Merge pull request #30 from redhatrises/add_Antivirus_oval

Add OVAL for antivirus check

Fedora/input/checks/install_antivirus.xml

@@ -0,0 +1 @@
+../../../shared/oval/install_antivirus.xml

Fedora/input/guide.xslt

@@ -42,6 +42,7 @@
     <xsl:copy>
       <xsl:copy-of select="@*|node()" />
       <xsl:apply-templates select="document('system/software/updating.xml')" />
+      <xsl:apply-templates select="document('system/software/integrity.xml')" />
     </xsl:copy>
   </xsl:template>
 

Fedora/input/system/software/integrity.xml

@@ -0,0 +1,223 @@
+<Group id="integrity">
+<title>Software Integrity Checking</title>
+<description>
+Both the AIDE (Advanced Intrusion Detection Environment)
+software and the RPM package management system provide
+mechanisms for verifying the integrity of installed software.
+AIDE uses snapshots of file metadata (such as hashes) and compares these
+to current system files in order to detect changes.
+The RPM package management system can conduct integrity
+checks by comparing information in its metadata database with
+files installed on the system.
+<br /><br />
+Integrity checking cannot <i>prevent</i> intrusions,
+but can detect that they have occurred. Requirements
+for software integrity checking may be highly dependent on
+the environment in which the system will be used. Snapshot-based
+approaches such as AIDE may induce considerable overhead
+in the presence of frequent software updates.
+</description>
+
+<Group id="aide">
+<title>Verify Integrity with AIDE</title>
+<description>AIDE conducts integrity checks by comparing information about
+files with previously-gathered information. Ideally, the AIDE database is
+created immediately after initial system configuration, and then again after any
+software update.  AIDE is highly configurable, with further configuration
+information located in <tt>/usr/share/doc/aide-<i>VERSION</i></tt>.
+</description>
+
+<Rule id="package_aide_installed" severity="medium">
+<title>Install AIDE</title>
+<description>
+Install the AIDE package with the command:
+<pre># yum install aide</pre>
+</description>
+<ocil clause="the package is not installed">
+<package-check-macro package="aide"/>
+</ocil>
+<rationale>
+The AIDE package must be installed if it is to be available for integrity checking.
+</rationale>
+<!--oval id="package_aide_installed" /-->
+<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28, SI-7" disa="1069"/>
+</Rule>
+
+<Rule id="aide_build_database">
+<title>Build and Test AIDE Database</title>
+<description>Run the following command to generate a new database:
+<pre># /usr/sbin/aide --init</pre>
+By default, the database will be written to the file <tt>/var/lib/aide/aide.db.new.gz</tt>.
+Storing the database, the configuration file <tt>/etc/aide.conf</tt>, and the binary
+<tt>/usr/sbin/aide</tt> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
+The newly-generated database can be installed as follows:
+<pre># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
+To initiate a manual check, run the following command:
+<pre># /usr/sbin/aide --check</pre>
+If this check produces any unexpected output, investigate.
+</description>
+<rationale>
+For AIDE to be effective, an initial database of "known-good" information about files
+must be captured and it should be able to be verified against the installed files.
+</rationale>
+<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" />
+</Rule>
+
+<Rule id="aide_periodic_cron_checking" severity="medium">
+<title>Configure Periodic Execution of AIDE</title>
+<description>
+To implement a daily execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:
+<pre>05 4 * * * root /usr/sbin/aide --check</pre>
+AIDE can be executed periodically through other means; this is merely one example.
+</description>
+<ocil clause="there is no output">
+To determine that periodic AIDE execution has been scheduled, run the following command:
+<pre># grep aide /etc/crontab</pre>
+</ocil>
+<rationale>
+By default, AIDE does not install itself for periodic execution. Periodically
+running AIDE is necessary to reveal unexpected changes in installed files.
+</rationale>
+<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" disa="374,416,1069,1263,1297,1589"/>
+</Rule>
+</Group>
+
+<Group id="rpm_verification">
+<title>Verify Integrity with RPM</title>
+<description>The RPM package management system includes the ability
+to verify the integrity of installed packages by comparing the
+installed files with information about the files taken from the
+package metadata stored in the RPM database. Although an attacker
+could corrupt the RPM database (analogous to attacking the AIDE
+database as described above), this check can still reveal
+modification of important files. To list which files on the system differ from what is expected by the RPM database:
+<pre># rpm -qVa</pre>
+See the man page for <tt>rpm</tt> to see a complete explanation of each column.
+</description>
+
+<Rule id="rpm_verify_permissions">
+<title>Verify and Correct File Permissions with RPM</title>
+<description>
+The RPM package management system can check file access
+permissions of installed software packages, including many that are
+important to system security. 
+After locating a file with incorrect permissions, run the following command to determine which package owns it:
