author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2015-09-02 22:24:14 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2015-09-02 22:24:14 +0200 |
commit | ec36b14065b253f45eaf9992b9b87cb22b52561c (patch) | |
tree | 1b50570f35bdffb0d5be9f6c2ad11c453a88e495 /xml | |
parent | Add test for world writable directories (diff) | |
download | hardened-docs-ec36b14065b253f45eaf9992b9b87cb22b52561c.tar.gz hardened-docs-ec36b14065b253f45eaf9992b9b87cb22b52561c.tar.bz2 hardened-docs-ec36b14065b253f45eaf9992b9b87cb22b52561c.zip |
Adding kernel files
Diffstat (limited to 'xml')
-rw-r--r-- | xml/SCAP/kernel-oval.xml | 1129 | ||||
-rw-r--r-- | xml/SCAP/kernel-xccdf.xml | 967 |
2 files changed, 2096 insertions, 0 deletions
diff --git a/xml/SCAP/kernel-oval.xml b/xml/SCAP/kernel-oval.xml
new file mode 100644
index 0000000..7ea2238
--- /dev/null
+++ b/xml/SCAP/kernel-oval.xml
@@ -0,0 +1,1129 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+ xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+ xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+ xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+ <generator>
+ <oval:product_name>vim</oval:product_name>
+ <oval:schema_version>5.9</oval:schema_version>
+ <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+ </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.ip_forward must be 0</title>
+ <description>sysctl net.ipv4.ip_forward must be 0</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="sysctl net.ipv4.ip_forward must be 0" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:4" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.all.rp_filter must be 1</title>
+ <description>sysctl net.ipv4.conf.all.rp_filter must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="sysctl net.ipv4.conf.all.rp_filter must be 1" />
+ </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+ <metadata>
+ <title>sysctl net.ipv4.conf.default.rp_filter must be 1</title>
+ <description>sysctl net.ipv4.conf.default.rp_filter must be 1</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="sysctl net.ipv4.conf.default.rp_filter must be 1" />
+ </criteria>
+</definition>
+<definition 
class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1"> + <metadata> + <title>sysctl net.ipv4.conf.all.accept_source_route must be 0</title> + <description>sysctl net.ipv4.conf.all.accept_source_route must be 0</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="sysctl net.ipv4.conf.all.accept_source_route must be 0" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1"> + <metadata> + <title>sysctl net.ipv4.conf.default.accept_source_route must be 0</title> + <description>sysctl net.ipv4.conf.default.accept_source_route must be 0</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="sysctl net.ipv4.conf.default.accept_source_route must be 0" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1"> + <metadata> + <title>sysctl net.ipv4.conf.all.accept_redirects must be 0</title> + <description>sysctl net.ipv4.conf.all.accept_redirects must be 0</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="sysctl net.ipv4.conf.all.accept_redirects must be 0" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1"> + <metadata> + <title>sysctl net.ipv4.conf.default.accept_redirects must be 0</title> + <description>sysctl net.ipv4.conf.default.accept_redirects must be 0</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="sysctl net.ipv4.conf.default.accept_redirects must be 0" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1"> + <metadata> + <title>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</title> + <description>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</description> + </metadata> + <criteria> 
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1"> + <metadata> + <title>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</title> + <description>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1"> + <metadata> + <title>sysctl net.ipv4.conf.all.log_martians must be 1</title> + <description>sysctl net.ipv4.conf.all.log_martians must be 1</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="sysctl net.ipv4.conf.all.log_martians must be 1" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:22" version="1"> + <metadata> + <title>sysctl net.ipv4.conf.default.log_martians must be 1</title> + <description>sysctl net.ipv4.conf.default.log_martians must be 1</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="sysctl net.ipv4.conf.default.log_martians must be 1" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:24" version="1"> + <metadata> + <title>sysctl net.ipv4.tcp_syncookies must be 1</title> + <description>sysctl net.ipv4.tcp_syncookies must be 1</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:24" comment="sysctl net.ipv4.tcp_syncookies must be 1" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:27" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC must be y</title> + 
<description>kernel config CONFIG_GRKERNSEC must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:27" comment="kernel config CONFIG_GRKERNSEC must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:29" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_TPE must be y</title> + <description>kernel config CONFIG_GRKERNSEC_TPE must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:29" comment="kernel config CONFIG_GRKERNSEC_TPE must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:31" version="1"> + <metadata> + <title>kernel config CONFIG_PAX must be y</title> + <description>kernel config CONFIG_PAX must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:31" comment="kernel config CONFIG_PAX must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:32" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_NOEXEC must be y</title> + <description>kernel config CONFIG_PAX_NOEXEC must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:32" comment="kernel config CONFIG_PAX_NOEXEC must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:33" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_....EXEC must be y</title> + <description>kernel config CONFIG_PAX_....EXEC must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:33" comment="kernel config CONFIG_PAX_....EXEC must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:34" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_MPROTECT must be y</title> + <description>kernel config 
CONFIG_PAX_MPROTECT must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="kernel config CONFIG_PAX_MPROTECT must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:35" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_ASLR must be y</title> + <description>kernel config CONFIG_PAX_ASLR must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="kernel config CONFIG_PAX_ASLR must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:36" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_RANDKSTACK must be y</title> + <description>kernel config CONFIG_PAX_RANDKSTACK must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="kernel config CONFIG_PAX_RANDKSTACK must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:37" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_RANDUSTACK must be y</title> + <description>kernel config CONFIG_PAX_RANDUSTACK must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="kernel config CONFIG_PAX_RANDUSTACK must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:38" version="1"> + <metadata> + <title>kernel config CONFIG_PAX_RANDMMAP must be y</title> + <description>kernel config CONFIG_PAX_RANDMMAP must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="kernel config CONFIG_PAX_RANDMMAP must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:39" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_PROC must be y</title> + <description>kernel 
config CONFIG_GRKERNSEC_PROC must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="kernel config CONFIG_GRKERNSEC_PROC must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:40" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</title> + <description>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="kernel config CONFIG_GRKERNSEC_PROC_USER must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:41" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</title> + <description>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:41" comment="kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:42" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</title> + <description>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:42" comment="kernel config CONFIG_GRKERNSEC_PROC_ADD must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:43" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_LINK must be y</title> + <description>kernel config CONFIG_GRKERNSEC_LINK must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:43" comment="kernel config CONFIG_GRKERNSEC_LINK must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:44" version="1"> + 
<metadata> + <title>kernel config CONFIG_GRKERNSEC_FIFO must be y</title> + <description>kernel config CONFIG_GRKERNSEC_FIFO must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:44" comment="kernel config CONFIG_GRKERNSEC_FIFO must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:45" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:45" comment="kernel config CONFIG_GRKERNSEC_CHROOT must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:46" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:46" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:47" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:47" comment="kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:48" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:48" comment="kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y" /> + 
</criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:49" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:49" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:50" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:50" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:51" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:51" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:52" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:52" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:53" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</description> 
+ </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:53" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:54" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:54" comment="kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:55" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:55" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:56" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:56" comment="kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:57" version="1"> + <metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:57" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:58" version="1"> + 
<metadata> + <title>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</title> + <description>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:58" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:59" version="1"> + <metadata> + <title>kernel config CONFIG_SYN_COOKIES must be y</title> + <description>kernel config CONFIG_SYN_COOKIES must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:59" comment="kernel config CONFIG_SYN_COOKIES must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:61" version="1"> + <metadata> + <title>kernel config CONFIG_CC_STACKPROTECTOR must be y</title> + <description>kernel config CONFIG_CC_STACKPROTECTOR must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:61" comment="kernel config CONFIG_CC_STACKPROTECTOR must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:63" version="1"> + <metadata> + <title>kernel config CONFIG_DEBUG_RODATA must be y</title> + <description>kernel config CONFIG_DEBUG_RODATA must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:63" comment="kernel config CONFIG_DEBUG_RODATA must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:65" version="1"> + <metadata> + <title>kernel config CONFIG_STRICT_DEVMEM must be y</title> + <description>kernel config CONFIG_STRICT_DEVMEM must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:65" comment="kernel config CONFIG_STRICT_DEVMEM must be y" /> + </criteria> +</definition> +<definition class="compliance" 
id="oval:org.gentoo.dev.swift:def:67" version="1"> + <metadata> + <title>kernel config CONFIG_PROC_KCORE must not be set</title> + <description>kernel config CONFIG_PROC_KCORE must not be set</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:67" comment="kernel config CONFIG_PROC_KCORE must not be set" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:69" version="1"> + <metadata> + <title>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</title> + <description>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:69" comment="kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:71" version="1"> + <metadata> + <title>kernel config CONFIG_ARCH_RANDOM must be y</title> + <description>kernel config CONFIG_ARCH_RANDOM must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:71" comment="kernel config CONFIG_ARCH_RANDOM must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:73" version="1"> + <metadata> + <title>kernel config CONFIG_HW_RANDOM must be y</title> + <description>kernel config CONFIG_HW_RANDOM must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:73" comment="kernel config CONFIG_HW_RANDOM must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:75" version="1"> + <metadata> + <title>kernel config CONFIG_HW_RANDOM_* must be y</title> + <description>kernel config CONFIG_HW_RANDOM_* must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:75" comment="kernel config CONFIG_HW_RANDOM_* must be y" /> + </criteria> +</definition> 
