Introduction

Test Result

  • Result ID: xccdf_org.open-scap_testresult_xccdf_org.gentoo.dev.swift_profile_default-oval
  • Profile: xccdf_org.gentoo.dev.swift_profile_default-oval
  • Start time: 2014-04-12 07:49
  • End time: 2014-04-12 07:49
  • Benchmark: embedded
  • Benchmark version: 20140412

Target info

Targets

  • hpl

Addresses

  • 127.0.0.1
  • 192.168.1.3
  • 0:0:0:0:0:0:0:1
  • fe80:0:0:0:f27b:cbff:fe0f:5a3b

Applicable platforms

  • cpe:/o:gentoo:linux

Score

system                             score   max      %
urn:xccdf:scoring:default          51.64   100.00   51.64%
urn:xccdf:scoring:flat             81.80   117.40   69.68%
urn:xccdf:scoring:flat-unweighted  19.00    34.00   55.88%

Results overview

Rule Results Summary

  • pass: 19
  • fixed: 0
  • fail: 14
  • error: 1
  • not selected: 2
  • not checked: 0
  • not applicable: 0
  • informational: 0
  • unknown: 0
  • total: 36
Title Result
/tmp is a separate file system pass
/var is a separate file system pass
/var/log is a separate file system fail
/var/log/audit is a separate file system fail
/home is a separate file system pass
/var/tmp is a separate file system pass
/var is mounted with nodev fail
/var/log is mounted with nodev fail
/var/log/audit is mounted with nodev fail
/home is mounted with nodev pass
/tmp is mounted with nodev pass
/tmp is mounted with nosuid pass
/home is mounted with nosuid pass
/dev/shm is mounted with nosuid pass
/tmp is mounted with noexec pass
/dev/shm is mounted with noexec pass
The kernel supports quota (CONFIG_QUOTA) fail
The /var file system is mounted with usrquota or grpquota fail
The /home file system is mounted with usrquota or grpquota fail
The /proc file system is mounted with hidepid=1 or hidepid=2 fail
No telnet daemons are running pass
No FTP daemons are running pass
sulogin is used for single-user boot (/etc/rc.conf) pass
sulogin is used for single-user boot (/etc/inittab) pass
/etc/hosts.allow exists pass
/etc/at/at.allow exists pass
USE="pam" is set fail
USE="tcpd" is set fail
USE="ssl" is set fail
FEATURES="webrsync-gpg" is set fail
PORTAGE_GPG_DIR is set pass
Grub legacy (if it exists) has a password entry with md5 hash fail
LILO (if it exists) has a password entry pass
/etc/securetty is limited to console and tty's error

Results details

Result for /tmp is a separate file system

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp

Time: 2014-04-12 07:49

Severity: medium

Result for /var is a separate file system

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-var

Time: 2014-04-12 07:49

Severity: medium

Result for /var/log is a separate file system

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlog

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Create a separate file system for /var/log; make sure it is added to /etc/fstab, then reboot the system.

Result for /var/log/audit is a separate file system

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Create a separate file system for /var/log/audit; make sure it is added to /etc/fstab, then reboot the system.

Result for /home is a separate file system

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-home

Time: 2014-04-12 07:49

Severity: medium

Result for /var/tmp is a separate file system

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-vartmp

Time: 2014-04-12 07:49

Severity: low

Result for /var is mounted with nodev

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-var-nodev

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Mount /var with the nodev mount option

Remediation script

mount -o remount,nodev /var

Tests that /var is mounted with nodev option

  • mount point: /var
  • device: /dev/mapper/volgrp-var
  • uuid: (empty)
  • fs type: ext4
  • mount options: rw, seclabel, noatime, nodelalloc, data=journal
  • total space: 2031470
  • space used: 422497
  • space left: 1608973

Result for /var/log is mounted with nodev

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Mount /var/log with the nodev mount option

Remediation script

mount -o remount,nodev /var/log

Result for /var/log/audit is mounted with nodev

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Mount /var/log/audit with the nodev mount option

Remediation script

mount -o remount,nodev /var/log/audit

Result for /home is mounted with nodev

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-home-nodev

Time: 2014-04-12 07:49

Severity: low

Remediation script

mount -o remount,nodev /home

Result for /tmp is mounted with nodev

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev

Time: 2014-04-12 07:49

Severity: medium

Remediation script

mount -o remount,nodev /tmp

Result for /tmp is mounted with nosuid

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid

Time: 2014-04-12 07:49

Severity: medium

Remediation script

mount -o remount,nosuid /tmp

Result for /home is mounted with nosuid

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid

Time: 2014-04-12 07:49

Severity: low

Remediation script

mount -o remount,nosuid /home

Result for /dev/shm is mounted with nosuid

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid

Time: 2014-04-12 07:49

Severity: medium

Remediation script

mount -o remount,nosuid /dev/shm

Result for /tmp is mounted with noexec

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec

Time: 2014-04-12 07:49

Severity: medium

Remediation script

mount -o remount,noexec /tmp

Result for /dev/shm is mounted with noexec

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec

Time: 2014-04-12 07:49

Severity: medium

Remediation script

mount -o remount,noexec /dev/shm

Result for The kernel supports quota (CONFIG_QUOTA)

