Blob Blame History Raw
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
new file mode 100644
index 0000000000..a8fc8715e1
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+prodtype: rhel6,rhel7,fedora
+
+title: 'Disable kernel image loading'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}'
+
+rationale: |
+    Disabling kexec_load allows greater control of the kernel memory.
+    It makes it impossible to load another kernel image after it has been disabled.
+
+severity: unknown
+
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
+
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
new file mode 100644
index 0000000000..67b7ff8056
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: rhel6,rhel7,fedora
+
+title: 'Restrict usage of ptrace to descendant processes'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}'
+
+rationale: |
+    Unrestricted usage of ptrace allows compromised binaries to run ptrace
+    on another processes of the user. Like this, the attacker can steal
+    sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
+    without any additional assistance from the user (i.e. without resorting to phishing).
+
+severity: unknown
+
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
+
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
index 8550434ffa..a29e282b6e 100644
--- a/rhel7/profiles/ospp42.profile
+++ b/rhel7/profiles/ospp42.profile
@@ -33,6 +33,10 @@ selections:
     - var_password_pam_lcredit=1
     - accounts_password_pam_lcredit
     - package_screen_installed
+    - sysctl_kernel_yama_ptrace_scope
+    - sysctl_kernel_kptr_restrict
+    - sysctl_kernel_kexec_load_disabled
+    - sysctl_kernel_dmesg_restrict
     - dconf_gnome_screensaver_idle_activation_enabled
     - dconf_gnome_screensaver_idle_delay
     - dconf_gnome_screensaver_lock_delay
diff --git a/rhel7/templates/csv/sysctl_values.csv b/rhel7/templates/csv/sysctl_values.csv
index 12f0232760..3090159aa5 100644
--- a/rhel7/templates/csv/sysctl_values.csv
+++ b/rhel7/templates/csv/sysctl_values.csv
@@ -1,7 +1,10 @@
 # Add <sysctl_parameter_name, desired_value> to generate hard-coded OVAL and remediation content.
 # Add <sysctl_parameter_name,> to generate OVAL and remediation content that use the XCCDF value.
 fs.suid_dumpable,0
+kernel.yama.ptrace_scope,1
+kernel.kptr_restrict,1
 kernel.dmesg_restrict,1
+kernel.kexec_load_disabled,1
 #kernel.exec-shield,1
 kernel.randomize_va_space,2
 net.ipv4.conf.all.accept_redirects,
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
new file mode 100644
index 0000000000..715f0b81dc
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
+
+. ../sysctl.sh
+
+sysctl_set_kernel_setting_to dmsg_restrict 0
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
new file mode 100644
index 0000000000..05cd772b7f
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
+
+. ../sysctl.sh
+
+sysctl_set_kernel_setting_to kexec_load_disabled 0
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
new file mode 100644
index 0000000000..ac7922d927
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
+
+. ../sysctl.sh
+
+sysctl_set_kernel_setting_to kptr_restrict 0
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
new file mode 100644
index 0000000000..6e0892c4d8
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
+
+. ../sysctl.sh
+
+sysctl_set_kernel_setting_to yama.ptrace_scope 0
diff --git a/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
new file mode 100644
index 0000000000..6a424a3641
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Sets the kernel setting using sysctl exec as well as in sysctl config file.
+# $1: The setting name without the leading 'kernel.'
+# $2: The value to set the setting to
+function sysctl_set_kernel_setting_to {
+	local setting_name="kernel.$1" setting_value="$2"
+	sysctl -w "$setting_name=$setting_value"
+	if grep -q "^$setting_name" /etc/sysctl.conf; then
+		sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
+	else
+		echo "$setting_name = $setting_value" >> /etc/sysctl.conf
+	fi
+}