Blame SOURCES/scap-security-guide-0.1.41-sysctl_kernel.patch

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
7629ac
new file mode 100644
7629ac
index 0000000000..a8fc8715e1
7629ac
--- /dev/null
7629ac
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
7629ac
@@ -0,0 +1,17 @@
7629ac
+documentation_complete: true
7629ac
+
7629ac
+prodtype: rhel6,rhel7,fedora
7629ac
+
7629ac
+title: 'Disable kernel image loading'
7629ac
+
7629ac
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}'
7629ac
+
7629ac
+rationale: |
7629ac
+    Disabling kexec_load allows greater control of the kernel memory.
7629ac
+    It makes it impossible to load another kernel image after it has been disabled.
7629ac
+
7629ac
+severity: unknown
7629ac
+
7629ac
+
7629ac
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
7629ac
+
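Review bot: `severity: unknown` is set on a rule that this same patch selects into the ospp42 profile (the `- sysctl_kernel_kexec_load_disabled` line in rhel7/profiles/ospp42.profile), so the profile would ship a selected rule with no severity; the yama_ptrace_scope rule in the next hunk has the same gap, and both should get a real value such as `severity: medium`. The rationale could also state the property that makes this control worth selecting: kernel.kexec_load_disabled is a one-way switch, once set to 1 it cannot be cleared without a reboot, so an attacker who gains root later still cannot kexec into an unsigned kernel. A sentence like `Once set to 1, the setting cannot be reverted until the system is rebooted.` after the existing rationale lines would make that explicit. Whether the kexec_load_disabled sysctl exists on every listed prodtype (rhel6 in particular) is not visible here and is worth confirming before the rule is enabled there.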
7629ac
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
7629ac
new file mode 100644
7629ac
index 0000000000..67b7ff8056
7629ac
--- /dev/null
7629ac
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
7629ac
@@ -0,0 +1,19 @@
7629ac
+documentation_complete: true
7629ac
+
7629ac
+prodtype: rhel6,rhel7,fedora
7629ac
+
7629ac
+title: 'Restrict usage of ptrace to descendant processes'
7629ac
+
7629ac
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}'
7629ac
+
7629ac
+rationale: |
7629ac
+    Unrestricted usage of ptrace allows compromised binaries to run ptrace
7629ac
+    on another processes of the user. Like this, the attacker can steal
7629ac
+    sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
7629ac
+    without any additional assistance from the user (i.e. without resorting to phishing).
7629ac
+
7629ac
+severity: unknown
7629ac
+
7629ac
+
7629ac
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
7629ac
+
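Review bot: The rationale text reads awkwardly and should be tightened before it lands in generated guides: `on another processes of the user. Like this, the attacker can steal` reads better as `on other processes of the same user. This way, an attacker can steal`, and the final sentence could name what the value buys, e.g. `With ptrace_scope set to 1, a process may only attach to its descendants unless it holds CAP_SYS_PTRACE.` The rule is also marked `prodtype: rhel6,rhel7,fedora`, but kernel.yama.ptrace_scope only exists when the Yama LSM is built into the kernel; if any listed platform lacks it, the OVAL check and remediation cannot succeed there, so that should be confirmed per prodtype. `severity: unknown` is the same issue already noted on the kexec_load_disabled rule.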
7629ac
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
7629ac
index 8550434ffa..a29e282b6e 100644
7629ac
--- a/rhel7/profiles/ospp42.profile
7629ac
+++ b/rhel7/profiles/ospp42.profile
7629ac
@@ -33,6 +33,10 @@ selections:
7629ac
     - var_password_pam_lcredit=1
7629ac
     - accounts_password_pam_lcredit
7629ac
     - package_screen_installed
7629ac
+    - sysctl_kernel_yama_ptrace_scope
7629ac
+    - sysctl_kernel_kptr_restrict
7629ac
+    - sysctl_kernel_kexec_load_disabled
7629ac
+    - sysctl_kernel_dmesg_restrict
7629ac
     - dconf_gnome_screensaver_idle_activation_enabled
7629ac
     - dconf_gnome_screensaver_idle_delay
7629ac
     - dconf_gnome_screensaver_lock_delay
7629ac
diff --git a/rhel7/templates/csv/sysctl_values.csv b/rhel7/templates/csv/sysctl_values.csv
7629ac
index 12f0232760..3090159aa5 100644
7629ac
--- a/rhel7/templates/csv/sysctl_values.csv
7629ac
+++ b/rhel7/templates/csv/sysctl_values.csv
7629ac
@@ -1,7 +1,10 @@
7629ac
 # Add <sysctl_parameter_name, desired_value> to generate hard-coded OVAL and remediation content.
7629ac
 # Add <sysctl_parameter_name,> to generate OVAL and remediation content that use the XCCDF value.
7629ac
 fs.suid_dumpable,0
7629ac
+kernel.yama.ptrace_scope,1
7629ac
+kernel.kptr_restrict,1
7629ac
 kernel.dmesg_restrict,1
7629ac
+kernel.kexec_load_disabled,1
7629ac
 #kernel.exec-shield,1
7629ac
 kernel.randomize_va_space,2
7629ac
 net.ipv4.conf.all.accept_redirects,
7629ac
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
7629ac
new file mode 100644
7629ac
index 0000000000..715f0b81dc
7629ac
--- /dev/null
7629ac
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
7629ac
@@ -0,0 +1,7 @@
7629ac
+#!/bin/bash
7629ac
+#
7629ac
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
7629ac
+
7629ac
+. ../sysctl.sh
7629ac
+
7629ac
+sysctl_set_kernel_setting_to dmsg_restrict 0
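Review bot: The setting name on the last line is misspelled, `dmsg_restrict` instead of `dmesg_restrict`, so this scenario sets a non-existent key: `sysctl -w kernel.dmsg_restrict=0` will fail and a bogus `kernel.dmsg_restrict = 0` line is appended to /etc/sysctl.conf, while the real dmesg_restrict value is left untouched and the expected "fail" result is not actually exercised. The line should read `sysctl_set_kernel_setting_to dmesg_restrict 0`. Because the sourced helper ignores the exit status of `sysctl -w`, this kind of typo goes unnoticed at runtime; the helper is reviewed separately in its own hunk.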
7629ac
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
7629ac
new file mode 100644
7629ac
index 0000000000..05cd772b7f
7629ac
--- /dev/null
7629ac
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
7629ac
@@ -0,0 +1,7 @@
7629ac
+#!/bin/bash
7629ac
+#
7629ac
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
7629ac
+
7629ac
+. ../sysctl.sh
7629ac
+
7629ac
+sysctl_set_kernel_setting_to kexec_load_disabled 0
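Review bot: Setting kernel.kexec_load_disabled back to 0 is not possible on a running kernel once it has been set to 1, the kernel rejects the write, and the sourced helper does not check the `sysctl -w` exit status, so on a test VM where the value is already 1 this scenario silently ends up with the runtime value still 1 and only /etc/sysctl.conf saying 0. Whether the check then reports the intended fail depends on which source the OVAL inspects, so this scenario can give a misleading result. A comment above the call, e.g. `# Note: kexec_load_disabled is one-way; this only takes effect if the running kernel still has it at 0`, and a fresh (rebooted) test environment would make the expectation explicit; checking the helper's return value would at least surface the rejected write.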
7629ac
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
7629ac
new file mode 100644
7629ac
index 0000000000..ac7922d927
7629ac
--- /dev/null
7629ac
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
7629ac
@@ -0,0 +1,7 @@
7629ac
+#!/bin/bash
7629ac
+#
7629ac
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
7629ac
+
7629ac
+. ../sysctl.sh
7629ac
+
7629ac
+sysctl_set_kernel_setting_to kptr_restrict 0
7629ac
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
7629ac
new file mode 100644
7629ac
index 0000000000..6e0892c4d8
7629ac
--- /dev/null
7629ac
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
7629ac
@@ -0,0 +1,7 @@
7629ac
+#!/bin/bash
7629ac
+#
7629ac
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
7629ac
+
7629ac
+. ../sysctl.sh
7629ac
+
7629ac
+sysctl_set_kernel_setting_to yama.ptrace_scope 0
7629ac
diff --git a/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
7629ac
new file mode 100644
7629ac
index 0000000000..6a424a3641
7629ac
--- /dev/null
7629ac
+++ b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
7629ac
@@ -0,0 +1,14 @@
7629ac
+#!/bin/bash
7629ac
+
7629ac
+# Sets the kernel setting using sysctl exec as well as in sysctl config file.
7629ac
+# $1: The setting name without the leading 'kernel.'
7629ac
+# $2: The value to set the setting to
7629ac
+function sysctl_set_kernel_setting_to {
7629ac
+	local setting_name="kernel.$1" setting_value="$2"
7629ac
+	sysctl -w "$setting_name=$setting_value"
7629ac
+	if grep -q "^$setting_name" /etc/sysctl.conf; then
7629ac
+		sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
7629ac
+	else
7629ac
+		echo "$setting_name = $setting_value" >> /etc/sysctl.conf
7629ac
+	fi
7629ac
+}
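Review bot: The exit status of `sysctl -w` is discarded, so an unknown key, a misspelled name or a value the kernel refuses (the one-way kexec_load_disabled toggle) leaves the runtime setting unchanged while the function still proceeds to write that key into /etc/sysctl.conf; the scenario that misspells dmesg_restrict in this patch is exactly this failure mode. The `grep`/`sed` patterns also use `$setting_name` as an unescaped, unterminated regex: the dots match any character and the match is only anchored at the start of the line, so a key that merely begins with the given name is also rewritten. Returning non-zero on a failed `sysctl -w`, escaping the dots and anchoring on the `=` separator fixes both; the rewritten function is below.
```shell
function sysctl_set_kernel_setting_to {
	local setting_name="kernel.$1" setting_value="$2"
	# Fail loudly: a rejected write means the scenario is not actually set up.
	sysctl -w "$setting_name=$setting_value" || return 1
	# Match the key literally ('.' escaped) and only up to its separator, so a
	# key that merely starts with this name is left alone.
	local key_re="^${setting_name//./\\.}[[:space:]]*="
	if grep -q "$key_re" /etc/sysctl.conf; then
		sed -i "s/$key_re.*/$setting_name = $setting_value/" /etc/sysctl.conf
	else
		echo "$setting_name = $setting_value" >> /etc/sysctl.conf
	fi
}
```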