From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
Date: Wed,  2 Sep 2015 20:24:37 +0000 (UTC)	[thread overview]
Message-ID: <1441225454.ec36b14065b253f45eaf9992b9b87cb22b52561c.swift@gentoo> (raw)

commit:     ec36b14065b253f45eaf9992b9b87cb22b52561c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep  2 20:24:14 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep  2 20:24:14 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-docs.git/commit/?id=ec36b140

Adding kernel files

 xml/SCAP/kernel-oval.xml  | 1129 +++++++++++++++++++++++++++++++++++++++++++++
 xml/SCAP/kernel-xccdf.xml |  967 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 2096 insertions(+)

diff --git a/xml/SCAP/kernel-oval.xml b/xml/SCAP/kernel-oval.xml
new file mode 100644
index 0000000..7ea2238
--- /dev/null
+++ b/xml/SCAP/kernel-oval.xml
@@ -0,0 +1,1129 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+ xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+ xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+ xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+  <generator>
+    <oval:product_name>vim</oval:product_name>
+    <oval:schema_version>5.9</oval:schema_version>
+    <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+  </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.ip_forward must be 0</title>
+    <description>sysctl net.ipv4.ip_forward must be 0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="sysctl net.ipv4.ip_forward must be 0" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:4" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.all.rp_filter must be 1</title>
+    <description>sysctl net.ipv4.conf.all.rp_filter must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="sysctl net.ipv4.conf.all.rp_filter must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.default.rp_filter must be 1</title>
+    <description>sysctl net.ipv4.conf.default.rp_filter must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="sysctl net.ipv4.conf.default.rp_filter must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.all.accept_source_route must be 0</title>
+    <description>sysctl net.ipv4.conf.all.accept_source_route must be 0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="sysctl net.ipv4.conf.all.accept_source_route must be 0" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.default.accept_source_route must be 0</title>
+    <description>sysctl net.ipv4.conf.default.accept_source_route must be 0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="sysctl net.ipv4.conf.default.accept_source_route must be 0" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.all.accept_redirects must be 0</title>
+    <description>sysctl net.ipv4.conf.all.accept_redirects must be 0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="sysctl net.ipv4.conf.all.accept_redirects must be 0" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.default.accept_redirects must be 0</title>
+    <description>sysctl net.ipv4.conf.default.accept_redirects must be 0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="sysctl net.ipv4.conf.default.accept_redirects must be 0" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</title>
+    <description>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</title>
+    <description>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.all.log_martians must be 1</title>
+    <description>sysctl net.ipv4.conf.all.log_martians must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="sysctl net.ipv4.conf.all.log_martians must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:22" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.conf.default.log_martians must be 1</title>
+    <description>sysctl net.ipv4.conf.default.log_martians must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="sysctl net.ipv4.conf.default.log_martians must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:24" version="1">
+  <metadata>
+    <title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+    <description>sysctl net.ipv4.tcp_syncookies must be 1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:24" comment="sysctl net.ipv4.tcp_syncookies must be 1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:27" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:27" comment="kernel config CONFIG_GRKERNSEC must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:29" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_TPE must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_TPE must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:29" comment="kernel config CONFIG_GRKERNSEC_TPE must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:31" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX must be y</title>
+    <description>kernel config CONFIG_PAX must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:31" comment="kernel config CONFIG_PAX must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:32" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_NOEXEC must be y</title>
+    <description>kernel config CONFIG_PAX_NOEXEC must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:32" comment="kernel config CONFIG_PAX_NOEXEC must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:33" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_....EXEC must be y</title>
+    <description>kernel config CONFIG_PAX_....EXEC must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:33" comment="kernel config CONFIG_PAX_....EXEC must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:34" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_MPROTECT must be y</title>
+    <description>kernel config CONFIG_PAX_MPROTECT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:34" comment="kernel config CONFIG_PAX_MPROTECT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:35" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_ASLR must be y</title>
+    <description>kernel config CONFIG_PAX_ASLR must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="kernel config CONFIG_PAX_ASLR must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:36" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_RANDKSTACK must be y</title>
+    <description>kernel config CONFIG_PAX_RANDKSTACK must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="kernel config CONFIG_PAX_RANDKSTACK must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:37" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_RANDUSTACK must be y</title>
+    <description>kernel config CONFIG_PAX_RANDUSTACK must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="kernel config CONFIG_PAX_RANDUSTACK must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:38" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PAX_RANDMMAP must be y</title>
+    <description>kernel config CONFIG_PAX_RANDMMAP must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:38" comment="kernel config CONFIG_PAX_RANDMMAP must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:39" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_PROC must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_PROC must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:39" comment="kernel config CONFIG_GRKERNSEC_PROC must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:40" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:40" comment="kernel config CONFIG_GRKERNSEC_PROC_USER must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:41" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:41" comment="kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:42" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:42" comment="kernel config CONFIG_GRKERNSEC_PROC_ADD must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:43" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_LINK must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_LINK must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:43" comment="kernel config CONFIG_GRKERNSEC_LINK must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:44" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_FIFO must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_FIFO