Support sysctl checks with multiple profiles

2016-08-18 14:35:20 +02:00 · 2016-08-18 14:35:20 +02:00 · d95ab3d253
parent 4368b59a1d
commit d95ab3d253
3 changed files with 130 additions and 84 deletions
--- a/default.prf
+++ b/default.prf
@ -153,74 +153,83 @@ plugin=users
 #
 #################################################################################

+# Config
+# - Type (sysctl)
+# - Setting (kernel.sysrq)
+# - Expected value (0)
+# - Hardening Points (1)
+# - Description (Disable magic SysRQ)
+# - Related file or command (sysctl -a)
+# - Solution field (url:URL, text:TEXT, or -)
+
 # Processes
-#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
-sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
-sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
+config-data=sysctl;security.bsd.see_other_gids;0;1;Disable display of processes of other groups;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Disable display of processes of other users;sysctl -a;-;category:security;

 # Kernel
-sysctl:kern.sugid_coredump:0:1:XXX:
-sysctl:kernel.core_setuid_ok:0:1:XXX:
-sysctl:kernel.core_uses_pid:1:1:XXX:
-sysctl:kernel.ctrl-alt-del:0:1:XXX:
-sysctl:kernel.exec-shield-randomize:1:1:XXX:
-sysctl:kernel.exec-shield:1:1:XXX:
-sysctl:kernel.kptr_restrict:2:1:Restrict access to kernel symbols:
-sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
-sysctl:kernel.use-nx:0:1:XXX:
+config-data=sysctl;kern.sugid_coredump;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;

 # Network
-sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
-sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
-sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
-sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
-sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
-sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
-sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
-sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
-sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
-sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
-sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
-sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
-sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
-#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
-sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
-sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
-sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
+config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic;-;category:security;
+config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
+#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
+config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;

 [security]
-#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
-#security.jail.jailed: 0
-#security.jail.jail_max_af_ips: 255
-#security.jail.mount_allowed: 0
-#security.jail.chflags_allowed: 0
-#security.jail.allow_raw_sockets: 0
-#security.jail.enforce_statfs: 2
-#security.jail.sysvipc_allowed: 0
-#security.jail.socket_unixiproute_only: 1
-#security.jail.set_hostname_allowed: 1
-#security.bsd.suser_enabled: 1
-#security.bsd.unprivileged_proc_debug: 1
-#security.bsd.conservative_signals: 1
-#security.bsd.unprivileged_read_msgbuf: 1
-#security.bsd.hardlink_check_gid: 0
-#security.bsd.hardlink_check_uid: 0
-#security.bsd.unprivileged_get_quota: 0
+#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
+#security.jail.jailed; 0
+#security.jail.jail_max_af_ips; 255
+#security.jail.mount_allowed; 0
+#security.jail.chflags_allowed; 0
+#security.jail.allow_raw_sockets; 0
+#security.jail.enforce_statfs; 2
+#security.jail.sysvipc_allowed; 0
+#security.jail.socket_unixiproute_only; 1
+#security.jail.set_hostname_allowed; 1
+#security.bsd.suser_enabled; 1
+#security.bsd.unprivileged_proc_debug; 1
+#security.bsd.conservative_signals; 1
+#security.bsd.unprivileged_read_msgbuf; 1
+#security.bsd.hardlink_check_gid; 0
+#security.bsd.hardlink_check_uid; 0
+#security.bsd.unprivileged_get_quota; 0
+#sysctl;kern.randompid;1234;1;Increase the next PID with an amount close to the given value;sysctl -a;-;category:security;


 #################################################################################
--- a/include/profiles
+++ b/include/profiles
@ -64,6 +64,12 @@
                    STRING=$(echo ${VALUE} | tr -d "[" | tr -d "]" | sed "s/, /,/g")
                    CHECK_VALUE_ARRAY="${CHECK_OPTION_ARRAY} ${STRING}"
                ;;
+
+                # Ignore configuration data
+                config-data)
+                    Debug "Ignoring configuration option, as it will be used by a specific test"
+                ;;
+
                # Maximum number of WAITing connections
                connections-max-wait-state | connections_max_wait_state)
                    OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@ -33,33 +33,64 @@
    Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
+        DATA_TO_SCAN=""
        N=0
        Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
+
+        # First scan optional profiles only (ignore default and custom)
        for PROFILE in ${PROFILES}; do
-            FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /-space-/g'`
-            for I in ${FIND}; do
-                tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`
-                tFINDexpvalue=`echo ${I} | awk -F: '{ print $3 }'`
-                tFINDhp=`echo ${I} | awk -F: '{ print $4 }' | grep "[0-9]"`
-                tFINDdesc=`echo ${I} | awk -F: '{ print $5 }' | sed 's/-space-/ /g'`
-                tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
-                if [ ! "${tFINDcurvalue}" = "" ]; then
-                    if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
-                        LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
-                        Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
-                        AddHP ${tFINDhp} ${tFINDhp}
-                      else
-                        LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
-                        Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
-                        AddHP 0 ${tFINDhp}
-                        FOUND=1
-                        N=$((N + 1))
-                        ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
-                    fi
-                  else
-                    LogText "Result: key ${tFINDkey} does not exist on this machine"
-                fi
+            FILE=$(echo ${PROFILE} | awk -F/ '{print $NF}')
+            if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then
+                FIND=$(grep "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g')
+                DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}"
+            fi
+        done
+
+        # Scan custom profile
+        if [ ! -z "${CUSTOM_PROFILE}" ]; then
+            FIND=$(grep "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g')
+            for LINE in ${FIND}; do
+                SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }')
+                HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
+                if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
            done
+        fi
+
+        # Last, use data from default profile
+        if [ ! -z "${DEFAULT_PROFILE}" ]; then
+            FIND=$(grep "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g')
+            for LINE in ${FIND}; do
+                SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }')
+                HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
+                if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
+            done
+        fi
+
+        # Sort the results
+        DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort)
+
+        for I in ${DATA_TO_SCAN}; do
+            tFINDkey=$(echo ${I} | awk -F\; '{ print $2 }')
+            tFINDexpvalue=$(echo ${I} | awk -F\; '{ print $3 }')
+            tFINDhp=$(echo ${I} | awk -F\; '{ print $4 }' | grep "[0-9]")
+            tFINDdesc=$(echo ${I} | awk -F\; '{ print $5 }' | sed 's/-space-/ /g')
+            tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
+            if [ ! "${tFINDcurvalue}" = "" ]; then
+                if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
+                    LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
+                    Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
+                    AddHP ${tFINDhp} ${tFINDhp}
+                else
+                    LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
+                    Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+                    AddHP 0 ${tFINDhp}
+                    FOUND=1
+                    N=$((N + 1))
+                    ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
+                fi
+            else
+                LogText "Result: key ${tFINDkey} does not exist on this machine"
+            fi
        done

        # Add suggestion if one or more sysctls have a different value than scan profile