authorSven Vermeulen <sven.vermeulen@siphos.be>2014-03-30 17:43:55 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2014-03-30 17:43:55 +0200
commit68e7c5b954197805e82752021032cf8e0fc97a96 (patch)
tree15bbafc333b3b4bbad0b06a6e5e2e4a0ebeda6d2
parentAdd syslog rules and enhance security/access.conf with an example (diff)
downloadhardened-docs-68e7c5b954197805e82752021032cf8e0fc97a96.tar.gz
hardened-docs-68e7c5b954197805e82752021032cf8e0fc97a96.tar.bz2
hardened-docs-68e7c5b954197805e82752021032cf8e0fc97a96.zip
Handle version and add in hidepid check
-rw-r--r--xml/SCAP/Makefile2
-rw-r--r--xml/SCAP/gentoo-oval.xml35
-rw-r--r--xml/SCAP/gentoo-xccdf.xml20
3 files changed, 54 insertions, 3 deletions
diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index f0b8628..1a48ecf 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -28,6 +28,8 @@ prep:
-cp -R bin/ ~/tmp/
-cp ~/tmp/gentoo-oval.xml ~/tmp/cpe-oval.xml
-sed -i 's|gentoo-oval.xml|cpe-oval.xml|g' ~/tmp/gentoo-cpe.xml
+ -sed -i "s|@@VERSION@@|`date +%Y%m%d`|g" ~/tmp/gentoo-xccdf.xml
+ -sed -i "s|@@DATE@@|`date +%Y-%m-%d`|g" ~/tmp/gentoo-xccdf.xml
upload:
-pushd ~/tmp; scp gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml gentoo-ds.xml guide-gentoo-xccdf.html report-gentoo-oval.html report-gentoo-xccdf.html $(location)/; popd;
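Review bot: The substituted version drops the `.1` revision that the old literal `<version>20140326.1</version>` carried, while the benchmark id template keeps a hard-coded `-1` suffix, so two publishes on the same day yield identical ids and versions and the version string no longer follows the id's format. Consider making the version an overridable make variable so a release can be pinned and reproduced, e.g. `VERSION ?= $(shell date +%Y%m%d)` near the top of the Makefile and `-sed -i "s|@@VERSION@@|$(VERSION)|g" ~/tmp/gentoo-xccdf.xml` here. Note also that the leading `-` on both new sed lines suppresses a failed substitution, which would upload a benchmark whose id still contains the literal `@@VERSION@@`; a guard such as `! grep -q '@@[A-Z]*@@' ~/tmp/gentoo-xccdf.xml` after the seds would fail the build instead. The prep target continues outside the hunk.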
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index a031348..7f6e674 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -547,6 +547,21 @@
</criteria>
</definition>
+ <definition id="oval:org.gentoo.dev.swift:def:33" version="1" class="compliance">
+ <metadata>
+ <title>/proc is mounted with hidepid=1 or hidepid=2</title>
+ <affected family="unix">
+ <platform>Gentoo Linux</platform>
+ </affected>
+ <description>
+ The /proc file system should be mounted with hidepid=1 or 2 so that other users' processes are not visible to non-authorized accounts.
+ </description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="/proc is mounted with hidepid=1 or hidepid=2" />
+ </criteria>
+ </definition>
+
</definitions>
<tests>
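Review bot: The description states that with hidepid=1 "other users' processes are not visible", but only hidepid=2 makes other users' /proc/PID directories invisible; hidepid=1 leaves them listed and only denies access to their contents, so PIDs and process existence can still be enumerated. Since the definition accepts both values, the text should say so, e.g. `The /proc file system should be mounted with hidepid=1 (other users' /proc/PID entries are not readable) or hidepid=2 (they are not listed at all), so that non-authorized accounts cannot inspect other users' processes.` It would also help readers to mention that the optional gid= mount option exempts one group from hidepid, since a permissive gid= weakens the control without affecting this check.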
@@ -824,6 +839,16 @@
<ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
</ind-def:textfilecontent54_test>
+ <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:34"
+ version="1" check="all" check_existence="all_exist"
+ comment="Tests that /proc is mounted with hidepid=1 or hidepid=2 option">
+ <!-- /proc partition -->
+ <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+ <!-- "hidepid=[12]" mount option -->
+ <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+ </lin-def:partition_test>
+
+
</tests>
<objects>
@@ -944,6 +969,11 @@
<ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
+ <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:21"
+ version="1" comment="The /proc file system">
+ <lin-def:mount_point>/proc</lin-def:mount_point>
+ </lin-def:partition_object>
+
</objects>
<states>
@@ -1013,6 +1043,11 @@
<ind-def:text datatype="string" operation="pattern match" entity_check="all">(console|tty[[:digit:]]+)</ind-def:text>
</ind-def:textfilecontent54_state>
+ <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:14"
+ version="1" comment="hidepid=1 or hidepid=2 mount option">
+ <lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
+ </lin-def:partition_state>
+
</states>
<variables>
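Review bot: The mount_options pattern `hidepid=[12]` is unanchored, so any option value merely containing that substring would satisfy the state; since each mount option is compared as a separate value, anchoring it costs nothing and is more defensive: `<lin-def:mount_options entity_check="at least one" operation="pattern match">^hidepid=[12]$</lin-def:mount_options>`. A practitioner should also be aware that newer kernels accept symbolic hidepid values and may report them symbolically in the mount table rather than as 1 or 2 (to be confirmed against the target kernel), in which case this state would report a false failure on a correctly hardened host; the comment on the state could note that the numeric form is what is expected here.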
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 5fe590d..3c3afcd 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-20140326-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
- <status date="2014-03-26">draft</status>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_gentoo-@@VERSION@@-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+ <status date="@@DATE@@">draft</status>
<title>Gentoo Security Benchmark</title>
<description>
This benchmarks helps people in improving their system configuration to be
more resilient against attacks and vulnerabilities.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
- <version>20140326.1</version>
+ <version>@@VERSION@@</version>
<model system="urn:xccdf:scoring:default" />
<model system="urn:xccdf:scoring:flat" />
<model system="urn:xccdf:scoring:flat-unweighted" />
@@ -101,6 +101,8 @@
<select idref="xccdf_org.gentoo.dev.swift_rule_PORTAGE_GPG_DIR-nonempty" selected="true" />
<!-- Make sure /etc/securetty only contains console and tty's -->
<select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
+ <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
+ <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
</Profile>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
<title>Default server setup settings</title>
@@ -1009,6 +1011,18 @@ mount -o remount,usrquota,grpquota /home
</description>
<reference href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201">Kernel commit introducing
the hidepid support</reference>
+ <Rule id="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="false" severity="medium" weight="1.7">
+ <title>The /proc file system is mounted with hidepid=1 or hidepid=2</title>
+ <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_proc-hidepid">Mount /proc with hidepid=1 or hidepid=2</fixtext>
+ <fix id="xccdf_org.gentoo.dev.swift_fix_proc-hidepid"
+ system="urn:xccdf:fix:system:commands"
+ platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,hidepid=2 /proc
+ </fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="gentoo-oval.xml" />
+ </check>
+ </Rule>
</Group>
</Group> <!-- system-fs -->
<Group id="xccdf_org.gentoo.dev.swift_group_system-services">
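Review bot: The fix `mount -o remount,hidepid=2 /proc` only changes the running system, so the rule passes immediately after remediation and regresses at the next boot because nothing persists the option in /etc/fstab; the fixtext should at least tell the operator to make it permanent, e.g. `Mount /proc with hidepid=1 or hidepid=2, and persist the option in /etc/fstab (for instance: proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0) so it survives a reboot.` Given that, `reboot="false"` is accurate for the command but misleading about the rule's durability, and the fix element might better carry a comment that it is a runtime-only change. The fixtext should also warn that hidepid=2 can break tools that must see all processes for unprivileged users, and that the gid= option exists to exempt a dedicated group rather than lowering hidepid. The enclosing Group starts outside the hunk.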