+<pre># rpm -qf <i>FILENAME</i></pre>
+Next, run the following command to reset its permissions to 
+the correct values:
+<pre># rpm --setperms <i>PACKAGENAME</i></pre>
+</description>
+<ocil clause="there is output">
+The following command will list which files on the system have permissions different from what
+is expected by the RPM database:
+<pre># rpm -Va | grep '^.M'</pre>
+</ocil>
+<rationale>
+Permissions on system binaries and configuration files that are too generous
+could allow an unauthorized user to gain privileges that they should not have.
+The permissions set by the vendor should be maintained. Any deviations from
+this baseline should be investigated.</rationale>
+<!--oval id="rpm_verify_permissions" /-->
+<ref nist="AC-6,CM-6(d),CM-6(3)" disa="1493,1494,1495" />
+</Rule>
+
+<Rule id="rpm_verify_hashes">
+<title>Verify File Hashes with RPM</title>
+<description>The RPM package management system can check the hashes of
+installed software packages, including many that are important to system
+security. Run the following command to list which files on the system
+have hashes that differ from what is expected by the RPM database:
+<pre># rpm -Va | grep '^..5'</pre>
+A "c" in the second column indicates that a file is a configuration file, which
+may appropriately be expected to change.  If the file was not expected to
+change, investigate the cause of the change using audit logs or other means.
+The package can then be reinstalled to restore the file.
+Run the following command to determine which package owns the file:
+<pre># rpm -qf <i>FILENAME</i></pre>
+The package can be reinstalled from a yum repository using the command:
+<pre>yum reinstall <i>PACKAGENAME</i></pre>
+Alternatively, the package can be reinstalled from trusted media using the command:
+<pre>rpm -Uvh <i>PACKAGENAME</i></pre> 
+</description>
+<ocil clause="there is output"> The following command will list which files on the system 
+have file hashes different from what is expected by the RPM database. 
+<pre># rpm -Va | awk '$1 ~ /..5/ &amp;&amp; $2 != "c"'</pre> 
+</ocil>
+<rationale>
+The hashes of important files like system executables should match the
+information given by the RPM database. Executables with erroneous hashes could
+be a sign of nefarious activity on the system.</rationale>
+<!--oval id="rpm_verify_hashes" /-->
+<ref nist="CM-6(d),CM-6(3),SI-7" disa="1496" />
+</Rule>
+
+</Group>
+
+<Group id="additional_security_software">
+<title>Additional Security Software</title>
+<description>
+Additional security software that is not provided or supported
+by Red Hat can be installed to provide complementary or duplicative
+security capabilities to those provided by the base platform.  Add-on
+software may not be appropriate for some specialized systems.
+</description>
+
+<Rule id="install_hids" severity="high">
+<title>Install Intrusion Detection Software</title>
+<description>
+The Red Hat platform includes a sophisticated auditing system 
+and SELinux, which provide host-based intrusion detection capabilities.
+</description>
+<ocil clause="no host-based intrusion detection tools are installed">
+Inspect the system to determine if intrusion detection software has been installed. 
+Verify this intrusion detection software is active.
+</ocil>
+<rationale>
+Host-based intrusion detection tools provide a system-level defense when an
+intruder gains access to a system or network.  
+</rationale>
+<ref nist="SC-7" disa="1263"/>
+</Rule>
+
+<Rule id="install_antivirus">
+<title>Install Virus Scanning Software</title>
+<description>
+Install virus scanning software, which uses signatures to search for the
+presence of viruses on the filesystem. 
+The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
+Ensure virus definition files are no older than 7 days, or their last release.
+<!-- need info here on where DoD admins can go to get this -->
+Configure the virus scanning software to perform scans dynamically on all
+accessed files.  If this is not possible, configure the
+system to scan all altered files on the system on a daily
+basis. If the system processes inbound SMTP mail, configure the virus scanner
+to scan all received mail.
+<!-- what's the basis for the IAO language? would not failure of a check
+     imply a discussion, for every check in this document, 
+     with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your
+     particular neighborhood) should occur? -->
+</description>
+<ocil clause="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date">
+Inspect the system for a cron job or system service which executes
+a virus scanning tool regularly.
+<br/>
+<!-- this should be handled as DoD-specific text in a future revision -->
+To verify the McAfee VSEL system service is operational,
+run the following command:
+<pre># /etc/init.d/nails status</pre>
+<br/>
+To check on the age of uvscan virus definition files, run the following command:
+<pre># cd /opt/NAI/LinuxShield/engine/dat
+# ls -la avvscan.dat avvnames.dat avvclean.dat</pre>
+</ocil>
+<rationale>
+Virus scanning software can be used to detect if a system has been compromised by
+computer viruses, as well as to limit their spread to other systems. 
+</rationale>
+<oval id="install_antivirus" />
+<ref nist="SC-28, SI-3" disa="1239,1668"/>
+</Rule>
+
+</Group>
+
+</Group>