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:77" version="1"> + <metadata> + <title>kernel config CONFIG_AUDIT must be y</title> + <description>kernel config CONFIG_AUDIT must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:77" comment="kernel config CONFIG_AUDIT must be y" /> + </criteria> +</definition> +<definition class="compliance" id="oval:org.gentoo.dev.swift:def:79" version="1"> + <metadata> + <title>kernel config CONFIG_AUDITSYSCALL must be y</title> + <description>kernel config CONFIG_AUDITSYSCALL must be y</description> + </metadata> + <criteria> + <criterion test_ref="oval:org.gentoo.dev.swift:tst:79" comment="kernel config CONFIG_AUDITSYSCALL must be y" /> + </criteria> +</definition> +<!-- @@GENOVAL END DEFINITIONS --> +</definitions> + +<tests> +<!-- @@GENOVAL START TESTS --> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="sysctl net.ipv4.ip_forward must be 0" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:4" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.rp_filter must be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.rp_filter must be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test 
id="oval:org.gentoo.dev.swift:tst:8" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.accept_source_route must be 0" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.accept_source_route must be 0" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.accept_redirects must be 0" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.accept_redirects must be 0" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="at least one" comment="sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:8" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="at least one" comment="sysctl net.ipv4.icmp_ignore_bogus_error_responses must 
be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.log_martians must be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:10" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.log_martians must be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:11" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:24" version="1" check="at least one" comment="sysctl net.ipv4.tcp_syncookies must be 1" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:27" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC must be y" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" /> +</ind-def:textfilecontent54_test> +<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:29" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_TPE must be y" check_existence="at_least_one_exists"> + <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:14" /> + <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" /> 
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:31" version="1" check="at least one" comment="kernel config CONFIG_PAX must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:15" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:32" version="1" check="at least one" comment="kernel config CONFIG_PAX_NOEXEC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:16" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:33" version="1" check="at least one" comment="kernel config CONFIG_PAX_....EXEC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:34" version="1" check="at least one" comment="kernel config CONFIG_PAX_MPROTECT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:18" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:35" version="1" check="at least one" comment="kernel config CONFIG_PAX_ASLR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:19" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDKSTACK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:20" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:37" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDUSTACK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:38" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDMMAP must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:40" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_USER must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:41" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:42" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_ADD must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:43" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_LINK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:44" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_FIFO must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:28" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:45" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:29" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:46" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:30" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:20" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:47" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:31" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:21" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:48" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:32" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:22" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:49" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:33" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:23" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:50" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:34" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:24" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:51" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:35" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:25" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:52" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:36" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:26" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:53" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:37" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:27" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:54" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:38" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:28" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:55" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:39" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:29" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:56" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:40" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:30" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:57" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:41" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:31" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:58" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:42" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:32" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:59" version="1" check="at least one" comment="kernel config CONFIG_SYN_COOKIES must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:43" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:33" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:61" version="1" check="at least one" comment="kernel config CONFIG_CC_STACKPROTECTOR must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:49" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:39" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:63" version="1" check="at least one" comment="kernel config CONFIG_DEBUG_RODATA must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:50" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:40" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:65" version="1" check="at least one" comment="kernel config CONFIG_STRICT_DEVMEM must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:51" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:41" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:67" version="1" check="at least one" comment="kernel config CONFIG_PROC_KCORE must not be set" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:52" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:42" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:69" version="1" check="at least one" comment="kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:53" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:43" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:71" version="1" check="at least one" comment="kernel config CONFIG_ARCH_RANDOM must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:44" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:34" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:73" version="1" check="at least one" comment="kernel config CONFIG_HW_RANDOM must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:45" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:35" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:75" version="1" check="at least one" comment="kernel config CONFIG_HW_RANDOM_* must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:46" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:36" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:77" version="1" check="at least one" comment="kernel config CONFIG_AUDIT must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:47" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:37" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:79" version="1" check="at least one" comment="kernel config CONFIG_AUDITSYSCALL must be y" check_existence="at_least_one_exists">
+ <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:48" />
+ <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:38" />
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/ip_forward">
+ <ind-def:filepath>/proc/sys/net/ipv4/ip_forward</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/rp_filter">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/rp_filter</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/rp_filter">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/rp_filter</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:4" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/accept_source_route">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/accept_source_route</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:5" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/accept_source_route">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/accept_source_route</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:6" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/accept_redirects">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/accept_redirects</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:7" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/accept_redirects">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/accept_redirects</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:8" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts">
+ <ind-def:filepath>/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses">
+ <ind-def:filepath>/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:10" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/log_martians">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/all/log_martians</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:11" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/log_martians">
+ <ind-def:filepath>/proc/sys/net/ipv4/conf/default/log_martians</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/tcp_syncookies">