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_kernel-quota

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Rebuild the Linux kernel with quota support (CONFIG_QUOTA)

Tests that CONFIG_QUOTA is in the kernel configuration

  • path: /usr/src/linux/.config
    content: CONFIG_QUOTA is not set
  • path: /usr/src/linux/.config
    content: CONFIG_QUOTACTL is not set

Result for The /var file system is mounted with usrquota or grpquota

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_var-quota

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Mount /var with usrquota and/or grpquota

Remediation script

mount -o remount,usrquota,grpquota /var

Tests that /var is mounted with usrquota or grpquota option

  • mount point: /var
  • device: /dev/mapper/volgrp-var
  • uuid: (empty)
  • fs type: ext4
  • mount options: rw, seclabel, noatime, nodelalloc, data=journal
  • total space: 2031470
  • space used: 422497
  • space left: 1608973

Result for The /home file system is mounted with usrquota or grpquota

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_home-quota

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Mount /home with usrquota and/or grpquota

Remediation script

mount -o remount,usrquota,grpquota /home

Tests that /home is mounted with usrquota or grpquota option

  • mount point: /home
  • device: /dev/mapper/volgrp-home
  • uuid: (empty)
  • fs type: ext4
  • mount options: rw, seclabel, nosuid, nodev, noatime, nodelalloc, data=journal
  • total space: 15449087
  • space used: 11256123
  • space left: 4192964

Result for The /proc file system is mounted with hidepid=1 or hidepid=2

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_proc-hidepid

Time: 2014-04-12 07:49

Severity: medium

Remediation instructions

Mount /proc with hidepid=1 or hidepid=2

Remediation script

mount -o remount,hidepid=2 /proc

Tests that /proc is mounted with hidepid=1 or hidepid=2 option

  • mount point: /proc
  • device: proc
  • uuid: (empty)
  • fs type: proc
  • mount options: rw, nosuid, nodev, noexec, relatime
  • total space: 0
  • space used: 0
  • space left: 0

Result for No telnet daemons are running

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning

Time: 2014-04-12 07:49

Severity: high

Remediation script

for service in /etc/init.d/*telnet*;
do
  test -f ${service} && run_init rc-service ${service##*/} stop;
done

Result for No FTP daemons are running

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning

Time: 2014-04-12 07:49

Severity: medium

Remediation script

for service in /etc/init.d/*ftp*;
do
  test -f ${service} && run_init rc-service ${service##*/} stop;
done

Result for sulogin is used for single-user boot (/etc/rc.conf)

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin

Time: 2014-04-12 07:49

Severity: medium

Remediation script

sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf

Result for sulogin is used for single-user boot (/etc/inittab)

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_inittab-sulogin

Time: 2014-04-12 07:49

Severity: medium

Result for /etc/hosts.allow exists

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_hostsallow-exists

Time: 2014-04-12 07:49

Severity: info

Result for /etc/at/at.allow exists

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_atallow-exists

Time: 2014-04-12 07:49

Severity: low

Result for USE="pam" is set

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_USE-pam

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Edit /etc/portage/make.conf and make sure that 'pam' is in the USE declaration

Tests that 'pam' is set as a global USE flag in make.conf

  • path: /etc/portage/make.conf
    content: USE="${USE}"

Result for USE="tcpd" is set

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_USE-tcpd

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Edit /etc/portage/make.conf and make sure that 'tcpd' is in the USE declaration

Tests that 'tcpd' is set as a global USE flag in make.conf

  • path: /etc/portage/make.conf
    content: USE="${USE}"

Result for USE="ssl" is set

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_USE-ssl

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Edit /etc/portage/make.conf and make sure that 'ssl' is in the USE declaration

Tests that 'ssl' is set as a global USE flag in make.conf

  • path: /etc/portage/make.conf
    content: USE="${USE}"

Result for FEATURES="webrsync-gpg" is set

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Edit /etc/portage/make.conf and make sure that 'webrsync-gpg' is in the FEATURES declaration.

Tests that webrsync-gpg is set in make.conf FEATURES

  • path: /etc/portage/make.conf
    content: FEATURES="-loadpolicy sign buildpkg metadata-transfer"

Result for PORTAGE_GPG_DIR is set

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty

Time: 2014-04-12 07:49

Severity: low

Result for Grub legacy (if it exists) has a password entry with md5 hash

Result: fail

Rule ID: xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Edit /boot/grub/grub.conf and set a password entry with md5 hash

Result for LILO (if it exists) has a password entry

Result: pass

Rule ID: xccdf_org.gentoo.dev.swift_rule_liloconf-password

Time: 2014-04-12 07:49

Severity: low

Result for /etc/securetty is limited to console and tty's

Result: error

Rule ID: xccdf_org.gentoo.dev.swift_rule_securetty-limitentries

Time: 2014-04-12 07:49

Severity: low

Remediation instructions

Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.