RHEL/6/input/checks/install_antivirus.xml

@@ -0,0 +1 @@
+../../../../shared/oval/install_antivirus.xml

RHEL/6/input/system/software/integrity.xml

@@ -252,6 +252,7 @@ $ sudo ls -la avvscan.dat avvnames.dat avvclean.dat</pre>
 Virus scanning software can be used to detect if a system has been compromised by
 computer viruses, as well as to limit their spread to other systems. 
 </rationale>
+<oval id="install_antivirus" />
 <ident cce="27529-7"/>
 <ref nist="SC-28, SI-3" disa="1239,1668"/>
 </Rule>

RHEL/7/input/checks/install_antivirus.xml

@@ -0,0 +1 @@
+../../../../shared/oval/install_antivirus.xml

RHEL/7/input/system/software/integrity.xml

@@ -190,13 +190,19 @@ software may not be appropriate for some specialized systems.
 <Rule id="install_hids" severity="high">
 <title>Install Intrusion Detection Software</title>
 <description>
-The Red Hat platform includes a sophisticated auditing system 
-and SELinux, which provide host-based intrusion detection capabilities.
+The base Red Hat platform already includes a sophisticated auditing system that
+can detect intruder activity, as well as SELinux, which provides host-based
+intrusion prevention capabilities by confining privileged programs and user
+sessions which may become compromised.<br />
+In DoD environments, supplemental intrusion detection tools, such as, the McAfee
+Host-based Security System, are available to integrate with existing infrastructure.
+When these supplemental tools interfere with the proper functioning of SELinux, SELinux
+takes precedence.
+<br/>
 </description>
-<ocil clause="SELinux is installed, this is not a finding.  However, if neither SELinux nor HBSS is used on the system">
+<ocil clause="no host-based intrusion detection tools are installed">
 Inspect the system to determine if intrusion detection software has been installed. 
-SELinux is the intrusion detection system included with RHEL. Another one is 
-McAfee HBSS, which is available through Cybercom.
+Verify this intrusion detection software is active.
 </ocil>
 <rationale>
 Host-based intrusion detection tools provide a system-level defense when an
@@ -211,7 +217,7 @@ intruder gains access to a system or network.
 <description>
 Install virus scanning software, which uses signatures to search for the
 presence of viruses on the filesystem. 
-The McAfee uvscan virus scanning tool is provided for DoD systems.
+The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
 Ensure virus definition files are no older than 7 days, or their last release.
 <!-- need info here on where DoD admins can go to get this -->
 Configure the virus scanning software to perform scans dynamically on all
@@ -224,24 +230,24 @@ to scan all received mail.
      with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your
      particular neighborhood) should occur? -->
 </description>
-<ocil clause="virus scanning software does not run daily, or has signatures that are out of date">
+<ocil clause="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date">
 Inspect the system for a cron job or system service which executes
 a virus scanning tool regularly.
 <br/>
 <!-- this should be handled as DoD-specific text in a future revision -->
-To verify the McAfee command line scan tool (uvscan) is scheduled for
-regular execution, run the following command to check for a cron job:
-<pre># grep uvscan /etc/cron* /var/spool/cron/*</pre>
-This will reveal if and when the uvscan program will be run.
+To verify the McAfee VSEL system service is operational,
+run the following command:
+<pre># /etc/init.d/nails status</pre>
 <br/>
 To check on the age of uvscan virus definition files, run the following command:
-<pre># cd /usr/local/uvscan
+<pre># cd /opt/NAI/LinuxShield/engine/dat
 # ls -la avvscan.dat avvnames.dat avvclean.dat</pre>
 </ocil>
 <rationale>
 Virus scanning software can be used to detect if a system has been compromised by
 computer viruses, as well as to limit their spread to other systems. 
 </rationale>
+<oval id="install_antivirus" />
 <ident cce="RHEL7-CCE-TBD" />
 <ref nist="SC-28, SI-3" disa="1239,1668"/>
 </Rule>

shared/oval/install_antivirus.xml

@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="compliance" id="install_antivirus"
+  version="1">
+    <metadata>
+      <title>Package Antivirus Installed</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
+      </affected>
+      <description>Antivirus software should be installed.</description>
+      <reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
+    </metadata>
+    <criteria comment="Antivirus is not being used or conditions are met">
+      <criterion comment="Linuxshield AntiVirus package is installed"
+      test_ref="test_linuxshield_install_antivirus" />
+    </criteria>
+  </definition>
+  <linux:rpminfo_test check="all" check_existence="all_exist"
+  id="test_linuxshield_install_antivirus" version="1"
+  comment="AntiVirus package is installed">
+    <linux:object object_ref="obj_linuxshield_install_antivirus" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_linuxshield_install_antivirus" version="1">
+    <linux:name>McAfeeVSEForLinux</linux:name>
+  </linux:rpminfo_object>
+</def-group>