must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:44" comment="kernel config CONFIG_GRKERNSEC_FIFO must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:45" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:45" comment="kernel config CONFIG_GRKERNSEC_CHROOT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:46" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:46" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:47" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:47" comment="kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:48" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:48" comment="kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:49" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:49" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:50" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:50" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:51" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:51" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:52" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:52" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:53" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:53" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:54" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:54" comment="kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:55" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:55" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:56" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:56" comment="kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:57" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:57" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:58" version="1">
+  <metadata>
+    <title>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</title>
+    <description>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:58" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:59" version="1">
+  <metadata>
+    <title>kernel config CONFIG_SYN_COOKIES must be y</title>
+    <description>kernel config CONFIG_SYN_COOKIES must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:59" comment="kernel config CONFIG_SYN_COOKIES must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:61" version="1">
+  <metadata>
+    <title>kernel config CONFIG_CC_STACKPROTECTOR must be y</title>
+    <description>kernel config CONFIG_CC_STACKPROTECTOR must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:61" comment="kernel config CONFIG_CC_STACKPROTECTOR must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:63" version="1">
+  <metadata>
+    <title>kernel config CONFIG_DEBUG_RODATA must be y</title>
+    <description>kernel config CONFIG_DEBUG_RODATA must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:63" comment="kernel config CONFIG_DEBUG_RODATA must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:65" version="1">
+  <metadata>
+    <title>kernel config CONFIG_STRICT_DEVMEM must be y</title>
+    <description>kernel config CONFIG_STRICT_DEVMEM must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:65" comment="kernel config CONFIG_STRICT_DEVMEM must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:67" version="1">
+  <metadata>
+    <title>kernel config CONFIG_PROC_KCORE must not be set</title>
+    <description>kernel config CONFIG_PROC_KCORE must not be set</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:67" comment="kernel config CONFIG_PROC_KCORE must not be set" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:69" version="1">
+  <metadata>
+    <title>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</title>
+    <description>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:69" comment="kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:71" version="1">
+  <metadata>
+    <title>kernel config CONFIG_ARCH_RANDOM must be y</title>
+    <description>kernel config CONFIG_ARCH_RANDOM must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:71" comment="kernel config CONFIG_ARCH_RANDOM must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:73" version="1">
+  <metadata>
+    <title>kernel config CONFIG_HW_RANDOM must be y</title>
+    <description>kernel config CONFIG_HW_RANDOM must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:73" comment="kernel config CONFIG_HW_RANDOM must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:75" version="1">
+  <metadata>
+    <title>kernel config CONFIG_HW_RANDOM_* must be y</title>
+    <description>kernel config CONFIG_HW_RANDOM_* must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:75" comment="kernel config CONFIG_HW_RANDOM_* must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:77" version="1">
+  <metadata>
+    <title>kernel config CONFIG_AUDIT must be y</title>
+    <description>kernel config CONFIG_AUDIT must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:77" comment="kernel config CONFIG_AUDIT must be y" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:79" version="1">
+  <metadata>
+    <title>kernel config CONFIG_AUDITSYSCALL must be y</title>
+    <description>kernel config CONFIG_AUDITSYSCALL must be y</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:79" comment="kernel config CONFIG_AUDITSYSCALL must be y" />
+  </criteria>
+</definition>
+<!-- @@GENOVAL END DEFINITIONS -->
+</definitions>
+
+<tests>
+<!-- @@GENOVAL START TESTS -->
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="sysctl net.ipv4.ip_forward must be 0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:4" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.rp_filter must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.rp_filter must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.accept_source_route must be 0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.accept_source_route must be 0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.accept_redirects must be 0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.accept_redirects must be 0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="at least one" comment="sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:8" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="at least one" comment="sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="sysctl net.ipv4.conf.all.log_martians must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:10" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22" version="1" check="at least one" comment="sysctl net.ipv4.conf.default.log_martians must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:11" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:24" version="1" check="at least one" comment="sysctl net.ipv4.tcp_syncookies must be 1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:27" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:29" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_TPE must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:14" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:31" version="1" check="at least one" comment="kernel config CONFIG_PAX must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:15" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:32" version="1" check="at least one" comment="kernel config CONFIG_PAX_NOEXEC must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:16" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:33" version="1" check="at least one" comment="kernel config CONFIG_PAX_....EXEC must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:17" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:34" version="1" check="at least one" comment="kernel config CONFIG_PAX_MPROTECT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:18" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:35" version="1" check="at least one" comment="kernel config CONFIG_PAX_ASLR must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:19" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDKSTACK must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:20" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:37" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDUSTACK