Prose and OVAL checks for Proxy.
Michael Palmiotto (1): M1 Incomplete Guidance - Proxy
 .../service_squid_acls_configured_filemaker.xml    |  40 ++
 .../checks/service_squid_acls_configured_ftp.xml   |  40 ++
 .../service_squid_acls_configured_gopher.xml       |  40 ++
 .../service_squid_acls_configured_gss_http.xml     |  40 ++
 .../service_squid_acls_configured_http-mgmt.xml    |  40 ++
 .../checks/service_squid_acls_configured_http.xml  |  40 ++
 .../checks/service_squid_acls_configured_https.xml |  40 ++
 .../service_squid_acls_configured_localhost.xml    |  30 ++
 .../service_squid_acls_configured_multiling.xml    |  40 ++
 .../checks/service_squid_acls_configured_wais.xml  |  40 ++
 .../service_squid_authentication_configured.xml    |  30 ++
 ...ervice_squid_default_insecure_forwarded_for.xml |  30 ++
 .../service_squid_default_insecure_log_mime.xml    |  30 ++
 ...id_default_insecure_suppress_version_string.xml |  30 ++
 .../service_squid_default_insecure_underscore.xml  |  30 ++
 .../input/checks/service_squid_logs_forwarded.xml  |  30 ++
 .../checks/service_squid_privileges_lowered.xml    |  70 +++
 .../checks/squid_default_secure_cache_group.xml    |  30 ++
 .../checks/squid_default_secure_cache_user.xml     |  30 ++
 .../checks/squid_default_secure_hostnames.xml      |  30 ++
 .../input/checks/squid_default_secure_passive.xml  |  30 ++
 .../checks/squid_default_secure_reply_header.xml   |  30 ++
 .../checks/squid_default_secure_request_header.xml |  30 ++
 .../input/checks/squid_default_secure_sanity.xml   |  30 ++
 .../squid_default_secured_ignore_unknown.xml       |  30 ++
 .../input/checks/system_proxy_access_allowed.xml   |  30 ++
 rhel6/src/input/profiles/common.xml                |  39 ++-
 rhel6/src/input/services/squid.xml                 | 536 ++++++++++++++++++++
 28 files changed, 1476 insertions(+), 9 deletions(-)
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_filemaker.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_ftp.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_gopher.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_gss_http.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_http-mgmt.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_http.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_https.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_localhost.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_multiling.xml
 create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_wais.xml
 create mode 100644 rhel6/src/input/checks/service_squid_authentication_configured.xml
 create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_forwarded_for.xml
 create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_log_mime.xml
 create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_suppress_version_string.xml
 create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_underscore.xml
 create mode 100644 rhel6/src/input/checks/service_squid_logs_forwarded.xml
 create mode 100644 rhel6/src/input/checks/service_squid_privileges_lowered.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_cache_group.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_cache_user.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_hostnames.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_passive.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_reply_header.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_request_header.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secure_sanity.xml
 create mode 100644 rhel6/src/input/checks/squid_default_secured_ignore_unknown.xml
 create mode 100644 rhel6/src/input/checks/system_proxy_access_allowed.xml
Signed-off-by: Michael Palmiotto mpalmiotto@tresys.com
---
diff --git a/rhel6/src/input/checks/service_squid_acls_configured_filemaker.xml b/rhel6/src/input/checks/service_squid_acls_configured_filemaker.xml new file mode 100644 index 0000000..3fdad9c --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_filemaker.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_filemaker" version="1"> + <metadata> + <title>ACLs Configured for filemaker Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4519-5" source="CCE" /> + <description>filemaker not in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" filemaker not in acl" test_ref="test_service_squid_acls_configured_filemaker_noacl" /> + <criterion comment=" filemaker not in allow list" test_ref="test_service_squid_acls_configured_filemaker_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" filemaker not in acl" id="test_service_squid_acls_configured_filemaker_noacl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_filemaker_noacl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_filemaker_noacl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+filemaker[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/591\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" filemaker not in allow list" id="test_service_squid_acls_configured_filemaker_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_filemaker_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_filemaker_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+filemaker\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + 
</ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_acls_configured_ftp.xml b/rhel6/src/input/checks/service_squid_acls_configured_ftp.xml new file mode 100644 index 0000000..9c6fc35 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_ftp.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_ftp" version="1"> + <metadata> + <title>ACLs Configured for ftp Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4255-6" source="CCE" /> + <description>ftp in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" ftp in allow list" test_ref="test_service_squid_acls_configured_ftp_allow" /> + <criterion comment=" ftp in acl" test_ref="test_service_squid_acls_configured_ftp_acl" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" ftp in allow list" id="test_service_squid_acls_configured_ftp_allow" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_ftp_allow" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_ftp_allow" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+ftp\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" ftp in acl" id="test_service_squid_acls_configured_ftp_acl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_ftp_acl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_ftp_acl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+ftp[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/21\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> 
diff --git a/rhel6/src/input/checks/service_squid_acls_configured_gopher.xml b/rhel6/src/input/checks/service_squid_acls_configured_gopher.xml new file mode 100644 index 0000000..831dd1e --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_gopher.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_gopher" version="1"> + <metadata> + <title>ACLs Configured for gopher Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4127-7" source="CCE" /> + <description>gopher not in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" gopher not in acl" test_ref="test_service_squid_acls_configured_gopher_noacl" /> + <criterion comment=" gopher in allow list" test_ref="test_service_squid_acls_configured_gopher_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" gopher not in acl" id="test_service_squid_acls_configured_gopher_noacl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_gopher_noacl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_gopher_noacl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+gopher[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/70\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" gopher in allow list" id="test_service_squid_acls_configured_gopher_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_gopher_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_gopher_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+gopher\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> 
diff --git a/rhel6/src/input/checks/service_squid_acls_configured_gss_http.xml b/rhel6/src/input/checks/service_squid_acls_configured_gss_http.xml new file mode 100644 index 0000000..c574f7b --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_gss_http.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_gss_http" version="1"> + <metadata> + <title>ACLs Configured for gss-http Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4511-2" source="CCE" /> + <description>gss-http not in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" gss-http not in acl" test_ref="test_service_squid_acls_configured_gss_http_noacl" /> + <criterion comment=" gss-http not in allow list" test_ref="test_service_squid_acls_configured_gss_http_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" gss-http not in acl" id="test_service_squid_acls_configured_gss_http_noacl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_gss_http_noacl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_gss_http_noacl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+gss-http[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/488\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" gss-http not in allow list" id="test_service_squid_acls_configured_gss_http_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_gss_http_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_gss_http_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+gss-http\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + 
+</def-group> diff --git a/rhel6/src/input/checks/service_squid_acls_configured_http-mgmt.xml b/rhel6/src/input/checks/service_squid_acls_configured_http-mgmt.xml new file mode 100644 index 0000000..0f78685 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_http-mgmt.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_http-mgmt" version="1"> + <metadata> + <title>ACLs Configured for http-mgmt Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4373-7" source="CCE" /> + <description>http-mgmt not in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" http-mgmt not in acl" test_ref="test_service_squid_acls_configured_http-mgmt_noacl" /> + <criterion comment=" http-mgmt not in allow list" test_ref="test_service_squid_acls_configured_http-mgmt_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" http-mgmt not in acl" id="test_service_squid_acls_configured_http-mgmt_noacl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_http-mgmt_noacl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_http-mgmt_noacl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+http-mgmt[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/280\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" http-mgmt not in allow list" id="test_service_squid_acls_configured_http-mgmt_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_http-mgmt_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_http-mgmt_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+http-mgmt\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + 
</ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_acls_configured_http.xml b/rhel6/src/input/checks/service_squid_acls_configured_http.xml new file mode 100644 index 0000000..b391cc9 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_http.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_http" version="1"> + <metadata> + <title>ACLs Configured for http Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4607-8" source="CCE" /> + <description>http in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" http in allow list" test_ref="test_service_squid_acls_configured_http_allow" /> + <criterion comment=" http in acl" test_ref="test_service_squid_acls_configured_http_acl" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" http in allow list" id="test_service_squid_acls_configured_http_allow" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_http_allow" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_http_allow" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+http\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" http in acl" id="test_service_squid_acls_configured_http_acl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_http_acl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_http_acl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+http[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/80\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> 
diff --git a/rhel6/src/input/checks/service_squid_acls_configured_https.xml b/rhel6/src/input/checks/service_squid_acls_configured_https.xml new file mode 100644 index 0000000..efa8801 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_https.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_https" version="1"> + <metadata> + <title>ACLs Configured for https Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4529-4" source="CCE" /> + <description>https in acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" https in allow list" test_ref="test_service_squid_acls_configured_https_allow" /> + <criterion comment=" https in acl" test_ref="test_service_squid_acls_configured_https_acl" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" https in allow list" id="test_service_squid_acls_configured_https_allow" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_https_allow" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_https_allow" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+https\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" https in acl" id="test_service_squid_acls_configured_https_acl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_https_acl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_https_acl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+https[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/443\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> 
diff --git a/rhel6/src/input/checks/service_squid_acls_configured_localhost.xml b/rhel6/src/input/checks/service_squid_acls_configured_localhost.xml new file mode 100644 index 0000000..b7c642a --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_localhost.xml @@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_localhost" version="1"> + <metadata> + <title>ACLs Configured Proxy localhost Access</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4413-1" source="CCE" /> + <description>proxy access to localhost denied</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment="localhost not in allow list" test_ref="test_service_squid_acls_configured_localhost_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="localhost not in allow list" id="test_service_squid_acls_configured_localhost_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_localhost_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_localhost_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+to_localhost\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_acls_configured_multiling.xml b/rhel6/src/input/checks/service_squid_acls_configured_multiling.xml new file mode 100644 index 0000000..33b03e7 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_multiling.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_multiling" version="1"> + <metadata> + <title>ACLs Configured for multiling http Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4466-9" source="CCE" /> + <description>multiling-http commented from acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" mutltiling-http not in acl" test_ref="test_service_squid_acls_configured_multiling_noacl" /> + <criterion comment=" multiling-http not in allow list" test_ref="test_service_squid_acls_configured_multiling_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" mutltiling-http not in acl" id="test_service_squid_acls_configured_multiling_noacl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_multiling_noacl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_multiling_noacl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+multiling-http[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/777\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" multiling-http not in allow list" id="test_service_squid_acls_configured_multiling_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_multiling_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_multiling_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+multiling-http\s*$</ind:pattern> + <ind:instance 
datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_acls_configured_wais.xml b/rhel6/src/input/checks/service_squid_acls_configured_wais.xml new file mode 100644 index 0000000..8df9ec8 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_acls_configured_wais.xml 
@@ -0,0 +1,40 @@ +<def-group> + <definition class="compliance" id="service_squid_acls_configured_wais" version="1"> + <metadata> + <title>ACLs Configured for wais Traffic</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-3610-3" source="CCE" /> + <description>wais commented from acl allow list</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" wais not in acl" test_ref="test_service_squid_acls_configured_wais_noacl" /> + <criterion comment=" wais not in allow list" test_ref="test_service_squid_acls_configured_wais_deny" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" wais not in acl" id="test_service_squid_acls_configured_wais_noacl" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_wais_noacl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_wais_noacl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+wais[\s]+src[\s]+[\d{1,3}].[\d{1,3}].[\d{1,3}]/210\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment=" wais not in allow list" id="test_service_squid_acls_configured_wais_deny" version="1"> + <ind:object object_ref="object_service_squid_acls_configured_wais_deny" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_acls_configured_wais_deny" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^http_access[\s]+allow[\s]+wais\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> 
diff --git a/rhel6/src/input/checks/service_squid_authentication_configured.xml b/rhel6/src/input/checks/service_squid_authentication_configured.xml new file mode 100644 index 0000000..c21349c --- /dev/null +++ b/rhel6/src/input/checks/service_squid_authentication_configured.xml @@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_authentication_configured" version="1"> + <metadata> + <title>Ensure Squid Authentication Configured (if Applicable)</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description>Ensure ACL Forced to Require Authentication</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" proxy_auth required" test_ref="test_service_squid_authentication_configured_acl" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" proxy_auth required" id="test_service_squid_authentication_configured_acl" version="1"> + <ind:object object_ref="object_service_squid_authentication_configured_acl" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_authentication_configured_acl" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^acl[\s]+[\w(_)*]+[\s]+proxy_auth[\s]+REQUIRED\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_default_insecure_forwarded_for.xml b/rhel6/src/input/checks/service_squid_default_insecure_forwarded_for.xml new file mode 100644 index 0000000..c4d9d10 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_default_insecure_forwarded_for.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_default_insecure_forwarded_for" version="1"> + <metadata> + <title>Verify Default Insecure Forwarded Option</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4181-4" source="CCE" /> + <description>Ensure that forwarded_for option is off</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" forwarded_for off" test_ref="test_service_squid_default_insecure_forwarded_for_off" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" forwarded_for off" id="test_service_squid_default_insecure_forwarded_for_off" version="1"> + <ind:object object_ref="object_service_squid_default_insecure_forwarded_for_off" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_default_insecure_forwarded_for_off" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^forwarded_for[\s]+off\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_default_insecure_log_mime.xml b/rhel6/src/input/checks/service_squid_default_insecure_log_mime.xml new file mode 100644 index 0000000..987a689 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_default_insecure_log_mime.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_default_insecure_log_mime" version="1"> + <metadata> + <title>Verify Default Insecure MIME Logged</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4577-3" source="CCE" /> + <description>Ensure that inseucre default HTTP MIME headers are logged.</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" log_mime_hdrs on" test_ref="test_service_squid_default_insecure_log_mime_on" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" log_mime_hdrs on" id="test_service_squid_default_insecure_log_mime_on" version="1"> + <ind:object object_ref="object_service_squid_default_insecure_log_mime_on" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_default_insecure_log_mime_on" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^log_mime_hdrs[\s]+on\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_default_insecure_suppress_version_string.xml b/rhel6/src/input/checks/service_squid_default_insecure_suppress_version_string.xml new file mode 100644 index 0000000..d636182 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_default_insecure_suppress_version_string.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_default_insecure_suppress_version_string" version="1"> + <metadata> + <title>Verify Default Insecure Version String Suppressed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4494-1" source="CCE" /> + <description>Ensure that version string is suppressed</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" httpd_suppress_version_string on" test_ref="test_service_squid_default_insecure_suppress_version_string_on" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" httpd_suppress_version_string on" id="test_service_squid_default_insecure_suppress_version_string_on" version="1"> + <ind:object object_ref="object_service_squid_default_insecure_suppress_version_string_on" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_default_insecure_suppress_version_string_on" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^httpd_suppress_version_string[\s]+on\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_default_insecure_underscore.xml b/rhel6/src/input/checks/service_squid_default_insecure_underscore.xml new file mode 100644 index 0000000..05c5055 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_default_insecure_underscore.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_default_insecure_underscore" version="1"> + <metadata> + <title>Verify Default Insecure Underscore off</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4344-8" source="CCE" /> + <description>Ensure that allow_underscore option is turrned off.</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" allow_underscore off" test_ref="test_service_squid_default_insecure_underscore_off" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" allow_underscore off" id="test_service_squid_default_insecure_underscore_off" version="1"> + <ind:object object_ref="object_service_squid_default_insecure_underscore_off" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_default_insecure_underscore_off" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^allow_underscore[\s]+off\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_logs_forwarded.xml b/rhel6/src/input/checks/service_squid_logs_forwarded.xml new file mode 100644 index 0000000..bb323e1 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_logs_forwarded.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="service_squid_logs_forwarded" version="1"> + <metadata> + <title>Forwarded Log Messages to Syslog Daemon</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description>Check if Squid sends messages to syslog.</description> + </metadata> + + <criteria> + + <criterion comment=" logs forwarded" test_ref="test_service_squid_logs_forwarded_squid_opts" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" logs forwarded" id="test_service_squid_logs_forwarded_squid_opts" version="1"> + <ind:object object_ref="object_service_squid_logs_forwarded_squid_opts" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_logs_forwarded_squid_opts" version="1"> + ind:path /etc/init.d</ind:path> + ind:filename squid</ind:filename> + <ind:pattern operation="pattern match">^SQUID_OPTS="${SQUID_OPTS:-"-D"}[\s]+-s"\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/service_squid_privileges_lowered.xml b/rhel6/src/input/checks/service_squid_privileges_lowered.xml new file mode 100644 index 0000000..e704e05 --- /dev/null +++ b/rhel6/src/input/checks/service_squid_privileges_lowered.xml 
@@ -0,0 +1,70 @@ +<def-group> + <definition class="compliance" id="service_squid_privileges_lowered" version="1"> + <metadata> + <title>Service Entry Privileges Lowered</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description>Ensure service entry is modified to lower priveleges</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" squid status" test_ref="test_service_squid_privileges_lowered_status" /> + <criterion comment=" subsys remove" test_ref="test_service_squid_privileges_lowered_rm_subsys" /> + <criterion comment=" bin determined" test_ref="test_service_squid_privileges_lowered_determine_bin" /> + <criterion comment=" pid changed" test_ref="test_service_squid_privileges_lowered_change_pid" /> + <criterion comment=" new pid location" test_ref="test_service_squid_privileges_lowered_new_pid_loc" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" squid status" id="test_service_squid_privileges_lowered_status" version="1"> + <ind:object object_ref="object_service_squid_privileges_lowered_status" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_privileges_lowered_status" version="1"> + ind:path /etc/init.d</ind:path> + ind:filename squid</ind:filename> + <ind:pattern operation="pattern match">^status[\s]+squid\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" subsys remove" id="test_service_squid_privileges_lowered_rm_subsys" version="1"> + <ind:object object_ref="object_service_squid_privileges_lowered_rm_subsys" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_privileges_lowered_rm_subsys" version="1"> + ind:path /etc/init.d</ind:path> + ind:filename squid</ind:filename> + <ind:pattern operation="pattern 
match">^rm[\s]+-f[\s]+/var/lock/subsys/squid\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" bin determined" id="test_service_squid_privileges_lowered_determine_bin" version="1"> + <ind:object object_ref="object_service_squid_privileges_lowered_determine_bin" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_privileges_lowered_determine_bin" version="1"> + ind:path /etc/init.d</ind:path> + ind:filename squid</ind:filename> + <ind:pattern operation="pattern match">^[[\s]+-f[\s]+/usr/sbin/squid[\s]+][\s]+&&[\s]+SQUID="sudo[\s]+-u[\s]+squid[\s]+squid"\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" pid changed" id="test_service_squid_privileges_lowered_change_pid" version="1"> + <ind:object object_ref="object_service_squid_privileges_lowered_change_pid" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_privileges_lowered_change_pid" version="1"> + ind:path /etc/init.d</ind:path> + ind:filename squid</ind:filename> + <ind:pattern operation="pattern match">^[[\s]+$RETVAL[\s]+-eq[\s]+0[\s]+][\s]+&&[\s]+touch[\s]+/var/lock/subsys/squid\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_test check="all" comment=" new pid location" id="test_service_squid_privileges_lowered_new_pid_loc" version="1"> + <ind:object object_ref="object_service_squid_privileges_lowered_new_pid_loc" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_service_squid_privileges_lowered_new_pid_loc" version="1"> + ind:path /etc/init.d</ind:path> + ind:filename squid</ind:filename> + <ind:pattern operation="pattern match">^[\w(_)*]+[\s]+/var/spool/squid/squid.pid\s*$</ind:pattern> + <ind:instance 
datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_cache_group.xml b/rhel6/src/input/checks/squid_default_secure_cache_group.xml new file mode 100644 index 0000000..9d072e7 --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_cache_group.xml @@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_cache_group" version="1"> + <metadata> + <title>Ensure default cache group specified.</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4454-5" source="CCE" /> + <description>Squid secure cache specified</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" cache_effective_group" test_ref="test_squid_default_secure_cache_group_squid" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" cache_effective_group" id="test_squid_default_secure_cache_group_squid" version="1"> + <ind:object object_ref="object_squid_default_secure_cache_group_squid" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_cache_group_squid" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^cache_effective_group[\s]+squid\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_cache_user.xml b/rhel6/src/input/checks/squid_default_secure_cache_user.xml new file mode 100644 index 0000000..d92da5d --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_cache_user.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_cache_user" version="1"> + <metadata> + <title>Ensure EUID set to appropriate user.</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-3692-1" source="CCE" /> + <description>Squid secure cache user</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" cache_effective_user" test_ref="test_squid_default_secure_cache_user_squid" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" cache_effective_user" id="test_squid_default_secure_cache_user_squid" version="1"> + <ind:object object_ref="object_squid_default_secure_cache_user_squid" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_cache_user_squid" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^cache_effective_user[\s]+squid\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_hostnames.xml b/rhel6/src/input/checks/squid_default_secure_hostnames.xml new file mode 100644 index 0000000..210998f --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_hostnames.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_hostnames" version="1"> + <metadata> + <title>Ensure Squid hostnames on</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4503-9" source="CCE" /> + <description>Squid hostnames on</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" check_hostnames" test_ref="test_squid_default_secure_hostnames_on" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" check_hostnames" id="test_squid_default_secure_hostnames_on" version="1"> + <ind:object object_ref="object_squid_default_secure_hostnames_on" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_hostnames_on" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^check_hostnames[\s]+on\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_passive.xml b/rhel6/src/input/checks/squid_default_secure_passive.xml new file mode 100644 index 0000000..3767579 --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_passive.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_passive" version="1"> + <metadata> + <title>Ensure Squid ftp enabled</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4454-5" source="CCE" /> + <description>Squid ftp enabled</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" ftp_passive" test_ref="test_squid_default_secure_passive_on" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" ftp_passive" id="test_squid_default_secure_passive_on" version="1"> + <ind:object object_ref="object_squid_default_secure_passive_on" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_passive_on" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^ftp_passive[\s]+on\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_reply_header.xml b/rhel6/src/input/checks/squid_default_secure_reply_header.xml new file mode 100644 index 0000000..3420244 --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_reply_header.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_reply_header" version="1"> + <metadata> + <title>Ensure reply header max size set.</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4419-8" source="CCE" /> + <description>Squid reply header max</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" reply_header_max_size" test_ref="test_squid_default_secure_reply_header_max" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" reply_header_max_size" id="test_squid_default_secure_reply_header_max" version="1"> + <ind:object object_ref="object_squid_default_secure_reply_header_max" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_reply_header_max" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^reply_header_max_size[\s]+20[\s]+KB\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_request_header.xml b/rhel6/src/input/checks/squid_default_secure_request_header.xml new file mode 100644 index 0000000..76f9e86 --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_request_header.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_request_header" version="1"> + <metadata> + <title>Ensure request header max size set</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4353-9" source="CCE" /> + <description>Squid request header max</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" request_header_max_size" test_ref="test_squid_default_secure_request_header_max" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" request_header_max_size" id="test_squid_default_secure_request_header_max" version="1"> + <ind:object object_ref="object_squid_default_secure_request_header_max" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_request_header_max" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^request_header_max_size[\s]+20[\s]+KB\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secure_sanity.xml b/rhel6/src/input/checks/squid_default_secure_sanity.xml new file mode 100644 index 0000000..5273c73 --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secure_sanity.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secure_sanity" version="1"> + <metadata> + <title>Ensure Squid sanitycheck on</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4459-4" source="CCE" /> + <description>Squid sanitycheck on</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" ftp_sanitycheck" test_ref="test_squid_default_secure_sanity_on" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" ftp_sanitycheck" id="test_squid_default_secure_sanity_on" version="1"> + <ind:object object_ref="object_squid_default_secure_sanity_on" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secure_sanity_on" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^ftp_sanitycheck[\s]+on\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/squid_default_secured_ignore_unknown.xml b/rhel6/src/input/checks/squid_default_secured_ignore_unknown.xml new file mode 100644 index 0000000..d9d6e4e --- /dev/null +++ b/rhel6/src/input/checks/squid_default_secured_ignore_unknown.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="squid_default_secured_ignore_unknown" version="1"> + <metadata> + <title>Ensure ignore unknown nameservers enabled as appropriate.</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id=" CCE-4476-8" source="CCE" /> + <description>Squid ignore unknown</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" ignore_unknown_nameservers" test_ref="test_squid_default_secured_ignore_unknown_on" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" ignore_unknown_nameservers" id="test_squid_default_secured_ignore_unknown_on" version="1"> + <ind:object object_ref="object_squid_default_secured_ignore_unknown_on" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_squid_default_secured_ignore_unknown_on" version="1"> + ind:path /etc/squid</ind:path> + ind:filename squid.conf</ind:filename> + <ind:pattern operation="pattern match">^ignore_unknown_nameservers[\s]+on\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/system_proxy_access_allowed.xml b/rhel6/src/input/checks/system_proxy_access_allowed.xml new file mode 100644 index 0000000..496f2d0 --- /dev/null +++ b/rhel6/src/input/checks/system_proxy_access_allowed.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="system_proxy_access_allowed" version="1"> + <metadata> + <title>Configured iptables to Allow Access to the Proxy Server</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description>Check inbound access to Squid proxy service.</description> + </metadata> + + <criteria operator="AND"> + + <criterion comment=" inbound access to squid proxy service" test_ref="test_system_proxy_access_allowed_netwk_mask" /> + + </criteria> + + </definition> + + <ind:textfilecontent54_test check="all" comment=" inbound access to squid proxy service" id="test_system_proxy_access_allowed_netwk_mask" version="1"> + <ind:object object_ref="object_system_proxy_access_allowed_netwk_mask" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_system_proxy_access_allowed_netwk_mask" version="1"> + ind:path /etc/sysconfig</ind:path> + ind:filename iptables"</ind:filename> + <ind:pattern operation="pattern match">^-A[\s]+RH-Firewall-1-INPUT[\s]+-s[\s]+netwk[\s]+/mask[\s]+-m[\s]+state[\s]+--state[\s]+NEW[\s]+-p[\s]+tcp[\s]+--dport[\s]+\d{4}[\s]+-j[\s]+ACCEPT\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/profiles/common.xml b/rhel6/src/input/profiles/common.xml index 8ac2554..4574619 100644 --- a/rhel6/src/input/profiles/common.xml +++ b/rhel6/src/input/profiles/common.xml @@ -193,17 +193,38 @@ <select idref="require_smb_client_signing" selected="true"/> <select idref="require_smb_client_signing_mount.cifs" selected="true"/>
-<!--<select idref="select_squid_listening_port" selected="true"/> -<select idref="verify_default_secure_settings" selected="true"/> -<select idref="change_default_insecure_settings" selected="true"/> -<select idref="configure_authentication" selected="true"/> -<select idref="access_control_lists" selected="true"/> -<select idref="configure_icp" selected="true"/> +<select idref="proxy_filemaker_configured" selected="true"/> +<select idref="proxy_ftp_configured" selected="true"/> +<select idref="proxy_gopher_configured" selected="true"/> +<select idref="proxy_gss-http_configured" selected="true"/> +<select idref="proxy_http-mgmt_configured" selected="true"/> +<select idref="proxy_https_configured" selected="true"/> +<select idref="proxy_http_configured" selected="true"/> +<select idref="proxy_localhost_configured" selected="true"/> +<select idref="proxy_multiling_configured" selected="true"/> +<select idref="proxy_wais_configured" selected="true"/> + + +<select idref="verify_forwarded_for_off" selected="true"/> +<select idref="verify_log_mime_hdrs_on" selected="true"/> +<select idref="verify_suppress_version_string_on" selected="true"/> +<select idref="verify_allow_underscore_off" selected="true"/> + +<select idref="lower_privileges" selected="true"/> + +<select idref="verify_cache_effective_group" selected="true"/> +<select idref="verify_cache_effective_user" selected="true"/> +<select idref="verify_ignore_unknown_nameservers" selected="true"/> +<select idref="verify_ftp_check_hostnames" selected="true"/> +<select idref="verify_ftp_passive_on" selected="true"/> +<select idref="verify_reply_header_max" selected="true"/> +<select idref="verify_request_header_max" selected="true"/> +<select idref="verify_ftp_sanitycheck_on" selected="true"/> + <select idref="allow_proxy_server_access" selected="true"/> -<seelect idref="forward_logs_to_syslogd" selected="true"/> +<select idref="forward_logs_to_syslogd" selected="true"/> <select idref="run_squid_in_chroot_jail" 
selected="true"/> -<select idref="lower_privileges" selected="true"/> ---> +
<select idref="disable_squid" selected="true"/> <select idref="uninstall_squid" selected="true"/> diff --git a/rhel6/src/input/services/squid.xml b/rhel6/src/input/services/squid.xml index 80dc4a4..e13573a 100644 --- a/rhel6/src/input/services/squid.xml +++ b/rhel6/src/input/services/squid.xml 
@@ -44,5 +44,541 @@ removing it provides a safeguard against its activation. <oval id="package_squid_removed" /> </Rule> </Group> + +<Group id="configure_squid"> +<title> Configure Squid if Necessary</title> +<description> +The Squid configuration file is /etc/squid/squid.conf. The following recommendations can be applied to this +file. +Note: If a particular tag is not present in the configuration file, Squid falls back to the default setting (which +is often illustrated by a comment).</description> + +<Rule id="select_squid_listening_port"> +<title> Listen on Uncommon Port</title> +<description> +The default listening port for the Squid service is 3128. As such, it is frequently scanned by adversaries looking +for proxy servers. +Select an arbitrary (but uncommon) high port to use as the Squid listening port and make the corresponding +change to the configuration file: +<pre>http_port port </pre> +Run the following command to add a new SELinux port mapping for the service: +<pre># semanage port -a -t http_cache_port_t -p tcp port</pre></description> +<oval id="squid_listening_port_uncommon" /> +</Rule> + +<Group id="verify_default_secure_settings"> +<title>Configure Default Secure Settings</title> +<description>Several security-enhancing settings in the Squid configuration file are enabled by default, but appear as comments +in the configuration file. In these instances, the explicit directive is not present, +which means it is implicitly enabled. If you are operating with a default configuration file, this section can be +ignored. 
+Ensure that the following security settings are NOT explicitly changed from their default values: +</description> +<!--<ident cce="4454-5, 4353-9, 4503-9, 3585-7, 4419-8, 3692-1, 4459-4, 4476-8" />--> + +<Rule id="verify_ftp_passive_on"> +<title> Verify FTP Passive Connections are Forced</title> +<description> +<pre>ftp_passive on</pre> +<tt>ftp passive</tt> forces FTP passive connections.</description> +<ident cce="4454-5" /> +<oval id="squid_default_secure_passive" /> +</Rule> + +<Rule id="verify_ftp_sanitycheck_on"> +<title></title> +<description> +<pre>ftp_sanitycheck on</pre> +<tt>ftp sanitycheck</tt> performs additional sanity checks on FTP data connections. +</description> +<ident cce="4459-4" /> +<oval id="squid_default_secure_sanity" /> +</Rule> + +<Rule id="verify_ftp_check_hostnames_on"> +<title></title> +<description> +<pre>check_hostnames on</pre> +<tt>check hostnames</tt> ensures that hostnames meet RFC compliance. +</description> +<ident cce="4503-9" /> +<oval id="squid_default_secure_hostnames" /> +</Rule> + +<Rule id="verify_request_header_max"> +<title></title> +<description> +<pre>request_header_max_size 20 KB</pre> +<tt>request header max size</tt> and <tt>reply header max size</tt> place an upper limit on HTTP header length, precau- +tions against denial-of-service and buffer overflow vulnerabilities. +</description> +<ident cce="4353-9" /> +<oval id="squid_default_secure_request_header" /> +</Rule> + +<Rule id="verify_reply_header_max"> +<title></title> +<description> +<pre>reply_header_max_size 20 KB</pre> +<tt> header max size</tt> and <tt>reply header max size</tt> place an upper limit on HTTP header length, precau- +tions against denial-of-service and buffer overflow vulnerabilities. 
+</description> +<ident cce="4419-8" /> +<oval id="squid_default_secure_reply_header" /> +</Rule> + +<Rule id="verify_cache_effective_user"> +<title></title> +<description> +<pre>cache_effective_user squid</pre> +<tt>cache effective user</tt> and <tt>cache effective group</tt> designate the EUID and EGID of Squid following initial- +ization (it is essential that the EUID/EGID be set to an unprivileged sandbox account). +</description> +<ident cce="3692-1" /> +<oval id="squid_default_secure_cache_user" /> +</Rule> + +<Rule id="verify_cache_effective_group"> +<title></title> +<description> +<pre>cache_effective_group squid</pre> +<tt>cache effective group</tt> designate the EUID and EGID of Squid following initial- +ization (it is essential that the EUID/EGID be set to an unprivileged sandbox account). +</description> +<ident cce="4476-8" /> +<oval id="squid_default_secure_cache_group" /> +</Rule> + +<Rule id="verify_ignore_unknown_nameservers"> +<title></title> +<description> +<pre>ignore_unknown_nameservers on</pre> +<tt>ignore unknown nameservers</tt> checks to make sure that DNS responses come from the same IP the request was +sent to. +</description> +<ident cce="3585-7" /> +<oval id= "squid_default_secured_ignore_unknown" /> +</Rule> </Group>
+<Group id="change_default_insecure_settings"> +<title> Change Default Insecure Settings</title> +<description> +The default configuration settings for the following tags are considered to be weak security and NOT recom- +mended: +<ul> +<li><tt>allow_underscore</tt> enforces RFC 1034 compliance on hostnames by disallowing the use of underscores.</li> +<li><tt>httpd</tt> suppress version string prevents Squid from revealing version information in web headers and error +pages.</li> +<li><tt>forwarded_for</tt> reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the leakage of internal network configuration details. </li> +<li><tt>log_mime_hdrs</tt> enables logging of HTTP response/request headers.</li> +</ul> +</description> +<!--<ident cce="4181-4, 4577-3, 4344-8, 4494-1" /> +<oval id="service_squid_default_insecure_changed" />--> + +<Rule id="verify_forwarded_for_off"> +<title> Change Default Insecure Settings</title> +<description> +The default configuration settings for the following tags are considered to be weak security and NOT recom- +mended. +Add or modify the configuration file to include the following lines: +<pre> +forwarded_for off +</pre> +<tt>forwarded_for</tt> reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the leakage +of internal network configuration details. 
+</description> +<ident cce="4181-4"/> +<oval id="service_squid_default_insecure_forwarded_for" /> +</Rule> + +<Rule id="verify_log_mime_hdrs_on"> +<title> Change Default Insecure Settings</title> +<description> +Add or modify the configuration file to include the following lines: +<pre> +log_mime_hdrs on +</pre> +<tt>log_mime_hdrs</tt> enables logging of HTTP response/request headers.</description> +<ident cce="4577-3"/> +<oval id="service_squid_default_insecure_log_mime" /> +</Rule> + +<Rule id="verify_suppress_version_string_on"> +<title> Change Default Insecure Settings</title> +<description> +Add or modify the configuration file to include the following lines: +<pre> +httpd_suppress_version_string on +</pre> +<tt>httpd</tt> suppress version string prevents Squid from revealing version information in web headers and error +pages. +</description> +<ident cce="4494-1"/> +<oval id="service_squid_default_insecure_suppress_version_string" /> + +</Rule> + +<Rule id="verify_allow_underscore_off"> +<title> Change Default Insecure Settings</title> +<description> +Add or modify the configuration file to include the following lines: +<pre>allow_underscore off +</pre> +<tt>allow_underscore</tt> enforces RFC 1034 compliance on hostnames by disallowing the use of underscores. +</description> +<ident cce="4344-8"/> +<oval id="service_squid_default_insecure_underscore" /> +</Rule> +</Group> <!-- End <Group id="change_default_insecure_settings"> --> + +<Rule id="configure_authentication"> +<title> Configure Authentication if Applicable</title> +<description> +Note: Authentication cannot be used in the case of transparent proxies due to limitations of the TCP/IP +protocol. +Similar to web servers, two of the available options are Basic and Digest authentication. The other options are +NTLM and Negotiate authentication. Basic authentication transmits passwords in +plain-text and is susceptible to passive monitoring. 
If network sniffing is a concern, basic authentication should +not be used. Negotiate is the newest and most secure protocol. It attempts to use Kerberos authentication and +falls back to NTLM if it cannot. It should be noted that Kerberos requires a third-party Key Distribution Center +(KDC) to function properly, whereas the other methods of authentication are two-party schemes. + +Squid also offers the ability to choose a custom external authenticator. Designating an external authenticator +(also known as a "helper" module) allows Squid to offer pluggable third-party authentication schemes. LDAP is +one example of a helper module that exists and is in use today. +There are comments under the <tt>auth_param</tt> tag inside <tt>/etc/squid/squid.conf</tt> that provide extensive detail on how to configure each of these methods. If authentication is necessary, choose a method of authentication and +configure appropriately. The recommended minimum configurations illustrated for each method are acceptable. +To force an ACL to require authentication, use the following directive: +<pre>acl <i>name-of-ACL</i> proxy_auth REQUIRED</pre> +Note: The keyword <tt>REQUIRED</tt> can be replaced with a user or list of users to further restrict access to a smaller +subset of users.</description> +<oval id="service_squid_authentication_configured" /> +</Rule> + + +<Group id="access_control_lists"> +<title> Access Control Lists (ACL)</title> +<description> +Be very careful with the order of access control tags. Access control is handled top-down. The first +rule that matches is the only rule adhered to. The last rule on the list defines the default behavior +in the case of no rule match. +The acl and http_access tags are used in combination to allow filtering based on a series of access control lists. +Squid has a list of default ACLs for localhost, SSL ports, and "safe" ports. 
Following the definition of these +ACLs, a series of http access directives establish the following default filtering policy: +<ul> +<li> Allow <tt>cachemgr</tt> access only from localhost </li> +<li> Allow access to only ports in the "safe" access control list </li> +<li> Limit <tt>CONNECT</tt> method to SSL ports only </li> +<li> Allow access from localhost </li> +<li> Deny all other requests </li> +</ul> +The default ACL policies are reasonable from a security standpoint. However, the number of ports listed as +"safe" could be significantly trimmed depending on the needs of your network. Out of the box, ports 21, 70, 80, +210, 280, 443, 488, 591, 777, and 1025 through 65535 are all considered safe. Some of these ports are associated +with deprecated or rarely used protocols. As such, this list could be trimmed to further tighten filtering. +The following actions should be taken to tighten the ACL policies: +</description> + +<Rule id="localhost_access_denied"> +<title>Proxy Access to localhost Denied by Default</title> +<description> +1.There is a filter line in the configuration file that is recommended but commented out. This line should +be uncommented or added to prevent access to localhost from the proxy: +<pre>http access deny to_localhost</pre> +</description> +<ident cce="CCE-4413-1" /> +<oval id="service_squid_acls_configured_localhost" /> +</Rule> + +<Group id="proxy_access_list"> +<title> Establish an Access List for Subset of IPs</title> +<description> +2.An access list should be setup for the specific network or networks that the proxy is intended to serve. +Only this subset of IP addresses should be allowed access. +Add these lines where the following comment appears: + +<pre> +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +acl your-network-acl-name src ip-range +http_access allow your-network-acl-name +</pre> + +Note: <tt>ip-range</tt> is of the format xxx.xxx.xxx.xxx/xx +<!--4.Consult the chart below. 
Corresponding <tt>acl</tt> entries for unused protocols should be commented out and thus denied. --> + +</description> + +<Rule id="proxy_ftp_configured"> +<description> +Port: 21<br /> +Service: <tt>ftp</tt> <br /> +File Transfer Protocol(FTP) is a widely used file transfer protocol. <br /> +ALLOW <br /> +<pre> +acl ftp src 21 +http_access allow ftp +</pre> +</description> +<ident cce="4255-6" /> +<oval id="service_squid_acls_configured_ftp" /> +</Rule> + +<Rule id="proxy_gopher_configured"> +<description> +Port: 70 <br /> +Service: <tt>gopher</tt> <br /> +The gopher protocol is a deprecated search and retrieval protocol +that is almost extinct, with as few as 100 gopher servers present worldwide. +Support for gopher is disabled in most modern browsers.<br /> +DENY<br /> +<pre> +acl gopher src 70 +http_access allow gopher +</pre> +</description> +<ident cce="4127-7" /> +<oval id="service_squid_acls_configured_gopher" /> +</Rule> + +<Rule id="proxy_http_configured"> +<description> +Port: 80<br /> +Service: <tt>http</tt><br /> +A web proxy needs to allow access to HTTP traffic. <br /> +ALLOW<br /> +<pre> +acl http src 80 +http_access allow http +</pre> +</description> +<ident cce="4607-8" /> +<oval id="service_squid_acls_configured_http" /> +</Rule> + +<Rule id="proxy_wais_configured"> +<description> +Port: 210<br /> +Service: <tt>wais</tt><br /> +The Wide Area Information Server port is similar +to gopher, serving as a text searching system +to scour indexes on remote machines. 
Today, it is +deprecated and nearly non-existent on the Inter- +net.<br /> +DENY<br /> +<pre> +acl wais src 210 +http_access allow wais +</pre> +</description> +<ident cce="3610-3" /> +<oval id="service_squid_acls_configured_wais" /> +</Rule> + +<Rule id="proxy_http-mgmt_configured"> +<description> +Port: 280<br /> +Service: <tt>http-mgmt</tt><br /> +No documentation of any kind could be found on the +obscure service that resides on this port.<br /> +DENY<br /> +<pre> +acl http-mgmt src 280 +http_access allow http-mgmt +</pre> +</description> +<ident cce="4373-7" /> +<oval id="service_squid_acls_configured_http-mgmt" /> +</Rule> + +<Rule id="proxy_https_configured"> +<description> +Port: 443<br /> +Service: <tt>https</tt><br /> +SSL traffic is likely (and recommended) for any +proxy and should be allowed.<br /> +ALLOW<br /> +<pre> +acl https src 443 +http_access allow https +</pre> +</description> +<ident cce="4529-4" /> +<oval id="service_squid_acls_configured_https" /> +</Rule> + +<Rule id="proxy_gss-http_configured"> +<description> +Port: 488<br /> +Service: <tt>gss-http</tt><br /> +No documentation of any kind could be found on +the obscure service that resides on this port.<br /> +DENY<br /> +<pre> +acl gss-http src 488 +http_access allow gss-http +</pre> +</description> +<ident cce="4511-2" /> +<oval id="service_squid_acls_configured_gss-http" /> +</Rule> + +<Rule id="proxy_filemaker_configured"> +<description> +Port: 591<br /> +Service: <tt>filemaker</tt><br /> +Filemaker is a database application originally offered +by Apple in the 1980s. 
Although development continues +and it remains in use today, it should be disabled +if your network does not require such traffic.<br /> +DENY<br /> +<pre> +acl filemaker src 591 +http_access allow filemaker +</pre> +</description> +<ident cce="4519-5" /> +<oval id="service_squid_acls_configured_filemaker" /> +</Rule> + +<Rule id="proxy_multiling-http_configured"> +<description> +Port: 777<br /> +Service: <tt>multiling http</tt><br /> +No documentation of any kind could be found on +the obscure service that resides on this port.<br /> +DENY<br /> +<pre> +acl ftp src 777 +http_access allow multiling-http +</pre> +</description> +<ident cce="4466-9" /> +<oval id="service_squid_acls_configured_multiling" /> +</Rule> + +<!-- +<li> +Port: 1025-65535<br /> +Service: unregistered ports<br /> +Random high ports are used by a variety of applications +and should be allowed.<br /> +ALLOW<br /> +</li> +</ul> +</description> +--> + +<Group id="proxy_acls_unfiltered"> +<title>Deny All Unfiltered Traffic</title> +<description> +Ensure that the final http access line to appear in the document is the following: + +<pre>http_access deny all</pre> + +This guarantees that all traffic not meeting an explicit filtering rule is denied. +Further filters should be established to meet the specific needs of a network, explicitly allowing access +only where necessary. +</description> +</Group> +</Group> +</Group> + +<!-- Removed because this item does not enhance security +<Rule id="configure_icp"> +ICP protocol is a cache communication protocol that allows multiple Squid servers to communicate. The +ICP protocol was designed with no security in mind, relying on user-defined access control lists alone to determine +which ICP messages to allow. 
+If a Squid server is standalone, the ICP port should be disabled by adding or correcting the following line in +the configuration file: +<pre>icp_port 0 </pre> +If the Squid server is meant to speak with peers, strict ACLs should be established to only allow ICP traffic +from trusted neighbors. To accomplish this, add or correct the following lines: +<pre>icp_access allow <i>acl-defining-trusted-neighbors</i> +icp_access deny all</pre> +</description> +<oval id="system_icp_configured" /> +</Rule>--> + +<Rule id="allow_proxy_server_access"> +<title> Configure iptables to Allow Access to the Proxy Server</title> +<description> +Determine an appropriate network block, <i>netwk</i>, and network mask, <i>mask</i>, representing the machines on +your network which should operate as clients of the proxy server. +Edit <tt>/etc/sysconfig/iptables</tt>. Add the following line, ensuring that it appears <i>before</i> the final <tt>LOG</tt> and <tt>DROP</tt> lines for the <tt>RH-Firewall-1-INPUT</tt> chain: +<pre>-A RH-Firewall-1-INPUT -s <i>netwk/mask</i> -m state --state NEW -p tcp --dport <i>port</i> -j ACCEPT </pre> +For port , use either the default 3128. +The default Iptables configuration does not allow inbound access to the Squid proxy service. This modification +allows that access, while keeping other ports on the server in their default protected state. +</description> +<oval id="system_proxy_access_allowed" /> +</Rule> + + +<Rule id="forward_logs_to_syslogd"> +<title> Forward Log Messages to Syslog Daemon</title> +<description> +The default behavior of Squid is to record its log messages in <tt>/var/log/squid.log</tt>. This behavior can be +supplemented so that Squid also sends messages to syslog as well. This is useful for centralizing log data, +particularly in instances where multiple Squid servers are present. +Squid provides a command line argument to enable syslog forwarding. 
Modify the <tt>SQUID_OPTS</tt> line in +<tt>/etc/init.d/squid</tt> to include the <tt>-s</tt> option: +<pre>SQUID_OPTS="${SQUID_OPTS:-"-D"} -s"</pre></description> +<oval id="service_squid_logs_forwarded" /> +</Rule> + + +<Group id="disallow_squid_root"> +<title> Do Not Run as Root</title> +<description> +Since Squid is loaded by the system's <tt>service</tt> utility, it starts as root and then changes its effective UID to the +UID specified by the <tt>cache_effective_user</tt> directive. However, since it was still executed by root, the program +maintains a saved UID of root even after changing its effective UID. +To prevent this undesired behavior, Squid must either be configured to run in a chroot environment or it must +be executed by a non-privileged user in non-daemon mode (the <tt>service</tt> utility must not be used).</description> + +<Rule id="run_squid_in_chroot_jail"> +<title> Run Squid in a <tt>chroot</tt> Jail</title> +<description> +Chrooting Squid can be a very complicated task. Documentation for the process is vague and a great deal +of trial and error may be required to determine all the files that need to be transitioned over to the chroot +environment. Therefore, this guide recommends instead the method detailed in Section 3.19.2.9.2 to lower +privileges. If chrooting Squid is still desired, it can be enabled with the following directive in the configuration +file: +<pre>chroot <i>chroot-path</i></pre> +Then, all the necessary files used by Squid must be copied into the <i>chroot-path</i> directory. The specifics of this +step cannot be covered in this guide because they are highly dependent on the external programs used in the +Squid configuration. 
+Note: The <tt>strace</tt> utility is a valuable resource for discovering the files needed for the chroot environment.</description> +<oval id="service_squid_chroot_jailed" /> +</Rule> + + +<Rule id="lower_privileges"> +<title> Modify Service Entry to Lower Privileges</title> +<description> +The following modification to <tt>/etc/init.d/squid</tt> forces the <tt>service</tt> utility to execute Squid as the squid +user instead of the root user: +<pre># determine the name of the squid binary +[ -f /usr/sbin/squid ] && SQUID="sudo -u squid squid" </pre> +Making this change prevents Squid from writing its pid to <tt>/var/run</tt>. This pid file is used by <tt>service</tt> to +check to see if the program started successfully. Therefore, a new location must be chosen for this pid file +that the squid user has access to, and the corresponding references in <tt>/etc/init.d/squid</tt> must be altered +to point to it. +Make the following modification to the Squid configuration file: +<pre>pid_filename /var/spool/squid/squid.pid</pre> +Edit the file <tt>/etc/init.d/squid</tt> by changing all occurrences of <tt>/var/run/squid.pid</tt> to <tt>/var/spool/squid/squid.pid</tt> +Also modify the following line in <tt>/etc/init.d/squid</tt>: +<pre>[ $RETVAL -eq 0 ] && touch /var/lock/subsys/squid</pre> +and add the following lines immediately after it: +<pre>rm -f /var/lock/subsys/squid +status squid +</pre> +</description> +<oval id="service_squid_privileges_lowered" /> +</Rule> + +</Group> <!-- End <Group id="disallow_squid_root"> --> +</Group> <!-- End <Group id="configure_squid"> --> +</Group> <!-- End <Group id="proxy"> -->
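Review bot: the per-port rules under proxy_access_list use the wrong ACL type and their remediation contradicts the verdict they carry. `acl ftp src 21` declares a source-address ACL, not a port ACL (Squid's port match type is `port`, i.e. `acl ftp port 21`), and every rule labelled DENY (gopher, wais, http-mgmt, gss-http, filemaker, multiling-http) then shows `http_access allow ...` as the fix, which would open the port the text says to close; the multiling-http rule additionally defines the ACL as `acl ftp src 777` while allowing the undefined name `multiling-http`. Since the group description already explains that the stock config denies everything outside the "safe" port list, the simpler and correct guidance is to remove the unwanted ports from that list rather than add new allow lines. Related fixes in the same region: `http access deny to_localhost` is missing the underscore (`http_access`); the `proxy_*_configured` rules have no `<title>`; `<oval id="service_squid_acls_configured_gss-http" />` does not match the added file `service_squid_acls_configured_gss_http.xml`; `service_squid_chroot_jailed` is referenced but no such check is in this series; and the `<ident>` values mix `cce="CCE-4413-1"` with the bare `cce="4181-4"` form. In forward_logs_to_syslogd, the RHEL 6 init script sources `/etc/sysconfig/squid` for `SQUID_OPTS`, so the directive belongs there rather than in an edit to `/etc/init.d/squid`, the stated default log path `/var/log/squid.log` is not where the RHEL package writes (it uses `/var/log/squid/`), and `-s` only sends cache.log messages to syslog, so the description should not imply access logging is forwarded. In allow_proxy_server_access the sentence "For port , use either the default 3128." is cut off and should name the alternative (the configured `http_port`). In run_squid_in_chroot_jail, "Section 3.19.2.9.2" is a PDF section number that will not exist in the generated guide; cross-reference the `lower_privileges` rule id instead. The verify_log_mime_hdrs_on description should note that full header logging captures Authorization and Cookie values, so the resulting log needs restricted permissions. Finally, the copied prose still carries PDF hyphenation debris ("recom- mended", "Inter- net") that should be joined before this lands.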
I'd like to push to the repo. Is this patch ACK-worthy?

________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Michael Palmiotto [mpalmiotto@tresys.com]
Sent: Friday, April 27, 2012 9:12 AM
To: scap-security-guide@lists.fedorahosted.org
Subject: [PATCH v2] M1 Incomplete Guidance - Proxy
rhel6/src/input/checks/service_squid_acls_configured_http-mgmt.xml create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_http.xml create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_https.xml create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_localhost.xml create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_multiling.xml create mode 100644 rhel6/src/input/checks/service_squid_acls_configured_wais.xml create mode 100644 rhel6/src/input/checks/service_squid_authentication_configured.xml create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_forwarded_for.xml create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_log_mime.xml create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_suppress_version_string.xml create mode 100644 rhel6/src/input/checks/service_squid_default_insecure_underscore.xml create mode 100644 rhel6/src/input/checks/service_squid_logs_forwarded.xml create mode 100644 rhel6/src/input/checks/service_squid_privileges_lowered.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_cache_group.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_cache_user.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_hostnames.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_passive.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_reply_header.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_request_header.xml create mode 100644 rhel6/src/input/checks/squid_default_secure_sanity.xml create mode 100644 rhel6/src/input/checks/squid_default_secured_ignore_unknown.xml create mode 100644 rhel6/src/input/checks/system_proxy_access_allowed.xml
-- 1.7.6.5
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide