DIRECTORY_LIST="/bin
/sbin
..."
Examines bash aliases.
existence of target command or sourced file
possibility of changing target file
none
Tests grub bootloader configuration.
permissions and owner of /boot/grub/grub.conf
password presence
WARNING_PASS =<0|1>
Whether to report warning if password is missing.
ERROR_PASS =<0|1>
Whether to report error if password is missing.
GRUBCONF =<path> [default value: /boot/grub/grub.conf]
Full path to grub.conf.
Reports mounted volumes, which are going to be full.
Percentage of disk usage for mounted volumes. Warning or error is reported if it exceeds given value. Utility df is used to gather needed data.
PERCENT_LIMIT_WARNING =<0-100> [Default value: 80]
Percentage of disk to be filled to issue warning.
PERCENT_LIMIT_ERROR =<0-100> [Default value: 100]
Percentage of disk to be filled to issue error.
DF_ARGS =<options> [Default value: -l -x iso9660]
Additional arguments to be passed to df utility.
Useful ones include -x (exclude filesystem type)
and -l (limit listing to local filesystems).
Exec-shield and virtual address randomization checking.
The test expects value of /proc/sys/kernel/randomize_va_space above zero.
| "1" | indicates conservative randomization. It makes the addresses of mmap base and VDSO page randomized. |
| "2" | indicates full randomization. This includes all the features that Conservative randomization provides. In addition to that, also start of the brk area is randomized. |
The test expects value of /proc/sys/kernel/exec-shield to be "1"
Scans filesystem for wierd entries and file attributes.
finds all files which have have unknown owner UID or GID
finds world writable files
finds world or group writable executables
finds SUID scripts
finds executable files, which are not in rpm database
finds symbolic links pointing to non-existing files or directories
finds files with incorrect SELinux context
FSTYPES =<filesystems>
Space-separated list of filesystem types to be checked.
INCLUDE =<dirs>
Directories to be included into filesystem scan. One entry per line.
EXCLUDE =<dirs>
Directories NOT to be included into filesystem scan. One entry per line.
RPMCHECK =<0|1>
Whether to check unpackaged binaries.
SYMLINK_WHITELIST =<symlink_path → symlink_target>
List of symlink patterns not to be reported if they are broken.
One entry per line, glob expressions can be used.
SELINUXCHECK =<0|1>
Whether to check file security contexts against configuration.
If SELinux is disabled, this part of test will be skipped anyway.
Simple analysis of firewall policy rules.
(all of the steps bellow are the same for IPv4 and IPv6)
The output of iptables -L and ip6tables -L is analyzed in this way:
INPUT, OUTPUT (in L5) are checked.
A warning/error is displayed if the policy is:
ACCEPT, DROP, RETURN or QUEUE and the chain is empty.
ACCEPT and the last rule IS NOT a REJECT rule. If the last rule is a custom chain, then it is checked in the same way.
Forwarding. If enabled, then a warning is displayed and the FORWARD chain is checked as described above.
Source routing. If enabled, then an error is displayed.
ENABLE_IPV4=<bool> [Default value: 1]
Enable/Disable all IPv4 related tests.
ENABLE_IPV4_FWCHECK=<bool> [Default value: 1]
Enable/Disable IPv4 firewall rules analysis.
SCAN_TCP4=<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv4. (Implemented, but disabled)
SCAN_UDP4=<bool> [Default value: 0]
Enable/Disable UDP scanning over IPv4. (Implemented, but disabled)
ENABLE_IPV6=<bool> [Default value: 1]
Enable/Disable all IPv6 related tests.
ENABLE_IPV6_FWCHECK=<bool> [Default value: 0]
Enable/Disable IPv6 firewall rules analysis.
SCAN_TCP6=<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv4. (Not implemented)
SCAN_UDP6=<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv4. (Not implemented)
DEV_BLACKLIST="<string - devname> [<string - devname]" [Default value: "virbr[0-9]* lo"]
Ignore listed devices in tests.
PARANOID=<bool> [Default value: 0]
This is only a helper variable that is set to 1 in level 5 and will be probably deleted.
Examines /etc/group file for various strange entities.
Checks /etc/group for whether
line is not blank
line has correct number of fields
groupname is not empty
groupname contains only alpha-numeric characters
groupname is shorter than 32 chars
all group passwords are shadowed
GIDs are valid numbers
GIDs are in range 0..60000
there are groups with same GID
there are same groupnames
none
System integrity test. Checks presence and integrity of system commands and directories. For checking the integrity of binaries the command rpmverify (rpm -Vf) is used. A search for duplicates is also done for each command.
Presence of directories listed in $DIRECTORY_LIST
Integrity of core commands. This is done by calling $RPMVERIFY with $COREPKG as the package name.
Duplicit commands in directories listed in $CMDPATH
CMDPATH="<string - directory>[:<string - directory> …]" [Default value: "/bin:/sbin:/root/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"]
Directories containing command executables.
RPMVERIFY="<string - filepath>" [Default value: "/usr/bin/rpmverify"]
Absolute path to the rpmverify command executable.
COREPKG="<string - name>" [Default value: "coreutils"]
Name of package containing the core commands that should be checked.
DIRECTORY_LIST="<string - directory>[\n<string - directory> …]" [Default value: "/bin\n/sbin\n/lib\n/usr/bin\n/usr/sbin\n/usr/lib\n/usr/libexec\n/tmp\n/proc\n/var"] [1]
List of directories that must exist.
Checks log files for existence and permissions.
logfile existence
logfile owner and group
logfile permissions
LOGFILES =<lines of form: file owner group permissions>
Specifies expected logfile loactions and their attributes.
One logfile per line.
Checks for potentially insecure mount options in /etc/fstab like not having nosuid on removable devices etc.
The test checks removable and remote filesystems for the nodev, noexec and nosuid options. Checks local filesystems for the nodev option. Mountpoints can be blacklisted and this omitted from testing.
DEFAULTS =<list of options>
The list of options that the defaults keyword expands into. (rw suid dev exec auto nouser async by default)
FILES =<list of files>
Files to be checked. /etc/fstab by default, make it /proc/mounts if you want mounted FSs to be checked.
LOCAL_TYPES =<list of filesystem types>
Filesystem types recognized as local (ext2 ext3 by default)
REMOVABLE_TYPES =<list of filesystem types>
Filesystem types recognized as removable (floppy cdrom iso9660 vfat msdos by default)
REMOTE_TYPES =<list of filesystem types>
Filesystem types recognized as removable (nfs nfs4 smbfs cifs ncpfs by default)
BLACKLIST =<list of directories>
Mountpoints to be skipped when checking (/boot by default)
Tests nfs exports file for its existence and read-write exports.
Checks if exports file exists
Reports exports with write permission
EXPORTS =<filename> [Default value: /etc/exports]
Path to nfs exports file.
OpenSSH configuration audit. Performs basic checks on default configuration files, keys and on configuration files and keys used by running openssh processes.
Permissions of configuration files and directories used by OpenSSH processes. [1]
SSHD_CONFIGDIR_PERM, SSHD_CONFIGDIR_OWNER, SSH_KNOWN_HOSTS_REQUIRE, SSH_KNOWN_HOSTS_PERM, SSH_KNOWN_HOSTS_OWNER, SSHD_PRIVSEP_DIR_REQUIRE, SSHD_PRIVSEP_DIR_PERM, SSHD_PRIVSEP_DIR_OWNER, SSHD_PRIVSEP_DIR_EMPTY
Permissions and hash sums[2] of keys in default locations and locations specified in process options and/or configuration directives.
SSHD_DEFAULT_KEYS, SSHD_PRIVKEY_PERM, SSHD_PRIVKEY_OWNER, SSHD_PUBKEY_PERM, SSHD_PUBKEY_OWNER, SSHD_SHA256_LIST, SSHD_SAVE_SHA256_CHANGES
Values of this configuration directives:
Protocol - If SSHv1 is enabled, then a warning is diplayed.
PermitRootLogin - In level 5, an error is displayed if this directive is set to yes. Otherwise, a warning is emitted if the value is without-password or forced-commands-only.
AllowGroups, AllowUsers - In level 5, a warning is emitted if none of this directives is present.
ChallengeResponseAuthentication, UsePAM - If both directives are set to no, then a warning is emitted.
PermitUserEnvironment - A warning is displayed if the value is yes.
StrictModes - A warning is displayed if the value is no.
UsePrivilegeSeparation - A warning is displayed if the value is no.
ClientAliveCountMax - (Checked only in L5 and if SSHv2 is enabled) If the value is 0 or higher that 6, then a warning is displayed.
ClientAliveInverval - (Checked only in L5 and if SSHv2 is enabled) If the value if 0 or higher that 600 seconds, then a warning is displayed.
|
Note
|
SSHD_USER ="<string - user>" [Default value:"sshd"]
Owner of the running sshd process.
SSHD_GROUP ="<string - group>" [Default value: "sshd"]
Group of the running sshd process.
SSHD_CONFIG_PERM =<number in octal base> [Default value: 755]
Correct file permissions of sshd_config file.
SSHD_CONFIG_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of sshd_config file.
SSHD_CONFIGDIR_PERM =<number in octal base> [Default value: 755]
Correct file permissions of sshd configuration directory.
