Summary

During OSCAP Scan Result (ID OSCAP-Test-Full) processing which started 2012-07-21 20:59 and ended 2012-07-21 20:59, 53 rule results were recorded.

Result ID: OSCAP-Test-Full

Start time: 2012-07-21 20:59

End time: 2012-07-21 20:59

Profile: Full

Target: hpl

Rule Results Summary

pass 48
fixed 0
fail 5
error 0
not selected 0
not checked 0
not applicable 0
informational 0
unknown 0
total 53

Target Information

Target

  • hpl

Addresses

  • 127.0.0.1
  • 192.168.1.3
  • 192.168.100.1
  • ::1
  • fe80::f27b:cbff:fe0f:5a3b
  • fe80::d00e:1cff:fe89:1660

Benchmark Execution Information

Score

system score max
urn:xccdf:scoring:default 9.16 100.00
urn:xccdf:scoring:flat 48.00 53.00

Results

Title Result
sysctl net.ipv4.ip_forward must be 0 fail
sysctl net.ipv4.conf.all.rp_filter must be 1 pass
sysctl net.ipv4.conf.default.rp_filter must be 1 pass
sysctl net.ipv4.conf.all.accept_source_route must be 0 pass
sysctl net.ipv4.conf.default.accept_source_route must be 0 pass
sysctl net.ipv4.conf.all.accept_redirects must be 0 pass
sysctl net.ipv4.conf.default.accept_redirects must be 0 pass
sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1 pass
sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1 pass
sysctl net.ipv4.conf.all.log_martians must be 1 pass
sysctl net.ipv4.conf.default.log_martians must be 1 pass
sysctl net.ipv4.tcp_syncookies must be 1 pass
kernel config CONFIG_SYN_COOKIES must be y pass
kernel config CONFIG_ARCH_RANDOM must be y pass
kernel config CONFIG_HW_RANDOM must be y pass
kernel config CONFIG_HW_RANDOM_* must be y pass
kernel config CONFIG_AUDIT must be y pass
kernel config CONFIG_AUDITSYSCALL must be y pass
kernel config CONFIG_CC_STACKPROTECTOR must be y pass
kernel config CONFIG_DEBUG_RODATA must be y fail
kernel config CONFIG_STRICT_DEVMEM must be y pass
kernel config CONFIG_PROC_KCORE must not be set pass
kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y fail
kernel config CONFIG_GRKERNSEC_TPE must be y fail
kernel config CONFIG_GRKERNSEC_PROC must be y pass
kernel config CONFIG_GRKERNSEC_PROC_USER must be y fail
kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y pass
kernel config CONFIG_GRKERNSEC_PROC_ADD must be y pass
kernel config CONFIG_GRKERNSEC_LINK must be y pass
kernel config CONFIG_GRKERNSEC_FIFO must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y pass
kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y pass
kernel config CONFIG_GRKERNSEC must be y pass
kernel config CONFIG_PAX must be y pass
kernel config CONFIG_PAX_NOEXEC must be y pass
kernel config CONFIG_PAX_....EXEC must be y pass
kernel config CONFIG_PAX_MPROTECT must be y pass
kernel config CONFIG_PAX_ASLR must be y pass
kernel config CONFIG_PAX_RANDKSTACK must be y pass
kernel config CONFIG_PAX_RANDUSTACK must be y pass
kernel config CONFIG_PAX_RANDMMAP must be y pass

Result for sysctl net.ipv4.ip_forward must be 0

Result: fail

Rule ID: rule-sysctl-ipv4-forward

Time: 2012-07-21 20:59

Disable IPv4 forwarding

Remediation script

echo 0 > /proc/sys/net/ipv4/ip_forward

sysctl net.ipv4.ip_forward must be 0

path content
/proc/sys/net/ipv4/ip_forward 1

Result for sysctl net.ipv4.conf.all.rp_filter must be 1

Result: pass

Rule ID: rule-sysctl-ipv4-all-rp_filter

Time: 2012-07-21 20:59

Enable source route verification

Remediation script

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Result for sysctl net.ipv4.conf.default.rp_filter must be 1

