Exec-shield and virtual address randomization checking.
The test expects the value of /proc/sys/kernel/randomize_va_space to be above zero:
"1" indicates conservative randomization: the addresses of the mmap base and of the VDSO page are randomized.
"2" indicates full randomization: everything that conservative randomization provides, plus randomization of the start of the brk area.
The test expects the value of /proc/sys/kernel/exec-shield to be "1".
Simple analysis of firewall policy rules.
(All of the steps below are the same for IPv4 and IPv6.)
The output of iptables -L and ip6tables -L is analyzed in this way:
The INPUT chain (and, in level 5, the OUTPUT chain) is checked.
A warning/error is displayed if the policy is:
ACCEPT, DROP, RETURN or QUEUE and the chain is empty;
ACCEPT and the last rule IS NOT a REJECT rule. If the last rule jumps to a custom chain, then that chain is checked in the same way.
Forwarding: if enabled, a warning is displayed and the FORWARD chain is checked as described above.
Source routing: if enabled, an error is displayed.
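The chain analysis described above, as an added example that is not the audit tool's own code: it applies the empty-chain, last-rule and custom-chain rules to a saved iptables -L listing passed in as a string, so the logic can be run offline. The listing, the chain named myfilter and the function names are constructed for this example; the forwarding flag is passed as a parameter instead of being read from /proc.

```shell
#!/bin/sh
# Added example, not the audit tool's own code. It applies the chain rules
# described above to a saved "iptables -L" listing passed as a string, so it
# can be run offline. The listing below is constructed for the example.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
myfilter   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain myfilter (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Summarize one chain as "policy rulecount lasttarget". Built-in chains carry a
# policy; user-defined chains print "-". Prints nothing if the chain is absent.
chain_summary() {  # $1 chain name, $2 listing text
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" {
            inchain = ($2 == chain)
            if (inchain) { policy = ($3 == "(policy") ? $4 : "-"; sub(/\)$/, "", policy) }
            next
        }
        inchain && $1 != "target" && NF > 0 { rules++; last = $1 }
        END { if (policy != "") print policy, rules + 0, (last == "" ? "-" : last) }'
}

# True if the chain ends in a REJECT rule, following a jump into a custom chain
# (the "checked in the same way" rule above). iptables itself forbids chain loops.
last_rule_rejects() {  # $1 chain name, $2 listing text
    summary=$(chain_summary "$1" "$2")
    [ -n "$summary" ] || return 1
    last=${summary##* }
    case "$last" in
        REJECT) return 0 ;;
        ACCEPT|DROP|RETURN|QUEUE|LOG|-) return 1 ;;
        *) last_rule_rejects "$last" "$2" ;;
    esac
}

# Check one chain. Returns 0 when fine, 1 on a warning, 2 if the chain is missing.
check_chain() {  # $1 chain name, $2 listing text
    summary=$(chain_summary "$1" "$2")
    if [ -z "$summary" ]; then echo "ERROR: chain $1 not found"; return 2; fi
    policy=${summary%% *}
    rest=${summary#* }; rules=${rest%% *}
    if [ "$rules" -eq 0 ]; then
        case "$policy" in
            ACCEPT|DROP|RETURN|QUEUE) echo "WARNING: chain $1 is empty (policy $policy)"; return 1 ;;
        esac
    fi
    if [ "$policy" = ACCEPT ] && ! last_rule_rejects "$1" "$2"; then
        echo "WARNING: chain $1 has policy ACCEPT but does not end in a REJECT rule"; return 1
    fi
    echo "OK: chain $1 (policy $policy, $rules rules)"
}

# Run the analysis for one address family. $3 is the value of the forwarding
# sysctl (net.ipv4.ip_forward or its IPv6 counterpart), passed in so that the
# function never reads /proc itself. Returns the number of warnings.
check_firewall() {  # $1 listing text, $2 level (1-5), $3 forwarding flag (0/1)
    warnings=0
    check_chain INPUT "$1" || warnings=$((warnings + 1))
    if [ "$2" -ge 5 ]; then check_chain OUTPUT "$1" || warnings=$((warnings + 1)); fi
    if [ "$3" = 1 ]; then
        echo "WARNING: IP forwarding is enabled"; warnings=$((warnings + 1))
        check_chain FORWARD "$1" || warnings=$((warnings + 1))
    fi
    return $warnings
}
```

On a live host the listing comes from iptables -L (or ip6tables -L) and the forwarding flag from /proc/sys/net/ipv4/ip_forward; the source-routing check from the description above is not reproduced here. With the sample listing, INPUT passes because its last rule jumps to myfilter, which ends in REJECT, while the empty FORWARD chain and the OUTPUT chain ending in ACCEPT each produce a warning.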
ENABLE_IPV4=<bool> [Default value: 1]
Enable/Disable all IPv4 related tests.
ENABLE_IPV4_FWCHECK=<bool> [Default value: 1]
Enable/Disable IPv4 firewall rules analysis.
SCAN_TCP4=<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv4. (Implemented, but disabled)
SCAN_UDP4=<bool> [Default value: 0]
Enable/Disable UDP scanning over IPv4. (Implemented, but disabled)
ENABLE_IPV6=<bool> [Default value: 1]
Enable/Disable all IPv6 related tests.
ENABLE_IPV6_FWCHECK=<bool> [Default value: 0]
Enable/Disable IPv6 firewall rules analysis.
SCAN_TCP6=<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv6. (Not implemented)
SCAN_UDP6=<bool> [Default value: 0]
Enable/Disable UDP scanning over IPv6. (Not implemented)
DEV_BLACKLIST="<string - devname> [<string - devname> …]" [Default value: "virbr[0-9]* lo"]
Ignore the listed devices in tests.
PARANOID=<bool> [Default value: 0]
This is only a helper variable that is set to 1 in level 5 and will probably be deleted.
System integrity test. Checks the presence and integrity of system commands and directories. The integrity of binaries is checked with the rpmverify command (rpm -Vf). A search for duplicates is also done for each command.
Presence of the directories listed in $DIRECTORY_LIST.
Integrity of core commands. This is done by calling $RPMVERIFY with $COREPKG as the package name.
Duplicate commands in the directories listed in $CMDPATH.
CMDPATH="<string - directory>[:<string - directory> …]" [Default value: "/bin:/sbin:/root/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"]
Directories containing command executables.
RPMVERIFY="<string - filepath>" [Default value: "/usr/bin/rpmverify"]
Absolute path to the rpmverify command executable.
COREPKG="<string - name>" [Default value: "coreutils"]
Name of package containing the core commands that should be checked.
DIRECTORY_LIST="<string - directory>[\n<string - directory> …]" [Default value: "/bin\n/sbin\n/lib\n/usr/bin\n/usr/sbin\n/usr/lib\n/usr/libexec\n/tmp\n/proc\n/var"] [1]
List of directories that must exist.
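The directory-presence check and the duplicate-command search described above, as an added example that is not the audit tool's own code. It takes lists in the same shape as $DIRECTORY_LIST (newline separated) and $CMDPATH (colon separated); the function names are constructed, and the rpmverify step is not reproduced because it needs an rpm database.

```shell
#!/bin/sh
# Added example, not the audit tool's own code. Implements the directory
# presence check and the duplicate-command search over lists shaped like
# $DIRECTORY_LIST (newline separated) and $CMDPATH (colon separated).

# Report directories that do not exist. Returns the number of missing ones.
check_directories() {  # $1 newline-separated directory list
    missing=0
    oldifs=$IFS; IFS='
'
    for dir in $1; do
        [ -d "$dir" ] || { echo "ERROR: required directory $dir does not exist"; missing=$((missing + 1)); }
    done
    IFS=$oldifs
    return $missing
}

# Print "name: dir1 dir2 ..." for every command name that exists as an
# executable regular file in more than one directory of the path.
# (-f follows symlinks, so a symlink to an executable counts as a copy.)
find_duplicate_commands() {  # $1 colon-separated directory list
    oldifs=$IFS; IFS=:
    for dir in $1; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] && printf '%s %s\n' "${f##*/}" "$dir"
        done
    done | sort | awk '
        { if ($1 in dirs) dirs[$1] = dirs[$1] " " $2; else dirs[$1] = $2; count[$1]++ }
        END { for (n in count) if (count[n] > 1) print n ": " dirs[n] }' | sort
    IFS=$oldifs
}
```

Typical use is check_directories "$DIRECTORY_LIST" followed by find_duplicate_commands "$CMDPATH"; on a system where /bin and /sbin are symlinks into /usr, every command shows up as a duplicate, which is why the device and directory lists of a test are worth tuning per distribution.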
OpenSSH configuration audit. Performs basic checks on the default configuration files and keys, and on the configuration files and keys used by running OpenSSH processes.
Permissions of configuration files and directories used by OpenSSH processes. [1]
SSHD_CONFIGDIR_PERM, SSHD_CONFIGDIR_OWNER, SSH_KNOWN_HOSTS_REQUIRE, SSH_KNOWN_HOSTS_PERM, SSH_KNOWN_HOSTS_OWNER, SSHD_PRIVSEP_DIR_REQUIRE, SSHD_PRIVSEP_DIR_PERM, SSHD_PRIVSEP_DIR_OWNER, SSHD_PRIVSEP_DIR_EMPTY
Permissions and hash sums[2] of keys in default locations and locations specified in process options and/or configuration directives.
SSHD_DEFAULT_KEYS, SSHD_PRIVKEY_PERM, SSHD_PRIVKEY_OWNER, SSHD_PUBKEY_PERM, SSHD_PUBKEY_OWNER, SSHD_SHA256_LIST, SSHD_SAVE_SHA256_CHANGES
Values of these configuration directives:
Protocol - If SSHv1 is enabled, then a warning is displayed.
PermitRootLogin - In level 5, an error is displayed if this directive is set to yes. Otherwise, a warning is emitted if the value is without-password or forced-commands-only.
AllowGroups, AllowUsers - In level 5, a warning is emitted if neither of these directives is present.
ChallengeResponseAuthentication, UsePAM - If both directives are set to no, then a warning is emitted.
PermitUserEnvironment - A warning is displayed if the value is yes.
StrictModes - A warning is displayed if the value is no.
UsePrivilegeSeparation - A warning is displayed if the value is no.
ClientAliveCountMax - (Checked only in L5 and if SSHv2 is enabled) If the value is 0 or higher than 6, then a warning is displayed.
ClientAliveInterval - (Checked only in L5 and if SSHv2 is enabled) If the value is 0 or higher than 600 seconds, then a warning is displayed.
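The directive rules listed above, as an added example that is not the audit tool's own code: it reads an sshd_config text passed as a string and emits the warnings and errors for a given level. The sample configuration is constructed; the defaults used when a directive is absent are assumed values written into sshd_effective (the page's own default-value database is described separately below), and the function names are not from the tool.

```shell
#!/bin/sh
# Added example, not the audit tool's own code. It applies the directive rules
# described above to an sshd_config text passed as a string. Defaults used when
# a directive is absent are assumed and listed in sshd_effective.

# Constructed sample sshd_config exercising several of the checks.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host configuration
Protocol 2,1
PermitRootLogin without-password
ChallengeResponseAuthentication no
UsePAM no
PermitUserEnvironment yes
StrictModes no
ClientAliveCountMax 10
ClientAliveInterval 900'

# Print the first value of a directive (sshd uses the first occurrence),
# ignoring comments and matching the keyword case-insensitively.
sshd_directive() {  # $1 config text, $2 directive
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# Value of a directive, or an assumed default when the directive is absent.
sshd_effective() {  # $1 config text, $2 directive
    v=$(sshd_directive "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    case "$2" in   # assumed defaults for this example
        Protocol) echo 2 ;;
        PermitRootLogin) echo yes ;;
        ChallengeResponseAuthentication|UsePAM) echo no ;;
        PermitUserEnvironment) echo no ;;
        StrictModes|UsePrivilegeSeparation) echo yes ;;
        ClientAliveCountMax) echo 3 ;;
        ClientAliveInterval) echo 0 ;;
    esac
}

report() { echo "$1: $2"; findings=$((findings + 1)); }

# Apply the rules for audit level $2 (1-5). Returns the number of findings.
audit_sshd_config() {  # $1 config text, $2 level
    findings=0
    proto=$(sshd_effective "$1" Protocol)
    case ",$proto," in *,1,*) report WARNING "Protocol: SSHv1 is enabled ($proto)" ;; esac

    prl=$(sshd_effective "$1" PermitRootLogin)
    if [ "$2" -ge 5 ] && [ "$prl" = yes ]; then
        report ERROR "PermitRootLogin is yes"
    elif [ "$prl" = without-password ] || [ "$prl" = forced-commands-only ]; then
        report WARNING "PermitRootLogin is $prl"
    fi

    if [ "$2" -ge 5 ] && [ -z "$(sshd_directive "$1" AllowGroups)$(sshd_directive "$1" AllowUsers)" ]; then
        report WARNING "neither AllowGroups nor AllowUsers is set"
    fi
    if [ "$(sshd_effective "$1" ChallengeResponseAuthentication)" = no ] &&
       [ "$(sshd_effective "$1" UsePAM)" = no ]; then
        report WARNING "ChallengeResponseAuthentication and UsePAM are both no"
    fi
    [ "$(sshd_effective "$1" PermitUserEnvironment)" = yes ] && report WARNING "PermitUserEnvironment is yes"
    [ "$(sshd_effective "$1" StrictModes)" = no ] && report WARNING "StrictModes is no"
    [ "$(sshd_effective "$1" UsePrivilegeSeparation)" = no ] && report WARNING "UsePrivilegeSeparation is no"

    # Keep-alive limits are checked in level 5 only, and only when SSHv2 is enabled.
    case ",$proto," in
        *,2,*)
            if [ "$2" -ge 5 ]; then
                n=$(sshd_effective "$1" ClientAliveCountMax)
                { [ "$n" -eq 0 ] || [ "$n" -gt 6 ]; } && report WARNING "ClientAliveCountMax is $n"
                i=$(sshd_effective "$1" ClientAliveInterval)
                { [ "$i" -eq 0 ] || [ "$i" -gt 600 ]; } && report WARNING "ClientAliveInterval is $i seconds"
            fi ;;
    esac
    return $findings
}
```

Running audit_sshd_config "$(cat /etc/ssh/sshd_config)" 5 on a host reports the findings for level 5; the sample above yields eight of them at level 5 and five at level 3, the difference being the AllowGroups/AllowUsers and keep-alive rules that only apply at level 5.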
SSHD_USER="<string - user>" [Default value: "sshd"]
Owner of the running sshd process.
SSHD_GROUP="<string - group>" [Default value: "sshd"]
Group of the running sshd process.
SSHD_CONFIG_PERM=<number in octal base> [Default value: 755]
Correct file permissions of the sshd_config file.
SSHD_CONFIG_OWNER="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of the sshd_config file.
SSHD_CONFIGDIR_PERM=<number in octal base> [Default value: 755]
Correct permissions of the sshd configuration directory.
SSHD_CONFIGDIR_OWNER="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of the sshd configuration directory.
SSHD_PRIVKEY_PERM=<number in octal base> [Default value: 600]
Correct permissions of the sshd private key file(s).
SSHD_PRIVKEY_OWNER="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of the sshd private key file(s).
SSHD_PUBKEY_PERM=<number in octal base> [Default value: 644]
Correct permissions of the sshd public key file(s).
SSHD_PUBKEY_OWNER="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of the sshd public key file(s).
SSH_KNOWN_HOSTS_REQUIRE=<bool> [Default value: 0]
Whether the presence of the known_hosts file is required.
SSH_KNOWN_HOSTS_PERM=<number in octal base> [Default value: 644]
Correct permissions of the known_hosts file.
SSH_KNOWN_HOSTS_OWNER="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of the known_hosts file.
SSHD_PRIVSEP_DIR_REQUIRE=<bool> [Default value: 1]
Whether the presence of the directory used in the privilege separation phase is required. If it is required and the directory does not exist, a warning is displayed.
SSHD_PRIVSEP_DIR_PERM=<number in octal base> [Default value: 711, L5 value: 700]
Correct permissions of the privsep directory.
SSHD_PRIVSEP_DIR_OWNER="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of the privsep directory.
SSHD_PRIVSEP_DIR="<string - directory>" [Default value: "/var/empty/sshd"]
Location of the directory used in the privilege separation phase.
SSHD_PRIVSEP_DIR_EMPTY=<bool> [Default value: 0]
If set to 1, the privsep directory must be empty; if it is not, a warning is displayed.
SSHD_CHECK_SHA256=<bool> [Default value: 1]
Whether the checksums of sshd related files are checked.
SSH_CHECK_SHA256=<bool> [Default value: 1]
Whether the checksums of ssh related files are checked.
SSHD_SHA256_LIST="<string - filename>" [Default value: "sshd.sum"]
Name of the checksum file. This file is stored in the persistent data directory.
SSHD_SAVE_SHA256_CHANGES=<bool> [Default value: 1]
Whether changes in checksums are saved to the checksum file.
SSHD_DEFAULT_KEYS="<string - keypath> [<string - keypath #2> …]" [Default value: "/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key"]
Default locations of the sshd key files.
PARANOID=<bool> [Default value: 0, L5 value: 1]
This is only a helper variable that is set to 1 in level 5 and will probably be deleted.
A simple default configuration database is implemented in this test for better portability to other systems with different default values of OpenSSH configuration directives. The syntax is quite simple:
A prefix must be defined. In this test, SSHD is hardcoded for the sshd daemon configuration.
All directives that will have their default values listed in the .dsc file must be added to the variable $PREFIX_defined_vars.
For example:
SSHD_defined_vars="PermitRootLogin StrictModes"
Then the default values for each listed directive must be defined. This definition includes the version of sshd that it applies to. The version string must contain only characters that can be part of a .dsc variable name.
For example:
Version = 4.7p1 -> Version string = 47p1
The definition name is in the format $PREFIX_$VersionString_$ConfDirectiveName.
For example:
SSHD_47p1_PermitRootLogin="yes"
And for all 4.x versions it would be:
SSHD_4_PermitRootLogin="yes"
This is also correct and applies to any version:
SSHD__PermitRootLogin="yes"
SSHD_defined_vars="PermitRootLogin StrictModes ChallengeResponseAuthentication UsePAM AllowTcpForwarding"
# 4.7p1 defaults on F9
SSHD_47p1_PermitRootLogin="yes"
SSHD_47p1_StrictModes="yes"
SSHD_47p1_ChallengeResponseAuthentication="no"
SSHD_47p1_UsePAM="no"
SSHD_47p1_AllowTcpForwarding="yes"
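A lookup over a database in the $PREFIX_$VersionString_$ConfDirectiveName form just described, as an added example that is not the audit tool's own code. It shows the fallback order an exact-version entry, a major-version entry and an any-version entry give, and why the names spliced into eval have to be validated. The entries below are constructed for the example (only the PermitRootLogin and StrictModes values repeat what the page quotes), and the SSHD_5_PermitRootLogin entry is an assumption added to show the override.

```shell
#!/bin/sh
# Added example, not the audit tool's own code. Looks up defaults stored as
# $PREFIX_$VersionString_$Directive variables, falling back from the exact
# version to the major version and then to the any-version entry.
# The entries are constructed for the example.

SSHD_defined_vars="PermitRootLogin StrictModes UsePAM"
SSHD__PermitRootLogin="yes"      # any version (quoted on the page)
SSHD_4_StrictModes="yes"         # all 4.x versions (quoted on the page)
SSHD_47p1_UsePAM="no"            # 4.7p1 only
SSHD_5_PermitRootLogin="no"      # constructed: 5.x overrides the any-version entry

# Strip every character that cannot appear in a variable name: 4.7p1 -> 47p1.
version_string() {  # $1 version
    printf '%s\n' "$1" | tr -cd 'A-Za-z0-9_\n'
}

# Print the default for a directive. The most specific entry wins: exact
# version, then major version, then the any-version entry. Returns 1 when the
# directive is not listed in $PREFIX_defined_vars or no entry matches.
default_value() {  # $1 prefix, $2 sshd version, $3 directive
    # Prefix and directive are spliced into eval: accept identifier characters only.
    case "$1$3" in *[!A-Za-z0-9_]*) echo "invalid prefix or directive name" >&2; return 2 ;; esac
    defined=$(eval "printf '%s' \"\$${1}_defined_vars\"")
    case " $defined " in *" $3 "*) ;; *) return 1 ;; esac
    major=$(version_string "${2%%.*}")
    for vs in "$(version_string "$2")" "$major" ""; do
        name="${1}_${vs}_${3}"
        if eval "[ -n \"\${$name+set}\" ]"; then
            eval "printf '%s\\n' \"\$$name\""
            return 0
        fi
    done
    return 1
}
```

default_value SSHD 4.7p1 StrictModes resolves through SSHD_4_StrictModes because no SSHD_47p1_StrictModes exists, while UsePAM has only the 4.7p1 entry and so has no default at all for a 5.x sshd; the name check matters because a directive name taken from a config file would otherwise reach eval unfiltered.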
Simple test that checks if the mandatory access control architecture is enabled.
From level 3 on, the test expects SELinux to be enabled and switched into enforcing mode.
MODE=["Enforcing" | "Permissive"]
Which SELinux mode is expected by the test.
MESSAGE_TYPE=["WARNING" | "ERROR"]
What kind of message is issued.
Checks for potentially insecure mount options in /etc/fstab, such as a removable device mounted without nosuid.
The test checks removable and remote filesystems for the nodev, noexec and nosuid options, and local filesystems for the nodev option. Mountpoints can be blacklisted and thus omitted from testing.
DEFAULTS=<list of options>
The list of options that the defaults keyword expands into (rw suid dev exec auto nouser async by default).
FILES=<list of files>
Files to be checked (/etc/fstab by default); set it to /proc/mounts if you want the currently mounted filesystems to be checked.
LOCAL_TYPES=<list of filesystem types>
Filesystem types recognized as local (ext2 ext3 by default).
REMOVABLE_TYPES=<list of filesystem types>
Filesystem types recognized as removable (floppy cdrom iso9660 vfat msdos by default).
REMOTE_TYPES=<list of filesystem types>
Filesystem types recognized as remote (nfs nfs4 smbfs cifs ncpfs by default).
BLACKLIST=<list of directories>
Mountpoints to be skipped when checking (/boot by default).
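The mount-option rules above, as an added example that is not the audit tool's own code: it parses fstab-format text passed as a string, expands the defaults keyword the way the DEFAULTS variable describes, and reports the options missing per filesystem class using the page's default type lists. The sample fstab and the function names are constructed.

```shell
#!/bin/sh
# Added example, not the audit tool's own code. Applies the option rules
# described above to fstab-format text, with the page's default type lists.
# The sample fstab below is constructed.

DEFAULTS="rw suid dev exec auto nouser async"
LOCAL_TYPES="ext2 ext3"
REMOVABLE_TYPES="floppy cdrom iso9660 vfat msdos"
REMOTE_TYPES="nfs nfs4 smbfs cifs ncpfs"
BLACKLIST="/boot"

SAMPLE_FSTAB='# constructed sample, not a real /etc/fstab
/dev/sda1           /boot         ext3     defaults                          1 2
/dev/sda3           /home         ext3     defaults                          1 2
/dev/sda4           /var          ext3     defaults,nodev                    1 2
/dev/sr0            /media/cdrom  iso9660  ro,noauto,user                    0 0
/dev/sdb1           /media/usb    vfat     noauto,nosuid,nodev,noexec,user   0 0
fileserver:/export  /mnt/data     nfs      defaults,nosuid                   0 0
tmpfs               /dev/shm      tmpfs    defaults                          0 0'

in_list() {  # $1 word, $2 space-separated list
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Turn the comma-separated option field into a space-separated list, replacing
# the "defaults" keyword by the options it stands for.
expand_options() {  # $1 option field
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$o" = defaults ]; then printf '%s ' $DEFAULTS; else printf '%s ' "$o"; fi
    done
}

# Check one entry: removable and remote types need nodev, noexec and nosuid;
# local types need nodev; other types and blacklisted mountpoints are skipped.
# Prints one WARNING per missing option and returns their count.
check_entry() {  # $1 mountpoint, $2 filesystem type, $3 option field
    in_list "$1" "$BLACKLIST" && return 0
    if in_list "$2" "$REMOVABLE_TYPES" || in_list "$2" "$REMOTE_TYPES"; then
        required="nodev noexec nosuid"
    elif in_list "$2" "$LOCAL_TYPES"; then
        required="nodev"
    else
        return 0
    fi
    opts=$(expand_options "$3")
    missing=0
    for r in $required; do
        in_list "$r" "$opts" || { echo "WARNING: $1 ($2) is mounted without $r"; missing=$((missing + 1)); }
    done
    return $missing
}

# Check every entry of an fstab (or of /proc/mounts, which shares the first
# four fields). Returns the total number of warnings.
check_fstab() {  # $1 fstab text
    total=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        check_entry "$mnt" "$type" "$opts" || total=$((total + $?))
    done <<EOF
$1
EOF
    return $total
}
```

check_fstab "$(cat /etc/fstab)" checks the static table and check_fstab "$(cat /proc/mounts)" the live mounts, mirroring the FILES variable. With the sample, /boot is skipped by the blacklist, the CD-ROM entry is missing all three options, the NFS export lacks nodev and noexec, and the tmpfs entry is ignored because its type is in none of the lists.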
Looks for suid binaries in the system and compares against the last run. Up to level 3 it checks only binaries in $PATH; from level 3 onwards it also checks whether each file belongs to a package, and from level 4 onwards it walks the entire / filesystem and scans for setuid files.
A list of suid files in the locations given by the .dsc file is gathered and compared against the previous run, and the differences are printed. The test can also report suid files not belonging to a package or check arbitrary directories.
CHECK_PATH=["1" | "0"]
Whether the test should check the directories in the $PATH variable. This is on by default.
CHECK_FILE_PACKAGE=["1" | "0"]
Whether to check if a setuid file belongs to a package. This is 1 from level 3 up.
PACKAGE_CMD=<a command> (rpm -qf on rpm-based distributions)
The command used to get the package a file belongs to.
CHECK_DIR=<list of directories>
A directory or list of directories to check in addition. Set to /opt and /usr/local from level 4 up.
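The gather-and-compare cycle described above, as an added example that is not the audit tool's own code: it lists setuid files under the given directories, prints the differences against the list saved by the previous run, and saves the new list as the baseline. A plain state file stands in for the tool's persistent data directory; PACKAGE_CMD defaults to rpm -qf as the page states, and the function names are constructed.

```shell
#!/bin/sh
# Added example, not the audit tool's own code. Gathers setuid files, compares
# them with the previous run's list (a plain state file stands in for the
# persistent data directory) and prints the differences.

PACKAGE_CMD=${PACKAGE_CMD:-"rpm -qf"}

# Sorted list of setuid regular files under the given directories.
# -xdev keeps the walk on one filesystem, which a full "/" scan should do.
list_suid() {  # $@ directories
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print "+ path" for files that are setuid now but were not before, and
# "- path" for files that lost the bit or disappeared. Both lists are sorted.
suid_changes() {  # $1 previous list file, $2 current list file
    comm -13 "$1" "$2" | sed 's/^/+ /'
    comm -23 "$1" "$2" | sed 's/^/- /'
}

# Print files for which PACKAGE_CMD cannot name an owning package
# (the CHECK_FILE_PACKAGE rule). Not exercised offline: it needs rpm.
unpackaged_files() {  # $@ files
    for f in "$@"; do
        $PACKAGE_CMD "$f" >/dev/null 2>&1 || echo "$f"
    done
}

# Gather the current list, report changes against the state file and save the
# new list as the baseline. Returns the number of changed entries.
check_suid() {  # $1 state file, $@ directories
    state=$1; shift
    current=$(mktemp)
    list_suid "$@" > "$current"
    if [ -f "$state" ]; then
        suid_changes "$state" "$current"
        changes=$(comm -3 "$state" "$current" | wc -l | tr -d ' ')
    else
        echo "no previous run; saving $(wc -l < "$current" | tr -d ' ') setuid files as baseline"
        changes=0
    fi
    mv "$current" "$state"
    return "$changes"
}
```

A level-1 run corresponds to check_suid "$STATE" $(printf '%s\n' "$PATH" | tr ':' ' '), a level-4 run to check_suid "$STATE" / with CHECK_DIR appended; a non-zero return means the setuid inventory changed since the last run, which is the event worth alerting on.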
Vsftpd configuration audit. Performs basic checks on the default configuration file of vsftpd.
Permissions of configuration files and directories used by vsftpd.
/etc/vsftpd/vsftpd.conf
Whether the server is listening, and whether it listens on only one protocol.
listen, listen_ipv6
Existence of necessary files/directories and their permissions.
banned_email_file, userlist_file, chroot_list_file, email_password_file, vsftpd_log_file, xferlog_file, banner_file, dsa_cert_file, dsa_private_key_file, rsa_cert_file, rsa_private_key_file, local_root, anon_root, user_config_dir
Existence of necessary files/directories and their permissions for user configs.
banned_email_file, banner_file, dsa_private_key_file, rsa_cert_file, rsa_private_key_file, local_root, anon_root, user_config_dir
Whether the anonymous directory is writable by other users or owned by the wrong user.
anonymous_enable, anon_root
Whether SELinux is enabled and preventing access to user home directories.
Port range for passive connections.
pasv_min_port, pasv_max_port
Whether ls_recurse_enable is enabled.
Possibility of ASCII mangling.
PASSWD_FILE="<string - path>" [Default value: "/etc/passwd"]
Path to the system passwd file.
CONFIG_FILE="<string - path>" [Default value: "/etc/vsftpd/vsftpd.conf"]
Path to the vsftpd configuration file.
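A subset of the vsftpd checks listed above (listen/listen_ipv6, the passive port range, ls_recurse_enable, and the ownership and permissions of the anonymous root), as an added example that is not vsftpd's or the audit tool's own code. It reads a vsftpd.conf text passed as a string; the sample configuration is constructed, the expected owner of the anonymous root is a parameter defaulting to root, and the assumed defaults for absent options are those named in the calls.

```shell
#!/bin/sh
# Added example, not vsftpd's or the audit tool's own code. Applies some of the
# checks listed above to a vsftpd.conf text passed as a string. The sample
# configuration is constructed; ANON_ROOT_OWNER is the expected owner.

ANON_ROOT_OWNER=${ANON_ROOT_OWNER:-root}

SAMPLE_VSFTPD_CONF='# constructed sample, not a real vsftpd.conf
listen=YES
listen_ipv6=YES
anonymous_enable=YES
anon_root=/var/ftp
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=40000
ls_recurse_enable=YES'

# vsftpd options are "key=value", one per line, without spaces; a later line
# for the same key overrides an earlier one. Prints the value or $3 when unset.
vsftpd_option() {  # $1 config text, $2 option, $3 default
    v=$(printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = $2 }
        END { print val }')
    printf '%s\n' "${v:-$3}"
}

report() { echo "$1: $2"; findings=$((findings + 1)); }

# The anonymous root must not be writable by others and must belong to the
# expected owner; ls -ld is parsed instead of stat(1) for portability.
check_anon_root() {  # $1 directory
    if [ ! -d "$1" ]; then report ERROR "anonymous root $1 does not exist"; return 0; fi
    entry=$(ls -ld "$1")
    case "$entry" in ????????w*) report WARNING "anonymous root $1 is writable by other users" ;; esac
    owner=$(printf '%s\n' "$entry" | awk '{ print $3 }')
    [ "$owner" = "$ANON_ROOT_OWNER" ] || report WARNING "anonymous root $1 is owned by $owner, not $ANON_ROOT_OWNER"
}

# Returns the number of findings. $2 optionally overrides anon_root so that the
# directory checks can be run against a constructed directory.
audit_vsftpd() {  # $1 config text, $2 anonymous root override (optional)
    findings=0
    l4=$(vsftpd_option "$1" listen NO)
    l6=$(vsftpd_option "$1" listen_ipv6 NO)
    if [ "$l4" = YES ] && [ "$l6" = YES ]; then
        report ERROR "listen and listen_ipv6 are both YES; the two options are mutually exclusive"
    elif [ "$l4" != YES ] && [ "$l6" != YES ]; then
        report WARNING "server is not listening in standalone mode (listen=NO, listen_ipv6=NO)"
    fi
    min=$(vsftpd_option "$1" pasv_min_port 0)
    max=$(vsftpd_option "$1" pasv_max_port 0)
    if [ "$min" -gt "$max" ]; then
        report ERROR "pasv_min_port ($min) is greater than pasv_max_port ($max)"
    fi
    if [ "$(vsftpd_option "$1" ls_recurse_enable NO)" = YES ]; then
        report WARNING "ls_recurse_enable is YES"
    fi
    if [ "$(vsftpd_option "$1" anonymous_enable YES)" = YES ]; then
        root=${2:-$(vsftpd_option "$1" anon_root "")}
        if [ -n "$root" ]; then check_anon_root "$root"; fi
    fi
    return $findings
}
```

audit_vsftpd "$(cat "$CONFIG_FILE")" runs the checks against the configured file; the sample yields an error for the two listen options, an error for the inverted passive port range, a warning for ls_recurse_enable, and whatever the anonymous root directory's ownership and mode add.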