|
|
28bffe |
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..a8fc8715e1
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
|
|
|
28bffe |
@@ -0,0 +1,17 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel6,rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Disable kernel image loading'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}'
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |
|
|
|
28bffe |
+ Disabling kexec_load allows greater control of the kernel memory.
|
|
|
28bffe |
+ It makes it impossible to load another kernel image after it has been disabled.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..67b7ff8056
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
|
|
|
28bffe |
@@ -0,0 +1,19 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel6,rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Restrict usage of ptrace to descendant processes'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}'
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |
|
|
|
28bffe |
+ Unrestricted usage of ptrace allows compromised binaries to run ptrace
|
|
|
28bffe |
+ on another processes of the user. Like this, the attacker can steal
|
|
|
28bffe |
+ sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
|
|
|
28bffe |
+ without any additional assistance from the user (i.e. without resorting to phishing).
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
|
|
|
28bffe |
index 8550434ffa..a29e282b6e 100644
|
|
|
28bffe |
--- a/rhel7/profiles/ospp42.profile
|
|
|
28bffe |
+++ b/rhel7/profiles/ospp42.profile
|
|
|
28bffe |
@@ -33,6 +33,10 @@ selections:
|
|
|
28bffe |
- var_password_pam_lcredit=1
|
|
|
28bffe |
- accounts_password_pam_lcredit
|
|
|
28bffe |
- package_screen_installed
|
|
|
28bffe |
+ - sysctl_kernel_yama_ptrace_scope
|
|
|
28bffe |
+ - sysctl_kernel_kptr_restrict
|
|
|
28bffe |
+ - sysctl_kernel_kexec_load_disabled
|
|
|
28bffe |
+ - sysctl_kernel_dmesg_restrict
|
|
|
28bffe |
- dconf_gnome_screensaver_idle_activation_enabled
|
|
|
28bffe |
- dconf_gnome_screensaver_idle_delay
|
|
|
28bffe |
- dconf_gnome_screensaver_lock_delay
|
|
|
28bffe |
diff --git a/rhel7/templates/csv/sysctl_values.csv b/rhel7/templates/csv/sysctl_values.csv
|
|
|
28bffe |
index 12f0232760..3090159aa5 100644
|
|
|
28bffe |
--- a/rhel7/templates/csv/sysctl_values.csv
|
|
|
28bffe |
+++ b/rhel7/templates/csv/sysctl_values.csv
|
|
|
28bffe |
@@ -1,7 +1,10 @@
|
|
|
28bffe |
# Add <sysctl_parameter_name, desired_value> to generate hard-coded OVAL and remediation content.
|
|
|
28bffe |
# Add <sysctl_parameter_name,> to generate OVAL and remediation content that use the XCCDF value.
|
|
|
28bffe |
fs.suid_dumpable,0
|
|
|
28bffe |
+kernel.yama.ptrace_scope,1
|
|
|
28bffe |
+kernel.kptr_restrict,1
|
|
|
28bffe |
kernel.dmesg_restrict,1
|
|
|
28bffe |
+kernel.kexec_load_disabled,1
|
|
|
28bffe |
#kernel.exec-shield,1
|
|
|
28bffe |
kernel.randomize_va_space,2
|
|
|
28bffe |
net.ipv4.conf.all.accept_redirects,
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..715f0b81dc
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,7 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+#
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
|
|
|
28bffe |
+
|
|
|
28bffe |
+. ../sysctl.sh
|
|
|
28bffe |
+
|
|
|
28bffe |
+sysctl_set_kernel_setting_to dmsg_restrict 0
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..05cd772b7f
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,7 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+#
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
|
|
|
28bffe |
+
|
|
|
28bffe |
+. ../sysctl.sh
|
|
|
28bffe |
+
|
|
|
28bffe |
+sysctl_set_kernel_setting_to kexec_load_disabled 0
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..ac7922d927
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,7 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+#
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
|
|
|
28bffe |
+
|
|
|
28bffe |
+. ../sysctl.sh
|
|
|
28bffe |
+
|
|
|
28bffe |
+sysctl_set_kernel_setting_to kptr_restrict 0
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..6e0892c4d8
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,7 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+#
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
|
|
|
28bffe |
+
|
|
|
28bffe |
+. ../sysctl.sh
|
|
|
28bffe |
+
|
|
|
28bffe |
+sysctl_set_kernel_setting_to yama.ptrace_scope 0
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..6a424a3641
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
|
|
|
28bffe |
@@ -0,0 +1,14 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# Sets the kernel setting using sysctl exec as well as in sysctl config file.
|
|
|
28bffe |
+# $1: The setting name without the leading 'kernel.'
|
|
|
28bffe |
+# $2: The value to set the setting to
|
|
|
28bffe |
+function sysctl_set_kernel_setting_to {
|
|
|
28bffe |
+ local setting_name="kernel.$1" setting_value="$2"
|
|
|
28bffe |
+ sysctl -w "$setting_name=$setting_value"
|
|
|
28bffe |
+ if grep -q "^$setting_name" /etc/sysctl.conf; then
|
|
|
28bffe |
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
|
|
|
28bffe |
+ else
|
|
|
28bffe |
+ echo "$setting_name = $setting_value" >> /etc/sysctl.conf
|
|
|
28bffe |
+ fi
|
|
|
28bffe |
+}
|