+ <ind-def:filepath>/proc/sys/net/ipv4/tcp_syncookies</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:14" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_TPE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_TPE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:15" version="1" comment="Kernel configuration entry CONFIG_PAX">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:16" version="1" comment="Kernel configuration entry CONFIG_PAX_NOEXEC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_NOEXEC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:17" version="1" comment="Kernel configuration entry CONFIG_PAX_....EXEC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_....EXEC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:18" version="1" comment="Kernel configuration entry CONFIG_PAX_MPROTECT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_MPROTECT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:19" version="1" comment="Kernel configuration entry CONFIG_PAX_ASLR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_ASLR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:20" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDKSTACK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDKSTACK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:21" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDUSTACK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDUSTACK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:22" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDMMAP">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDMMAP.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:24" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_USER">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_USER.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:25" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_USERGROUP">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_USERGROUP.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_ADD">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_ADD.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:27" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_LINK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_LINK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:28" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_FIFO">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_FIFO.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:29" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:30" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_MOUNT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_MOUNT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:31" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_DOUBLE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_DOUBLE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:32" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_PIVOT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_PIVOT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:33" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CHDIR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CHDIR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:34" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CHMOD">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CHMOD.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:35" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_FCHDIR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_FCHDIR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:36" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_MKNOD">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_MKNOD.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:37" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_SHMAT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_SHMAT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:38" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_UNIX">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_UNIX.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:39" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_FINDTASK">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_FINDTASK.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:40" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_NICE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_NICE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:41" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_SYSCTL">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_SYSCTL.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:42" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CAPS">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CAPS.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:43" version="1" comment="Kernel configuration entry CONFIG_SYN_COOKIES">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_SYN_COOKIES.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:44" version="1" comment="Kernel configuration entry CONFIG_ARCH_RANDOM">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_ARCH_RANDOM.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:45" version="1" comment="Kernel configuration entry CONFIG_HW_RANDOM">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_HW_RANDOM.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:46" version="1" comment="Kernel configuration entry CONFIG_HW_RANDOM_*">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_HW_RANDOM_*.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:47" version="1" comment="Kernel configuration entry CONFIG_AUDIT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_AUDIT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:48" version="1" comment="Kernel configuration entry CONFIG_AUDITSYSCALL">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_AUDITSYSCALL.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:49" version="1" comment="Kernel configuration entry CONFIG_CC_STACKPROTECTOR">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_CC_STACKPROTECTOR.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:50" version="1" comment="Kernel configuration entry CONFIG_DEBUG_RODATA">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_DEBUG_RODATA.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:51" version="1" comment="Kernel configuration entry CONFIG_STRICT_DEVMEM">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_STRICT_DEVMEM.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:52" version="1" comment="Kernel configuration entry CONFIG_PROC_KCORE">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_PROC_KCORE.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:53" version="1" comment="Kernel configuration entry CONFIG_SECURITY_DMESG_RESTRICT">
+ <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+ <ind-def:pattern operation="pattern match">(CONFIG_SECURITY_DMESG_RESTRICT.*)</ind-def:pattern>
+ <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of 0">
+ <ind-def:subexpression operation="pattern match">0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of 1">
+ <ind-def:subexpression operation="pattern match">1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of CONFIG_GRKERNSEC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of CONFIG_GRKERNSEC_TPE=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_TPE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of CONFIG_PAX=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of CONFIG_PAX_NOEXEC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_NOEXEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of CONFIG_PAX_....EXEC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_....EXEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of CONFIG_PAX_MPROTECT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_MPROTECT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of CONFIG_PAX_ASLR=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_ASLR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of CONFIG_PAX_RANDKSTACK=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDKSTACK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of CONFIG_PAX_RANDUSTACK=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDUSTACK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of CONFIG_PAX_RANDMMAP=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDMMAP=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of CONFIG_GRKERNSEC_PROC=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_USER=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_USER=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_USERGROUP=y">
+ <ind-def:subexpression
operation="pattern match">CONFIG_GRKERNSEC_PROC_USERGROUP=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_ADD=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_ADD=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of CONFIG_GRKERNSEC_LINK=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_LINK=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of CONFIG_GRKERNSEC_FIFO=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_FIFO=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:20" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_MOUNT=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_MOUNT=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:21" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_DOUBLE=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_DOUBLE=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:22" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_PIVOT=y"> + <ind-def:subexpression operation="pattern 
match">CONFIG_GRKERNSEC_CHROOT_PIVOT=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:23" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CHDIR=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CHDIR=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:24" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CHMOD=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CHMOD=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:25" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_FCHDIR=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_FCHDIR=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:26" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_MKNOD=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_MKNOD=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:27" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_SHMAT=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_SHMAT=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:28" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_UNIX=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_UNIX=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:29" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_FINDTASK=y"> + <ind-def:subexpression operation="pattern 
match">CONFIG_GRKERNSEC_CHROOT_FINDTASK=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:30" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_NICE=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_NICE=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:31" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_SYSCTL=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_SYSCTL=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:32" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CAPS=y"> + <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CAPS=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:33" version="1" comment="The match of CONFIG_SYN_COOKIES=y"> + <ind-def:subexpression operation="pattern match">CONFIG_SYN_COOKIES=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:34" version="1" comment="The match of CONFIG_ARCH_RANDOM=y"> + <ind-def:subexpression operation="pattern match">CONFIG_ARCH_RANDOM=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:35" version="1" comment="The match of CONFIG_HW_RANDOM=y"> + <ind-def:subexpression operation="pattern match">CONFIG_HW_RANDOM=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> +<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:36" version="1" comment="The match of CONFIG_HW_RANDOM_*=y"> + <ind-def:subexpression operation="pattern match">CONFIG_HW_RANDOM_*=y</ind-def:subexpression> +</ind-def:textfilecontent54_state> 
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:37" version="1" comment="The match of CONFIG_AUDIT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_AUDIT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:38" version="1" comment="The match of CONFIG_AUDITSYSCALL=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_AUDITSYSCALL=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:39" version="1" comment="The match of CONFIG_CC_STACKPROTECTOR=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_CC_STACKPROTECTOR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:40" version="1" comment="The match of CONFIG_DEBUG_RODATA=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_DEBUG_RODATA=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:41" version="1" comment="The match of CONFIG_STRICT_DEVMEM=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_STRICT_DEVMEM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:42" version="1" comment="The match of # CONFIG_PROC_KCORE is not set">
+ <ind-def:subexpression operation="pattern match"># CONFIG_PROC_KCORE is not set</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:43" version="1" comment="The match of CONFIG_SECURITY_DMESG_RESTRICT=y">
+ <ind-def:subexpression operation="pattern match">CONFIG_SECURITY_DMESG_RESTRICT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+<!--
+<variables>
+-->
+<!-- @@GENOVAL START VARIABLES -->
+<!-- @@GENOVAL 
END VARIABLES -->
+<!--
+<local_variable id="oval:org.gentoo.dev.swift.genoval:var:1" version="1" datatype="string" comment="Location where the helper scripts output is stored">
+ <object_component item_field="value" object_ref="oval:org.gentoo.dev.swift.genoval:obj:1"/>
+</local_variable>
+</variables>
+-->
+</oval_definitions>
diff --git a/xml/SCAP/kernel-xccdf.xml b/xml/SCAP/kernel-xccdf.xml
new file mode 100644
index 0000000..4cfdbe8
--- /dev/null
+++ b/xml/SCAP/kernel-xccdf.xml
@@ -0,0 +1,967 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Gentoo-Security-Benchmark-Kernel-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0">
+ <status date="2012-07-21">draft</status>
+ <title>Hardening Linux Kernel</title>
+ <description>
+ The Linux kernel is at the heart of every Linux system. With its extensive configuration
+ options, it comes to no surprise that specific settings can be enabled to further harden
+ your system.