must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:21" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:38" version="1" check="at least one" comment="kernel config CONFIG_PAX_RANDMMAP must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:39" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:40" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_USER must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:41" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:25" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:42" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_PROC_ADD must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:26" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:43" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_LINK must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:27" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:44" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_FIFO must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:28" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:45" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:29" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:46" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:30" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:20" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:47" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:31" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:21" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:48" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:32" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:22" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:49" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:33" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:23" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:50" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:34" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:24" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:51" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:35" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:25" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:52" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:36" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:26" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:53" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:37" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:27" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:54" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:38" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:28" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:55" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:39" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:29" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:56" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:40" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:30" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:57" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:41" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:31" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:58" version="1" check="at least one" comment="kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:42" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:32" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:59" version="1" check="at least one" comment="kernel config CONFIG_SYN_COOKIES must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:43" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:33" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:61" version="1" check="at least one" comment="kernel config CONFIG_CC_STACKPROTECTOR must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:49" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:39" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:63" version="1" check="at least one" comment="kernel config CONFIG_DEBUG_RODATA must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:50" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:40" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:65" version="1" check="at least one" comment="kernel config CONFIG_STRICT_DEVMEM must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:51" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:41" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:67" version="1" check="at least one" comment="kernel config CONFIG_PROC_KCORE must not be set" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:52" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:42" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:69" version="1" check="at least one" comment="kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:53" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:43" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:71" version="1" check="at least one" comment="kernel config CONFIG_ARCH_RANDOM must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:44" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:34" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:73" version="1" check="at least one" comment="kernel config CONFIG_HW_RANDOM must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:45" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:35" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:75" version="1" check="at least one" comment="kernel config CONFIG_HW_RANDOM_* must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:46" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:36" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:77" version="1" check="at least one" comment="kernel config CONFIG_AUDIT must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:47" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:37" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:79" version="1" check="at least one" comment="kernel config CONFIG_AUDITSYSCALL must be y" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:48" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:38" />
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/ip_forward">
+  <ind-def:filepath>/proc/sys/net/ipv4/ip_forward</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/rp_filter">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/all/rp_filter</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/rp_filter">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/default/rp_filter</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:4" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/accept_source_route">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/all/accept_source_route</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:5" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/accept_source_route">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/default/accept_source_route</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:6" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/accept_redirects">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/all/accept_redirects</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:7" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/accept_redirects">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/default/accept_redirects</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:8" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts">
+  <ind-def:filepath>/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses">
+  <ind-def:filepath>/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:10" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/all/log_martians">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/all/log_martians</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:11" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/conf/default/log_martians">
+  <ind-def:filepath>/proc/sys/net/ipv4/conf/default/log_martians</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/tcp_syncookies">