Result: pass

Rule ID: rule-sysctl-ipv4-default-rp_filter

Time: 2012-07-21 20:59

Enable source route verification

Remediation script

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

Result for sysctl net.ipv4.conf.all.accept_source_route must be 0

Result: pass

Rule ID: rule-sysctl-ipv4-all-asr

Time: 2012-07-21 20:59

Enable IP source routing

Remediation script

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

Result for sysctl net.ipv4.conf.default.accept_source_route must be 0

Result: pass

Rule ID: rule-sysctl-ipv4-default-asr

Time: 2012-07-21 20:59

Enable IP source routing

Remediation script

echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

Result for sysctl net.ipv4.conf.all.accept_redirects must be 0

Result: pass

Rule ID: rule-sysctl-ipv4-all-aredirect

Time: 2012-07-21 20:59

Disable ICMP redirects

Remediation script

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Result for sysctl net.ipv4.conf.default.accept_redirects must be 0

Result: pass

Rule ID: rule-sysctl-ipv4-default-aredirect

Time: 2012-07-21 20:59

Disable ICMP redirects

Remediation script

echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

Result for sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1

Result: pass

Rule ID: rule-sysctl-ipv4-echobroadcast

Time: 2012-07-21 20:59

Ignore ICMP broadcasts

Remediation script

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Result for sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1

Result: pass

Rule ID: rule-sysctl-icmpboguserror

Time: 2012-07-21 20:59

Ignore ICMP Bogus Error Responses

Remediation script

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Result for sysctl net.ipv4.conf.all.log_martians must be 1

Result: pass

Rule ID: rule-sysctl-ipv4-all-logmartians

Time: 2012-07-21 20:59

Log all packets that originate from an unknown, unroutable network

Remediation script

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Result for sysctl net.ipv4.conf.default.log_martians must be 1

Result: pass

Rule ID: rule-sysctl-ipv4-default-logmartians

Time: 2012-07-21 20:59

Log all packets that originate from an unknown, unroutable network

Remediation script

echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

Result for sysctl net.ipv4.tcp_syncookies must be 1

Result: pass

Rule ID: rule-sysctl-ipv4-tcpsyncookies

Time: 2012-07-21 20:59

Enable TCP SYN cookie protection

Remediation script

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Result for kernel config CONFIG_SYN_COOKIES must be y

