diff --git a/Fedora/input/checks/install_antivirus.xml b/Fedora/input/checks/install_antivirus.xml new file mode 120000 index 00000000000..18e2f206a97 --- /dev/null +++ b/Fedora/input/checks/install_antivirus.xml @@ -0,0 +1 @@ +../../../shared/oval/install_antivirus.xml \ No newline at end of file diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt index f649a3669b9..4ea133f4827 100644 --- a/Fedora/input/guide.xslt +++ b/Fedora/input/guide.xslt @@ -42,6 +42,7 @@ + diff --git a/Fedora/input/system/software/integrity.xml b/Fedora/input/system/software/integrity.xml new file mode 100644 index 00000000000..cb246c451d3 --- /dev/null +++ b/Fedora/input/system/software/integrity.xml @@ -0,0 +1,223 @@ + +Software Integrity Checking + +Both the AIDE (Advanced Intrusion Detection Environment) +software and the RPM package management system provide +mechanisms for verifying the integrity of installed software. +AIDE uses snapshots of file metadata (such as hashes) and compares these +to current system files in order to detect changes. +The RPM package management system can conduct integrity +checks by comparing information in its metadata database with +files installed on the system. +

+Integrity checking cannot prevent intrusions, +but can detect that they have occurred. Requirements +for software integrity checking may be highly dependent on +the environment in which the system will be used. Snapshot-based +approaches such as AIDE may induce considerable overhead +in the presence of frequent software updates. + + + +Verify Integrity with AIDE +AIDE conducts integrity checks by comparing information about +files with previously-gathered information. Ideally, the AIDE database is +created immediately after initial system configuration, and then again after any +software update. AIDE is highly configurable, with further configuration +information located in /usr/share/doc/aide-VERSION. + + + +Install AIDE + +Install the AIDE package with the command: +
# yum install aide
+ + + + + +The AIDE package must be installed if it is to be available for integrity checking. + + + + + + +Build and Test AIDE Database +Run the following command to generate a new database: +
# /usr/sbin/aide --init
+By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. +Storing the database, the configuration file /etc/aide.conf, and the binary +/usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. +The newly-generated database can be installed as follows: +
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+To initiate a manual check, run the following command: +
# /usr/sbin/aide --check
+If this check produces any unexpected output, investigate. + + +For AIDE to be effective, an initial database of "known-good" information about files +must be captured and it should be able to be verified against the installed files. + + + + + +Configure Periodic Execution of AIDE + +To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: +
05 4 * * * root /usr/sbin/aide --check
+AIDE can be executed periodically through other means; this is merely one example. + + +To determine that periodic AIDE execution has been scheduled, run the following command: +
# grep aide /etc/crontab
+ + +By default, AIDE does not install itself for periodic execution. Periodically +running AIDE is necessary to reveal unexpected changes in installed files. + + + + + + +Verify Integrity with RPM +The RPM package management system includes the ability +to verify the integrity of installed packages by comparing the +installed files with information about the files taken from the +package metadata stored in the RPM database. Although an attacker +could corrupt the RPM database (analogous to attacking the AIDE +database as described above), this check can still reveal +modification of important files. To list which files on the system differ from what is expected by the RPM database: +
# rpm -qVa
+See the man page for rpm to see a complete explanation of each column. + + + +Verify and Correct File Permissions with RPM + +The RPM package management system can check file access +permissions of installed software packages, including many that are +important to system security. +After locating a file with incorrect permissions, run the following command to determine which package owns it: +
# rpm -qf FILENAME
+Next, run the following command to reset its permissions to +the correct values: +
# rpm --setperms PACKAGENAME
+ + +The following command will list which files on the system have permissions different from what +is expected by the RPM database: +
# rpm -Va | grep '^.M'
+ + +Permissions on system binaries and configuration files that are too generous +could allow an unauthorized user to gain privileges that they should not have. +The permissions set by the vendor should be maintained. Any deviations from +this baseline should be investigated. + + + + + +Verify File Hashes with RPM +The RPM package management system can check the hashes of +installed software packages, including many that are important to system +security. Run the following command to list which files on the system +have hashes that differ from what is expected by the RPM database: +
# rpm -Va | grep '^..5'
+A "c" in the second column indicates that a file is a configuration file, which +may appropriately be expected to change. If the file was not expected to +change, investigate the cause of the change using audit logs or other means. +The package can then be reinstalled to restore the file. +Run the following command to determine which package owns the file: +
# rpm -qf FILENAME
+The package can be reinstalled from a yum repository using the command: +
yum reinstall PACKAGENAME
+Alternatively, the package can be reinstalled from trusted media using the command: +
rpm -Uvh PACKAGENAME
+ + The following command will list which files on the system +have file hashes different from what is expected by the RPM database. +
# rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
+ + +The hashes of important files like system executables should match the +information given by the RPM database. Executables with erroneous hashes could +be a sign of nefarious activity on the system. + + + + + + + +Additional Security Software + +Additional security software that is not provided or supported +by Red Hat can be installed to provide complementary or duplicative +security capabilities to those provided by the base platform. Add-on +software may not be appropriate for some specialized systems. + + + +Install Intrusion Detection Software + +The Red Hat platform includes a sophisticated auditing system +and SELinux, which provide host-based intrusion detection capabilities. + + +Inspect the system to determine if intrusion detection software has been installed. +Verify this intrusion detection software is active. + + +Host-based intrusion detection tools provide a system-level defense when an +intruder gains access to a system or network. + + + + + +Install Virus Scanning Software + +Install virus scanning software, which uses signatures to search for the +presence of viruses on the filesystem. +The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. +Ensure virus definition files are no older than 7 days, or their last release. + +Configure the virus scanning software to perform scans dynamically on all +accessed files. If this is not possible, configure the +system to scan all altered files on the system on a daily +basis. If the system processes inbound SMTP mail, configure the virus scanner +to scan all received mail. + + + +Inspect the system for a cron job or system service which executes +a virus scanning tool regularly. +
+ +To verify the McAfee VSEL system service is operational, +run the following command: +
# /etc/init.d/nails status
+
+To check on the age of uvscan virus definition files, run the following command: +
# cd /opt/NAI/LinuxShield/engine/dat
+# ls -la avvscan.dat avvnames.dat avvclean.dat
+ + +Virus scanning software can be used to detect if a system has been compromised by +computer viruses, as well as to limit their spread to other systems. + + + + + + + + diff --git a/RHEL/6/input/checks/install_antivirus.xml b/RHEL/6/input/checks/install_antivirus.xml new file mode 120000 index 00000000000..43b10c98443 --- /dev/null +++ b/RHEL/6/input/checks/install_antivirus.xml @@ -0,0 +1 @@ +../../../../shared/oval/install_antivirus.xml \ No newline at end of file diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 930fe623429..b0d2f605e8c 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -252,6 +252,7 @@ $ sudo ls -la avvscan.dat avvnames.dat avvclean.dat Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. + diff --git a/RHEL/7/input/checks/install_antivirus.xml b/RHEL/7/input/checks/install_antivirus.xml new file mode 120000 index 00000000000..43b10c98443 --- /dev/null +++ b/RHEL/7/input/checks/install_antivirus.xml @@ -0,0 +1 @@ +../../../../shared/oval/install_antivirus.xml \ No newline at end of file diff --git a/RHEL/7/input/system/software/integrity.xml b/RHEL/7/input/system/software/integrity.xml index a2a6921db60..a7bc62ca7b8 100644 --- a/RHEL/7/input/system/software/integrity.xml +++ b/RHEL/7/input/system/software/integrity.xml @@ -190,13 +190,19 @@ software may not be appropriate for some specialized systems. Install Intrusion Detection Software -The Red Hat platform includes a sophisticated auditing system -and SELinux, which provide host-based intrusion detection capabilities. +The base Red Hat platform already includes a sophisticated auditing system that +can detect intruder activity, as well as SELinux, which provides host-based +intrusion prevention capabilities by confining privileged programs and user +sessions which may become compromised.
+In DoD environments, supplemental intrusion detection tools, such as, the McAfee +Host-based Security System, are available to integrate with existing infrastructure. +When these supplemental tools interfere with the proper functioning of SELinux, SELinux +takes precedence. +
 - + Inspect the system to determine if intrusion detection software has been installed. -SELinux is the intrusion detection system included with RHEL. Another one is -McAfee HBSS, which is available through Cybercom. +Verify this intrusion detection software is active. Host-based intrusion detection tools provide a system-level defense when an @@ -211,7 +217,7 @@ intruder gains access to a system or network. Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. -The McAfee uvscan virus scanning tool is provided for DoD systems. +The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all @@ -224,24 +230,24 @@ to scan all received mail. with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your particular neighborhood) should occur? --> - + Inspect the system for a cron job or system service which executes a virus scanning tool regularly.
-To verify the McAfee command line scan tool (uvscan) is scheduled for -regular execution, run the following command to check for a cron job: -
# grep uvscan /etc/cron* /var/spool/cron/*
-This will reveal if and when the uvscan program will be run. +To verify the McAfee VSEL system service is operational, +run the following command: +
# /etc/init.d/nails status

To check on the age of uvscan virus definition files, run the following command: -
# cd /usr/local/uvscan
+
# cd /opt/NAI/LinuxShield/engine/dat
 # ls -la avvscan.dat avvnames.dat avvclean.dat

 
 
 Virus scanning software can be used to detect if a system has been compromised by
 computer viruses, as well as to limit their spread to other systems. 
 
+
 
 
 
diff --git a/shared/oval/install_antivirus.xml b/shared/oval/install_antivirus.xml
new file mode 100644
index 00000000000..ff61ab9dd98
--- /dev/null
+++ b/shared/oval/install_antivirus.xml
@@ -0,0 +1,27 @@
+
+  
+    
+      Package Antivirus Installed
+      
+        Red Hat Enterprise Linux 6
+        Red Hat Enterprise Linux 7
+        Fedora 20
+      
+      Antivirus software should be installed.
+      
+    
+    
+      
+    
+  
+  
+    
+  
+  
+    McAfeeVSEForLinux
+  
+