SSHD_CONFIGDIR_OWNER ="<string - user>:<string - group> [Default value: "root:root"]
Correct owner of sshd configuration directory.
SSHD_PRIVKEY_PERM =<number in octal base> [Default value: 600]
Correct permissions of sshd private key file(s).
SSHD_PRIVKEY_OWNER ="<string - user:<string - group> [Default value: "root:root"]
Correct owner of sshd private key files(s).
SSHD_PUBKEY_PERM =<number in octal base> [Default value: 644]
Correct permissions of sshd public key files(s).
SSHD_PUBKEY_OWNER ="<string - user>:<string - group> [Default value: "root:root"]
Correct owner of sshd public key files(s).
SSH_KNOWN_HOSTS_REQUIRE =<bool> [Default value: 0]
This variable controls if the presence of known_hosts file is required or not.
SSH_KNOWN_HOSTS_PERM =<number in octal base> [Default value: 644]
Correct permissions of known_hosts file.
SSH_KNOWN_HOSTS_OWNER ="<string - user>:<string - group> [Default value: "root:root"]
Correct owner of known_hosts file.
SSHD_PRIVSEP_DIR_REQUIRE =<bool> [Default value: 1]
This variable controls if the presence of the directory used in privilege separation phase is required or not. If yes and the directory does not exist, then a warning is displayed.
SSHD_PRIVSEP_DIR_PERM =<number in octal base> [Default value: 711, L5 value: 700]
Correct permissions of the privsep directory.
SSHD_PRIVSEP_DIR_OWNER ="<string - user>:<string - group> [Default value: "root:root"]
Correct owner of the directory.
SSHD_PRIVSEP_DIR ="<string - directory>" [Default value: "/var/empty/sshd"]
Location of the directory used in privilege separation phase.
SSHD_PRIVSEP_DIR_EMPTY =<bool> [Default value: 0]
If set to 1, then the privsep directory must be empty. Otherwise a warning will be displayed.
SSHD_CHECK_SHA256 =<bool> [Default value: 1]
This variable controls if the checksums of sshd related files will be checked.
SSH_CHECK_SHA256 =<bool> [Default value: 1]
This variable controls if the checksums of ssh related files will be checked.
SSHD_SHA256_LIST ="<string - filename>" [Default value: "sshd.sum"]
Name of the checksum file. This file is stored in the persistent data directory.
SSHD_SAVE_SHA256_CHANGES =<bool> [Default value: 1]
This variable controls if changes in checksums will be saved to the checksum file.
SSHD_DEFAULT_KEYS ="<string - keypath> [<string - keypath #2> …]" [Default value: "/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key"]
Default locations of sshd keyfiles.
PARANOID =<bool> [Default value: 0, L5 value: 1]
This is only a helper variable that is set to 1 in level 5 and will be probably deleted.
A simple default configuration database is implemented in this test for better portability to other systems with different default values of OpenSSH configuration directives. The syntax is quite simple:
A prefix must be defined. In this test, SSHD is hardcoded for the sshd daemon configuration.
All directives that will have their default values listed in .dsc fuke must be added to the variable $PREFIX_defined_vars.
For example:
SSHD_default_vars="PermitRootLogin StrictModes"
Then the default values for each listed directive must be defined. This definition includes version of sshd that it applies to. The version string must contain only characters that can be part of .dsc variable name.
For example:
Version = 4.7p1 -> Version string = 47p1
The definition name is in the format $PREFIX_$VersionString_$ConfDirectiveName.
For example:
SSHD_47p1_PermitRootLogin="yes"
And for all 4.x versions it would be:
SSHD_4_PermitRootLogin="yes"
This is also correct and applies to any version:
SSHD__PermitRootLogin="yes"
SSHD_defined_vars="PermitRootLogin StrictModes
ChallengeResponseAuthentication
UsePAM AllowTcpForwarding"
# 4.7p1 defaults on F9
SSHD_47p1_PermitRootLogin="yes"
SSHD_47p1_StrictModes="yes"
SSHD_47p1_ChallengeResponseAuthentication="no"
SSHD_47p1_UsePAM="no"
SSHD_47p1_AllowTcpForwarding="yes"
Checks pam configuration
Are new passwords checked with cracklib?
(in paranoid mode) Are accounts locked after a number of consecutive login failures?
Examines /etc/passwd file for validity and completeness of present entries.
