-
Notifications
You must be signed in to change notification settings - Fork 673
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #30 from redhatrises/add_Antivirus_oval
Add OVAL for antivirus check
- Loading branch information
Showing
8 changed files
with
273 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../../../shared/oval/install_antivirus.xml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,223 @@ | ||
<Group id="integrity"> | ||
<title>Software Integrity Checking</title> | ||
<description> | ||
Both the AIDE (Advanced Intrusion Detection Environment) | ||
software and the RPM package management system provide | ||
mechanisms for verifying the integrity of installed software. | ||
AIDE uses snapshots of file metadata (such as hashes) and compares these | ||
to current system files in order to detect changes. | ||
The RPM package management system can conduct integrity | ||
checks by comparing information in its metadata database with | ||
files installed on the system. | ||
<br /><br /> | ||
Integrity checking cannot <i>prevent</i> intrusions, | ||
but can detect that they have occurred. Requirements | ||
for software integrity checking may be highly dependent on | ||
the environment in which the system will be used. Snapshot-based | ||
approaches such as AIDE may induce considerable overhead | ||
in the presence of frequent software updates. | ||
</description> | ||
|
||
<Group id="aide"> | ||
<title>Verify Integrity with AIDE</title> | ||
<description>AIDE conducts integrity checks by comparing information about | ||
files with previously-gathered information. Ideally, the AIDE database is | ||
created immediately after initial system configuration, and then again after any | ||
software update. AIDE is highly configurable, with further configuration | ||
information located in <tt>/usr/share/doc/aide-<i>VERSION</i></tt>. | ||
</description> | ||
|
||
<Rule id="package_aide_installed" severity="medium"> | ||
<title>Install AIDE</title> | ||
<description> | ||
Install the AIDE package with the command: | ||
<pre># yum install aide</pre> | ||
</description> | ||
<ocil clause="the package is not installed"> | ||
<package-check-macro package="aide"/> | ||
</ocil> | ||
<rationale> | ||
The AIDE package must be installed if it is to be available for integrity checking. | ||
</rationale> | ||
<!--oval id="package_aide_installed" /--> | ||
<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28, SI-7" disa="1069"/> | ||
</Rule> | ||
|
||
<Rule id="aide_build_database"> | ||
<title>Build and Test AIDE Database</title> | ||
<description>Run the following command to generate a new database: | ||
<pre># /usr/sbin/aide --init</pre> | ||
By default, the database will be written to the file <tt>/var/lib/aide/aide.db.new.gz</tt>. | ||
Storing the database, the configuration file <tt>/etc/aide.conf</tt>, and the binary | ||
<tt>/usr/sbin/aide</tt> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. | ||
The newly-generated database can be installed as follows: | ||
<pre># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre> | ||
To initiate a manual check, run the following command: | ||
<pre># /usr/sbin/aide --check</pre> | ||
If this check produces any unexpected output, investigate. | ||
</description> | ||
<rationale> | ||
For AIDE to be effective, an initial database of "known-good" information about files | ||
must be captured and it should be able to be verified against the installed files. | ||
</rationale> | ||
<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" /> | ||
</Rule> | ||
|
||
<Rule id="aide_periodic_cron_checking" severity="medium"> | ||
<title>Configure Periodic Execution of AIDE</title> | ||
<description> | ||
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>: | ||
<pre>05 4 * * * root /usr/sbin/aide --check</pre> | ||
AIDE can be executed periodically through other means; this is merely one example. | ||
</description> | ||
<ocil clause="there is no output"> | ||
To determine that periodic AIDE execution has been scheduled, run the following command: | ||
<pre># grep aide /etc/crontab</pre> | ||
</ocil> | ||
<rationale> | ||
By default, AIDE does not install itself for periodic execution. Periodically | ||
running AIDE is necessary to reveal unexpected changes in installed files. | ||