+ <h:br />
+ <h:br />
+ In this guide, we focus on Linux kernel configuration entries that support additional
+ hardening of your system, as well as the configuration through the <h:em>syctl</h:em>
+ settings.
+ </description>
+ <platform idref="cpe:/o:gentoo:linux"/>
+ <version>1</version>
+ <model system="urn:xccdf:scoring:default"/>
+ <model system="urn:xccdf:scoring:flat"/>
+ <Profile id="Default">
+ <title>Default vanilla kernel hardening</title>
+ <description>
+ Profile matching all standard (vanilla-kernel) hardening rules
+ </description>
+ <select idref="rule-sysctl-ipv4-forward" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-rp_filter" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-rp_filter" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-asr" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-asr" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-aredirect" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-aredirect" selected="true" />
+ <select idref="rule-sysctl-ipv4-echobroadcast" selected="true" />
+ <select idref="rule-sysctl-icmpboguserror" selected="true" />
+ <select idref="rule-sysctl-ipv4-all-logmartians" selected="true" />
+ <select idref="rule-sysctl-ipv4-default-logmartians" selected="true" />
+ <select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
+ <select idref="rule-kernel-syncookies" selected="true" />
+ <select idref="rule-kernel-config-rand" selected="true" />
+ <select idref="rule-kernel-config-hwrand" selected="true" />
+ <select idref="rule-kernel-config-hwrand-detail" selected="true" />
+ <select idref="rule-kernel-config-audit" selected="true" />
+ <select idref="rule-kernel-config-audit-syscall" selected="true" />
+ <select idref="rule-kernel-ccstackprotect" selected="true" />
+ <select idref="rule-kernel-rodata" selected="true" />
+ <select idref="rule-kernel-strictdevmem" selected="true" />
+ <select idref="rule-kernel-prockcore" selected="true" />
+ <select idref="rule-kernel-nodmesg" selected="true" />
+ </Profile>
+ <Profile id="Full" extends="grSecurity">
+ <title>grSecurity (incl. PaX) kernel hardening</title>
+ <description>
+ Profile matching the recommended PaX settings and grSecurity
+ settings
+ </description>
+ <select idref="rule-kernel-grsec" selected="true" />
+ <select idref="rule-kernel-grsec-pax" selected="true" />
+ <select idref="rule-kernel-grsec-pax-noexec" selected="true" />
+ <select idref="rule-kernel-grsec-pax-anyexec" selected="true" />
+ <select idref="rule-kernel-grsec-pax-mprotect" selected="true" />
+ <select idref="rule-kernel-grsec-pax-aslr" selected="true" />
+ <select idref="rule-kernel-grsec-pax-randkstack" selected="true" />
+ <select idref="rule-kernel-grsec-pax-randustack" selected="true" />
+ <select idref="rule-kernel-grsec-pax-randmmap" selected="true" />
+ </Profile>
+ <Profile id="grSecurity" extends="Default">
+ <title>grSecurity specific kernel hardening</title>
+ <description>
+ Profile matching the recommended grSecurity settings (except PaX)
+ </description>
+ <select idref="rule-kernel-grsec" selected="true" />
+ <select idref="rule-kernel-tpe" selected="true" />
+ <select idref="rule-kernel-grsec-proc" selected="true" />
+ <select idref="rule-kernel-grsec-proc-user" selected="true" />
+ <select idref="rule-kernel-grsec-proc-usergroup" 
selected="true" /> + <select idref="rule-kernel-grsec-proc-add" selected="true" /> + <select idref="rule-kernel-grsec-link" selected="true" /> + <select idref="rule-kernel-grsec-fifo" selected="true" /> + <select idref="rule-kernel-grsec-chroot" selected="true" /> + <select idref="rule-kernel-grsec-chroot-mount" selected="true" /> + <select idref="rule-kernel-grsec-chroot-double" selected="true" /> + <select idref="rule-kernel-grsec-chroot-pivot" selected="true" /> + <select idref="rule-kernel-grsec-chroot-chdir" selected="true" /> + <select idref="rule-kernel-grsec-chroot-chmod" selected="true" /> + <select idref="rule-kernel-grsec-chroot-fchdir" selected="true" /> + <select idref="rule-kernel-grsec-chroot-mknod" selected="true" /> + <select idref="rule-kernel-grsec-chroot-shmat" selected="true" /> + <select idref="rule-kernel-grsec-chroot-unix" selected="true" /> + <select idref="rule-kernel-grsec-chroot-findtask" selected="true" /> + <select idref="rule-kernel-grsec-chroot-nice" selected="true" /> + <select idref="rule-kernel-grsec-chroot-sysctl" selected="true" /> + <select idref="rule-kernel-grsec-chroot-caps" selected="true" /> + </Profile> + <Group id="gt-kernelconfig"> + <title>Kernel Configuration</title> + <description> + The Linux kernel should be configured using a sane security standard in + mind. When using grSecurity, additional security-enhancing settings can + be enabled. + <h:br /> + <h:br /> + In this guide, kernel configuration is shown in the short-hand notation. + This allows us to document configuration settings in a way that is somewhat more + future proof, since the position of the settings in the kernel configuration changes + often. In the resources below you will find instructions on how to convert short-hand + notation to the current, right location in the configuration. 
+ <h:br /> + <h:br /> + Kernel configuration can be handled through <h:b>make menuconfig</h:b> within + the Linux kernel source code repository (usually <h:code>/usr/src/linux</h:code>). + </description> + <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference> + <Group id="gt-kernelconfig-general"> + <title>General kernel configuration settings</title> + <description> + Next to the grSecurity-related settings, general Linux kernel configuration entries have a positive + influence on the security of your system. These settings are described further in this section + </description> + <Group id="gt-kernelconfig-general-random"> + <title>Enable random number generator</title> + <description> + If supported by your platform, enable the random number generator to provide + a high bandwidth, secure source of random numbers (which is important for cryptographic + functions). This can be accomplished using the <h:code>CONFIG_ARCH_RANDOM</h:code> setting. + <h:br /> + <h:br /> + Next, enable hardware-supported random generators (<h:code>CONFIG_HW_RANDOM</h:code>) and + select the random number generator for your platform. Examples are the Intel i8xx-based + random number generator (<h:code>CONFIG_HW_RANDOM_INTEL</h:code>) or the AMD 76x-based + ones (<h:code>CONFIG_HW_RANDOM_AMD</h:code>) but others exist as well. 