Checks passwd for whether
/etc/passwd has permission 644 and its owner is root:root
/etc/shadow has permission 400 and its owner is root:root
line is not blank
line has correct number of fields
username is not empty
username contains only alpha-numeric characters
username is shorter than 32 chars
all users have password
all passwords are shadowed
UID and GID are valid numbers
UID and GID are in range 500..60000
user has UID 0, but his username is not root
user has UID 1, but his username is not bin
user has GID 0, but his username is not root
user has GID 1, but his username is not bin
user has negative UID
user has negative GID
there are users with same UID
there are same username
root has UID 0
user has valid shell (listed in /etc/shells)
none
Examines environment variable PATH for potentially dangerous elements.
if all directiories in PATH exist
world or group writable files in PATH destinations
files in PATH destinations not owned by root
dangerous elements present in PATH
empty element (points to current directiory)
relative path
/tmp directory
world or group writable directories
none
Checks given important directories for existence, owner and pemissions.
existence of given filesystem entry
permissions of given filesystem entry
whether owner of the filesystem entry is root
Directories tested by default and expected permissions:
/ 755 /bin 755 /boot 755 /dev 755 /etc 755 /home 755 /lib 755 /media 755 /mnt 755 /opt 755 /root 750 /sbin 755 /srv 755 /tmp 1777 /usr 755 /usr/bin 755 /usr/sbin 755 /usr/include 755 /usr/lib 755 /usr/share 755 /usr/src 755 /usr/local 755 /var 755 /var/lock 775 /var/log 755 /var/mail 777 /var/run 755 /var/spool 755 /var/spool/mail 775 /var/tmp 1777
DIRS =<path permissions, one entry per line>
Additional directories to be checked. Syntax is the same as in listing above.
Tests routing tables.
Checks the routing tables and warns if some changes are found.
none
Test that checks if the mandatory access control architecture is enabled and watches for changes to security booleans.
The test expects that selinux is enabled and switched into enforcing mode from level 3.
Changes to security booleans.
MODE =["Enforcing" | "Permissive"]
What selinux mode is expected by the test.
DISABLED_MSGTYPE =["WARNING" | "ERROR"]
What kind of message is issued if mode doesn't match.
OLDBOOLS_FILE =filename
Name of file to store information on security booleans to.
Examines /etc/shadow for validity and completness of present entries.
Checks shadow for whether
/etc/shadow has permission 400 and its owner is root:root
line is not blank
line has correct number of fields
username is not empty
username contains only alpha-numeric characters
username is shorter than 32 chars
all users have password
there are same usernames
none
Looks for suid binaries in the system and compares against last run. Up to level 3, it checks only binaries in $PATH, from level 3 onwards, also checks if a file belongs to a package and from level 4 onwards walks through entire / filesystem and scans for setuid files.
A list of suid files in locations based on .dsc file is gathered and compared against a previous run, differences are printed. The test can also report suid files not belonging to a package or check arbitrary directories.
CHECK_PATH =["1" | "0"]
If the test should check directories in the $PATH variable. This is on by default.
CHECK_FILE_PACKAGE =["1" | "0"]
Whether to check if a setuid file belongs to a package, is 1 from level 3 up
PACKAGE_CMD =<a command> (rpm -qf in rpm-based distributions)
The command used to get the package a file belongs to
CHECK_DIR =<list of directories>
A directory or a list of directories to check in addition. Set to /opt
and /usr/local from level 4 up.
Test to examine proper usage of tcp_wrappers.
Checks whether running applications, which are using libwrap, have some restrictions in /etc/hosts.deny and /etc.hosts allow.
CHECK =<list of binaries> [Default value: /usr/bin/* /usr/sbin/*]
List of binaries to check. Wildcard expressions are enabled.
Vsftpd configuration audit. Performs basic checks on default configuration file of vsftpd.
Permissions of configuration files and directories used by vsftpd.
/etc/vsftpd/vsftpd.conf
If server is listening and is listening only on one protocol.
listen, listen_ipv6
Existing necessary files / directories and their permissions.
banned_email_file, userlist_file, chroot_list_file, email_password_file, vsftpd_log_file, xferlog_file, banner_file, dsa_cert_file, dsa_private_key_file, rsa_cert_file, rsa_private_key_file, local_root, anon_root, user_config_dir
|
Note
|
|
Existing necessary files / directories and their permissions for user configs
banned_email_file, banner_file, dsa_private_key_file, rsa_cert_file, rsa_private_key_file, local_root, anon_root, user_config_dir
If anonymous directory is writable for other users or is owned by wrong user
anonymous_enable, anon_root
If selinux is enabled and is preventing access to user home directories
Port range for passive connections
pasv_min_port, pasv_max_port
If ls_recurse_enable is enabled
Check possibility of ascii mangling
|
Note
|
|
PASSWD_FILE =<string - path> [Default value:"/etc/passwd"]
Path to system passwd file
CONFIG_FILE =<string - path> [Default value:"/etc/vsftpd/vsftpd.conf"]
Path to vsftpd configuration file