</rationale> | ||
<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" disa="374,416,1069,1263,1297,1589"/> | ||
</Rule> | ||
</Group> | ||
|
||
<Group id="rpm_verification"> | ||
<title>Verify Integrity with RPM</title> | ||
<description>The RPM package management system includes the ability | ||
to verify the integrity of installed packages by comparing the | ||
installed files with information about the files taken from the | ||
package metadata stored in the RPM database. Although an attacker | ||
could corrupt the RPM database (analogous to attacking the AIDE | ||
database as described above), this check can still reveal | ||
modification of important files. To list which files on the system differ from what is expected by the RPM database: | ||
<pre># rpm -qVa</pre> | ||
See the man page for <tt>rpm</tt> to see a complete explanation of each column. | ||
</description> | ||
|
||
<Rule id="rpm_verify_permissions"> | ||
<title>Verify and Correct File Permissions with RPM</title> | ||
<description> | ||
The RPM package management system can check file access | ||
permissions of installed software packages, including many that are | ||
important to system security. | ||
After locating a file with incorrect permissions, run the following command to determine which package owns it: | ||
<pre># rpm -qf <i>FILENAME</i></pre> | ||
Next, run the following command to reset its permissions to | ||
the correct values: | ||
<pre># rpm --setperms <i>PACKAGENAME</i></pre> | ||
</description> | ||
<ocil clause="there is output"> | ||
The following command will list which files on the system have permissions different from what | ||
is expected by the RPM database: | ||
<pre># rpm -Va | grep '^.M'</pre> | ||
</ocil> | ||
<rationale> | ||
Permissions on system binaries and configuration files that are too generous | ||
could allow an unauthorized user to gain privileges that they should not have. | ||
The permissions set by the vendor should be maintained. Any deviations from | ||
this baseline should be investigated.</rationale> | ||
<!--oval id="rpm_verify_permissions" /--> | ||
<ref nist="AC-6,CM-6(d),CM-6(3)" disa="1493,1494,1495" /> | ||
</Rule> | ||
|
||
<Rule id="rpm_verify_hashes"> | ||
<title>Verify File Hashes with RPM</title> | ||
<description>The RPM package management system can check the hashes of | ||
installed software packages, including many that are important to system | ||
security. Run the following command to list which files on the system | ||
have hashes that differ from what is expected by the RPM database: | ||
<pre># rpm -Va | grep '^..5'</pre> | ||
A "c" in the second column indicates that a file is a configuration file, which | ||
may appropriately be expected to change. If the file was not expected to | ||
change, investigate the cause of the change using audit logs or other means. | ||
The package can then be reinstalled to restore the file. | ||
Run the following command to determine which package owns the file: | ||
<pre># rpm -qf <i>FILENAME</i></pre> | ||
The package can be reinstalled from a yum repository using the command: | ||
<pre>yum reinstall <i>PACKAGENAME</i></pre> | ||
Alternatively, the package can be reinstalled from trusted media using the command: | ||
<pre>rpm -Uvh <i>PACKAGENAME</i></pre> | ||
</description> | ||
<ocil clause="there is output"> The following command will list which files on the system | ||
have file hashes different from what is expected by the RPM database. | ||
<pre># rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'</pre> | ||
</ocil> | ||
<rationale> | ||
The hashes of important files like system executables should match the | ||
information given by the RPM database. Executables with erroneous hashes could | ||
be a sign of nefarious activity on the system.</rationale> | ||
<!--oval id="rpm_verify_hashes" /--> | ||
<ref nist="CM-6(d),CM-6(3),SI-7" disa="1496" /> | ||
</Rule> | ||
|
||
</Group> | ||
|
||
<Group id="additional_security_software"> | ||
<title>Additional Security Software</title> | ||
<description> | ||
Additional security software that is not provided or supported | ||
by Red Hat can be installed to provide complementary or duplicative | ||
security capabilities to those provided by the base platform. Add-on | ||
