From d95ab3d253417b8030ee4d9620bd7ed06c4f28e1 Mon Sep 17 00:00:00 2001
From: Michael Boelen <michael.boelen@cisofy.com>
Date: Thu, 18 Aug 2016 14:35:20 +0200
Subject: Support sysctl checks with multiple profiles

---
 default.prf | 131 ++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 70 insertions(+), 61 deletions(-)

(limited to 'default.prf')

diff --git a/default.prf b/default.prf
index 9e797561..a9d9f519 100644
--- a/default.prf
+++ b/default.prf
@@ -153,74 +153,83 @@ plugin=users
 #
 #################################################################################
 
+# Config
+# - Type (sysctl)
+# - Setting (kernel.sysrq)
+# - Expected value (0)
+# - Hardening Points (1)
+# - Description (Disable magic SysRQ)
+# - Related file or command (sysctl -a)
+# - Solution field (url:URL, text:TEXT, or -)
+
 # Processes
-#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
-sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
-sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
+config-data=sysctl;security.bsd.see_other_gids;0;1;Disable display of processes of other groups;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Disable display of processes of other users;sysctl -a;-;category:security;
 
 # Kernel
-sysctl:kern.sugid_coredump:0:1:XXX:
-sysctl:kernel.core_setuid_ok:0:1:XXX:
-sysctl:kernel.core_uses_pid:1:1:XXX:
-sysctl:kernel.ctrl-alt-del:0:1:XXX:
-sysctl:kernel.exec-shield-randomize:1:1:XXX:
-sysctl:kernel.exec-shield:1:1:XXX:
-sysctl:kernel.kptr_restrict:2:1:Restrict access to kernel symbols:
-sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
-sysctl:kernel.use-nx:0:1:XXX:
+config-data=sysctl;kern.sugid_coredump;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 
 # Network
-sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
-sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
-sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
-sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
-sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
-sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
-sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
-sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
-sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
-sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
-sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
-sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
-sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
-#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
-sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
-sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
-sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
+config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic;-;category:security;
+config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
+#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
+config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
 
 [security]
-#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
-#security.jail.jailed: 0
-#security.jail.jail_max_af_ips: 255
-#security.jail.mount_allowed: 0
-#security.jail.chflags_allowed: 0
-#security.jail.allow_raw_sockets: 0
-#security.jail.enforce_statfs: 2
-#security.jail.sysvipc_allowed: 0
-#security.jail.socket_unixiproute_only: 1
-#security.jail.set_hostname_allowed: 1
-#security.bsd.suser_enabled: 1
-#security.bsd.unprivileged_proc_debug: 1
-#security.bsd.conservative_signals: 1
-#security.bsd.unprivileged_read_msgbuf: 1
-#security.bsd.hardlink_check_gid: 0
-#security.bsd.hardlink_check_uid: 0
-#security.bsd.unprivileged_get_quota: 0
+#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
+#security.jail.jailed; 0
+#security.jail.jail_max_af_ips; 255
+#security.jail.mount_allowed; 0
+#security.jail.chflags_allowed; 0
+#security.jail.allow_raw_sockets; 0
+#security.jail.enforce_statfs; 2
+#security.jail.sysvipc_allowed; 0
+#security.jail.socket_unixiproute_only; 1
+#security.jail.set_hostname_allowed; 1
+#security.bsd.suser_enabled; 1
+#security.bsd.unprivileged_proc_debug; 1
+#security.bsd.conservative_signals; 1
+#security.bsd.unprivileged_read_msgbuf; 1
+#security.bsd.hardlink_check_gid; 0
+#security.bsd.hardlink_check_uid; 0
+#security.bsd.unprivileged_get_quota; 0
+#sysctl;kern.randompid;1234;1;Increase the next PID with an amount close to the given value;sysctl -a;-;category:security;
 
 
 #################################################################################
-- 
cgit v1.2.3