+ </description> + <!-- @@GEN START rule-kernel-config-rand --> +<Rule id="rule-kernel-config-rand" selected="false"> + <title>kernel config CONFIG_ARCH_RANDOM must be y</title> + <description>Enable a secure random number generator</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:71" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-config-rand --> + <!-- @@GEN START rule-kernel-config-hwrand --> +<Rule id="rule-kernel-config-hwrand" selected="false"> + <title>kernel config CONFIG_HW_RANDOM must be y</title> + <description>Enable hardware-supported random number generator</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:73" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-config-hwrand --> + <!-- @@GEN START rule-kernel-config-hwrand-detail --> +<Rule id="rule-kernel-config-hwrand-detail" selected="false"> + <title>kernel config CONFIG_HW_RANDOM_* must be y</title> + <description>Enable specific hardware supported random number generators</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:75" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-config-hwrand-detail --> + </Group> + <!-- Do not enable, only works on systemd systems + <Group id="gt-kernelconfig-general-immutableuid"> + <title>Make audit loginuid immutable</title> + <description> + </description> + </Group> + --> + <Group id="gt-kernelconfig-general-audit"> + <title>Enable audit support</title> + <description> + If you need to enable auditing on the system (which definitely is a best practice to follow), you + will need to enable auditing in the kernel configuration (<h:code>CONFIG_AUDIT</h:code>) together + with support for auditing system 
calls (<h:code>CONFIG_AUDITSYSCALL</h:code>) + </description> + <!-- @@GEN START rule-kernel-config-audit --> +<Rule id="rule-kernel-config-audit" selected="false"> + <title>kernel config CONFIG_AUDIT must be y</title> + <description>Enable audit support</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:77" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-config-audit --> + <!-- @@GEN START rule-kernel-config-audit-syscall --> +<Rule id="rule-kernel-config-audit-syscall" selected="false"> + <title>kernel config CONFIG_AUDITSYSCALL must be y</title> + <description>Enable system call auditing support</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:79" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-config-audit-syscall --> + </Group> + <Group id="gt-kernelconfig-general-syncookie"> + <title>Enable TCP SYN cookie protection support</title> + <description> + To support SYN cookies (a method to work around a denial-of-service attack using a flood + of SYN requests) the Linux kernel first needs to be configured to support the method. This + is handled through the <h:code>CONFIG_SYN_COOKIES</h:code> parameter. + <h:br /> + <h:br /> + Further configuration of this setting is then handled by the <h:b>sysctl</h:b> settings (which + we describe later in this guide). 
+ </description> + <!-- @@GEN START rule-kernel-syncookies --> +<Rule id="rule-kernel-syncookies" selected="false"> + <title>kernel config CONFIG_SYN_COOKIES must be y</title> + <description>kernel config CONFIG_SYN_COOKIES must be y</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:59" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-syncookies --> + </Group> + <Group id="gt-kernelconfig-general-stackprotect"> + <title>Enable compiler-driven stack protection</title> + <description> + In Gentoo Hardened, the use of stack protection in the compiler is by default enabled, but for + the Linux kernel, this feature is only selectable through the <h:code>CONFIG_CC_STACKPROTECTOR</h:code> + selection. + <h:br /> + <h:br /> + Enabling this will provide some level of protection against stack based buffer overflows within + the Linux kernel memory (not the user processes). If detected, the kernel will die with a kernel panic. 
+ <!-- + This is not available if UDEREF is setµ + https://forums.grsecurity.net/viewtopic.php?t=2725 + --> + </description> + <!-- @@GEN START rule-kernel-ccstackprotect --> +<Rule id="rule-kernel-ccstackprotect" selected="false"> + <title>kernel config CONFIG_CC_STACKPROTECTOR must be y</title> + <description>Enable kernel stack protection through compiler directive</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:61" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-ccstackprotect --> + </Group> + <Group id="gt-kernelconfig-general-rodata"> + <title>Mark read-only data pages as write-protected</title> + <description> + When <h:code>CONFIG_DEBUG_RODATA</h:code> is set, the memory pages containing the Linux + kernel read-only data are marked as write-protected, so that any attempt to update the data is + trapped, prevented and reported. + </description> + <!-- @@GEN START rule-kernel-rodata --> +<Rule id="rule-kernel-rodata" selected="false"> + <title>kernel config CONFIG_DEBUG_RODATA must be y</title> + <description>Write-protect kernel read-only data structures</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:63" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-rodata --> + </Group> + <Group id="gt-kernelconfig-restrictmemaccess"> + <title>Restrict memory access through /dev/mem</title> + <description> + Do not allow root processes full access to all of the systems' memory through <h:code>/dev/mem</h:code> + (which includes kernel memory and process memory). This should only be needed for kernel programmers or + kernel debugging. + <h:br /> + <h:br /> + By enabling <h:code>CONFIG_STRICT_DEVMEM</h:code> the (root) user can only access memory regions expected + for all legitimate common usage of <h:code>/dev/mem</h:code>. 
+ </description> + <!-- @@GEN START rule-kernel-strictdevmem --> +<Rule id="rule-kernel-strictdevmem" selected="false"> + <title>kernel config CONFIG_STRICT_DEVMEM must be y</title> + <description>Filter access to /dev/mem</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:65" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-strictdevmem --> + </Group> + <Group id="gt-kernelconfig-prockcore"> + <title>Disable /proc/kcore support</title> + <description> + When <h:code>CONFIG_PROC_KCORE</h:code> is selected, the system will have a <h:code>/proc/kcore</h:code> + pseudo-file which corresponds to the system memory. As we do not want users snooping around in our + memory, support for this must be disabled. + </description> + <!-- @@GEN START rule-kernel-prockcore --> +<Rule id="rule-kernel-prockcore" selected="false"> + <title>kernel config CONFIG_PROC_KCORE must not be set</title> + <description>Disable support for /proc/kcore</description> + <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> + <check-content-ref name="oval:org.gentoo.dev.swift:def:67" href="scap-kernel-oval.xml" /> + </check> +</Rule> + <!-- @@GEN END rule-kernel-prockcore --> + </Group> + <Group id="gt-kernelconfig-nodmesg"> + <title>Restrict access to the kernel syslog</title> + <description> + Users that hold no administrator function on the system should not need to access the + kernel system logs (through <h:b>dmesg</h:b>). You can enforce this through the + <h:code>CONFIG_SECURITY_DMESG_RESTRICT</h:code> option, but if you chose not to, + you can still enable it through the sysctl <h:code>kernel.dmesg_restrict</h:code>. + <h:br /> + <h:br /> + Also, grSecurity has a related kernel setting for this (<h:code>CONFIG_GRKERNSEC_DMESG</h:code>) + which accomplishes the same. 
As a matter of fact, the <h:code>CONFIG_SECURITY_DMESG_RESTRICT</h:code>
+ setting is somewhat based on the grSecurity patch and available in the main kernel tree.
+ </description>
+ <!-- @@GEN START rule-kernel-nodmesg -->
+<Rule id="rule-kernel-nodmesg" selected="false">
+ <title>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</title>
+ <description>Restrict unprivileged access to dmesg (kernel syslog)</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:69" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-nodmesg -->
+ </Group>
+ </Group>
+ <Group id="gt-kernelconfig-grsec">
+ <title>Use grSecurity</title>
+ <description>
+ grSecurity is a set of kernel patches that provides additional countermeasures
+ against popular exploit methods and common vulnerabilities. Although the patchset
+ is not part of the mainstream Linux kernel sources, Gentoo offers grSecurity through
+ the <h:code>hardened-sources</h:code> kernel package.
+ <h:br />
+ <h:br />
+ If you do not intend to use grSecurity, then you can ignore the rest of this section.