Result: pass

Rule ID: rule-kernel-syncookies

Time: 2012-07-21 20:59

kernel config CONFIG_SYN_COOKIES must be y

Result for kernel config CONFIG_ARCH_RANDOM must be y

Result: pass

Rule ID: rule-kernel-config-rand

Time: 2012-07-21 20:59

Enable a secure random number generator

Result for kernel config CONFIG_HW_RANDOM must be y

Result: pass

Rule ID: rule-kernel-config-hwrand

Time: 2012-07-21 20:59

Enable hardware-supported random number generator

Result for kernel config CONFIG_HW_RANDOM_* must be y

Result: pass

Rule ID: rule-kernel-config-hwrand-detail

Time: 2012-07-21 20:59

Enable specific hardware supported random number generators

Result for kernel config CONFIG_AUDIT must be y

Result: pass

Rule ID: rule-kernel-config-audit

Time: 2012-07-21 20:59

Enable audit support

Result for kernel config CONFIG_AUDITSYSCALL must be y

Result: pass

Rule ID: rule-kernel-config-audit-syscall

Time: 2012-07-21 20:59

Enable system call auditing support

Result for kernel config CONFIG_CC_STACKPROTECTOR must be y

Result: pass

Rule ID: rule-kernel-ccstackprotect

Time: 2012-07-21 20:59

Enable kernel stack protection through compiler directive

Result for kernel config CONFIG_DEBUG_RODATA must be y

Result: fail

Rule ID: rule-kernel-rodata

Time: 2012-07-21 20:59

Write-protect kernel read-only data structures

Result for kernel config CONFIG_STRICT_DEVMEM must be y

Result: pass

Rule ID: rule-kernel-strictdevmem

Time: 2012-07-21 20:59

Filter access to /dev/mem

Result for kernel config CONFIG_PROC_KCORE must not be set

Result: pass

Rule ID: rule-kernel-prockcore

Time: 2012-07-21 20:59

Disable support for /proc/kcore

Result for kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y

Result: fail

Rule ID: rule-kernel-nodmesg

Time: 2012-07-21 20:59

Restrict unprivileged access to dmesg (kernel syslog)

kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y

path content
/usr/src/linux/.config CONFIG_SECURITY_DMESG_RESTRICT is not set

Result for kernel config CONFIG_GRKERNSEC_TPE must be y

Result: fail

Rule ID: rule-kernel-tpe

Time: 2012-07-21 20:59

Enable Trusted Path Execution

kernel config CONFIG_GRKERNSEC_TPE must be y

path content
/usr/src/linux/.config CONFIG_GRKERNSEC_TPE is not set

Result for kernel config CONFIG_GRKERNSEC_PROC must be y

Result: pass

Rule ID: rule-kernel-grsec-proc

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_PROC must be y

Result for kernel config CONFIG_GRKERNSEC_PROC_USER must be y

Result: fail

Rule ID: rule-kernel-grsec-proc-user

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_PROC_USER must be y

kernel config CONFIG_GRKERNSEC_PROC_USER must be y

path content
/usr/src/linux/.config CONFIG_GRKERNSEC_PROC_USERGROUP=y

Result for kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y

Result: pass

Rule ID: rule-kernel-grsec-proc-usergroup

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y

Result for kernel config CONFIG_GRKERNSEC_PROC_ADD must be y

Result: pass

Rule ID: rule-kernel-grsec-proc-add

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_PROC_ADD must be y

Result for kernel config CONFIG_GRKERNSEC_LINK must be y

Result: pass

Rule ID: rule-kernel-grsec-link

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_LINK must be y

Result for kernel config CONFIG_GRKERNSEC_FIFO must be y

Result: pass

Rule ID: rule-kernel-grsec-fifo

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_FIFO must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-mount

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-double

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-pivot

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-chdir

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-chmod

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-fchdir

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-mknod

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-shmat

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-unix

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-findtask

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-nice

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-sysctl

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y

Result for kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y

Result: pass

Rule ID: rule-kernel-grsec-chroot-caps

Time: 2012-07-21 20:59

kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y

Result for kernel config CONFIG_GRKERNSEC must be y

Result: pass

Rule ID: rule-kernel-grsec

Time: 2012-07-21 20:59

Enable grSecurity

Result for kernel config CONFIG_PAX must be y

Result: pass

Rule ID: rule-kernel-grsec-pax

Time: 2012-07-21 20:59

Enable PaX protection

Result for kernel config CONFIG_PAX_NOEXEC must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-noexec

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_NOEXEC must be y

Result for kernel config CONFIG_PAX_....EXEC must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-anyexec

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_....EXEC must be y

Result for kernel config CONFIG_PAX_MPROTECT must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-mprotect

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_MPROTECT must be y

Result for kernel config CONFIG_PAX_ASLR must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-aslr

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_ASLR must be y

Result for kernel config CONFIG_PAX_RANDKSTACK must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-randkstack

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_RANDKSTACK must be y

Result for kernel config CONFIG_PAX_RANDUSTACK must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-randustack

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_RANDUSTACK must be y

Result for kernel config CONFIG_PAX_RANDMMAP must be y

Result: pass

Rule ID: rule-kernel-grsec-pax-randmmap

Time: 2012-07-21 20:59

kernel config CONFIG_PAX_RANDMMAP must be y