From d95ab3d253417b8030ee4d9620bd7ed06c4f28e1 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 18 Aug 2016 14:35:20 +0200 Subject: Support sysctl checks with multiple profiles --- default.prf | 131 ++++++++++++++++++++++------------------- include/profiles | 6 ++ include/tests_kernel_hardening | 77 ++++++++++++++++-------- 3 files changed, 130 insertions(+), 84 deletions(-) diff --git a/default.prf b/default.prf index 9e797561..a9d9f519 100644 --- a/default.prf +++ b/default.prf @@ -153,74 +153,83 @@ plugin=users # ################################################################################# +# Config +# - Type (sysctl) +# - Setting (kernel.sysrq) +# - Expected value (0) +# - Hardening Points (1) +# - Description (Disable magic SysRQ) +# - Related file or command (sysctl -a) +# - Solution field (url:URL, text:TEXT, or -) + # Processes -#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: -sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: -sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: +config-data=sysctl;security.bsd.see_other_gids;0;1;Disable display of processes of other groups;sysctl -a;-;category:security; +config-data=sysctl;security.bsd.see_other_uids;0;1;Disable display of processes of other users;sysctl -a;-;category:security; # Kernel -sysctl:kern.sugid_coredump:0:1:XXX: -sysctl:kernel.core_setuid_ok:0:1:XXX: -sysctl:kernel.core_uses_pid:1:1:XXX: -sysctl:kernel.ctrl-alt-del:0:1:XXX: -sysctl:kernel.exec-shield-randomize:1:1:XXX: -sysctl:kernel.exec-shield:1:1:XXX: -sysctl:kernel.kptr_restrict:2:1:Restrict access to kernel symbols: -sysctl:kernel.sysrq:0:1:Disable magic SysRQ: -sysctl:kernel.use-nx:0:1:XXX: +config-data=sysctl;kern.sugid_coredump;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.core_setuid_ok;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.core_uses_pid;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.ctrl-alt-del;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.exec-shield-randomize;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.exec-shield;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.use-nx;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; # Network -sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: -sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: -sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: -sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: -sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: -sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: -sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: -sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: -sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: -sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: -sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: -sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: -sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore -#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: -sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: -sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: -sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: -sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: +config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security; +config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security; +config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic;-;category:security; +config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic;-;category:security; +config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security; +config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security; +config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security; +config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security; +config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security; +config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security; +config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security; +config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security; +config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security; +#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security; +config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security; +config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security; +config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security; +config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; +config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security; [security] -#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: -#security.jail.jailed: 0 -#security.jail.jail_max_af_ips: 255 -#security.jail.mount_allowed: 0 -#security.jail.chflags_allowed: 0 -#security.jail.allow_raw_sockets: 0 -#security.jail.enforce_statfs: 2 -#security.jail.sysvipc_allowed: 0 -#security.jail.socket_unixiproute_only: 1 -#security.jail.set_hostname_allowed: 1 -#security.bsd.suser_enabled: 1 -#security.bsd.unprivileged_proc_debug: 1 -#security.bsd.conservative_signals: 1 -#security.bsd.unprivileged_read_msgbuf: 1 -#security.bsd.hardlink_check_gid: 0 -#security.bsd.hardlink_check_uid: 0 -#security.bsd.unprivileged_get_quota: 0 +#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level; +#security.jail.jailed; 0 +#security.jail.jail_max_af_ips; 255 +#security.jail.mount_allowed; 0 +#security.jail.chflags_allowed; 0 +#security.jail.allow_raw_sockets; 0 +#security.jail.enforce_statfs; 2 +#security.jail.sysvipc_allowed; 0 +#security.jail.socket_unixiproute_only; 1 +#security.jail.set_hostname_allowed; 1 +#security.bsd.suser_enabled; 1 +#security.bsd.unprivileged_proc_debug; 1 +#security.bsd.conservative_signals; 1 +#security.bsd.unprivileged_read_msgbuf; 1 +#security.bsd.hardlink_check_gid; 0 +#security.bsd.hardlink_check_uid; 0 +#security.bsd.unprivileged_get_quota; 0 +#sysctl;kern.randompid;1234;1;Increase the next PID with an amount close to the given value;sysctl -a;-;category:security; ################################################################################# diff --git a/include/profiles b/include/profiles index b58e907c..f95db59e 100644 --- a/include/profiles +++ b/include/profiles @@ -64,6 +64,12 @@ STRING=$(echo ${VALUE} | tr -d "[" | tr -d "]" | sed "s/, /,/g") CHECK_VALUE_ARRAY="${CHECK_OPTION_ARRAY} ${STRING}" ;; + + # Ignore configuration data + config-data) + Debug "Ignoring configuration option, as it will be used by a specific test" + ;; + # Maximum number of WAITing connections connections-max-wait-state | connections_max_wait_state) OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}" diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 39303326..dde871d2 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -33,33 +33,64 @@ Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 + DATA_TO_SCAN="" N=0 Display --indent 2 --text "- Comparing sysctl key pairs with scan profile" + + # First scan optional profiles only (ignore default and custom) for PROFILE in ${PROFILES}; do - FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /-space-/g'` - for I in ${FIND}; do - tFINDkey=`echo ${I} | awk -F: '{ print $2 }'` - tFINDexpvalue=`echo ${I} | awk -F: '{ print $3 }'` - tFINDhp=`echo ${I} | awk -F: '{ print $4 }' | grep "[0-9]"` - tFINDdesc=`echo ${I} | awk -F: '{ print $5 }' | sed 's/-space-/ /g'` - tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null` - if [ ! "${tFINDcurvalue}" = "" ]; then - if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then - LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})" - Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN - AddHP ${tFINDhp} ${tFINDhp} - else - LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}" - Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED - AddHP 0 ${tFINDhp} - FOUND=1 - N=$((N + 1)) - ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}" - fi - else - LogText "Result: key ${tFINDkey} does not exist on this machine" - fi + FILE=$(echo ${PROFILE} | awk -F/ '{print $NF}') + if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then + FIND=$(grep "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g') + DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}" + fi + done + + # Scan custom profile + if [ ! -z "${CUSTOM_PROFILE}" ]; then + FIND=$(grep "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g') + for LINE in ${FIND}; do + SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }') + HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") + if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi done + fi + + # Last, use data from default profile + if [ ! -z "${DEFAULT_PROFILE}" ]; then + FIND=$(grep "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g') + for LINE in ${FIND}; do + SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }') + HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") + if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi + done + fi + + # Sort the results + DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort) + + for I in ${DATA_TO_SCAN}; do + tFINDkey=$(echo ${I} | awk -F\; '{ print $2 }') + tFINDexpvalue=$(echo ${I} | awk -F\; '{ print $3 }') + tFINDhp=$(echo ${I} | awk -F\; '{ print $4 }' | grep "[0-9]") + tFINDdesc=$(echo ${I} | awk -F\; '{ print $5 }' | sed 's/-space-/ /g') + tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) + if [ ! "${tFINDcurvalue}" = "" ]; then + if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then + LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})" + Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN + AddHP ${tFINDhp} ${tFINDhp} + else + LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}" + Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED + AddHP 0 ${tFINDhp} + FOUND=1 + N=$((N + 1)) + ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}" + fi + else + LogText "Result: key ${tFINDkey} does not exist on this machine" + fi done # Add suggestion if one or more sysctls have a different value than scan profile -- cgit v1.2.3