+ </description>
+ <reference href="https://grsecurity.net">grSecurity Homepage</reference>
+ <reference href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Gentoo grSecurity v2 Guide</reference>
+ <!-- @@GEN START rule-kernel-grsec -->
+<Rule id="rule-kernel-grsec" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC must be y</title>
+ <description>Enable grSecurity</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec -->
+ <Group id="gt-kernelconfig-grsec-pax">
+ <title>Use PaX</title>
+ <description>
+ With PaX, additional protection against memory corruption bugs and exploits
+ is enabled.
We recommend to enable the following settings:
+ <h:ul>
+ <h:li>
+ <h:em>Use legacy ELF header marking</h:em> (<h:code>CONFIG_PAX_EI_PAX</h:code>) and
+ <h:em>Use ELF program header marking</h:em> (<h:code>CONFIG_PAX_PT_PAX_FLAGS</h:code>) so that
+ you can enable/disable PaX settings on a per-binary basis.
+ </h:li>
+ <h:li>
+ <h:em>Enforce non-executable pages</h:em> (<h:code>CONFIG_PAX_NOEXEC</h:code>) to disable allocation of
+ memory that is both executable (contains runnable code) and writeable. Write- and executable
+ pages are risky as it allows attackers to introduce code (through overflows or other methods)
+ in memory and then execute that code. However, the downside is that there are still applications
+ (or drivers) that depend on RWX memory.
+ </h:li>
+ <h:li>
+ <h:em>Segmentation based non-executable pages</h:em> (<h:code>CONFIG_PAX_SEGMEXEC</h:code>) or
+ <h:em>Paging based non-executable pages</h:em> (<h:code>CONFIG_PAX_PAGEEXEC</h:code>) will support the
+ non-executable pages through memory segmentation or paging rules.
+ </h:li>
+ <h:li>
+ <h:em>Emulate trampolines</h:em> (<h:code>CONFIG_PAX_EMUTRAMP</h:code>) if you are on x86_32 architecture (the option
+ is not available for x86_64). This will enable emulation of trampolines (small bits of code in
+ non-executable memory pages) for those applications that you enable this on (which can be triggered
+ through <h:b>chpax</h:b> or <h:b>paxctl</h:b>).
+ </h:li>
+ <h:li>
+ <h:em>Restrict mprotect()</h:em> (<h:code>CONFIG_PAX_MPROTECT</h:code>) will restrict the use of <h:em>mprotect()</h:em>
+ so that applications cannot switch the purpose of pages (executable vs non-executable and such) after
+ creating them.
+ </h:li>
+ <h:li>
+ <h:em>Address Space Layout Randomization</h:em> (<h:code>CONFIG_PAX_ASLR</h:code>) to introduce some randomization
+ in the memory allocation so that attackers will find it much more difficult to guess the address
+ of specific pages correctly.
+ </h:li>
+ <h:li>
+ <h:em>Randomize kernel stack base</h:em> (<h:code>CONFIG_PAX_RANDKSTACK</h:code>) to randomize every task's kernel
+ stack on each system call, making it more difficult to both guess locations as well as use leaked
+ information from previous calls.
+ </h:li>
+ <h:li>
+ <h:em>Randomize user stack base</h:em> (<h:code>CONFIG_PAX_RANDUSTACK</h:code>) to randomize every task's userland
+ stack, providing similar protection as mentioned earlier but for user applications.
+ </h:li>
+ <h:li>
+ <h:em>Randomize mmap() base</h:em> (<h:code>CONFIG_PAX_RANDMMAP</h:code>) to randomize the base address of
+ mmap() requests (unless the requests specify an address themselves). This will cause dynamically
+ loaded libraries to appear at random addresses.
+ </h:li>
+ </h:ul>
+ </description>
+ <!-- @@GEN START rule-kernel-grsec-pax -->
+<Rule id="rule-kernel-grsec-pax" selected="false">
+ <title>kernel config CONFIG_PAX must be y</title>
+ <description>Enable PaX protection</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:31" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax -->
+ <!-- @@GEN START rule-kernel-grsec-pax-noexec -->
+<Rule id="rule-kernel-grsec-pax-noexec" selected="false">
+ <title>kernel config CONFIG_PAX_NOEXEC must be y</title>
+ <description>kernel config CONFIG_PAX_NOEXEC must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-noexec -->
+ <!-- @@GEN START rule-kernel-grsec-pax-anyexec -->
+<Rule id="rule-kernel-grsec-pax-anyexec" selected="false">
+ <title>kernel config CONFIG_PAX_....EXEC must be y</title>
+ <description>kernel config CONFIG_PAX_....EXEC must be y</description>
+ <check
system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-anyexec -->
+ <!-- @@GEN START rule-kernel-grsec-pax-mprotect -->
+<Rule id="rule-kernel-grsec-pax-mprotect" selected="false">
+ <title>kernel config CONFIG_PAX_MPROTECT must be y</title>
+ <description>kernel config CONFIG_PAX_MPROTECT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-mprotect -->
+ <!-- @@GEN START rule-kernel-grsec-pax-aslr -->
+<Rule id="rule-kernel-grsec-pax-aslr" selected="false">
+ <title>kernel config CONFIG_PAX_ASLR must be y</title>
+ <description>kernel config CONFIG_PAX_ASLR must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-aslr -->
+ <!-- @@GEN START rule-kernel-grsec-pax-randkstack -->
+<Rule id="rule-kernel-grsec-pax-randkstack" selected="false">
+ <title>kernel config CONFIG_PAX_RANDKSTACK must be y</title>
+ <description>kernel config CONFIG_PAX_RANDKSTACK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-randkstack -->
+ <!-- @@GEN START rule-kernel-grsec-pax-randustack -->
+<Rule id="rule-kernel-grsec-pax-randustack" selected="false">
+ <title>kernel config CONFIG_PAX_RANDUSTACK must be y</title>
+ <description>kernel config CONFIG_PAX_RANDUSTACK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
<check-content-ref name="oval:org.gentoo.dev.swift:def:37" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-randustack -->
+ <!-- @@GEN START rule-kernel-grsec-pax-randmmap -->
+<Rule id="rule-kernel-grsec-pax-randmmap" selected="false">
+ <title>kernel config CONFIG_PAX_RANDMMAP must be y</title>
+ <description>kernel config CONFIG_PAX_RANDMMAP must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:38" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-pax-randmmap -->
+ </Group>
+ <Group id="gt-kernelconfig-grsec-filesystem">
+ <title>Enable file system protection measures</title>
+ <description>
+ In the grSecurity patches, a set of additional protections are included to thwart information
+ leakage as well as further limit chroot environments. We recommend to enable the following settings:
+ <h:ul>
+ <h:li>
+ <h:em>Proc restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_PROC</h:code>) so that the <h:code>/proc</h:code> file system
+ will be altered to enhance privacy (prevent information leakage).
+ </h:li>
+ <h:li>
+ <h:em>Restrict /proc to user only</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_USER</h:code>) so that non-root users cannot
+ see processes of other users.
+ </h:li>
+ <h:li>
+ <h:em>Allow special group</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_USERGROUP</h:code>) so that the members of a specific
+ group can see other users' processes and network-related information.
+ </h:li>
+ <h:li>
+ <h:em>Additional restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_ADD</h:code>) will prevent non-root users to
+ see device information and memory information which can be (ab)used for exploit purposes.
