Blame SOURCES/scap-security-guide-0.1.41-sysctl_kernel.patch

28bffe
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
28bffe
new file mode 100644
28bffe
index 0000000000..a8fc8715e1
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
28bffe
@@ -0,0 +1,17 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel6,rhel7,fedora
28bffe
+
28bffe
+title: 'Disable kernel image loading'
28bffe
+
28bffe
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}'
28bffe
+
28bffe
+rationale: |
28bffe
+    Disabling kexec_load allows greater control of the kernel memory.
28bffe
+    It makes it impossible to load another kernel image after it has been disabled.
28bffe
+
28bffe
+severity: unknown
28bffe
+
28bffe
+
28bffe
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
28bffe
+
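Review bot: `severity: unknown` ships the new rule unrated, so a profile that selects it cannot weight its findings; the same placeholder is in the ptrace_scope rule added in the next hunk. Choose a severity in line with the sysctl_kernel_* rules this patch sits beside (the dmesg_restrict and kptr_restrict rules the profile already references, presumably existing, are the natural reference) rather than leaving the placeholder. The rationale's first sentence, `Disabling kexec_load allows greater control of the kernel memory.`, says little; something like `Setting kernel.kexec_load_disabled to 1 prevents a new kernel image from being loaded via kexec for the rest of the current boot, so a root-level compromise cannot swap in a different kernel without rebooting.` states the actual control. prodtype also lists rhel6; I believe this sysctl post-dates the RHEL 6 kernel, so confirm it exists there before keeping rhel6 in scope.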
28bffe
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
28bffe
new file mode 100644
28bffe
index 0000000000..67b7ff8056
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
28bffe
@@ -0,0 +1,19 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel6,rhel7,fedora
28bffe
+
28bffe
+title: 'Restrict usage of ptrace to descendant processes'
28bffe
+
28bffe
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}'
28bffe
+
28bffe
+rationale: |
28bffe
+    Unrestricted usage of ptrace allows compromised binaries to run ptrace
28bffe
+    on another processes of the user. Like this, the attacker can steal
28bffe
+    sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
28bffe
+    without any additional assistance from the user (i.e. without resorting to phishing).
28bffe
+
28bffe
+severity: unknown
28bffe
+
28bffe
+
28bffe
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
28bffe
+
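Review bot: The rationale has grammar slips that will be rendered into the guide: `on another processes of the user` should read `on other processes of the same user`, and `Like this, the attacker can steal` reads better as `This way, an attacker can read`. prodtype includes rhel6, but kernel.yama.ptrace_scope only exists when the Yama LSM is present in the kernel; I believe the RHEL 6 kernel predates Yama, in which case the rule can neither check nor remediate there — confirm before keeping rhel6. A one-line caveat in the rationale that value 1 still lets a process trace its own descendants (and CAP_SYS_PTRACE holders trace anything) would help readers see why normally launched debuggers keep working under this setting.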
28bffe
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
28bffe
index 8550434ffa..a29e282b6e 100644
28bffe
--- a/rhel7/profiles/ospp42.profile
28bffe
+++ b/rhel7/profiles/ospp42.profile
28bffe
@@ -33,6 +33,10 @@ selections:
28bffe
     - var_password_pam_lcredit=1
28bffe
     - accounts_password_pam_lcredit
28bffe
     - package_screen_installed
28bffe
+    - sysctl_kernel_yama_ptrace_scope
28bffe
+    - sysctl_kernel_kptr_restrict
28bffe
+    - sysctl_kernel_kexec_load_disabled
28bffe
+    - sysctl_kernel_dmesg_restrict
28bffe
     - dconf_gnome_screensaver_idle_activation_enabled
28bffe
     - dconf_gnome_screensaver_idle_delay
28bffe
     - dconf_gnome_screensaver_lock_delay
28bffe
diff --git a/rhel7/templates/csv/sysctl_values.csv b/rhel7/templates/csv/sysctl_values.csv
28bffe
index 12f0232760..3090159aa5 100644
28bffe
--- a/rhel7/templates/csv/sysctl_values.csv
28bffe
+++ b/rhel7/templates/csv/sysctl_values.csv
28bffe
@@ -1,7 +1,10 @@
28bffe
 # Add <sysctl_parameter_name, desired_value> to generate hard-coded OVAL and remediation content.
28bffe
 # Add <sysctl_parameter_name,> to generate OVAL and remediation content that use the XCCDF value.
28bffe
 fs.suid_dumpable,0
28bffe
+kernel.yama.ptrace_scope,1
28bffe
+kernel.kptr_restrict,1
28bffe
 kernel.dmesg_restrict,1
28bffe
+kernel.kexec_load_disabled,1
28bffe
 #kernel.exec-shield,1
28bffe
 kernel.randomize_va_space,2
28bffe
 net.ipv4.conf.all.accept_redirects,
28bffe
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..715f0b81dc
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+#
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
28bffe
+
28bffe
+. ../sysctl.sh
28bffe
+
28bffe
+sysctl_set_kernel_setting_to dmsg_restrict 0
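Review bot: The setting name on the last line is misspelled: `dmsg_restrict` should be `dmesg_restrict`. As written the sourced helper runs `sysctl -w kernel.dmsg_restrict=0`, which fails for a nonexistent key, and then appends a meaningless `kernel.dmsg_restrict = 0` line to /etc/sysctl.conf, so kernel.dmesg_restrict itself is never changed and this fail scenario only produces a failing scan if the system default already happens to be 0. Fix: `sysctl_set_kernel_setting_to dmesg_restrict 0`.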
28bffe
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..05cd772b7f
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+#
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
28bffe
+
28bffe
+. ../sysctl.sh
28bffe
+
28bffe
+sysctl_set_kernel_setting_to kexec_load_disabled 0
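Review bot: kernel.kexec_load_disabled is a one-way sysctl — once it is 1 the kernel refuses to set it back to 0 until reboot — so the helper's `sysctl -w kernel.kexec_load_disabled=0` will fail on any test machine where the setting was already enabled (for example after a remediation run in the same boot), leaving only the /etc/sysctl.conf line changed. The scenario then exercises just the config-file half of the check, and its outcome depends on whether the rule's OVAL also compares the runtime value, which I cannot see from this patch. Consider stating this in the script header, e.g. `# NOTE: the runtime value cannot be lowered once set; this scenario only guarantees the config-file state`, and running it on a freshly booted snapshot.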
28bffe
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..ac7922d927
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+#
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
28bffe
+
28bffe
+. ../sysctl.sh
28bffe
+
28bffe
+sysctl_set_kernel_setting_to kptr_restrict 0
28bffe
diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..6e0892c4d8
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+#
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp42
28bffe
+
28bffe
+. ../sysctl.sh
28bffe
+
28bffe
+sysctl_set_kernel_setting_to yama.ptrace_scope 0
28bffe
diff --git a/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
28bffe
new file mode 100644
28bffe
index 0000000000..6a424a3641
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
28bffe
@@ -0,0 +1,14 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# Sets the kernel setting using sysctl exec as well as in sysctl config file.
28bffe
+# $1: The setting name without the leading 'kernel.'
28bffe
+# $2: The value to set the setting to
28bffe
+function sysctl_set_kernel_setting_to {
28bffe
+	local setting_name="kernel.$1" setting_value="$2"
28bffe
+	sysctl -w "$setting_name=$setting_value"
28bffe
+	if grep -q "^$setting_name" /etc/sysctl.conf; then
28bffe
+		sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
28bffe
+	else
28bffe
+		echo "$setting_name = $setting_value" >> /etc/sysctl.conf
28bffe
+	fi
28bffe
+}
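Review bot: The grep and sed patterns use `$setting_name` unescaped, so each `.` in a key such as kernel.yama.ptrace_scope is a regex wildcard, and nothing anchors the pattern after the name, so `^kernel.kptr_restrict` would also match a line for a longer key sharing that prefix; the exit status of `sysctl -w` is also discarded, which hides the failure for one-way knobs such as kernel.kexec_load_disabled. The rewrite below escapes the dots with a portable sed (avoiding bash-version differences in quoted `${var//…}` replacement), anchors on the `=` separator, and reports a failed runtime write to stderr. The helper also only edits /etc/sysctl.conf; a conflicting drop-in under /etc/sysctl.d could still mask the value depending on load order, so the header comment should say the helper assumes no such drop-in exists.
```shell
function sysctl_set_kernel_setting_to {
	local setting_name="kernel.$1" setting_value="$2"
	# Report a failed runtime write instead of hiding it: one-way knobs such as
	# kernel.kexec_load_disabled cannot be lowered again until reboot.
	sysctl -w "$setting_name=$setting_value" \
		|| echo "warning: runtime value of $setting_name unchanged" >&2
	# Match the key literally (dots escaped) and anchor on the '=' so a key
	# that is a prefix of a longer key does not match the longer key's line.
	local escaped pattern
	escaped=$(printf '%s' "$setting_name" | sed 's/\./\\./g')
	pattern="^${escaped}[[:space:]]*="
	if grep -q "$pattern" /etc/sysctl.conf; then
		sed -i "s/${pattern}.*/$setting_name = $setting_value/" /etc/sysctl.conf
	# … unchanged: append branch, fi, closing brace …
```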