From 0624fa2b000a176fa92dea5d2b351db03bc1ba62 Mon Sep 17 00:00:00 2001 From: Gabe Date: Thu, 14 Aug 2014 19:38:10 -0600 Subject: [PATCH 1/4] Add OVAL for Antivirus check - Add OVAL for Antivirus check - Enable for RHEL 6 & 7 and Fedora 20 --- Fedora/input/checks/install_antivirus.xml | 1 + RHEL/6/input/checks/install_antivirus.xml | 1 + RHEL/6/input/system/software/integrity.xml | 1 + RHEL/7/input/checks/install_antivirus.xml | 1 + RHEL/7/input/system/software/integrity.xml | 1 + shared/oval/install_antivirus.xml | 38 ++++++++++++++++++++++ 6 files changed, 43 insertions(+) create mode 120000 Fedora/input/checks/install_antivirus.xml create mode 120000 RHEL/6/input/checks/install_antivirus.xml create mode 120000 RHEL/7/input/checks/install_antivirus.xml create mode 100644 shared/oval/install_antivirus.xml diff --git a/Fedora/input/checks/install_antivirus.xml b/Fedora/input/checks/install_antivirus.xml new file mode 120000 index 00000000000..18e2f206a97 --- /dev/null +++ b/Fedora/input/checks/install_antivirus.xml @@ -0,0 +1 @@ +../../../shared/oval/install_antivirus.xml \ No newline at end of file diff --git a/RHEL/6/input/checks/install_antivirus.xml b/RHEL/6/input/checks/install_antivirus.xml new file mode 120000 index 00000000000..43b10c98443 --- /dev/null +++ b/RHEL/6/input/checks/install_antivirus.xml @@ -0,0 +1 @@ +../../../../shared/oval/install_antivirus.xml \ No newline at end of file diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index b0f3e5c7375..2029bddfc23 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -252,6 +252,7 @@ To check on the age of uvscan virus definition files, run the following command: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. + 
diff --git a/RHEL/7/input/checks/install_antivirus.xml b/RHEL/7/input/checks/install_antivirus.xml new file mode 120000 index 00000000000..43b10c98443 --- /dev/null +++ b/RHEL/7/input/checks/install_antivirus.xml @@ -0,0 +1 @@ +../../../../shared/oval/install_antivirus.xml \ No newline at end of file diff --git a/RHEL/7/input/system/software/integrity.xml b/RHEL/7/input/system/software/integrity.xml index a2a6921db60..7dc4e03ed7d 100644 --- a/RHEL/7/input/system/software/integrity.xml +++ b/RHEL/7/input/system/software/integrity.xml @@ -242,6 +242,7 @@ To check on the age of uvscan virus definition files, run the following command: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. + diff --git a/shared/oval/install_antivirus.xml b/shared/oval/install_antivirus.xml new file mode 100644 index 00000000000..aafe769555c --- /dev/null +++ b/shared/oval/install_antivirus.xml @@ -0,0 +1,38 @@ + + + + Package Antivirus Installed + + Red Hat Enterprise Linux 6 + Red Hat Enterprise Linux 7 + Fedora 20 + + The RPM package sav should be installed. + + + + + + + + + + + + sav + + + + + + McAfeeVSEForLinux + + + From 4de70e2fd11e2ece9ae5022f50733ada8b3bc334 Mon Sep 17 00:00:00 2001 From: Gabe Date: Tue, 19 Aug 2014 18:24:56 -0600 Subject: [PATCH 2/4] [Enhancement] Update Antivirus checks - Enable for Fedora - Add XCCDF for Fedora - Update RHEL 7 XCCDF for antivirus --- Fedora/input/guide.xslt | 1 + Fedora/input/system/software/integrity.xml | 223 +++++++++++++++++++++ RHEL/7/input/system/software/integrity.xml | 29 +-- shared/oval/install_antivirus.xml | 6 +- 4 files changed, 244 insertions(+), 15 deletions(-) create mode 100644 Fedora/input/system/software/integrity.xml diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt index 68f1870176d..4d85e03cffa 100644 --- a/Fedora/input/guide.xslt +++ b/Fedora/input/guide.xslt @@ -42,6 +42,7 @@ + 
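Review bot: The new shared/oval/install_antivirus.xml only asserts that an antivirus RPM is installed, but the rule it is wired into by the one-line additions to RHEL/6 and RHEL/7 integrity.xml in this same patch requires the scanner to be running and its definition files to be no older than 7 days, so an automated "pass" is weaker than the rule text implies. The element tags are stripped in this rendering, so I am inferring a package-presence test from the title `Package Antivirus Installed` and the two package names `sav` and `McAfeeVSEForLinux`; if that is right, the description should state the limit explicitly, e.g. `This check verifies package presence only; service state and definition-file age must still be verified manually.` Without that, a profile consumer will read the OVAL result as compliance with the whole rule.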
diff --git a/Fedora/input/system/software/integrity.xml b/Fedora/input/system/software/integrity.xml
new file mode 100644
index 00000000000..cb246c451d3
--- /dev/null
+++ b/Fedora/input/system/software/integrity.xml
@@ -0,0 +1,223 @@
+
+Software Integrity Checking
+
+Both the AIDE (Advanced Intrusion Detection Environment)
+software and the RPM package management system provide
+mechanisms for verifying the integrity of installed software.
+AIDE uses snapshots of file metadata (such as hashes) and compares these
+to current system files in order to detect changes.
+The RPM package management system can conduct integrity
+checks by comparing information in its metadata database with
+files installed on the system.

+Integrity checking cannot prevent intrusions,
+but can detect that they have occurred. Requirements
+for software integrity checking may be highly dependent on
+the environment in which the system will be used. Snapshot-based
+approaches such as AIDE may induce considerable overhead
+in the presence of frequent software updates.
+
+
+Verify Integrity with AIDE
+AIDE conducts integrity checks by comparing information about
+files with previously-gathered information. Ideally, the AIDE database is
+created immediately after initial system configuration, and then again after any
+software update. AIDE is highly configurable, with further configuration
+information located in /usr/share/doc/aide-VERSION.
+
+
+
+Install AIDE
+
+Install the AIDE package with the command:
# yum install aide
+
+ + + + +The AIDE package must be installed if it is to be available for integrity checking. + + + +
+
+
+Build and Test AIDE Database
+Run the following command to generate a new database:
# /usr/sbin/aide --init
+By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
+Storing the database, the configuration file /etc/aide.conf, and the binary
+/usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
+The newly-generated database can be installed as follows:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+To initiate a manual check, run the following command: +
# /usr/sbin/aide --check
+If this check produces any unexpected output, investigate. +
+
+For AIDE to be effective, an initial database of "known-good" information about files
+must be captured and it should be able to be verified against the installed files.
+
+
+
+
+
+Configure Periodic Execution of AIDE
+
+To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
+AIDE can be executed periodically through other means; this is merely one example. +
+
+To determine that periodic AIDE execution has been scheduled, run the following command:
# grep aide /etc/crontab
+
+
+By default, AIDE does not install itself for periodic execution. Periodically
+running AIDE is necessary to reveal unexpected changes in installed files.
+
+
+
+
+
+
+Verify Integrity with RPM
+The RPM package management system includes the ability
+to verify the integrity of installed packages by comparing the
+installed files with information about the files taken from the
+package metadata stored in the RPM database. Although an attacker
+could corrupt the RPM database (analogous to attacking the AIDE
+database as described above), this check can still reveal
+modification of important files. To list which files on the system differ from what is expected by the RPM database:
# rpm -qVa
+See the man page for rpm to see a complete explanation of each column. +
+
+
+Verify and Correct File Permissions with RPM
+
+The RPM package management system can check file access
+permissions of installed software packages, including many that are
+important to system security.
+After locating a file with incorrect permissions, run the following command to determine which package owns it:
# rpm -qf FILENAME
+Next, run the following command to reset its permissions to
+the correct values:
# rpm --setperms PACKAGENAME
+
+
+The following command will list which files on the system have permissions different from what
+is expected by the RPM database:
# rpm -Va | grep '^.M'
+
+
+Permissions on system binaries and configuration files that are too generous
+could allow an unauthorized user to gain privileges that they should not have.
+The permissions set by the vendor should be maintained. Any deviations from
+this baseline should be investigated.
+
+
+
+
+
+Verify File Hashes with RPM
+The RPM package management system can check the hashes of
+installed software packages, including many that are important to system
+security. Run the following command to list which files on the system
+have hashes that differ from what is expected by the RPM database:
# rpm -Va | grep '^..5'
+A "c" in the second column indicates that a file is a configuration file, which
+may appropriately be expected to change. If the file was not expected to
+change, investigate the cause of the change using audit logs or other means.
+The package can then be reinstalled to restore the file.
+Run the following command to determine which package owns the file:
# rpm -qf FILENAME
+The package can be reinstalled from a yum repository using the command: +
yum reinstall PACKAGENAME
+Alternatively, the package can be reinstalled from trusted media using the command: +
rpm -Uvh PACKAGENAME
+
+ The following command will list which files on the system
+have file hashes different from what is expected by the RPM database.
# rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
+
+
+The hashes of important files like system executables should match the
+information given by the RPM database. Executables with erroneous hashes could
+be a sign of nefarious activity on the system.
+
+
+
+ +
+
+
+Additional Security Software
+
+Additional security software that is not provided or supported
+by Red Hat can be installed to provide complementary or duplicative
+security capabilities to those provided by the base platform. Add-on
+software may not be appropriate for some specialized systems.
+
+
+
+Install Intrusion Detection Software
+
+The Red Hat platform includes a sophisticated auditing system
+and SELinux, which provide host-based intrusion detection capabilities.
+
+
+Inspect the system to determine if intrusion detection software has been installed.
+Verify this intrusion detection software is active.
+
+
+Host-based intrusion detection tools provide a system-level defense when an
+intruder gains access to a system or network.
+
+
+
+
+
+Install Virus Scanning Software
+
+Install virus scanning software, which uses signatures to search for the
+presence of viruses on the filesystem.
+The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
+Ensure virus definition files are no older than 7 days, or their last release.
+
+Configure the virus scanning software to perform scans dynamically on all
+accessed files. If this is not possible, configure the
+system to scan all altered files on the system on a daily
+basis. If the system processes inbound SMTP mail, configure the virus scanner
+to scan all received mail.
+
+
+
+Inspect the system for a cron job or system service which executes
+a virus scanning tool regularly.
+
+To verify the McAfee VSEL system service is operational,
+run the following command:
# /etc/init.d/nails status
+
+To check on the age of uvscan virus definition files, run the following command: +
# cd /opt/NAI/LinuxShield/engine/dat
+# ls -la avvscan.dat avvnames.dat avvclean.dat
+
+
+Virus scanning software can be used to detect if a system has been compromised by
+computer viruses, as well as to limit their spread to other systems.
+
+
+
+
+
+
+
+
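Review bot: In the "Verify File Hashes with RPM" rule, the step `Alternatively, the package can be reinstalled from trusted media using the command: rpm -Uvh PACKAGENAME` does not work for the case the rule describes: rpm refuses to install a release that is already installed ("package ... is already installed"), so restoring a tampered file from the same package needs `rpm -Uvh --replacepkgs PACKAGE.rpm` (a file path, not a bare package name). In the "Verify and Correct File Permissions with RPM" rule, the check `rpm -Va | grep '^.M'` and the fix `rpm --setperms PACKAGENAME` cover only the mode column; ownership drift appears in the U and G columns and is restored with `rpm --setugids PACKAGENAME`, which deserves a sentence since a root-owned binary handed to another user is the more dangerous case. The virus-scanning rule is a copy of the RHEL 7 text, including the SysV `# /etc/init.d/nails status` check on a systemd-based Fedora 20 and an `ls -la` age check that never compares against the 7-day limit, so the comments on the RHEL 7 hunk apply here too. The XML element tags are stripped in this rendering, so I am reading the rules by their visible titles.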
diff --git a/RHEL/7/input/system/software/integrity.xml b/RHEL/7/input/system/software/integrity.xml index 7dc4e03ed7d..a7bc62ca7b8 100644 --- a/RHEL/7/input/system/software/integrity.xml +++ b/RHEL/7/input/system/software/integrity.xml @@ -190,13 +190,19 @@ software may not be appropriate for some specialized systems. Install Intrusion Detection Software -The Red Hat platform includes a sophisticated auditing system -and SELinux, which provide host-based intrusion detection capabilities. +The base Red Hat platform already includes a sophisticated auditing system that +can detect intruder activity, as well as SELinux, which provides host-based +intrusion prevention capabilities by confining privileged programs and user +sessions which may become compromised.
+In DoD environments, supplemental intrusion detection tools, such as, the McAfee
+Host-based Security System, are available to integrate with existing infrastructure.
+When these supplemental tools interfere with the proper functioning of SELinux, SELinux
+takes precedence.
+
- + Inspect the system to determine if intrusion detection software has been installed. -SELinux is the intrusion detection system included with RHEL. Another one is -McAfee HBSS, which is available through Cybercom. +Verify this intrusion detection software is active. Host-based intrusion detection tools provide a system-level defense when an @@ -211,7 +217,7 @@ intruder gains access to a system or network. Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. -The McAfee uvscan virus scanning tool is provided for DoD systems. +The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all @@ -224,18 +230,17 @@ to scan all received mail. with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your particular neighborhood) should occur? --> - + Inspect the system for a cron job or system service which executes a virus scanning tool regularly.
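Review bot: The replacement check text `Verify this intrusion detection software is active.` gives the assessor no command to run, and neither the old text nor the new description names one, even though the description now states that SELinux takes precedence over supplemental tools without anything confirming SELinux is actually enforcing. Suggest `Verify this intrusion detection software is active; for SELinux, run getenforce and confirm it reports Enforcing, and for a supplemental agent confirm its service is running.` The Group and Rule elements edited by this hunk begin before the hunk, and the element tags are stripped in this rendering, so the exact element the new sentence lands in cannot be confirmed from here.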
-To verify the McAfee command line scan tool (uvscan) is scheduled for
-regular execution, run the following command to check for a cron job:
# grep uvscan /etc/cron* /var/spool/cron/*
-This will reveal if and when the uvscan program will be run.
+To verify the McAfee VSEL system service is operational,
+run the following command:
# /etc/init.d/nails status

To check on the age of uvscan virus definition files, run the following command:
-
# cd /usr/local/uvscan
+
# cd /opt/NAI/LinuxShield/engine/dat
 # ls -la avvscan.dat avvnames.dat avvclean.dat
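Review bot: The new check `# /etc/init.d/nails status` is a SysV init invocation, but RHEL 7 is systemd-based; unless the vendor package ships only a legacy init script (which I cannot confirm from here), the native form is `# systemctl status nails`, and the text should say which one applies so the assessor does not take a "command not found" as a finding. The definition-age step still only runs `ls -la` on the three DAT files, which lists dates but never tests the 7-day requirement stated in the rule; `# find /opt/NAI/LinuxShield/engine/dat -name 'avv*.dat' -mtime +7` prints any file older than the limit and gives a direct pass/fail. The unchanged context line `To check on the age of uvscan virus definition files` still says uvscan while the rest of the hunk moves to VSEL, so it should read `To check on the age of the VSEL virus definition files`. The Rule element edited here begins before the hunk.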
diff --git a/shared/oval/install_antivirus.xml b/shared/oval/install_antivirus.xml index aafe769555c..d7970c2f8e7 100644 --- a/shared/oval/install_antivirus.xml +++ b/shared/oval/install_antivirus.xml @@ -8,11 +8,11 @@ Red Hat Enterprise Linux 7 Fedora 20 - The RPM package sav should be installed. - + Antivirus software should be installed. + - From 495cf8f94f3af322c245844286aa896a5902d8a6 Mon Sep 17 00:00:00 2001 From: redhatrises Date: Thu, 21 Aug 2014 07:24:32 -0600 Subject: [PATCH 3/4] Update install_antivirus.xml Fix typo. --- shared/oval/install_antivirus.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/oval/install_antivirus.xml b/shared/oval/install_antivirus.xml index d7970c2f8e7..3cd87184ec0 100644 --- a/shared/oval/install_antivirus.xml +++ b/shared/oval/install_antivirus.xml @@ -31,7 +31,7 @@ comment="AntiVirus package is installed"> - + McAfeeVSEForLinux From 62078ae0eed924c1b7a12126bc9f1862986a0923 Mon Sep 17 00:00:00 2001 From: redhatrises Date: Mon, 8 Sep 2014 09:44:08 -0600 Subject: [PATCH 4/4] Update install_antivirus.xml Use McAfee Linuxshield only to match STIG profile. --- shared/oval/install_antivirus.xml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/shared/oval/install_antivirus.xml b/shared/oval/install_antivirus.xml index 3cd87184ec0..ff61ab9dd98 100644 --- a/shared/oval/install_antivirus.xml +++ b/shared/oval/install_antivirus.xml @@ -11,22 +11,12 @@ Antivirus software should be installed. - - + - - - - sav - - @@ -34,5 +24,4 @@ McAfeeVSEForLinux -
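Review bot: After the `@@ -11,22 +11,12 @@` hunk the shared OVAL passes only when the `McAfeeVSEForLinux` RPM is present, yet patch 1 links this same definition from the Fedora, RHEL 6 and RHEL 7 checks directories, so every profile that includes the rule will report a fail on a system running any other scanner even though the rule text only asks for "virus scanning software". If the restriction is meant only for the STIG profile, bind the package name through an OVAL external_variable the profile sets, or keep a generic definition and select the McAfee-specific one from the STIG profile alone. The commit message says "Linuxshield" while the package tested is `McAfeeVSEForLinux` and the XCCDF check uses the `/opt/NAI/LinuxShield` paths and `nails` service; which RPM name the STIG expects cannot be confirmed from here and is worth checking before the vendor-specific test ships. The element tags are stripped in this rendering, so I am reading the criteria from the surviving package names and comments, and the closing `@@ -34,5 +34,4 @@` hunk is not fully visible.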