+ </h:li>
+ <h:li>
+ <h:em>Linking restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_LINK</h:code>) will prevent users to follow
+ symlinks that are owned by other users in world-writeable sticky directories such as <h:code>/tmp</h:code>
+ (unless that user is the owner of that directory). This prevents a certain kind of race conditions.
+ </h:li>
+ <h:li>
+ <h:em>FIFO restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_FIFO</h:code>) will prevent users to write into
+ FIFOs in world-writeable sticky directories (like <h:code>/tmp</h:code> if they do not own
+ these FIFOs themselves.
+ </h:li>
+ <h:li>
+ <h:em>Chroot jail restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_CHROOT</h:code> and all chroot-related options) to
+ make the chroot jails more strict and less easy to break out from.
+ </h:li>
+ </h:ul>
+ </description>
+ <!-- @@GEN START rule-kernel-grsec-proc -->
+<Rule id="rule-kernel-grsec-proc" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:39" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc -->
+ <!-- @@GEN START rule-kernel-grsec-proc-user -->
+<Rule id="rule-kernel-grsec-proc-user" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:40" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc-user -->
+ <!-- @@GEN START rule-kernel-grsec-proc-usergroup -->
+<Rule id="rule-kernel-grsec-proc-usergroup" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</title>
+ <description>kernel config
CONFIG_GRKERNSEC_PROC_USERGROUP must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:41" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc-usergroup -->
+ <!-- @@GEN START rule-kernel-grsec-proc-add -->
+<Rule id="rule-kernel-grsec-proc-add" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:42" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-proc-add -->
+ <!-- @@GEN START rule-kernel-grsec-link -->
+<Rule id="rule-kernel-grsec-link" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_LINK must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_LINK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:43" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-link -->
+ <!-- @@GEN START rule-kernel-grsec-fifo -->
+<Rule id="rule-kernel-grsec-fifo" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_FIFO must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_FIFO must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:44" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-fifo -->
+ <!-- @@GEN START rule-kernel-grsec-chroot -->
+<Rule id="rule-kernel-grsec-chroot" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT must be y</description>
+ <check
system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:45" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-mount -->
+<Rule id="rule-kernel-grsec-chroot-mount" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:46" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-mount -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-double -->
+<Rule id="rule-kernel-grsec-chroot-double" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:47" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-double -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-pivot -->
+<Rule id="rule-kernel-grsec-chroot-pivot" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:48" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-pivot -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-chdir -->
+<Rule id="rule-kernel-grsec-chroot-chdir" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be
y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:49" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-chdir -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-chmod -->
+<Rule id="rule-kernel-grsec-chroot-chmod" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:50" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-chmod -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-fchdir -->
+<Rule id="rule-kernel-grsec-chroot-fchdir" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:51" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-fchdir -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-mknod -->
+<Rule id="rule-kernel-grsec-chroot-mknod" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:52" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-mknod -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-shmat -->
+<Rule id="rule-kernel-grsec-chroot-shmat" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</title>
+ <description>kernel config
CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:53" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-shmat -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-unix -->
+<Rule id="rule-kernel-grsec-chroot-unix" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:54" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-unix -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-findtask -->
+<Rule id="rule-kernel-grsec-chroot-findtask" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:55" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-findtask -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-nice -->
+<Rule id="rule-kernel-grsec-chroot-nice" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:56" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-nice -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-sysctl -->
+<Rule id="rule-kernel-grsec-chroot-sysctl" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</title>
+
<description>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:57" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-sysctl -->
+ <!-- @@GEN START rule-kernel-grsec-chroot-caps -->
+<Rule id="rule-kernel-grsec-chroot-caps" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</title>
+ <description>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:58" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-grsec-chroot-caps -->
+ </Group>
+ <Group id="gt-kernelconfig-grsec-tpe">
+ <title>Enable Trusted Path Execution</title>
+ <description>
+ When using <h:code>sys-kernel/hardened-sources</h:code>, enable
+ <h:code>CONFIG_GRKERNSEC_TPE</h:code>, which enabled <h:em>Trusted
+ Path Execution</h:em>, a safety measure that ensures that, for a set
+ of users, these users can only execute binaries and scripts from
+ root-owned directories.
+ </description>
+ <reference href="http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml">Gentoo Hardened grSecurity TPE Guide</reference>
+ <!-- @@GEN START rule-kernel-tpe -->
+<Rule id="rule-kernel-tpe" selected="false">
+ <title>kernel config CONFIG_GRKERNSEC_TPE must be y</title>
+ <description>Enable Trusted Path Execution</description>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-kernel-tpe -->
+ </Group>
+ </Group>
+
+ </Group>
+ <Group id="gt-sysctl">
+ <title>Kernel Tunables (Sysctl)</title>
+ <description>
+ The Linux kernel offers an interface, called <h:b>sysctl</h:b>,
+ allowing to fine-tune kernel parameters (and even changing its
+ behavior). Many parameters offered through sysctl allow an
+ administrator to further strengthen his systems' security.
+ <h:br />
+ <h:br />
+ To read and change sysctl parameters, you can use the
+ <h:b>sysctl</h:b> command or the <h:code>/etc/sysctl.conf</h:code>
+ file (which is used by the <h:code>sysctl</h:code> service (init
+ script), part of the default boot process.
+ <h:pre>### Using sysctl command to read and set variables ###
+# <h:b>sysctl net.ipv4.ip_forward</h:b>
+net.ipv4.ip_forward = 1
+# <h:b>sysctl -w net.ipv4.ip_forward=0</h:b></h:pre>
+ The sysctl values can also be read through the
+ <h:code>/proc/sys</h:code> file system.
+ </description>
+ <Group id="gt-sysctl-ipv4forward">
+ <title>Disable IPv4 Forwarding</title>
+ <description>
+ The <h:code>net.ipv4.ip_forward</h:code> sysctl setting controls if
+ IP forwarding is allowed or not on the system.
+ <h:br />
+ <h:br />
+ Unless the system is used as a router or gateway, IPv4 forwarding
+ should be disabled.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-forward -->
+<Rule id="rule-sysctl-ipv4-forward" selected="false">
+ <title>sysctl net.ipv4.ip_forward must be 0</title>
+ <description>Disable IPv4 forwarding</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/ip_forward</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-forward -->
+ </Group>
+ <Group id="gt-sysctl-sourceroute">
+ <title>Enable Source Route Verification</title>
+ <description>
+ To offer additional protection against IP spoofing, enable source
+ route verification on all interfaces. This is governed through the
+ <h:code>net.ipv4.conf.*.rp_filter=1</h:code> setting.
+ <h:br />
+ <h:br />
+ With source route verification, the Linux kernel validates that an IP
+ packet comes from the right interface. In other words, on a multi-homed
+ system, packets that claim to be from your internal network on your external
+ interface are dropped (and vice versa).
