Test: aliases

Description

Examines bash aliases.

What is checked?

  • existence of target command or sourced file

  • possibility of changing target file

.dsc file variables

none

Test: bootloader

Description

Tests grub bootloader configuration.

What is checked?

  • permissions and owner of /boot/grub/grub.conf

  • password presence

.dsc file variables

WARNING_PASS =<0|1>
Whether to report warning if password is missing.

ERROR_PASS =<0|1>
Whether to report error if password is missing.

GRUBCONF =<path> [default value: /boot/grub/grub.conf]
Full path to grub.conf.

Test: disc_usage

Description

Reports mounted volumes that are nearly full.

What is checked?

Percentage of disk usage for mounted volumes. A warning or error is reported if it exceeds the given value. The df utility is used to gather the needed data.

.dsc file variables

PERCENT_LIMIT_WARNING =<0-100> [Default value: 80]
Percentage of disk to be filled to issue warning.

PERCENT_LIMIT_ERROR =<0-100> [Default value: 100]
Percentage of disk to be filled to issue error.

DF_ARGS =<options> [Default value: -l -x iso9660]
Additional arguments to be passed to df utility. Useful ones include -x (exclude filesystem type) and -l (limit listing to local filesystems).

Test: exec-shield

Description

Checks exec-shield and virtual address space randomization.

What is checked?

  • The test expects the value of /proc/sys/kernel/randomize_va_space to be above zero:

    "1" indicates conservative randomization: the mmap base and the VDSO page are randomized.

    "2" indicates full randomization: everything that conservative randomization provides, plus the start of the brk area is randomized.

  • The test expects the value of /proc/sys/kernel/exec-shield to be "1".

Test: filesystem

Description

Scans the filesystem for unusual entries and file attributes.

What is checked?

  • finds all files which have an unknown owner UID or GID

  • finds world writable files

  • finds world or group writable executables

  • finds SUID scripts

  • finds executable files that are not in the RPM database

  • finds symbolic links pointing to non-existing files or directories

  • finds files with incorrect SELinux context

.dsc file variables

FSTYPES =<filesystems>
Space-separated list of filesystem types to be checked.

INCLUDE =<dirs>
Directories to be included in the filesystem scan. One entry per line.

EXCLUDE =<dirs>
Directories NOT to be included in the filesystem scan. One entry per line.

RPMCHECK =<0|1>
Whether to check unpackaged binaries.

SYMLINK_WHITELIST =<symlink_path → symlink_target>
List of symlink patterns not to be reported if they are broken. One entry per line, glob expressions can be used.

SELINUXCHECK =<0|1>
Whether to check file security contexts against configuration. If SELinux is disabled, this part of test will be skipped anyway.

Test: firewall

Description

Simple analysis of firewall policy rules.

What is checked?

(all of the steps below are the same for IPv4 and IPv6)

  • The output of iptables -L and ip6tables -L is analyzed in this way:

    • The INPUT and OUTPUT chains (the latter in level 5) are checked.

    • A warning/error is displayed if the policy is:

      1. ACCEPT, DROP, RETURN or QUEUE and the chain is empty.

      2. ACCEPT and the last rule IS NOT a REJECT rule. If the last rule is a custom chain, then it is checked in the same way.

  • Forwarding. If enabled, then a warning is displayed and the FORWARD chain is checked as described above.

  • Source routing. If enabled, then an error is displayed.
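The two policy rules above applied to `iptables -L -n` output, written as an added example in POSIX shell (not this test's own code); the rule listing is constructed and the descent into a custom chain follows the description:

```shell
#!/bin/sh
# Constructed `iptables -L -n` output (not from a real host): INPUT ends in a
# custom chain that itself ends with REJECT, OUTPUT is empty with policy ACCEPT.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Policy of a built-in chain; prints nothing for a custom chain (it has none).
chain_policy() {   # $1 = chain name, $2 = rules text
    printf '%s\n' "$2" | awk -v c="$1" '
        $1 == "Chain" && $2 == c && $3 == "(policy" { sub(/\)/, "", $4); print $4 }'
}

# Target of the last rule in a chain; prints nothing when the chain is empty.
chain_last_target() {   # $1 = chain name, $2 = rules text
    printf '%s\n' "$2" | awk -v c="$1" '
        $1 == "Chain" { inchain = ($2 == c); next }
        inchain && NF > 0 && $1 != "target" { last = $1 }
        END { print last }'
}

# True if the rules text defines a chain with this name (i.e. a custom chain).
chain_exists() {   # $1 = chain name, $2 = rules text
    printf '%s\n' "$2" | grep -q "^Chain $1 "
}

# Apply the two rules from the description to one chain and print the verdict.
# A custom chain has no policy of its own and is checked like an ACCEPT chain.
check_chain() {   # $1 = chain name, $2 = rules text
    policy=$(chain_policy "$1" "$2")
    last=$(chain_last_target "$1" "$2")
    if [ -z "$last" ]; then
        echo "WARNING: chain $1 is empty (policy ${policy:-none})"
    elif [ "$policy" = ACCEPT ] || [ -z "$policy" ]; then
        if [ "$last" = REJECT ]; then
            echo "OK: chain $1 ends with a REJECT rule"
        elif chain_exists "$last" "$2"; then
            printf '%s -> ' "$1"; check_chain "$last" "$2"   # follow the jump
        else
            echo "WARNING: chain $1 has policy ${policy:-none} and last rule is $last, not REJECT"
        fi
    else
        echo "OK: chain $1 has policy $policy"
    fi
}

check_chain INPUT "$SAMPLE_RULES"
check_chain OUTPUT "$SAMPLE_RULES"
```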

.dsc file variables

ENABLE_IPV4 =<bool> [Default value: 1]
Enable/Disable all IPv4 related tests.

ENABLE_IPV4_FWCHECK =<bool> [Default value: 1]
Enable/Disable IPv4 firewall rules analysis.

SCAN_TCP4 =<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv4. (Implemented, but disabled)

SCAN_UDP4 =<bool> [Default value: 0]
Enable/Disable UDP scanning over IPv4. (Implemented, but disabled)

ENABLE_IPV6 =<bool> [Default value: 1]
Enable/Disable all IPv6 related tests.

ENABLE_IPV6_FWCHECK =<bool> [Default value: 0]
Enable/Disable IPv6 firewall rules analysis.

SCAN_TCP6 =<bool> [Default value: 0]
Enable/Disable TCP scanning over IPv6. (Not implemented)

SCAN_UDP6 =<bool> [Default value: 0]
Enable/Disable UDP scanning over IPv6. (Not implemented)

DEV_BLACKLIST ="<string - devname> [<string - devname> …]" [Default value: "virbr[0-9] lo"]
Ignore listed devices in tests.

PARANOID =<bool> [Default value: 0]
This is only a helper variable that is set to 1 in level 5 and will probably be deleted.

Test: group

Description

Examines /etc/group file for various strange entities.

What is checked?

Checks /etc/group for whether

  • line is not blank

  • line has correct number of fields

  • groupname is not empty

  • groupname contains only alpha-numeric characters

  • groupname is shorter than 32 chars

  • all group passwords are shadowed

  • GIDs are valid numbers

  • GIDs are in range 0..60000

  • there are groups with the same GID

  • there are duplicate group names

.dsc file variables

none

Test: integrity

Description

System integrity test. Checks presence and integrity of system commands and directories. For checking the integrity of binaries the command rpmverify (rpm -Vf) is used. A search for duplicates is also done for each command.

What is checked?

  • Presence of directories listed in $DIRECTORY_LIST

  • Integrity of core commands. This is done by calling $RPMVERIFY with $COREPKG as the package name.

  • Duplicate commands in directories listed in $CMDPATH

.dsc file variables

CMDPATH ="<string - directory>[:<string - directory> …]" [Default value: "/bin:/sbin:/root/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"]
Directories containing command executables.

RPMVERIFY ="<string - filepath>" [Default value: "/usr/bin/rpmverify"]
Absolute path to the rpmverify command executable.

COREPKG ="<string - name>" [Default value: "coreutils"]
Name of the package containing the core commands that should be checked.

DIRECTORY_LIST ="<string - directory>[\n<string - directory> …]" [Default value: "/bin\n/sbin\n/lib\n/usr/bin\n/usr/sbin\n/usr/lib\n/usr/libexec\n/tmp\n/proc\n/var"] [1]
List of directories that must exist.

Note
  • [1] \n means that items in this list are delimited using newline character:

DIRECTORY_LIST="/bin
                /sbin
                ..."

Test: logfiles

Description

Checks log files for existence and permissions.

What is checked?

  • logfile existence

  • logfile owner and group

  • logfile permissions

.dsc file variables

LOGFILES =<lines of form: file owner group permissions>
Specifies expected logfile locations and their attributes. One logfile per line.

Test: mountopt

Description

Checks for potentially insecure mount options in /etc/fstab like not having nosuid on removable devices etc.

What is checked?

The test checks removable and remote filesystems for the nodev, noexec and nosuid options, and local filesystems for the nodev option. Mountpoints can be blacklisted and thus omitted from testing.

.dsc file variables

DEFAULTS =<list of options>
The list of options that the defaults keyword expands into. (rw suid dev exec auto nouser async by default)

FILES =<list of files>
Files to be checked. /etc/fstab by default, make it /proc/mounts if you want mounted FSs to be checked.

LOCAL_TYPES =<list of filesystem types>
Filesystem types recognized as local (ext2 ext3 by default)

REMOVABLE_TYPES =<list of filesystem types>
Filesystem types recognized as removable (floppy cdrom iso9660 vfat msdos by default)

REMOTE_TYPES =<list of filesystem types>
Filesystem types recognized as remote (nfs nfs4 smbfs cifs ncpfs by default)

BLACKLIST =<list of directories>
Mountpoints to be skipped when checking (/boot by default)
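The classification described above, with the "defaults" expansion and the default type lists from the .dsc variables, as an added example in POSIX shell (not this test's own code; the fstab content is constructed). Mount options are applied left to right, so the check honours the last of "dev"/"nodev" (and likewise for suid and exec):

```shell
#!/bin/sh
# Constructed /etc/fstab sample (not from a real host): the USB stick relies on
# "defaults", the NFS export lacks nosuid, /home sets nodev after "defaults".
SAMPLE_FSTAB='/dev/sda1   /boot        ext3    defaults                  1 2
/dev/sda2   /            ext3    defaults                  1 1
/dev/sdb1   /media/usb   vfat    defaults,user             0 0
/dev/cdrom  /media/cdrom iso9660 noauto,ro,nosuid,nodev,noexec,user 0 0
fs.example.com:/export /mnt/nfs nfs rw,noexec,nodev         0 0
/dev/sda3   /home        ext3    defaults,nodev            1 2'

# The .dsc default values quoted above.
DEFAULTS="rw suid dev exec auto nouser async"
LOCAL_TYPES="ext2 ext3"
REMOVABLE_TYPES="floppy cdrom iso9660 vfat msdos"
REMOTE_TYPES="nfs nfs4 smbfs cifs ncpfs"
BLACKLIST="/boot"

# True if word $1 occurs in the space-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Print the mount options one per line, with "defaults" expanded via $DEFAULTS.
expand_opts() {   # $1 = comma-separated option string
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r o; do
        if [ "$o" = defaults ]; then printf '%s\n' $DEFAULTS; else printf '%s\n' "$o"; fi
    done
}

# True if "no$2" is in effect for option string $1 (last occurrence wins).
has_no_opt() {   # $1 = option string, $2 = base option (suid, dev or exec)
    expand_opts "$1" | awk -v b="$2" '
        $0 == b { seen = 0 } $0 == ("no" b) { seen = 1 } END { exit (seen ? 0 : 1) }'
}

# Options a filesystem type must carry, by the classification in the description.
required_opts() {   # $1 = filesystem type
    if in_list "$1" "$REMOVABLE_TYPES" || in_list "$1" "$REMOTE_TYPES"; then
        echo "dev exec suid"
    elif in_list "$1" "$LOCAL_TYPES"; then
        echo "dev"
    fi
}

# Check every fstab entry; print "mountpoint: missing noX ..." for offenders.
check_fstab() {   # $1 = fstab text
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac       # skip blanks and comments
        in_list "$mnt" "$BLACKLIST" && continue
        missing=""
        for base in $(required_opts "$fstype"); do
            has_no_opt "$opts" "$base" || missing="$missing no$base"
        done
        [ -z "$missing" ] || echo "$mnt: missing$missing"
    done
}

check_fstab "$SAMPLE_FSTAB"
```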

Test: nfs

Description

Tests nfs exports file for its existence and read-write exports.

What is checked?

  • Checks if exports file exists

  • Reports exports with write permission

.dsc file variables

EXPORTS =<filename> [Default value: /etc/exports]
Path to nfs exports file.

Test: openssh

Description

OpenSSH configuration audit. Performs basic checks on default configuration files, keys and on configuration files and keys used by running openssh processes.

What is checked?

  • Permissions of configuration files and directories used by OpenSSH processes. [1]

    Variables affecting this step

    SSHD_CONFIGDIR_PERM, SSHD_CONFIGDIR_OWNER, SSH_KNOWN_HOSTS_REQUIRE, SSH_KNOWN_HOSTS_PERM, SSH_KNOWN_HOSTS_OWNER, SSHD_PRIVSEP_DIR_REQUIRE, SSHD_PRIVSEP_DIR_PERM, SSHD_PRIVSEP_DIR_OWNER, SSHD_PRIVSEP_DIR_EMPTY

  • Permissions and hash sums[2] of keys in default locations and locations specified in process options and/or configuration directives.

    Variables affecting this step

    SSHD_DEFAULT_KEYS, SSHD_PRIVKEY_PERM, SSHD_PRIVKEY_OWNER, SSHD_PUBKEY_PERM, SSHD_PUBKEY_OWNER, SSHD_SHA256_LIST, SSHD_SAVE_SHA256_CHANGES

  • Values of these configuration directives:

    • Protocol - If SSHv1 is enabled, then a warning is displayed.

    • PermitRootLogin - In level 5, an error is displayed if this directive is set to yes. Otherwise, a warning is emitted if the value is without-password or forced-commands-only.

    • AllowGroups, AllowUsers - In level 5, a warning is emitted if neither of these directives is present.

    • ChallengeResponseAuthentication, UsePAM - If both directives are set to no, then a warning is emitted.

    • PermitUserEnvironment - A warning is displayed if the value is yes.

    • StrictModes - A warning is displayed if the value is no.

    • UsePrivilegeSeparation - A warning is displayed if the value is no.

    • ClientAliveCountMax - (Checked only in L5 and if SSHv2 is enabled) If the value is 0 or higher than 6, then a warning is displayed.

    • ClientAliveInterval - (Checked only in L5 and if SSHv2 is enabled) If the value is 0 or higher than 600 seconds, then a warning is displayed.

Note
  • [1] Files in default locations and also currently used files (for example configuration file specified with the -f option) are checked.

  • [2] If enabled and if it is not the first run.

.dsc file variables

SSHD_USER ="<string - user>" [Default value: "sshd"]
Owner of the running sshd process.

SSHD_GROUP ="<string - group>" [Default value: "sshd"]
Group of the running sshd process.

SSHD_CONFIG_PERM =<number in octal base> [Default value: 755]
Correct file permissions of sshd_config file.

SSHD_CONFIG_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner and group of sshd_config file.

SSHD_CONFIGDIR_PERM =<number in octal base> [Default value: 755]
Correct file permissions of sshd configuration directory.

SSHD_CONFIGDIR_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner of sshd configuration directory.

SSHD_PRIVKEY_PERM =<number in octal base> [Default value: 600]
Correct permissions of sshd private key file(s).

SSHD_PRIVKEY_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner of sshd private key file(s).

SSHD_PUBKEY_PERM =<number in octal base> [Default value: 644]
Correct permissions of sshd public key file(s).

SSHD_PUBKEY_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner of sshd public key file(s).

SSH_KNOWN_HOSTS_REQUIRE =<bool> [Default value: 0]
This variable controls if the presence of known_hosts file is required or not.

SSH_KNOWN_HOSTS_PERM =<number in octal base> [Default value: 644]
Correct permissions of known_hosts file.

SSH_KNOWN_HOSTS_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner of known_hosts file.

SSHD_PRIVSEP_DIR_REQUIRE =<bool> [Default value: 1]
This variable controls if the presence of the directory used in privilege separation phase is required or not. If yes and the directory does not exist, then a warning is displayed.

SSHD_PRIVSEP_DIR_PERM =<number in octal base> [Default value: 711, L5 value: 700]
Correct permissions of the privsep directory.

SSHD_PRIVSEP_DIR_OWNER ="<string - user>:<string - group>" [Default value: "root:root"]
Correct owner of the directory.

SSHD_PRIVSEP_DIR ="<string - directory>" [Default value: "/var/empty/sshd"]
Location of the directory used in privilege separation phase.

SSHD_PRIVSEP_DIR_EMPTY =<bool> [Default value: 0]
If set to 1, then the privsep directory must be empty. Otherwise a warning will be displayed.

SSHD_CHECK_SHA256 =<bool> [Default value: 1]
This variable controls if the checksums of sshd related files will be checked.

SSH_CHECK_SHA256 =<bool> [Default value: 1]
This variable controls if the checksums of ssh related files will be checked.

SSHD_SHA256_LIST ="<string - filename>" [Default value: "sshd.sum"]
Name of the checksum file. This file is stored in the persistent data directory.

SSHD_SAVE_SHA256_CHANGES =<bool> [Default value: 1]
This variable controls if changes in checksums will be saved to the checksum file.

SSHD_DEFAULT_KEYS ="<string - keypath> [<string - keypath #2> …]" [Default value: "/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key"]
Default locations of sshd keyfiles.

PARANOID =<bool> [Default value: 0, L5 value: 1]
This is only a helper variable that is set to 1 in level 5 and will probably be deleted.

default configuration database

A simple default configuration database is implemented in this test for better portability to other systems with different default values of OpenSSH configuration directives. The syntax is quite simple:

  1. A prefix must be defined. In this test, SSHD is hardcoded for the sshd daemon configuration.

  2. All directives that will have their default values listed in the .dsc file must be added to the variable $PREFIX_defined_vars.

    For example:

    SSHD_defined_vars="PermitRootLogin StrictModes"

  3. Then the default values for each listed directive must be defined. This definition includes the version of sshd that it applies to. The version string must contain only characters that can be part of a .dsc variable name.

    For example:

    Version = 4.7p1 -> Version string = 47p1

    The definition name is in the format $PREFIX_$VersionString_$ConfDirectiveName.
    For example:

    SSHD_47p1_PermitRootLogin="yes"

    And for all 4.x versions it would be:

    SSHD_4_PermitRootLogin="yes"

    This is also correct and applies to any version:

    SSHD__PermitRootLogin="yes"

.dsc file

SSHD_defined_vars="PermitRootLogin StrictModes
                   ChallengeResponseAuthentication
                   UsePAM AllowTcpForwarding"

# 4.7p1 defaults on F9
SSHD_47p1_PermitRootLogin="yes"
SSHD_47p1_StrictModes="yes"
SSHD_47p1_ChallengeResponseAuthentication="no"
SSHD_47p1_UsePAM="no"
SSHD_47p1_AllowTcpForwarding="yes"
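The lookup side of the database described above, as an added example in POSIX shell (not this test's own code): it derives the version string, resolves a directive's default from the most specific entry down to the any-version entry (that lookup order, and the two extra fallback entries, are this example's assumptions), and combines it with a constructed sshd_config to give the effective value.

```shell
#!/bin/sh
# Constructed .dsc fragment in the format described above (the 4.7p1 values
# from the example, plus two hypothetical fallback entries), as shell assignments.
SSHD_defined_vars="PermitRootLogin StrictModes ChallengeResponseAuthentication UsePAM AllowTcpForwarding"
SSHD_47p1_PermitRootLogin="yes"
SSHD_47p1_StrictModes="yes"
SSHD_47p1_ChallengeResponseAuthentication="no"
SSHD_47p1_UsePAM="no"
SSHD_47p1_AllowTcpForwarding="yes"
SSHD_4_UsePAM="yes"       # hypothetical default for all other 4.x releases
SSHD__StrictModes="yes"   # hypothetical default for any version

# Constructed sshd_config (keywords are case-insensitive; the first value wins).
SAMPLE_SSHD_CONFIG='# constructed sshd_config
Protocol 2
permitrootlogin without-password
PermitRootLogin yes
UsePAM yes'

# "4.7p1" -> "47p1": keep only characters allowed in a .dsc variable name.
version_string() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9_'
}

# Default for a directive: exact version entry first, then the major-version
# entry, then the any-version entry (this lookup order is the example's choice).
# Prints nothing and returns 1 if no entry exists.
sshd_default() {   # $1 = sshd version, $2 = directive
    case "$2" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac   # keep the eval below safe
    vs=$(version_string "$1")
    major=$(printf '%s' "$1" | cut -d. -f1)
    for name in "SSHD_${vs}_$2" "SSHD_${major}_$2" "SSHD__$2"; do
        val=$(eval "printf '%s' \"\${$name:-}\"")
        if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    done
    return 1
}

# Effective value: the explicit sshd_config setting if present, else the default.
effective_directive() {   # $1 = sshd_config text, $2 = directive, $3 = version
    explicit=$(printf '%s\n' "$1" | awk -v d="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(d) && !found { v = $2; found = 1 }
        END { print v }')
    if [ -n "$explicit" ]; then printf '%s\n' "$explicit"; else sshd_default "$3" "$2"; fi
}

effective_directive "$SAMPLE_SSHD_CONFIG" PermitRootLogin 4.7p1
effective_directive "$SAMPLE_SSHD_CONFIG" StrictModes 4.7p1
```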

Test: pam

Description

Checks the PAM configuration.

What is checked?

  • Are new passwords checked with cracklib?

  • (in paranoid mode) Are accounts locked after a number of consecutive login failures?

Test: passwd

Description

Examines /etc/passwd file for validity and completeness of present entries.

What is checked?

Checks passwd for whether

  • /etc/passwd has permission 644 and its owner is root:root

  • /etc/shadow has permission 400 and its owner is root:root

  • line is not blank

  • line has correct number of fields

  • username is not empty

  • username contains only alpha-numeric characters

  • username is shorter than 32 chars

  • all users have password

  • all passwords are shadowed

  • UID and GID are valid numbers

  • UID and GID are in range 500..60000

  • user has UID 0, but his username is not root

  • user has UID 1, but his username is not bin

  • user has GID 0, but his username is not root

  • user has GID 1, but his username is not bin

  • user has negative UID

  • user has negative GID

  • there are users with same UID

  • there are duplicate usernames

  • root has UID 0

  • user has valid shell (listed in /etc/shells)
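The entry checks listed above run over constructed passwd text, as an added example in POSIX shell and awk (not this test's own code). The 500..60000 range check here skips UID/GID 0 and 1, which have their own checks; that exception is the example's choice.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shells samples (no real accounts) that
# contain several of the defects listed above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob::501:501:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
carol:x:500:502:Carol:/home/carol:/bin/zsh
bad user:x:503:503::/home/bad:/bin/bash
dave:x:abc:504::/home/dave:/bin/bash

eve:x:505:505::/home/eve:/bin/bash:extra'
SAMPLE_SHELLS='/bin/bash
/bin/sh
/sbin/nologin'

# Run the checks over passwd text; one finding per line, nothing when clean.
check_passwd() {   # $1 = passwd text, $2 = /etc/shells text
    printf '%s\n' "$1" | awk -F: -v shells="$2" '
    BEGIN { n = split(shells, s, "\n"); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
    NF == 0 { print "line " NR ": blank line"; next }
    NF != 7 { print "line " NR ": wrong number of fields (" NF ")"; next }
    {
        user = $1; pw = $2; uid = $3; gid = $4; shell = $7
        if (user == "") { print "line " NR ": empty username"; next }
        if (user !~ /^[A-Za-z0-9]+$/) print "line " NR ": non-alphanumeric username \"" user "\""
        if (length(user) >= 32) print user ": username is not shorter than 32 chars"
        if (pw == "") print user ": no password"
        else if (pw != "x") print user ": password is not shadowed"
        if (uid ~ /^-/) print user ": negative UID"
        else if (uid !~ /^[0-9]+$/) print user ": UID is not a number"
        else {
            if (uid == 0 && user != "root") print user ": UID 0 but username is not root"
            if (uid == 1 && user != "bin") print user ": UID 1 but username is not bin"
            if (uid > 1 && (uid < 500 || uid > 60000)) print user ": UID " uid " out of range 500..60000"
            if (uid in byuid) print user ": same UID as " byuid[uid]; else byuid[uid] = user
            if (user == "root" && uid == 0) rootok = 1
        }
        if (gid ~ /^-/) print user ": negative GID"
        else if (gid !~ /^[0-9]+$/) print user ": GID is not a number"
        else {
            if (gid == 0 && user != "root") print user ": GID 0 but username is not root"
            if (gid == 1 && user != "bin") print user ": GID 1 but username is not bin"
            if (gid > 1 && (gid < 500 || gid > 60000)) print user ": GID " gid " out of range 500..60000"
        }
        if (user in seen) print user ": duplicate username"; else seen[user] = 1
        if (!(shell in ok)) print user ": shell " shell " is not listed in /etc/shells"
    }
    END { if (!rootok) print "root does not have UID 0" }'
}

check_passwd "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```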

.dsc file variables

none

Test: path

Description

Examines environment variable PATH for potentially dangerous elements.

What is checked?

  • if all directories in PATH exist

  • world or group writable files in PATH destinations

  • files in PATH destinations not owned by root

  • dangerous elements present in PATH

    • empty element (points to the current directory)

    • relative path

    • /tmp directory

    • world or group writable directories

.dsc file variables

none

Test: permissions

Description

Checks given important directories for existence, owner and permissions.

What is checked?

  • existence of given filesystem entry

  • permissions of given filesystem entry

  • whether owner of the filesystem entry is root

Directories tested by default and expected permissions:

/                  755
/bin               755
/boot              755
/dev               755
/etc               755
/home              755
/lib               755
/media             755
/mnt               755
/opt               755
/root              750
/sbin              755
/srv               755
/tmp              1777
/usr               755
  /usr/bin         755
  /usr/sbin        755
  /usr/include     755
  /usr/lib         755
  /usr/share       755
  /usr/src         755
  /usr/local       755
/var               755
  /var/lock        775
  /var/log         755
  /var/mail        777
  /var/run         755
  /var/spool       755
  /var/spool/mail  775
  /var/tmp        1777

.dsc file variables

DIRS =<path permissions, one entry per line>
Additional directories to be checked. Syntax is the same as in listing above.

Test: routing

Description

Tests routing tables.

What is checked?

Checks the routing tables and warns if some changes are found.

.dsc file variables

none

Test: selinux

Description

Test that checks if the mandatory access control architecture is enabled and watches for changes to security booleans.

What is checked?

  • The test expects that selinux is enabled and switched into enforcing mode from level 3.

  • Changes to security booleans.

.dsc file variables

MODE =["Enforcing" | "Permissive"]
What selinux mode is expected by the test.

DISABLED_MSGTYPE =["WARNING" | "ERROR"]
What kind of message is issued if mode doesn’t match.

OLDBOOLS_FILE =filename
Name of file to store information on security booleans to.

Test: shadow

Description

Examines /etc/shadow for validity and completeness of present entries.

What is checked?

Checks shadow for whether

  • /etc/shadow has permission 400 and its owner is root:root

  • line is not blank

  • line has correct number of fields

  • username is not empty

  • username contains only alpha-numeric characters

  • username is shorter than 32 chars

  • all users have password

  • there are duplicate usernames

.dsc file variables

none

Test: suid

Description

Looks for suid binaries in the system and compares them against the last run. Up to level 3 it checks only binaries in $PATH; from level 3 onwards it also checks whether a file belongs to a package, and from level 4 onwards it walks the entire / filesystem scanning for setuid files.

What is checked?

A list of suid files in locations based on .dsc file is gathered and compared against a previous run, differences are printed. The test can also report suid files not belonging to a package or check arbitrary directories.

.dsc file variables

CHECK_PATH =["1" | "0"]
Whether the test should check the directories in the $PATH variable. This is on by default.

CHECK_FILE_PACKAGE =["1" | "0"]
Whether to check if a setuid file belongs to a package. Set to 1 from level 3 up.

PACKAGE_CMD =<a command> (rpm -qf in rpm-based distributions)
The command used to get the package a file belongs to.

CHECK_DIR =<list of directories>
A directory or a list of directories to check in addition. Set to /opt and /usr/local from level 4 up.

Test: tcp_wrappers

Description

Test to examine proper usage of tcp_wrappers.

What is checked?

Checks whether running applications that use libwrap have some restrictions in /etc/hosts.deny and /etc/hosts.allow.

.dsc file variables

CHECK =<list of binaries> [Default value: /usr/bin/* /usr/sbin/*]
List of binaries to check. Wildcard expressions are enabled.

Test: vsftpd

Description

Vsftpd configuration audit. Performs basic checks on default configuration file of vsftpd.

What is checked?

  • Permissions of configuration files and directories used by vsftpd.

    Files affecting this step

    /etc/vsftpd/vsftpd.conf

  • Whether the server is listening, and listening on only one protocol.

    Variables affecting this step

    listen, listen_ipv6

  • Existing necessary files / directories and their permissions.

    Variables affecting this step

    banned_email_file, userlist_file, chroot_list_file, email_password_file, vsftpd_log_file, xferlog_file, banner_file, dsa_cert_file, dsa_private_key_file, rsa_cert_file, rsa_private_key_file, local_root, anon_root, user_config_dir

    Note
    • Variables are affected only when the dependency is resolved (for example, if the deny_email_enable option is NO, then banned_email_file is not tested)

  • Existing necessary files / directories and their permissions for user configs

    Variables affecting this step

    banned_email_file, banner_file, dsa_private_key_file, rsa_cert_file, rsa_private_key_file, local_root, anon_root, user_config_dir

  • If anonymous directory is writable for other users or is owned by wrong user

    Variables affecting this step

    anonymous_enable, anon_root

  • If selinux is enabled and is preventing access to user home directories

  • Port range for passive connections

    Variables affecting this step

    pasv_min_port, pasv_max_port

  • If ls_recurse_enable is enabled

  • Check possibility of ascii mangling

Note
  • On some FTP servers, enabling ASCII upload or download allows a denial of service attack (DoS) via the command "SIZE /big/file" in ASCII mode. ASCII mangling is a horrible feature of the protocol. To disable it, use ascii_upload_enable=NO and ascii_download_enable=NO.
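The directive checks from the list above (listening protocol, ASCII mangling, ls_recurse_enable, passive port range) over a constructed vsftpd.conf, as an added example in POSIX shell (not this test's own code). The built-in defaults used when an option is absent are vsftpd's documented ones; the passive-range rule (min must not exceed max) is this example's own assumption, since the description does not state the rule:

```shell
#!/bin/sh
# Constructed vsftpd.conf sample (not a real configuration): it listens on both
# protocols, leaves ASCII upload on and has an inverted passive port range.
SAMPLE_VSFTPD_CONF='# comment line
listen=YES
listen_ipv6=YES
anonymous_enable=NO
ascii_upload_enable=YES
ascii_download_enable=NO
ls_recurse_enable=YES
pasv_min_port=40100
pasv_max_port=40000'

# Value of option $2 in config text $1 (vsftpd syntax is option=value with no
# spaces and "#" comments; the last assignment wins here). Prints default $3 if unset.
vsftpd_opt() {
    v=$(printf '%s\n' "$1" | awk -F= -v k="$2" '$0 !~ /^#/ && $1 == k { v = $2 } END { print v }')
    printf '%s\n' "${v:-$3}"
}

# Run the directive checks; one finding per line, nothing when clean.
check_vsftpd_conf() {   # $1 = vsftpd.conf text
    conf=$1
    listen=$(vsftpd_opt "$conf" listen NO)
    listen6=$(vsftpd_opt "$conf" listen_ipv6 NO)
    if [ "$listen" = YES ] && [ "$listen6" = YES ]; then
        echo "WARNING: listen and listen_ipv6 are both YES (listening on two protocols)"
    elif [ "$listen" != YES ] && [ "$listen6" != YES ]; then
        echo "WARNING: server is not listening (neither listen nor listen_ipv6 is YES)"
    fi
    for o in ascii_upload_enable ascii_download_enable; do
        [ "$(vsftpd_opt "$conf" $o NO)" = YES ] && echo "WARNING: $o=YES allows ASCII mangling"
    done
    [ "$(vsftpd_opt "$conf" ls_recurse_enable NO)" = YES ] && echo "WARNING: ls_recurse_enable is enabled"
    min=$(vsftpd_opt "$conf" pasv_min_port 0)
    max=$(vsftpd_opt "$conf" pasv_max_port 0)
    # Example's own sanity rule: when both ends are set, min must not exceed max.
    if [ "$min" -gt 0 ] && [ "$max" -gt 0 ] && [ "$min" -gt "$max" ]; then
        echo "WARNING: pasv_min_port ($min) is greater than pasv_max_port ($max)"
    fi
    return 0
}

check_vsftpd_conf "$SAMPLE_VSFTPD_CONF"
```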

.dsc file variables

PASSWD_FILE =<string - path> [Default value: "/etc/passwd"]
Path to system passwd file

CONFIG_FILE =<string - path> [Default value: "/etc/vsftpd/vsftpd.conf"]
Path to vsftpd configuration file