Gentoo Security Benchmark

with profile: Default server setup settings (non-scripted)
This benchmark helps administrators improve their system configuration so that it is more resilient against attacks and vulnerabilities.

Evaluation Characteristics

Target machine: clevo
Benchmark URL: gentoo-xccdf.xml
Benchmark ID: xccdf_org.gentoo.dev.swift_benchmark_gentoo-20150827-1
Profile ID: xccdf_org.gentoo.dev.swift_profile_default-oval
Started at: 2015-08-27T22:39:10
Finished at: 2015-08-27T22:39:10
Performed by: swift

CPE Platforms

  • cpe:/o:gentoo:linux

Addresses

  • IPv4  127.0.0.1
  • IPv4  192.168.1.4
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:e952:2ace:b55:82a0
  • MAC  00:00:00:00:00:00
  • MAC  00:90:F5:F9:7C:3E

Compliance and Scoring

The target system did not satisfy the conditions of 21 rules. Furthermore, the result of 1 rule was inconclusive (error). Please review the rule results and consider applying the remediations.

Rule results

12 passed
21 failed
1 other

Severity of failed rules

0 other
18 low
3 medium
0 high

Score

Scoring system                      Score       Maximum      Percent
urn:xccdf:scoring:default           33.718906   100.000000   33.72%
urn:xccdf:scoring:flat              57.400002   117.400002   48.89%
urn:xccdf:scoring:flat-unweighted   12.000000   34.000000    35.29%

Rule Overview

Title  [severity]  result
Gentoo Security Benchmark  (21x fail, 1x error)
Introduction
This is no security policy
A little more about SCAP and OVAL
Using this guide
Available XCCDF Profiles
About the rule weights
Before starting
Infrastructure architecturing
Mapping requirements
Non-software security concerns
Physical security
Policies and contractual agreements
Installation configuration  (4x fail)
Storage configuration  (4x fail)
Partitioning  (4x fail)
Separate file systems for important locations  (4x fail)
  /tmp is a separate file system  [medium]  pass
  /var is a separate file system  [medium]  fail
  /var/log is a separate file system  [low]  fail
  /var/log/audit is a separate file system  [low]  fail
  /home is a separate file system  [medium]  pass
  /var/tmp is a separate file system  [low]  fail
Use a Hardened Toolchain
  The hardened toolchain is used  [low]  notselected
System settings  (17x fail, 1x error)
File system related settings  (10x fail)
Using no* mount options for the file systems  (6x fail)
  /var is mounted with nodev  [low]  fail
  /var/log is mounted with nodev  [low]  fail
  /var/log/audit is mounted with nodev  [low]  fail
  /home is mounted with nodev  [low]  fail
  /tmp is mounted with nodev  [medium]  fail
  /tmp is mounted with nosuid  [medium]  pass
  /home is mounted with nosuid  [low]  fail
  /dev/shm is mounted with nosuid  [medium]  pass
  /tmp is mounted with noexec  [medium]  pass
  /dev/shm is mounted with noexec  [medium]  pass
Disk quota support  (3x fail)
  The kernel supports quota (CONFIG_QUOTA)  [low]  fail
  The /var file system is mounted with usrquota or grpquota  [low]  fail
  The /home file system is mounted with usrquota or grpquota  [low]  fail
Hiding process information through hidepid  (1x fail)
  The /proc file system is mounted with hidepid=1 or hidepid=2  [medium]  fail
System services  (1x fail)
Disable unsafe services
  No telnet daemons are running  [high]  pass
  No FTP daemons are running  [medium]  pass
Require single-user boot to give root password
  sulogin is used for single-user boot (/etc/rc.conf)  [medium]  pass
  sulogin is used for single-user boot (/etc/inittab)  [medium]  pass
Properly Configure TCP Wrappers
  /etc/hosts.allow exists  [info]  pass
SSH service
Cron service
Only allow trusted accounts cron access
At service  (1x fail)
Only allow trusted accounts at access  (1x fail)
  /etc/at/at.allow exists  [low]  fail
NTP service
Synchronise the system clock
Syslog service
Configure the system logger to log intervals
Enable remote logging
Decide which events to send to user terminals
Portage settings  (5x fail)
USE flags  (3x fail)
  USE="pam" is set  [low]  fail
  USE="tcpd" is set  [low]  fail
  USE="ssl" is set  [low]  fail
Fetching signed portage tree  (2x fail)
  FEATURES="webrsync-gpg" is set  [low]  fail
  PORTAGE_GPG_DIR is set  [low]  fail
Kernel configuration
Bootloader configuration  (1x fail)
Password protect GRUB 2
Password protect GRUB (legacy)  (1x fail)
  Grub legacy (if it exists) has a password entry with md5 hash  [low]  fail
Password protect LILO
  LILO (if it exists) has a password entry  [low]  pass
Authentication and authorization settings  (1x error)
Restrict root system logon  (1x error)
  /etc/securetty is limited to console and tty's  [low]  error
Allow only known users to login
Restrict user resources
Enforce password policy
Review password strength regularly
Session settings
Disable access to user terminals
File and directory privileges and integrity
Limit world writable files and locations
  All world writable directories have the sticky bit set  [medium]  notselected
Limit setuid and setgid file and directory usage
Limit capability enabled files
Logs only readable by proper group
Files only used by root should be root-only
Review file integrity regularly
Data flows
Backup the data
Automated backups
Full data coverage
Retention
Off-site backups
Validate and test
Decommissioning servers
Wipe disks

Result Details

/tmp is a separate file system

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that /tmp is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169
/var is a separate file system

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-var
Result: fail
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items not found violating Tests that /var is a separate file system:

Object oval:org.gentoo.dev.swift:obj:4 of type partition_object
Mount point: /var
Remediation description:
Create a file system for /var; make sure it is added in the /etc/fstab file and reboot the system.
/var/log is a separate file system

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlog
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var/log is a separate file system:

Object oval:org.gentoo.dev.swift:obj:5 of type partition_object
Mount point: /var/log
Remediation description:
Create a file system for /var/log; make sure it is added in the /etc/fstab file and reboot the system.
/var/log/audit is a separate file system

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var/log/audit is a separate file system:

Object oval:org.gentoo.dev.swift:obj:6 of type partition_object
Mount point: /var/log/audit
Remediation description:
Create a file system for /var/log/audit; make sure it is added in the /etc/fstab file and reboot the system.
/home is a separate file system

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-home
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that /home is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/home | /dev/mapper/vg0-home | - | ext4 | rw,seclabel,noatime,discard,data=ordered | 10288464 | 5314575 | 4973889
/var/tmp is a separate file system

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-vartmp
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var/tmp is on its own file system:

Object oval:org.gentoo.dev.swift:obj:8 of type partition_object
Mount point: /var/tmp
Remediation description:
Create a file system for /var/tmp; make sure it is added in the /etc/fstab file and reboot the system.
The hardened toolchain is used

Rule ID: xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened
Result: notselected
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
SCE stdout: (empty)
/var is mounted with nodev

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-var-nodev
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var is a separate file system:

Object oval:org.gentoo.dev.swift:obj:4 of type partition_object
Mount point: /var

Items not found violating Tests that /var is mounted with nodev option:

Object oval:org.gentoo.dev.swift:obj:4 of type partition_object
Mount point: /var
State oval:org.gentoo.dev.swift:ste:2 of type partition_state
Mount options: nodev
Remediation description:
Mount /var with nodev mount option
Remediation script:

mount -o remount,nodev /var
          
/var/log is mounted with nodev

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var/log is a separate file system:

Object oval:org.gentoo.dev.swift:obj:5 of type partition_object
Mount point: /var/log

Items not found violating Tests that /var/log is mounted with nodev option:

Object oval:org.gentoo.dev.swift:obj:5 of type partition_object
Mount point: /var/log
State oval:org.gentoo.dev.swift:ste:2 of type partition_state
Mount options: nodev
Remediation description:
Mount /var/log with nodev mount option
Remediation script:

mount -o remount,nodev /var/log
          
/var/log/audit is mounted with nodev

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var/log/audit is a separate file system:

Object oval:org.gentoo.dev.swift:obj:6 of type partition_object
Mount point: /var/log/audit

Items not found violating Tests that /var/log/audit is mounted with nodev option:

Object oval:org.gentoo.dev.swift:obj:6 of type partition_object
Mount point: /var/log/audit
State oval:org.gentoo.dev.swift:ste:2 of type partition_state
Mount options: nodev
Remediation description:
Mount /var/log/audit with nodev mount option
Remediation script:

mount -o remount,nodev /var/log/audit
          
/home is mounted with nodev

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-home-nodev
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items found violating Tests that /home is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/home | /dev/mapper/vg0-home | - | ext4 | rw,seclabel,noatime,discard,data=ordered | 10288464 | 5314575 | 4973889

Items found violating Tests that /home is mounted with nodev option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/home | /dev/mapper/vg0-home | - | ext4 | rw,seclabel,noatime,discard,data=ordered | 10288464 | 5314575 | 4973889
Remediation description:
Mount /home with nodev mount option
Remediation script:

mount -o remount,nodev /home
          
/tmp is mounted with nodev

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev
Result: fail
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found violating Tests that /tmp is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169

Items found violating Tests that /tmp is mounted with nodev option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169
Remediation description:
Mount /tmp with nodev mount option
Remediation script:

mount -o remount,nodev /tmp
          
/tmp is mounted with nosuid

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that /tmp is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169

Items found satisfying Tests that /tmp is mounted with nosuid option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169
/home is mounted with nosuid

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items found violating Tests that /home is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/home | /dev/mapper/vg0-home | - | ext4 | rw,seclabel,noatime,discard,data=ordered | 10288464 | 5314575 | 4973889

Items found violating Tests that /home is mounted with nosuid option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/home | /dev/mapper/vg0-home | - | ext4 | rw,seclabel,noatime,discard,data=ordered | 10288464 | 5314575 | 4973889
Remediation description:
Mount /home with nosuid mount option
Remediation script:

mount -o remount,nosuid /home
          
/dev/shm is mounted with nosuid

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that /dev/shm is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/dev/shm | shm | - | tmpfs | rw,seclabel,nosuid,nodev,noexec,relatime,bind | 4107171 | 0 | 4107171

Items found satisfying Tests that /dev/shm is mounted with nosuid option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/dev/shm | shm | - | tmpfs | rw,seclabel,nosuid,nodev,noexec,relatime,bind | 4107171 | 0 | 4107171
/tmp is mounted with noexec

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that /tmp is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169

Items found satisfying Tests that /tmp is mounted with noexec option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/tmp | tmpfs | - | tmpfs | rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime,bind | 4107171 | 2 | 4107169
/dev/shm is mounted with noexec

Rule ID: xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that /dev/shm is a separate file system:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/dev/shm | shm | - | tmpfs | rw,seclabel,nosuid,nodev,noexec,relatime,bind | 4107171 | 0 | 4107171

Items found satisfying Tests that /dev/shm is mounted with noexec option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/dev/shm | shm | - | tmpfs | rw,seclabel,nosuid,nodev,noexec,relatime,bind | 4107171 | 0 | 4107171
The kernel supports quota (CONFIG_QUOTA)

Rule ID: xccdf_org.gentoo.dev.swift_rule_kernel-quota
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that CONFIG_QUOTA is in the kernel configuration:

Object oval:org.gentoo.dev.swift:obj:9 of type textfilecontent54_object
Filepath | Pattern | Instance
/usr/src/linux/.config | CONFIG_QUOTA.* | 1
State oval:org.gentoo.dev.swift:ste:4 of type textfilecontent54_state
Text: ^CONFIG_QUOTA=[ym]
Remediation description:
Rebuild the Linux kernel with quota support (CONFIG_QUOTA)
The /var file system is mounted with usrquota or grpquota

Rule ID: xccdf_org.gentoo.dev.swift_rule_var-quota
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /var is mounted with usrquota or grpquota option:

Object oval:org.gentoo.dev.swift:obj:16 of type partition_object
Mount point: /var
State oval:org.gentoo.dev.swift:ste:7 of type partition_state
Mount options: (usr|grp)quota
Remediation description:
Mount /var with usrquota and/or grpquota
Remediation script:

mount -o remount,usrquota,grpquota /var
          
The /home file system is mounted with usrquota or grpquota

Rule ID: xccdf_org.gentoo.dev.swift_rule_home-quota
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items found violating Tests that /home is mounted with usrquota or grpquota option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/home | /dev/mapper/vg0-home | - | ext4 | rw,seclabel,noatime,discard,data=ordered | 10288464 | 5314575 | 4973889
Remediation description:
Mount /home with usrquota and/or grpquota
Remediation script:

mount -o remount,usrquota,grpquota /home
          
The /proc file system is mounted with hidepid=1 or hidepid=2

Rule ID: xccdf_org.gentoo.dev.swift_rule_proc-hidepid
Result: fail
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found violating Tests that /proc is mounted with hidepid=1 or hidepid=2 option:

Mount point | Device | UUID | FS type | Mount options | Total space | Space used | Space left
/proc | proc | - | proc | rw,nosuid,nodev,noexec,relatime,bind | 0 | 0 | 0
Remediation description:
Mount /proc with hidepid=1 or hidepid=2
Remediation script:

mount -o remount,hidepid=2 /proc
          
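The mount-option, quota and hidepid rules above all reduce to one check: look the mount point up in the kernel's mount table and test its option list. The shell script below is an added illustration, not part of the benchmark or its OVAL content. It performs that check against a mounts table in /proc/self/mounts format, using a sample table constructed from the rows in this report (the "/" entry is an assumption, since the report does not show the root file system), and adds two things the remediation scripts leave out. First, "mount -o remount,nodev /var" can only succeed once /var is a mount point of its own, which on this host it is not (the separate-file-system rule for /var fails), so the script reports such a rule as not applicable instead of failing it. Second, a remount changes only the running system; the option must also be added to the entry in /etc/fstab, which fstab_add_opt does, or it is lost at the next reboot. kconfig_set applies the benchmark's ^CONFIG_QUOTA=[ym] test to a kernel configuration text; /usr/src/linux/.config describes the tree being built, not necessarily the running kernel, so on a live host "zcat /proc/config.gz" (present when CONFIG_IKCONFIG_PROC is enabled) is the better input. The quota mount options only switch on accounting: limits are set afterwards with quotacheck, quotaon and edquota or setquota from sys-fs/quota. For /proc, hidepid=2 hides other users' /proc/<pid> entries from unprivileged users; a monitoring agent that still needs them can be exempted with the gid= option on the same mount.

```shell
#!/bin/sh
# Added example: audit the benchmark's mount-option, quota and hidepid rules
# against a mounts table in /proc/self/mounts format (device, mount point,
# fs type, options, dump, pass). Not part of the benchmark itself.
#
# Constructed sample, built from the rows shown in this report; the "/" line
# is an assumption (the report does not show the root file system).
SAMPLE_MOUNTS='/dev/mapper/vg0-root / ext4 rw,seclabel,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,noexec,relatime 0 0
shm /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,seclabel,noatime,discard,data=ordered 0 0'

# Constructed kernel configuration excerpt with quota support left out.
SAMPLE_KCONFIG='CONFIG_EXT4_FS=y
# CONFIG_QUOTA is not set
CONFIG_QUOTACTL=y'

# Option list of mount point $2 in table $1 (last match wins, as with stacked
# mounts); empty when $2 is not a mount point. Paths containing spaces are
# escaped as \040 in /proc/self/mounts and are not decoded here.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# "pass" when $2 is a file system of its own, "fail" when it lives on a parent.
is_separate_fs() {
    [ -n "$(mount_opts "$1" "$2")" ] && echo pass || echo fail
}

# "pass" when mount point $2 carries an option matching the extended regex $3
# (whole option, e.g. nodev, hidepid=[12], (usr|grp)quota), "fail" when it is
# mounted without it, "notapplicable" when $2 is not a mount point at all, in
# which case "mount -o remount,... $2" would fail as well.
has_mount_opt() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo notapplicable; return; }
    printf '%s\n' "$opts" | tr ',' '\n' | grep -Eqx "$3" && echo pass || echo fail
}

# "pass" when kernel config text $1 enables option $2 (=y or =m), the same
# ^CONFIG_...=[ym] test the benchmark applies to /usr/src/linux/.config.
kconfig_set() {
    printf '%s\n' "$1" | grep -Eq "^CONFIG_$2=[ym]$" && echo pass || echo fail
}

# Print an /etc/fstab line with option $2 appended to its option field, so the
# setting survives a reboot; a line that already has it is printed unchanged.
fstab_add_opt() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        { n = split($4, o, ",")
          for (i = 1; i <= n; i++) if (o[i] == opt) { print; exit }
          $4 = $4 "," opt; print }'
}

# Run every mount rule from the report and print "mount point  option  result".
audit_mounts() {
    for spec in /tmp:nodev /tmp:nosuid /tmp:noexec \
                /dev/shm:nosuid /dev/shm:noexec \
                /home:nodev /home:nosuid '/home:(usr|grp)quota' \
                /var:nodev '/var:(usr|grp)quota' /var/log:nodev /var/log/audit:nodev \
                '/proc:hidepid=[12]'
    do
        mp=${spec%%:*}; opt=${spec#*:}
        printf '%-16s %-16s %s\n' "$mp" "$opt" "$(has_mount_opt "$1" "$mp" "$opt")"
    done
}

audit_mounts "$SAMPLE_MOUNTS"
kconfig_set "$SAMPLE_KCONFIG" QUOTA
```

On a live host run audit_mounts "$(cat /proc/self/mounts)" and kconfig_set "$(zcat /proc/config.gz)" QUOTA; the pass, fail and notapplicable results use the report's own vocabulary, and fstab_add_opt "$(grep ' /home ' /etc/fstab)" nodev prints the persistent form of the remount the report suggests.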
No telnet daemons are running

Rule ID: xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning
Result: pass
Time: 2015-08-27T22:39:10
Severity: high
Identifiers and References
OVAL details

Items not found satisfying Tests that no telnet daemons are running:

Object oval:org.gentoo.dev.swift:obj:10 of type process58_object
Command line | Pid
.*[Tt][Ee][Ll][Nn][Ee][Tt][Dd].* | 0
No FTP daemons are running

Rule ID: xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items not found satisfying Tests that no FTP daemons are running:

Object oval:org.gentoo.dev.swift:obj:11 of type process58_object
Command line | Pid
.*[Ff][Tt][Pp][Dd].* | 0
sulogin is used for single-user boot (/etc/rc.conf)

Rule ID: xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that rc_shell in /etc/rc.conf is set to /sbin/sulogin:

Path | Content
/etc/rc.conf | #rc_depend_strict="YES"
/etc/rc.conf | #rc_parallel="NO"
/etc/rc.conf | #rc_interactive="YES"
/etc/rc.conf | rc_shell=/sbin/sulogin
/etc/rc.conf | rc_hotplug="pcscd
/etc/rc.conf | #rc_logger="YES"
/etc/rc.conf | #rc_log_path="/var/log/rc.log"
/etc/rc.conf | #rc_verbose=no
/etc/rc.conf | #rc_env_allow="VAR1
/etc/rc.conf | #rc_start_wait=100
/etc/rc.conf | #rc_nostop=""
/etc/rc.conf | #rc_crashed_stop=NO
/etc/rc.conf | #rc_crashed_start=YES
/etc/rc.conf | #rc_nocolor=NO
/etc/rc.conf | unicode="YES"
/etc/rc.conf | #rc_fuser_timeout=60
/etc/rc.conf | #extra_net_fs_list=""
/etc/rc.conf | #SSD_NICELEVEL="-19"
/etc/rc.conf | #rc_ulimit="-u
/etc/rc.conf | #rc_config="/etc/foo"
/etc/rc.conf | #rc_need="openvpn"
/etc/rc.conf | #rc_use="net.eth0"
/etc/rc.conf | #rc_after="clock"
/etc/rc.conf | #rc_before="local"
/etc/rc.conf | #rc_provide="!net"
/etc/rc.conf | #rc_foo_config="/etc/foo"
/etc/rc.conf | #rc_foo_need="openvpn"
/etc/rc.conf | #rc_foo_after="clock"
/etc/rc.conf | #rc_foo_bar_config="/etc/foo-bar"
/etc/rc.conf | #rc_foo_bar_need="openvpn"
/etc/rc.conf | #rc_foo_bar_after="clock"
/etc/rc.conf | #rc_net_tap0_provide="!net"
/etc/rc.conf | #rc_sys=""
/etc/rc.conf | rc_tty_number=12
/etc/rc.conf | #rc_controller_cgroups="YES"
/etc/rc.conf | #rc_cgroup_blkio=""
/etc/rc.conf | #rc_cgroup_cpu=""
/etc/rc.conf | #rc_cgroup_cpuacct=""
/etc/rc.conf | #rc_cgroup_cpuset=""
/etc/rc.conf | #rc_cgroup_devices=""
/etc/rc.conf | #rc_cgroup_memory=""
/etc/rc.conf | #rc_cgroup_net_prio=""
sulogin is used for single-user boot (/etc/inittab)

Rule ID: xccdf_org.gentoo.dev.swift_rule_inittab-sulogin
Result: pass
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items found satisfying Tests that single-user boot only triggers '/sbin/rc single' or '/sbin/sulogin':

Path | Content
/etc/inittab | su0:S:wait:/sbin/rc single
/etc/inittab | su1:S:wait:/sbin/sulogin
/etc/hosts.allow exists

Rule ID: xccdf_org.gentoo.dev.swift_rule_hostsallow-exists
Result: pass
Time: 2015-08-27T22:39:10
Severity: info
Identifiers and References
OVAL details

Items found satisfying Tests that /etc/hosts.allow exists:

Path | Type | UID | GID | Size (B) | Permissions
/etc/hosts.allow | regular | 0 | 0 | 585 | rw-r--r--
/etc/at/at.allow exists

Rule ID: xccdf_org.gentoo.dev.swift_rule_atallow-exists
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that /etc/at/at.allow exists:

Object oval:org.gentoo.dev.swift:obj:15 of type file_object
Filepath: /etc/at/at.allow
Remediation description:
Create and properly configure /etc/at/at.allow
USE="pam" is set

Rule ID: xccdf_org.gentoo.dev.swift_rule_USE-pam
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that 'pam' is set as a global USE flag in make.conf:

Object oval:org.gentoo.dev.swift:obj:17 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/portage/make.conf | ^USE=.* | 1
State oval:org.gentoo.dev.swift:ste:8 of type textfilecontent54_state
Text: ( |")pam( |")
Remediation description:
Edit /etc/portage/make.conf and make sure that 'pam' is in the USE declaration
USE="tcpd" is set

Rule ID: xccdf_org.gentoo.dev.swift_rule_USE-tcpd
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that 'tcpd' is set as a global USE flag in make.conf:

Object oval:org.gentoo.dev.swift:obj:17 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/portage/make.conf | ^USE=.* | 1
State oval:org.gentoo.dev.swift:ste:9 of type textfilecontent54_state
Text: ( |")tcpd( |")
Remediation description:
Edit /etc/portage/make.conf and make sure that 'tcpd' is in the USE declaration
USE="ssl" is set

Rule ID: xccdf_org.gentoo.dev.swift_rule_USE-ssl
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that 'ssl' is set as a global USE flag in make.conf:

Object oval:org.gentoo.dev.swift:obj:17 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/portage/make.conf | ^USE=.* | 1
State oval:org.gentoo.dev.swift:ste:10 of type textfilecontent54_state
Text: ( |")ssl( |")
Remediation description:
Edit /etc/portage/make.conf and make sure that 'ssl' is in the USE declaration
FEATURES="webrsync-gpg" is set

Rule ID: xccdf_org.gentoo.dev.swift_rule_FEATURES-webrsync-gpg
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that webrsync-gpg is set in make.conf FEATURES:

Object oval:org.gentoo.dev.swift:obj:18 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/portage/make.conf | ^FEATURES=.* | 1
State oval:org.gentoo.dev.swift:ste:11 of type textfilecontent54_state
Text: ( |")webrsync-gpg( |")
Remediation description:
Edit /etc/portage/make.conf and make sure that 'webrsync-gpg' is in the FEATURES declaration.
PORTAGE_GPG_DIR is set

Rule ID: xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that PORTAGE_GPG_DIR is non-empty:

Object oval:org.gentoo.dev.swift:obj:19 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/portage/make.conf | ^PORTAGE_GPG_DIR="(.*)" | 1
State oval:org.gentoo.dev.swift:ste:12 of type textfilecontent54_state
Subexpression: [\S]+
Remediation description:
Edit /etc/portage/make.conf and make sure that PORTAGE_GPG_DIR is set correctly.
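The five Portage rules above are text matches on /etc/portage/make.conf: the OVAL object takes the first line starting with USE=, FEATURES= or PORTAGE_GPG_DIR=, and the state matches the flag surrounded by a space or a quote. Portage itself evaluates make.conf as shell, so a flag placed on the continuation line of a multi-line USE="..." declaration, or a FEATURES value that is appended to in a later assignment, is in effect but invisible to the check. The shell script below, an added example that is not part of the benchmark, reads the values the way Portage does and evaluates the same five rules; oval_style_use reproduces the report's own method for comparison, and the sample make.conf is constructed. Two caveats: make.conf holds only the global flags, so "emerge --info | grep '^USE='" is the place to see the merged value with profile defaults included; and on later Portage releases signature verification of webrsync snapshots is configured with sync-webrsync-verify-signature in repos.conf rather than FEATURES=webrsync-gpg and PORTAGE_GPG_DIR, so these two rules can fail on a host that is in fact verifying its tree.

```shell
#!/bin/sh
# Added example: evaluate the USE, FEATURES and PORTAGE_GPG_DIR rules against
# the text of make.conf. Not part of the benchmark; its own checks read only the
# first USE=/FEATURES=/PORTAGE_GPG_DIR= line with a regular expression.
#
# Constructed sample: a USE declaration that continues on a second line and a
# FEATURES value that is appended to in a later assignment. Portage evaluates
# make.conf as shell, so the effective values are USE="X acl bindist ssl" and
# FEATURES="sandbox usersandbox webrsync-gpg".
SAMPLE_MAKE_CONF='USE="X acl
     bindist ssl"
FEATURES="sandbox usersandbox"
FEATURES="${FEATURES} webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gnupg"'

# Final value of variable $2 after evaluating make.conf text $1 as shell in a
# throw-away subshell. Only do this with a make.conf you control: it executes
# whatever the file contains, exactly as Portage would.
conf_var() {
    ( unset USE FEATURES PORTAGE_GPG_DIR; eval "$1"; eval "printf '%s\n' \"\$$2\"" )
}

# "pass" when flag $2 appears in the whitespace-separated list $1 ("-pam" does
# not enable pam and is not counted), "fail" otherwise.
flag_set() {
    for f in $1; do [ "$f" = "$2" ] && { echo pass; return; }; done
    echo fail
}

# The report's own method, for comparison: first USE= line only, matched with
# the regular expression ( |")flag( |") from the OVAL state.
oval_style_use() {
    printf '%s\n' "$1" | sed -n '/^USE=/{p;q;}' | grep -Eq "( |\")$2( |\")" && echo pass || echo fail
}

# Result of one of the report's Portage rules (named by the suffix of its
# rule ID) for make.conf text $1.
portage_rule() {
    case $2 in
        USE-pam|USE-tcpd|USE-ssl) flag_set "$(conf_var "$1" USE)" "${2#USE-}" ;;
        FEATURES-webrsync-gpg)    flag_set "$(conf_var "$1" FEATURES)" webrsync-gpg ;;
        PORTAGE_GPG_DIR-nonempty) [ -n "$(conf_var "$1" PORTAGE_GPG_DIR)" ] && echo pass || echo fail ;;
        *) echo error ;;
    esac
}

# Print every rule with its result; on a live host pass "$(cat /etc/portage/make.conf)".
audit_portage() {
    for r in USE-pam USE-tcpd USE-ssl FEATURES-webrsync-gpg PORTAGE_GPG_DIR-nonempty; do
        printf '%-26s %s\n' "$r" "$(portage_rule "$1" "$r")"
    done
}

audit_portage "$SAMPLE_MAKE_CONF"
```

With the sample, USE-ssl passes here but fails under oval_style_use, because "ssl" sits on the continuation line; that difference is the reason to read the file the way Portage does rather than pattern-match its first line.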
Grub legacy (if it exists) has a password entry with md5 hash

Rule ID: xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5
Result: fail
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating /boot/grub exists:

Object oval:org.gentoo.dev.swift:obj:24 of type file_object
Filepath: /boot/grub

Items not found violating /boot/grub/grub.conf does not exist:

Object oval:org.gentoo.dev.swift:obj:22 of type file_object
Filepath: /boot/grub/grub.conf

Items not found violating The grub.conf file has a password --md5 entry:

Object oval:org.gentoo.dev.swift:obj:23 of type textfilecontent54_object
Filepath | Pattern | Instance
/boot/grub/grub.conf | ^([^#\n]*)(?#.*)?$ | 1
State oval:org.gentoo.dev.swift:ste:15 of type textfilecontent54_state
Subexpression: [\s]*password --md5 [\S]+
Remediation description:
Edit /boot/grub/grub.conf and set a password entry with md5 hash
LILO (if it exists) has a password entry

Rule ID: xccdf_org.gentoo.dev.swift_rule_liloconf-password
Result: pass
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found satisfying /etc/lilo.conf does not exist:

Object oval:org.gentoo.dev.swift:obj:25 of type file_object
Filepath: /etc/lilo.conf

Items not found satisfying lilo.conf has a password set:

Object oval:org.gentoo.dev.swift:obj:26 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/lilo.conf | ^([^#\n]*)(?#.*)?$ | 1
State oval:org.gentoo.dev.swift:ste:16 of type textfilecontent54_state
Subexpression: [\s]*password=[\S]+
/etc/securetty is limited to console and tty's

Rule ID: xccdf_org.gentoo.dev.swift_rule_securetty-limitentries
Result: error
Time: 2015-08-27T22:39:10
Severity: low
Identifiers and References
OVAL details

Items not found violating Tests that securetty only contains console and tty#:

Object oval:org.gentoo.dev.swift:obj:20 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/securetty | ^[^#]+ | 1
State oval:org.gentoo.dev.swift:ste:13 of type textfilecontent54_state
Text: (console|tty[[:digit:]]+)
Remediation description:
Edit /etc/securetty and make sure only 'console' and 'tty[0-9]*' are defined.
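This rule ended in an error on this run, and even when it evaluates it is weaker than its title suggests: the OVAL object takes instance 1 of ^[^#]+, i.e. the first non-comment line, and the state matches (console|tty[[:digit:]]+) anywhere in that line, so a file that lists console first and pts/0 further down satisfies it. The shell script below is an added example, not the benchmark's check; it validates every entry of a securetty text against exactly "console" or "tty<N>", lists the offenders, and produces a cleaned copy that keeps all other lines verbatim so it can be reviewed with diff before it replaces the original. The sample file is constructed. Two points to keep in mind when acting on the result: /etc/securetty governs root logins through login (pam_securetty when USE="pam" is set), not through sshd, whose PermitRootLogin setting is a separate control; and a headless server that needs root on a serial console will carry a ttyS0 entry that this rule rejects, which is a deliberate exception to document rather than something the cleaner should silently remove.

```shell
#!/bin/sh
# Added example: check every entry of /etc/securetty, not just the first
# non-comment line the benchmark's OVAL object looks at. Not part of the benchmark.
#
# Constructed sample: a serial console and a pseudo-terminal, which the rule
# does not allow, listed after the entries it does.
SAMPLE_SECURETTY='# terminals on which root may log in
console
tty1
tty2
tty3
ttyS0
pts/0'

# Print each entry of securetty text $1 that is neither "console" nor "tty<N>"
# (a trailing "# comment" and blank lines are ignored, as the benchmark's
# ^[^#]+ pattern does); prints nothing when every entry is allowed.
securetty_violations() {
    printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]*$//' | grep -v '^$' \
        | grep -Evx 'console|tty[0-9]+' || true
}

# "pass" when no disallowed entry exists, "fail" otherwise.
securetty_check() {
    [ -z "$(securetty_violations "$1")" ] && echo pass || echo fail
}

# Copy of securetty text $1 with the disallowed entries removed and every other
# line kept verbatim, so it can be diffed against the original before installing.
securetty_clean() {
    printf '%s\n' "$1" | awk '
        { e = $0; sub(/#.*/, "", e); sub(/[[:space:]]+$/, "", e) }
        e == "" || e == "console" || e ~ /^tty[0-9]+$/ { print }'
}

securetty_violations "$SAMPLE_SECURETTY"   # prints ttyS0 and pts/0
```

On a live host: securetty_check "$(cat /etc/securetty)" gives the verdict, and securetty_clean "$(cat /etc/securetty)" | diff /etc/securetty - shows exactly what would change.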
All world writable directories have the sticky bit set

Rule ID: xccdf_org.gentoo.dev.swift_rule_worldwritedir-stickybit
Result: notselected
Time: 2015-08-27T22:39:10
Severity: medium
Identifiers and References
OVAL details

Items not found violating All world writable directories have the sticky bit set:

Object oval:org.gentoo.dev.swift:obj:27 of type file_object
Set: oval:org.gentoo.dev.swift:obj:28 oval:org.gentoo.dev.swift:ste:18
State oval:org.gentoo.dev.swift:ste:17 of type file_state
Sticky: 1