+  <ind-def:filepath>/proc/sys/net/ipv4/tcp_syncookies</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:14" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_TPE">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_TPE.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:15" version="1" comment="Kernel configuration entry CONFIG_PAX">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:16" version="1" comment="Kernel configuration entry CONFIG_PAX_NOEXEC">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_NOEXEC.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:17" version="1" comment="Kernel configuration entry CONFIG_PAX_....EXEC">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_....EXEC.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:18" version="1" comment="Kernel configuration entry CONFIG_PAX_MPROTECT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_MPROTECT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:19" version="1" comment="Kernel configuration entry CONFIG_PAX_ASLR">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_ASLR.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:20" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDKSTACK">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDKSTACK.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:21" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDUSTACK">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDUSTACK.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:22" version="1" comment="Kernel configuration entry CONFIG_PAX_RANDMMAP">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PAX_RANDMMAP.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:24" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_USER">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_USER.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:25" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_USERGROUP">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_USERGROUP.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:26" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_PROC_ADD">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_PROC_ADD.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:27" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_LINK">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_LINK.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:28" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_FIFO">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_FIFO.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:29" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:30" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_MOUNT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_MOUNT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:31" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_DOUBLE">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_DOUBLE.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:32" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_PIVOT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_PIVOT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:33" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CHDIR">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CHDIR.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:34" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CHMOD">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CHMOD.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:35" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_FCHDIR">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_FCHDIR.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:36" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_MKNOD">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_MKNOD.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:37" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_SHMAT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_SHMAT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:38" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_UNIX">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_UNIX.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:39" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_FINDTASK">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_FINDTASK.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:40" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_NICE">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_NICE.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:41" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_SYSCTL">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_SYSCTL.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:42" version="1" comment="Kernel configuration entry CONFIG_GRKERNSEC_CHROOT_CAPS">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_GRKERNSEC_CHROOT_CAPS.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:43" version="1" comment="Kernel configuration entry CONFIG_SYN_COOKIES">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_SYN_COOKIES.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:44" version="1" comment="Kernel configuration entry CONFIG_ARCH_RANDOM">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_ARCH_RANDOM.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:45" version="1" comment="Kernel configuration entry CONFIG_HW_RANDOM">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_HW_RANDOM.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:46" version="1" comment="Kernel configuration entry CONFIG_HW_RANDOM_*">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_HW_RANDOM_*.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:47" version="1" comment="Kernel configuration entry CONFIG_AUDIT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_AUDIT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:48" version="1" comment="Kernel configuration entry CONFIG_AUDITSYSCALL">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_AUDITSYSCALL.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:49" version="1" comment="Kernel configuration entry CONFIG_CC_STACKPROTECTOR">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_CC_STACKPROTECTOR.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:50" version="1" comment="Kernel configuration entry CONFIG_DEBUG_RODATA">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_DEBUG_RODATA.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:51" version="1" comment="Kernel configuration entry CONFIG_STRICT_DEVMEM">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_STRICT_DEVMEM.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:52" version="1" comment="Kernel configuration entry CONFIG_PROC_KCORE">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_PROC_KCORE.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:53" version="1" comment="Kernel configuration entry CONFIG_SECURITY_DMESG_RESTRICT">
+  <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">(CONFIG_SECURITY_DMESG_RESTRICT.*)</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of 0">
+  <ind-def:subexpression operation="pattern match">0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of 1">