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-rp_filter -->
+<Rule id="rule-sysctl-ipv4-all-rp_filter" selected="false">
+ <title>sysctl net.ipv4.conf.all.rp_filter must be 1</title>
+ <description>Enable source route verification</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-rp_filter -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-rp_filter -->
+<Rule id="rule-sysctl-ipv4-default-rp_filter" selected="false">
+ <title>sysctl net.ipv4.conf.default.rp_filter must be 1</title>
+ <description>Enable source route verification</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-rp_filter -->
+ </Group>
+ <Group id="gt-sysctl-ipsrcroute">
+ <title>Disable IP Source Routing</title>
+ <description>
+ Disable IP source routing on all interfaces through the
+ <h:code>net.ipv4.conf.*.accept_source_route=0</h:code> setting.
+ <h:br />
+ <h:br />
+ IP source routing would allow a remote user (the sender) to specify
+ the route that the packet should take, rather than use the
+ (default) routing tables used by the routers between the sender and
+ the destination. This could be (ab)used to spoof IP addresses and still
+ get the replies (rather than sending the replies to the real owner
+ of the IP address).
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-asr -->
+<Rule id="rule-sysctl-ipv4-all-asr" selected="false">
+ <title>sysctl net.ipv4.conf.all.accept_source_route must be 0</title>
+ <description>Enable IP source routing</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-asr -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-asr -->
+<Rule id="rule-sysctl-ipv4-default-asr" selected="false">
+ <title>sysctl net.ipv4.conf.default.accept_source_route must be 0</title>
+ <description>Enable IP source routing</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-asr -->
+ </Group>
+ <Group id="gt-sysctl-redirect">
+ <title>Disable ICMP Redirects</title>
+ <description>
+ Set <h:code>net.ipv4.conf.*.accept_redirects=0</h:code> to disable
+ ICMP redirect support on the interfaces.
+ <h:br />
+ <h:br />
+ ICMP redirect messages are used by routers to inform hosts to use a
+ different gateway than the one used. These packets should only be
+ sent by the gateway of the system, but since you control that
+ gateway and know when this gateway is changed, there is no point in
+ allowing ICMP redirect messages on your system. After all, this would
+ allow for "remote" updating of your routing table, which could allow
+ an attacker to get all packets you want to send to the outside first
+ (rather than the packets immediately going to the real gateway).
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-aredirect -->
+<Rule id="rule-sysctl-ipv4-all-aredirect" selected="false">
+ <title>sysctl net.ipv4.conf.all.accept_redirects must be 0</title>
+ <description>Disable ICMP redirects</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-aredirect -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-aredirect -->
+<Rule id="rule-sysctl-ipv4-default-aredirect" selected="false">
+ <title>sysctl net.ipv4.conf.default.accept_redirects must be 0</title>
+ <description>Disable ICMP redirects</description>
+ <fix>echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-aredirect -->
+ </Group>
+ <Group id="gt-sysctl-echobroadcast">
+ <title>Ignore ICMP Echo Broadcasts</title>
+ <description>
+ When <h:code>net.ipv4.icmp_echo_ignore_broadcasts=1</h:code> is set,
+ then your system will not reply to broadcast 'ping' requests (a ping
+ is an ICMP Echo request). Similar to hiding a WIFI SSID, this makes
+ your system just a tiny bit more hidden from scanners.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-echobroadcast -->
+<Rule id="rule-sysctl-ipv4-echobroadcast" selected="false">
+ <title>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</title>
+ <description>Ignore ICMP broadcasts</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-echobroadcast -->
+ </Group>
+ <Group id="gt-sysctl-icmpboguserror">
+ <title>Ignore ICMP Bogus Error Responses</title>
+ <description>
+ When an invalid response is given to broadcast frames (which occurs
+ sometimes in erronous routers), the Linux kernel will by default log this
+ event. To ensure that these (harmless) reports do not clutter your logs,
+ you can disable this through <h:code>net.ipv4.icmp_ignore_bogus_error_responses</h:code>
+ by setting it to 1.
+ </description>
+ <!-- @@GEN START rule-sysctl-icmpboguserror -->
+<Rule id="rule-sysctl-icmpboguserror" selected="false">
+ <title>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</title>
+ <description>Ignore ICMP Bogus Error Responses</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-icmpboguserror -->
+ </Group>
+ <Group id="gt-sysctl-martians">
+ <title>Enable Logging of Martians</title>
+ <description>
+ When you receive a packet that seemingly originates from a location where
+ you have no route for, this packet is dropped silently. You can enable logging
+ of these packets (which are called <h:em>martians</h:em>) so that you at least
+ are aware of them.
+ <h:br />
+ <h:br />
+ Note that martians can only exist if you do not use a "default gateway", since
+ a default gateway always matches (if no other route does) for any IP address.
+ <h:br />
+ <h:br />
+ Logging of martians can be enabled through <h:code>net.ipv4.conf.*.log_martians=1</h:code>.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-all-logmartians -->
+<Rule id="rule-sysctl-ipv4-all-logmartians" selected="false">
+ <title>sysctl net.ipv4.conf.all.log_martians must be 1</title>
+ <description>Log all packages that originate from an unknown, unroutable network</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/all/log_martians</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-all-logmartians -->
+ <!-- @@GEN START rule-sysctl-ipv4-default-logmartians -->
+<Rule id="rule-sysctl-ipv4-default-logmartians" selected="false">
+ <title>sysctl net.ipv4.conf.default.log_martians must be 1</title>
+ <description>Log all packages that originate from an unknown, unroutable network</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/conf/default/log_martians</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-default-logmartians -->
+ </Group>
+ <Group id="gt-sysctl-tcpsyncookies">
+ <title>Enable TCP SYN Cookie Protection</title>
+ <description>
+ One denial of service attack against a service would be to flood the server with SYN requests
+ (the TCP packet that starts a handshake for a connection). Such a flood can easily lead to a
+ service disruption as connection state handling would consume a lot of resources in a small timeframe.
+ <h:br />
+ <h:br />
+ By enabling <h:code>net.ipv4.tcp_syncookies</h:code>, the Linux kernel will change its handshake
+ behavior when its SYN backlog queue overflows: it replies to SYN requests with the appropriate
+ SYN+ACK reply, but it does not store the connection in its backlog queue. Instead, it will only
+ do that when it gets the ACK reply on his SYN+ACK. Based on the information in this reply, the
+ Linux kernel can then reconstruct the necessary information to generate an entry in the backlog
+ queue.
+ <h:br />
+ <h:br />
+ It should be noted that enabling TCP cookies is a last-resort. It changes the TCP stack behavior
+ of the Linux kernel, violating TCP protocol and dropping support for certain TCP extensions whose
+ information is only available in a SYN packet.
+ <h:br />
+ <h:br />
+ To enable TCP SYN cookie protection, enable <h:code>CONFIG_SYN_COOKIES</h:code> in the kernel,
+ set <h:code>net.ipv4.tcp_syncookies=1</h:code> and set proper values for <h:code>net.ipv4.tcp_max_syn_backlog</h:code>,
+ <h:code>net.ipv4.tcp_synack_retries</h:code> and <h:code>net.ipv4.tcp_abort_on_overflow</h:code>.
+ </description>
+ <!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
+<Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
+ <title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+ <description>Enable TCP SYN cookie protection</description>
+ <fix>echo 1 > /proc/sys/net/ipv4/tcp_syncookies</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:24" href="scap-kernel-oval.xml" />
+ </check>
+</Rule>
+ <!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->
+ </Group>
+ </Group>
+</Benchmark> |