software may not be appropriate for some specialized systems. | ||
</description> | ||
|
||
<Rule id="install_hids" severity="high"> | ||
<title>Install Intrusion Detection Software</title> | ||
<description> | ||
The Red Hat platform includes a sophisticated auditing system | ||
and SELinux, which provide host-based intrusion detection capabilities. | ||
</description> | ||
<ocil clause="no host-based intrusion detection tools are installed"> | ||
Inspect the system to determine if intrusion detection software has been installed. | ||
Verify this intrusion detection software is active. | ||
</ocil> | ||
<rationale> | ||
Host-based intrusion detection tools provide a system-level defense when an | ||
intruder gains access to a system or network. | ||
</rationale> | ||
<ref nist="SC-7" disa="1263"/> | ||
</Rule> | ||
|
||
<Rule id="install_antivirus"> | ||
<title>Install Virus Scanning Software</title> | ||
<description> | ||
Install virus scanning software, which uses signatures to search for the | ||
presence of viruses on the filesystem. | ||
The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. | ||
Ensure virus definition files are no older than 7 days, or their last release. | ||
<!-- need info here on where DoD admins can go to get this --> | ||
Configure the virus scanning software to perform scans dynamically on all | ||
accessed files. If this is not possible, configure the | ||
system to scan all altered files on the system on a daily | ||
basis. If the system processes inbound SMTP mail, configure the virus scanner | ||
to scan all received mail. | ||
<!-- what's the basis for the IAO language? would not failure of a check | ||
imply a discussion, for every check in this document, | ||
with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your | ||
particular neighborhood) should occur? --> | ||
</description> | ||
<ocil clause="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date"> | ||
Inspect the system for a cron job or system service which executes | ||
a virus scanning tool regularly. | ||
<br/> | ||
<!-- this should be handled as DoD-specific text in a future revision --> | ||
To verify the McAfee VSEL system service is operational, | ||
run the following command: | ||
<pre># /etc/init.d/nails status</pre> | ||
<br/> | ||
To check on the age of uvscan virus definition files, run the following command: | ||
<pre># cd /opt/NAI/LinuxShield/engine/dat | ||
# ls -la avvscan.dat avvnames.dat avvclean.dat</pre> | ||
</ocil> | ||
<rationale> | ||
Virus scanning software can be used to detect if a system has been compromised by | ||
computer viruses, as well as to limit their spread to other systems. | ||
</rationale> | ||
<oval id="install_antivirus" /> | ||
<ref nist="SC-28, SI-3" disa="1239,1668"/> | ||
</Rule> | ||
|
||
</Group> | ||
|
||
</Group> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../../../../shared/oval/install_antivirus.xml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../../../../shared/oval/install_antivirus.xml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
<def-group> | ||
<definition class="compliance" id="install_antivirus" | ||
version="1"> | ||
<metadata> | ||
<title>Package Antivirus Installed</title> | ||
<affected family="unix"> | ||
<platform>Red Hat Enterprise Linux 6</platform> | ||
<platform>Red Hat Enterprise Linux 7</platform> | ||
<platform>Fedora 20</platform> | ||
</affected> | ||
<description>Antivirus software should be installed.</description> | ||
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/> | ||
</metadata> | ||
<criteria comment="Antivirus is not being used or conditions are met"> | ||
<criterion comment="Linuxshield AntiVirus package is installed" | ||
test_ref="test_linuxshield_install_antivirus" /> | ||
</criteria> | ||
</definition> | ||
<linux:rpminfo_test check="all" check_existence="all_exist" | ||
id="test_linuxshield_install_antivirus" version="1" | ||
comment="AntiVirus package is installed"> | ||
<linux:object object_ref="obj_linuxshield_install_antivirus" /> | ||
</linux:rpminfo_test> | ||
<linux:rpminfo_object id="obj_linuxshield_install_antivirus" version="1"> | ||
<linux:name>McAfeeVSEForLinux</linux:name> | ||
</linux:rpminfo_object> | ||
</def-group> |