id="audit_dac_actions"> <title>Ensure <tt>auditd</tt> Collects Discretionary Access Control diff --git a/rhel6/src/input/system/logging.xml b/rhel6/src/input/system/logging.xml index 839484e..fc6b311 100644 --- a/rhel6/src/input/system/logging.xml +++ b/rhel6/src/input/system/logging.xml @@ -54,6 +54,25 @@ logging services. <ref nist="AU-2" /> </Rule>
+<Rule id="ensure_rsyslog_messages_captured"> +<title> Ensure Important Messages are Captured</title> +<description> +Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct whichever of the following lines are appropriate for your +environment: +<pre> +auth.*,user.* /var/log/messages +kern.* /var/log/kern.log +daemon.* /var/log/daemon.log +syslog.* /var/log/syslog +lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log +</pre> +See the man page <tt>rsyslog.conf(5)</tt> for more information. +<i>By default,</i> <tt>rsyslog</tt> <i>uses a timestamp format that Logwatch does not understand. If your en- +vironment uses Logwatch, edit the file <tt>/etc/rsyslog.conf</tt> and add or edit the following line:</i> +<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre></description> +<oval id="rsyslog_messages_captured" /> +</Rule> + <Group id="log_file_permissions"> <title>Confirm Existence and Permissions of System Log Files</title> <description>For each log file LOGFILE referenced in 
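Review bot: `<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre>` has a space after the `$`, which turns the rsyslog directive into what looks like a shell prompt; the directive is `$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat`. The text says to add "whichever of the following lines are appropriate for your environment", but the referenced check `rsyslog_messages_captured` ANDs all five lines, so a site that only wants some of them will fail the rule; either make the description require all five or keep this as a Group without a check. The hyphenation `en- vironment` survived from the PDF.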
@@ -297,4 +316,52 @@ if the /var/log partition becomes full.</rationale> <ref nist="AU-2, AU-9, CM-6" /> </Rule> </Group> + +<Rule id="configure_logwatch_on_logserver"> +<title> Configure Logwatch on the Central Log Server</title> +<description> +Is this machine the central log server? If so, edit the file <tt>/etc/logwatch/conf/logwatch.conf</tt>. Add or +correct the following lines: +<pre> +HostLimit = no +SplitHosts = yes +MultiEmail = no +Service = -zz-disk_space +</pre> +Ensure that <tt>logwatch.pl</tt> is run nightly from <tt>cron</tt>. (This is the default): +<pre># cd /etc/cron.daily +# ln -s /usr/share/logwatch/scripts/logwatch.pl 0logwatch +</pre> +On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate +on the logserver itself. The <tt>HostLimit</tt> setting tells Logwatch to report on all hosts, not just the one on which it +is running. +If <tt>SplitHosts</tt> is set, Logwatch will separate entries by hostname. This makes the report longer but significantly +more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that +information is almost always necessary. If <tt>MultiEmail</tt> is set, then each host's information will be sent in a +separate e-mail message. This is a matter of preference. +The <tt>Service</tt> directive <tt>-zz-disk_space</tt> tells Logwatch not to run the <tt>zz-disk_space</tt> report, which reports on +free disk space. Since all log monitoring is being done on the central logserver, the disk space listing will always be +that of the logserver, regardless of which host is being monitored. This is confusing, so disable that service. Note +that this does mean that <tt>Logwatch</tt> will not monitor disk usage information. 
Many workarounds are possible, +such as running <tt>df</tt> on each host daily via <tt>cron</tt> and sending the output to <tt>syslog</tt> so that it will be reported to +the logserver.</description> +<ident cce="4323-2" /> +<oval id="logwatch_configured_on_logserver" /> +</Rule> + + +<Rule id="disable_logwatch_for_logserver"> +<title> Disable Logwatch on Clients if a Logserver Exists</title> +<description> +Does your site have a central logserver which has been configured to report on logs received from all systems? +If so: +<pre> +# rm /etc/cron.daily/0logwatch +</pre> +If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central +logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier +and less time-intensive for administrators.</description> +<oval id="logwatch_disabled_for_logserver" /> +</Rule> </Group> +
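Review bot: in rsyslog_messages_captured.xml the selector text is used unescaped inside the regexes, so in `^auth.*[\s]*,[\s]*user.*[\s]+/var/log/messages$` the `.*` means "any characters" rather than the literal `.*` selector; a line such as `auth,user.none /var/log/messages`, which discards those messages, satisfies the pattern. Escape the selectors as `auth\.\*`, `kern\.\*`, and so on in all five objects. `<reference ref_id="TODO" source="CCE" />` is a placeholder and the `ind:path` / `ind:filename` opening tags need the same confirmation as in the audit check files.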
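Review bot: the configure_auditd_data_retention group in the first auditing.xml hunk is added entirely inside `<!-- -->`, which leaves commented-out content carrying an `<oval id="service_auditd_data_retention_configured" />` that a Group cannot use anyway; rather than committing it disabled, split it into Rules (max_log_file, the dedicated partition, and the space_left_action / admin_space_left_action halt setting) each with its own check. Before that, fix `<pre>max_log_file = <i>STOREMB</i></tt>`, which opens `<pre>` and closes `</tt>`, and the `<pre>` blocks that sit directly inside `<ul>` between `</li>` and `<li>`, since both will break the build once uncommented. Typos: "insuffcient", "awhile".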
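Review bot: in the audit_manual_logon_edits and audit_manual_session_edits rules both `<ref nist="TODO" />` entries are placeholders; AU-2 is what the neighbouring audit rules in this file cite. The session rule lists `-w /var/run/utmp -p wa -k session`, but its check `audit_rules_session_modification` watches `/var/log/utmp` and its patterns contain no `-p`, so the rule as documented cannot pass its own check; align the path and add `-p[\s]+` to the patterns.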
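Review bot: `disable_logwatch_for_logserver` references `<oval id="logwatch_disabled_for_logserver" />`, but the file list for this patch creates only `logwatch_configured_on_logserver.xml` (plus the audit and rsyslog checks), so the reference dangles; either add the check (absence of `/etc/cron.daily/0logwatch`) or drop the `<oval>` element until it exists. The id also reads inverted relative to the title "Disable Logwatch on Clients if a Logserver Exists"; something like `disable_logwatch_on_clients` would match. In configure_logwatch_on_logserver the markup is inconsistent between `Logwatch` and `<tt>Logwatch</tt>`; pick one.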
Ah -- we already have an auditing check for CCEs 14904-7 and 14679-5, but they're wrong (and based on a since-corrected release of the guide). Thanks for the catch.
The old/wrong version had confused:
"Ensure auditd Collects Logon and Logout Events" with "Record Attempts to Alter Logon and Logout Events"
as well as
"Ensure auditd Collects Process and Session Initiation Information" with "Record Attempts to Alter Process and Session Initiation Information"
The second item in each is correct (as you have it). Could you alter the existing, incorrect XCCDF and OVAL rules instead? I believe that the text/title is wrong in the existing checks, but that the actual regex is correct/preferable; we do not want to force admins to call their key/label for an audit rule a particular thing. (They can call it whatever they'd like.) If you can make those mods, please consider this an auto-ACK for a commit/push (and also please post to the list).
The logwatch stuff mostly looks good, although I think we should break apart (into separate Rules/checks) each line for:
HostLimit = no
SplitHosts = yes
The other lines don't seem as security/accountability relevant, and might be appropriate for discussion only in a Group (if at all).
For the Rules about rsyslog, I would prefer not to try to tell people how to configure their rsyslog.conf. Creating a Rule+check implies that that's what we're trying to do. So, these things are really better as Groups.
Auditd data retention is quite an interesting section. Amazingly, I am actually going to suggest that it be broken apart, and some of it turned into Rules. I believe there is a requirement in the DISA OS SRG about disabling the system, if auditing becomes inoperative. Maybe take a look at the output of "make table-srgmap" (output/rhel6-table-srgmap.html) and see what this says we should make some rules for? It might be along the lines of CCI-001343/SRG-OS-000213.
I know I owe you review on some more patches -- thanks for the contributions.
On 04/25/2012 09:21 AM, Michael Palmiotto wrote:
Signed-off-by: Mike Palmiotto mpalmiotto@tresys.com
.../checks/audit_rules_logon_modification.xml | 34 +++++++++ .../checks/audit_rules_session_modification.xml | 47 ++++++++++++ .../checks/logwatch_configured_on_logserver.xml | 71 ++++++++++++++++++ .../src/input/checks/rsyslog_messages_captured.xml | 70 ++++++++++++++++++ rhel6/src/input/system/auditing.xml | 77 +++++++++++++++++++- rhel6/src/input/system/logging.xml | 67 +++++++++++++++++ 6 files changed, 365 insertions(+), 1 deletions(-) create mode 100644 rhel6/src/input/checks/audit_rules_logon_modification.xml create mode 100644 rhel6/src/input/checks/audit_rules_session_modification.xml create mode 100644 rhel6/src/input/checks/logwatch_configured_on_logserver.xml create mode 100644 rhel6/src/input/checks/rsyslog_messages_captured.xml
diff --git a/rhel6/src/input/checks/audit_rules_logon_modification.xml b/rhel6/src/input/checks/audit_rules_logon_modification.xml new file mode 100644 index 0000000..97d170d --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_logon_modification.xml @@ -0,0 +1,34 @@ +<def-group>
<definition class="compliance" id="audit_rules_logon_modification" version="1">
<metadata>
<title> Record Attempts to Alter Logon and Logout Events</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id=" CCE-14904-7" source="CCE" />
<description> Audit attempted manual edits of files involved in storing logon events.</description>
</metadata>
<criteria operator = "AND">
<criterion comment="watch on lastlog" test_ref="test_audit_rules_logon_modification_lastlog" />
<criterion comment="watch on faillog" test_ref="test_audit_rules_logon_modification_faillog" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" comment="lastlog watch" id="test_audit_rules_logon_modification_lastlog" version="1">
- <ind:object object_ref="object_audit_rules_logon_modification_lastlog" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_audit_rules_logon_modification_lastlog" version="1">
- ind:path/etc/audit</ind:path>
- ind:filenameaudit.rules</ind:filename>
- <ind:pattern operation="pattern match">^-w[\s]+/var/log/lastlog[\s]+-p[\s]+wa[\s]+-k[\s]+logins\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="faillog watch" id="test_audit_rules_logon_modification_faillog" version="1">
- <ind:object object_ref="object_audit_rules_logon_modification_faillog" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_audit_rules_logon_modification_faillog" version="1">
- ind:path/etc/audit</ind:path>
- ind:filenameaudit.rules</ind:filename>
- <ind:pattern operation="pattern match">^-w[\s]+/var/log/faillog[\s]+-p[\s]+wa[\s]+-k[\s]+logins\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
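Review bot: the CCE reference line has a leading space inside the attribute value, `ref_id=" CCE-14904-7"`; it will not line up with the `<ident cce="14904-7" />` in auditing.xml, so change it to `ref_id="CCE-14904-7"` (the session check below spells it without the space). The two patterns also accept only the exact form `-w <file> -p wa -k logins`: an equivalent rule such as `-w /var/log/lastlog -p rwa -k logins`, or one filed under a different key, is reported as a fail. Either say in the Rule text that the flags and key must match exactly, or loosen the pattern to something like `-p[\s]+[rwxa]*w[rwxa]*a[rwxa]*`. Reading /etc/audit/audit.rules only proves the watch is configured, not that it is loaded; that is acceptable for a configuration check, but the description should say so rather than "Audit attempted manual edits".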
+</def-group> diff --git a/rhel6/src/input/checks/audit_rules_session_modification.xml b/rhel6/src/input/checks/audit_rules_session_modification.xml new file mode 100644 index 0000000..22b0cb6 --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_session_modification.xml @@ -0,0 +1,47 @@ +<def-group>
<definition class="compliance" id="audit_rules_session_modification" version="1">
<metadata>
<title></title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="CCE-14679-5" source="CCE" />
<description>Ensure that watches are placed on utmp, btmp, and wtmp, sessions.</description>
</metadata>
<criteria operator="AND">
<criterion comment="watch on wtmp" test_ref="test_audit_rules_session_modification_wtmp" />
<criterion comment="watch on utmp" test_ref="test_audit_rules_session_modification_utmp" />
<criterion comment="watch on btmp" test_ref="test_audit_rules_session_modification_btmp" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" comment="wtmp session watch" id="test_audit_rules_session_modification_wtmp" version="1">
- <ind:object object_ref="object_audit_rules_session_modification_wtmp" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_audit_rules_session_modification_wtmp" version="1">
- ind:path/etc/audit</ind:path>
- ind:filenameaudit.rules</ind:filename>
- <ind:pattern operation="pattern match">^-w[\s]+/var/log/wtmp[\s]+wa[\s]+-k[\s]+session\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="utmp session watch" id="test_audit_rules_session_modification_utmp" version="1">
- <ind:object object_ref="object_audit_rules_session_modification_utmp" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_audit_rules_session_modification_utmp" version="1">
- ind:path/etc/audit</ind:path>
- ind:filenameaudit.rules</ind:filename>
- <ind:pattern operation="pattern match">^-w[\s]+/var/log/utmp[\s]+wa[\s]+-k[\s]+session\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="btmp session watch" id="test_audit_rules_session_modification_btmp" version="1">
- <ind:object object_ref="object_audit_rules_session_modification_btmp" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_audit_rules_session_modification_btmp" version="1">
- ind:path/etc/audit</ind:path>
- ind:filenameaudit.rules</ind:filename>
- <ind:pattern operation="pattern match">^-w[\s]+/var/log/btmp[\s]+wa[\s]+-k[\s]+session\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
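Review bot: none of the three patterns in this file can match the rules the Rule text asks the administrator to add. Each reads `^-w[\s]+/var/log/wtmp[\s]+wa[\s]+-k[\s]+session\s*$` with no `-p` between the path and `wa`, so `-w /var/log/wtmp -p wa -k session` never matches and the definition always evaluates false; insert `-p[\s]+` before `wa` in the wtmp, utmp and btmp objects. The utmp object also looks for `/var/log/utmp`, whereas the Rule in auditing.xml (and RHEL 6) uses `/var/run/utmp`; make the path the same in both. Separately, `<title></title>` in the definition metadata is empty (the Rule title "Record Attempts to Alter Process and Session Initiation Information" fits), and the description has a stray comma in "utmp, btmp, and wtmp, sessions".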
+</def-group> diff --git a/rhel6/src/input/checks/logwatch_configured_on_logserver.xml b/rhel6/src/input/checks/logwatch_configured_on_logserver.xml new file mode 100644 index 0000000..2a99b92 --- /dev/null +++ b/rhel6/src/input/checks/logwatch_configured_on_logserver.xml @@ -0,0 +1,71 @@ +<def-group>
<definition class="compliance" id="logwatch_configured_on_logserver" version="1">
<metadata>
<title>Ensure Logwatch Configured on the Central Log Server</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="CCE-4323-2" source="CCE" />
<description>Check if logwatch service is enabled and configured.</description>
</metadata>
<criteria operator="AND">
<criterion comment="hostlimit" test_ref="test_logwatch_configured_on_logserver_hostlimit" />
<criterion comment="splithosts" test_ref="test_logwatch_configured_on_logserver_splithosts" />
<criterion comment="multiemail" test_ref="test_logwatch_configured_on_logserver_multiemail" />
<criterion comment="service" test_ref="test_logwatch_configured_on_logserver_service" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test HostLimit" id="test_logwatch_configured_on_logserver_hostlimit" version="1">
- <ind:object object_ref="object_logwatch_configured_on_logserver_hostlimit" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_hostlimit" version="1">
- <ind:subexpression operation="equals">no</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_hostlimit" version="1">
- ind:path/etc/logwatch/conf</ind:path>
- ind:filenamelogwatch.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]HostLimit[\s]*=[\s]*[\w]+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test SplitHosts" id="test_logwatch_configured_on_logserver_splithosts" version="1">
- <ind:object object_ref="object_logwatch_configured_on_logserver_splithosts" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_splithosts" version="1">
- <ind:subexpression operation="equals">yes</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_splithosts" version="1">
- ind:path/etc/logwatch/conf</ind:path>
- ind:filenamelogwatch.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]SplitHosts[\s]*=[\s]*[\w]+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test MultiEmail" id="test_logwatch_configured_on_logserver_multiemail" version="1">
- <ind:object object_ref="object_logwatch_configured_on_logserver_multiemail" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_multiemail" version="1">
- <ind:subexpression operation="equals">no</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_multiemail" version="1">
- ind:path/etc/logwatch/conf</ind:path>
- ind:filenamelogwatch.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]MultiEmail[\s]*=[\s]*[\w]+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test Service" id="test_logwatch_configured_on_logserver_service" version="1">
- <ind:object object_ref="object_logwatch_configured_on_logserver_service" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_logwatch_configured_on_logserver_service" version="1">
- <ind:subexpression operation="equals">-zz-disk_space</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="object_logwatch_configured_on_logserver_service" version="1">
- ind:path/etc/logwatch/conf</ind:path>
- ind:filenamelogwatch.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]Service[\s]*=[\s]*-zz-disk_space+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
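Review bot: the four tests never reference the states declared next to them. `test_logwatch_configured_on_logserver_hostlimit` and its three siblings contain only an `<ind:object>`, so `state_logwatch_configured_on_logserver_hostlimit` with its `<ind:subexpression operation="equals">no</ind:subexpression>` is dead XML and the test passes as soon as any `HostLimit = <word>` line exists, `HostLimit = yes` included. Add `<ind:state state_ref="state_logwatch_configured_on_logserver_hostlimit" />` (and the matching one) to each test, and put the value in a capture group, `([\w]+)`, because `subexpression` only ever sees the parenthesised part of the pattern. The patterns themselves start with `^[\s]`, which requires exactly one whitespace character before the keyword, so a `HostLimit = no` line at column 0 does not match; use `^[\s]*`. In the Service pattern `-zz-disk_space+` puts the `+` quantifier on the final `e`; it should be `-zz-disk_space`, and since logwatch accepts `Service = "-zz-disk_space"` the quotes should be optional in the pattern. Finally, the description promises to check that the logwatch job is enabled, but none of the four criteria looks at /etc/cron.daily/0logwatch.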
+</def-group> diff --git a/rhel6/src/input/checks/rsyslog_messages_captured.xml b/rhel6/src/input/checks/rsyslog_messages_captured.xml new file mode 100644 index 0000000..0639653 --- /dev/null +++ b/rhel6/src/input/checks/rsyslog_messages_captured.xml @@ -0,0 +1,70 @@ +<def-group>
- <definition class="compliance" id="rsyslog_messages_captured"
- version="1">
<metadata>
<title>Ensure Important Messages are Captured</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="TODO" source="CCE" />
<description>Make sure appropriate lines are in rsyslog.conf. </description>
</metadata>
<criteria operator="AND">
<criterion comment="messages" test_ref="test_rsyslog_messages_captured_messages" />
<criterion comment="kern.log" test_ref="test_rsyslog_messages_captured_kern" />
<criterion comment="daemon.log" test_ref="test_rsyslog_messages_captured_daemon" />
<criterion comment="syslog" test_ref="test_rsyslog_messages_captured_syslog" />
<criterion comment="unused.log" test_ref="test_rsyslog_messages_captured_unused" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" comment="messages" id="test_rsyslog_messages_captured_messages" version="1">
- <ind:object object_ref="object_rsyslog_messages_captured_messages" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_rsyslog_messages_captured_messages" version="1">
- ind:path/etc</ind:path>
- ind:filenamersyslog.conf</ind:filename>
- <ind:pattern operation="pattern match">^auth.*[\s]*,[\s]*user.*[\s]+/var/log/messages$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="kern.log" id="test_rsyslog_messages_captured_kern" version="1">
- <ind:object object_ref="object_rsyslog_messages_captured_kern" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_rsyslog_messages_captured_kern" version="1">
- ind:path/etc</ind:path>
- ind:filenamersyslog.conf</ind:filename>
+<ind:pattern operation="pattern match">^kern.*[\s]+/var/log/kern.log$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="daemon.log" id="test_rsyslog_messages_captured_daemon" version="1">
- <ind:object object_ref="object_rsyslog_messages_captured_daemon" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_rsyslog_messages_captured_daemon" version="1">
- ind:path/etc</ind:path>
- ind:filenamersyslog.conf</ind:filename>
+<ind:pattern operation="pattern match">^daemon.*[\s]+/var/log/daemon.log$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="syslog" id="test_rsyslog_messages_captured_syslog" version="1">
- <ind:object object_ref="object_rsyslog_messages_captured_syslog" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_rsyslog_messages_captured_syslog" version="1">
- ind:path/etc</ind:path>
- ind:filenamersyslog.conf</ind:filename>
- <ind:pattern operation="pattern match">^syslog.*[\s]+/var/log/syslog$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="unused" id="test_rsyslog_messages_captured_unused" version="1">
- <ind:object object_ref="object_rsyslog_messages_captured_unused" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_rsyslog_messages_captured_unused" version="1">
- ind:path/etc</ind:path>
- ind:filenamersyslog.conf</ind:filename>
- <ind:pattern operation="pattern match">^lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*[\s]+/var/log/unused.log$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
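Review bot: `ref_id="TODO"` in the CCE reference is a placeholder that would ship in the generated OVAL; fill it in or drop the `<reference>` element until a CCE is assigned. The patterns also treat the rsyslog selector `.*` as the regex "any characters", so `^auth.*[\s]*,[\s]*user.*[\s]+/var/log/messages$` matches `authpriv.none,user.warn /var/log/messages` as readily as `auth.*,user.* /var/log/messages`; escape the literal selector, e.g. `^auth\.\*,user\.\*[\s]+/var/log/messages$`, and do the same in the kern, daemon, syslog and unused.log objects. Note that ANDing all five criteria means the stock RHEL 6 line `*.info;mail.none;authpriv.none;cron.none /var/log/messages` fails even though it captures auth and user messages, while the Rule text says to add "whichever of the following lines are appropriate"; either the criteria or the text should change so they agree.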
+</def-group> diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index e75754f..1d18eaf 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -95,6 +95,51 @@ process during boot.
<ref nist="AU-2" /> </Rule>
+<!-- +<Group id="configure_auditd_data_retention"> +<title> Configure <tt>auditd</tt> Data Retention</title> +<description> +<ul>
+<li> Determine <i>STOREMB</i>, the amount of audit data (in megabytes) which should be retained in each log +file. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line:</li> +<pre>max_log_file = <i>STOREMB</i></tt>
+<li>Use a dedicated partition (or logical volume) for log files. It is straightforward to create such a partition +or logical volume during system installation time. The partition should be larger than the maximum +space which <tt>auditd</tt> will ever use, which is the maximum size of each log file (<tt>max_log_file</tt>) multiplied +by the number of log files (<tt>num_logs</tt>). Ensure the partition is mounted on <tt>/var/log/audit</tt>.</li>
+<li>If your site requires that the machine be disabled when auditing cannot be performed, configure <tt>auditd</tt> +to halt the system when disk space for auditing runs low. Edit <tt>/etc/audit/auditd.conf</tt>, and add or +correct the following lines:</li> +<pre>space_left_action = email +action_mail_acct = root +admin_space_left_action = halt</pre> +</ul> +The default action to take when the logs reach their maximum size is to rotate the log files, discarding the +oldest one. If it is more important to retain all possible auditing information, even if that opens the possibility +of running out of space and taking the action defined by <tt>admin_space_left_action</tt>, add or correct the line: +<pre>max_log_file_action = keep_logs</pre> +By default, <tt>auditd</tt> retains 4 log files of size 5Mb apiece. For a busy system or a system which is thoroughly +auditing system activity, this is likely to be insuffcient. +The log file size needed will depend heavily on what types of events are being audited. First configure auditing +to log all the events of interest. Then monitor the log size manually for awhile to determine what file size will +allow you to keep the required data for the correct time period. +Using a dedicated partition for <tt>/var/log/audit</tt> prevents the <tt>auditd</tt> logs from disrupting system functionality if +they fill, and, more importantly, prevents other activity in <tt>/var</tt> from filling the partition and stopping the audit +trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.) +Some machines may have requirements that no actions occur which cannot be audited. If this is the case, then +<tt>auditd</tt> can be configured to halt the machine if it runs out of space. +<b>Note:</b> Since older logs are rotated, configuring <tt>auditd</tt> this way does not prevent older logs from being rotated +away before they can be viewed. 
+<i>If your system is configured to halt when logging cannot be performed, make sure this can never +happen under normal circumstances! Ensure that <tt>/var/log/audit</tt> is on its own partition, and +that this partition is larger than the maximum amount of data <tt>auditd</tt> will retain normally.</i></description> +<oval id="service_auditd_data_retention_configured" /> +</Group> +-->
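Review bot: the whole `configure_auditd_data_retention` Group is wrapped in `<!-- ... -->`, so nothing in it reaches the built guide; if it is intended for a later patch say so in the commit message, otherwise keep it out of this one. Before it is uncommented, fix the mismatched markup in the first list item, `<pre>max_log_file = <i>STOREMB</i></tt>` opens `<pre>` and closes `</tt>`, which will not parse. The `<oval id="service_auditd_data_retention_configured" />` it references is not among the four checks this series adds (see the diffstat), and the text has the typo "insuffcient" and should write "5 MB" rather than "5Mb".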
<Group id="auditd_configure_rules"> <title>Configure <tt>auditd</tt> Rules for Comprehensive Auditing</title> <description>The <tt>auditd</tt> program can perform comprehensive @@ -171,7 +216,6 @@ to capture events that modify account changes: <ref nist="AU-2(a)" /> </Rule>
<Rule id="audit_network_modifications"> <title>Record Events that Modify the System’s Network Environment</title> <description>Add the following to <tt>/etc/audit/audit.rules</tt>, setting @@ -205,6 +249,37 @@ anything other than administrator action. All changes to MAC policy should be au <ref nist="AU-2" /> </Rule>
+<Rule id="audit_manual_logon_edits"> +<title> Record Attempts to Alter Logon and Logout Events</title> +<description> +The audit system already collects login info for all users and root. To watch for attempted manual edits of +files involved in storing logon events, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre> +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +</pre> +</description> +<ident cce="14904-7" /> +<oval id="audit_rules_logon_modification" /> +<ref nist="TODO" /> +</Rule>
+<Rule id="audit_manual_session_edits"> +<title> Record Attempts to Alter Process and Session Initiation Information</title> +<description> +The audit system already collects process information for all users and root. To watch for attempted manual +edits of files involved in storing such process information, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre> +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session +</pre> +</description> +<ident cce="14679-5" /> +<oval id="audit_rules_session_modification" /> +<ref nist="TODO" /> +</Rule>
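Review bot: both new Rules carry `<ref nist="TODO" />`; the neighbouring rules cite AU-2, so either give these a real control or omit the element rather than shipping a TODO. The `audit_manual_session_edits` text correctly lists `/var/run/utmp`, but the OVAL it points to, `audit_rules_session_modification`, watches `/var/log/utmp` and has no `-p` in its patterns, so an administrator who follows the prose still fails the check; keep the path and the flags identical in the Rule text and the check. The Rule ids (`audit_manual_logon_edits`, `audit_manual_session_edits`) and the OVAL ids (`audit_rules_logon_modification`, `audit_rules_session_modification`) are also named differently; using one name for both makes the pair easier to find.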
<Rule id="audit_dac_actions"> <title>Ensure <tt>auditd</tt> Collects Discretionary Access Control diff --git a/rhel6/src/input/system/logging.xml b/rhel6/src/input/system/logging.xml index 839484e..fc6b311 100644 --- a/rhel6/src/input/system/logging.xml +++ b/rhel6/src/input/system/logging.xml @@ -54,6 +54,25 @@ logging services. <ref nist="AU-2" /> </Rule>
+<Rule id="ensure_rsyslog_messages_captured"> +<title> Ensure Important Messages are Captured</title> +<description> +Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct whichever of the following lines are appropriate for your +environment: +<pre> +auth.*,user.* /var/log/messages +kern.* /var/log/kern.log +daemon.* /var/log/daemon.log +syslog.* /var/log/syslog +lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log +</pre> +See the man page <tt>rsyslog.conf(5)</tt> for more information. +<i>By default,</i> <tt>rsyslog</tt> <i>uses a timestamp format that Logwatch does not understand. If your en- +vironment uses Logwatch, edit the file <tt>/etc/rsyslog.conf</tt> and add or edit the following line:</i> +<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre></description> +<oval id="rsyslog_messages_captured" /> +</Rule>
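Review bot: the Logwatch note gives the directive as `$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat`; rsyslog directives have no space after the `$`, so it must read `$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat`, and as written the `$` reads like a shell prompt rather than part of the directive. The description tells the reader to add "whichever of the following lines are appropriate for your environment", but the OVAL `rsyslog_messages_captured` ANDs all five lines, so a host that adds only some of them fails; reconcile the text and the check. This Rule also lacks the `<ident cce>` and `<ref nist>` that the surrounding Rules carry, and "en- vironment" in the italic sentence still carries a line-break hyphen from the source.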
<Group id="log_file_permissions"> <title>Confirm Existence and Permissions of System Log Files</title> <description>For each log file LOGFILE referenced in 
@@ -297,4 +316,52 @@ if the /var/log partition becomes full.</rationale> <ref nist="AU-2, AU-9, CM-6" /> </Rule> </Group> + +<Rule id="configure_logwatch_on_logserver"> +<title> Configure Logwatch on the Central Log Server</title> +<description> +Is this machine the central log server? If so, edit the file <tt>/etc/logwatch/conf/logwatch.conf</tt>. Add or +correct the following lines: +<pre> +HostLimit = no +SplitHosts = yes +MultiEmail = no +Service = -zz-disk_space +</pre> +Ensure that <tt>logwatch.pl</tt> is run nightly from <tt>cron</tt>. (This is the default): +<pre># cd /etc/cron.daily +# ln -s /usr/share/logwatch/scripts/logwatch.pl 0logwatch +</pre> +On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate +on the logserver itself. The <tt>HostLimit</tt> setting tells Logwatch to report on all hosts, not just the one on which it +is running. +If <tt>SplitHosts</tt> is set, Logwatch will separate entries by hostname. This makes the report longer but significantly +more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that +information is almost always necessary. If <tt>MultiEmail</tt> is set, then each host's information will be sent in a +separate e-mail message. This is a matter of preference. +The <tt>Service</tt> directive <tt>-zz-disk_space</tt> tells Logwatch not to run the <tt>zz-disk_space</tt> report, which reports on +free disk space. Since all log monitoring is being done on the central logserver, the disk space listing will always be +that of the logserver, regardless of which host is being monitored. This is confusing, so disable that service. Note +that this does mean that <tt>Logwatch</tt> will not monitor disk usage information. 
Many workarounds are possible, +such as running <tt>df</tt> on each host daily via <tt>cron</tt> and sending the output to <tt>syslog</tt> so that it will be reported to +the logserver.</description> +<ident cce="4323-2" /> +<oval id="logwatch_configured_on_logserver" /> +</Rule> + + +<Rule id="disable_logwatch_for_logserver"> +<title> Disable Logwatch on Clients if a Logserver Exists</title> +<description> +Does your site have a central logserver which has been configured to report on logs received from all systems? +If so: +<pre> +# rm /etc/cron.daily/0logwatch +</pre> +If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central +logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier +and less time-intensive for administrators.</description> +<oval id="logwatch_disabled_for_logserver" /> +</Rule> </Group> +
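Review bot: `disable_logwatch_for_logserver` points at `<oval id="logwatch_disabled_for_logserver" />`, but no such check is in this series (the diffstat lists only the four new check files), so the Rule references a definition that does not exist; add the check or drop the `<oval>` element until it does. In `configure_logwatch_on_logserver` the prose says `MultiEmail` "is a matter of preference", yet the OVAL state for it requires `no`; say that `no` is required or stop testing it. The `HostLimit` explanation is loose: it is `HostLimit = no` that makes Logwatch report on all hosts, so state the required value. The "Ensure that logwatch.pl is run nightly from cron" step is not covered by any criterion in `logwatch_configured_on_logserver` either, so a logserver with the settings but without the cron job still passes.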
On 4/27/12 11:55 AM, Michael Palmiotto wrote:
I'd like to push these commits as well. Is this patch ACK-worthy?
I've merged the changes into my local branch successfully. The core content of your patches was VERY needed - awesome job on identifying this prose as needed. I'm going to review in more depth this weekend and verify the checks work before signing off.
(This is, of course, assuming someone else wasn't already stepping their way through this content before acking)
scap-security-guide@lists.fedorahosted.org