+  <ind-def:subexpression operation="pattern match">1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of CONFIG_GRKERNSEC=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of CONFIG_GRKERNSEC_TPE=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_TPE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of CONFIG_PAX=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of CONFIG_PAX_NOEXEC=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_NOEXEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of CONFIG_PAX_....EXEC=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_....EXEC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of CONFIG_PAX_MPROTECT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_MPROTECT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of CONFIG_PAX_ASLR=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_ASLR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of CONFIG_PAX_RANDKSTACK=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDKSTACK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of CONFIG_PAX_RANDUSTACK=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDUSTACK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of CONFIG_PAX_RANDMMAP=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_PAX_RANDMMAP=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of CONFIG_GRKERNSEC_PROC=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_USER=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_USER=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_USERGROUP=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_USERGROUP=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of CONFIG_GRKERNSEC_PROC_ADD=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_PROC_ADD=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of CONFIG_GRKERNSEC_LINK=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_LINK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of CONFIG_GRKERNSEC_FIFO=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_FIFO=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:20" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_MOUNT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_MOUNT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:21" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_DOUBLE=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_DOUBLE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:22" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_PIVOT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_PIVOT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:23" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CHDIR=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CHDIR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:24" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CHMOD=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CHMOD=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:25" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_FCHDIR=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_FCHDIR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:26" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_MKNOD=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_MKNOD=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:27" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_SHMAT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_SHMAT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:28" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_UNIX=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_UNIX=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:29" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_FINDTASK=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_FINDTASK=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:30" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_NICE=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_NICE=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:31" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_SYSCTL=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_SYSCTL=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:32" version="1" comment="The match of CONFIG_GRKERNSEC_CHROOT_CAPS=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_GRKERNSEC_CHROOT_CAPS=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:33" version="1" comment="The match of CONFIG_SYN_COOKIES=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_SYN_COOKIES=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:34" version="1" comment="The match of CONFIG_ARCH_RANDOM=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_ARCH_RANDOM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:35" version="1" comment="The match of CONFIG_HW_RANDOM=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_HW_RANDOM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:36" version="1" comment="The match of CONFIG_HW_RANDOM_*=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_HW_RANDOM_*=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:37" version="1" comment="The match of CONFIG_AUDIT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_AUDIT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:38" version="1" comment="The match of CONFIG_AUDITSYSCALL=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_AUDITSYSCALL=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:39" version="1" comment="The match of CONFIG_CC_STACKPROTECTOR=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_CC_STACKPROTECTOR=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:40" version="1" comment="The match of CONFIG_DEBUG_RODATA=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_DEBUG_RODATA=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:41" version="1" comment="The match of CONFIG_STRICT_DEVMEM=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_STRICT_DEVMEM=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:42" version="1" comment="The match of # CONFIG_PROC_KCORE is not set">
+  <ind-def:subexpression operation="pattern match"># CONFIG_PROC_KCORE is not set</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:43" version="1" comment="The match of CONFIG_SECURITY_DMESG_RESTRICT=y">
+  <ind-def:subexpression operation="pattern match">CONFIG_SECURITY_DMESG_RESTRICT=y</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+<!--
+<variables>
+-->
+<!-- @@GENOVAL START VARIABLES -->
+<!-- @@GENOVAL END VARIABLES -->
+<!--
+<local_variable id="oval:org.gentoo.dev.swift.genoval:var:1" version="1" datatype="string" comment="Location where the helper scripts output is stored">
+  <object_component item_field="value" object_ref="oval:org.gentoo.dev.swift.genoval:obj:1"/>
+</local_variable>
+</variables>
+-->
+</oval_definitions>

diff --git a/xml/SCAP/kernel-xccdf.xml b/xml/SCAP/kernel-xccdf.xml
new file mode 100644
index 0000000..4cfdbe8
--- /dev/null
+++ b/xml/SCAP/kernel-xccdf.xml
@@ -0,0 +1,967 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Gentoo-Security-Benchmark-Kernel-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0">
+  <status date="2012-07-21">draft</status>
+  <title>Hardening Linux Kernel</title>
+  <description>
+    The Linux kernel is at the heart of every Linux system. With its extensive configuration
+    options, it comes to no surprise that specific settings can be enabled to further harden
+    your system.
+    <h:br />
+    <h:br />
+    In this guide, we focus on Linux kernel configuration entries that support additional
+    hardening of your system, as well as the configuration through the <h:em>syctl</h:em>
+    settings.
+  </description>
+  <platform idref="cpe:/o:gentoo:linux"/>
+  <version>1</version>
+  <model system="urn:xccdf:scoring:default"/>
+  <model system="urn:xccdf:scoring:flat"/>
+  <Profile id="Default">
+    <title>Default vanilla kernel hardening</title>
+    <description>
+      Profile matching all standard (vanilla-kernel) hardening rules
+    </description>
+    <select idref="rule-sysctl-ipv4-forward" selected="true" />
+    <select idref="rule-sysctl-ipv4-all-rp_filter" selected="true" />
+    <select idref="rule-sysctl-ipv4-default-rp_filter" selected="true" />
+    <select idref="rule-sysctl-ipv4-all-asr" selected="true" />
+    <select idref="rule-sysctl-ipv4-default-asr" selected="true" />
+    <select idref="rule-sysctl-ipv4-all-aredirect" selected="true" />
+    <select idref="rule-sysctl-ipv4-default-aredirect" selected="true" />
+    <select idref="rule-sysctl-ipv4-echobroadcast" selected="true" />
+    <select idref="rule-sysctl-icmpboguserror" selected="true" />
+    <select idref="rule-sysctl-ipv4-all-logmartians" selected="true" />
+    <select idref="rule-sysctl-ipv4-default-logmartians" selected="true" />
+    <select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
+    <select idref="rule-kernel-syncookies" selected="true" />
+    <select idref="rule-kernel-config-rand" selected="true" />
+    <select idref="rule-kernel-config-hwrand" selected="true" />
+    <select idref="rule-kernel-config-hwrand-detail" selected="true" />
+    <select idref="rule-kernel-config-audit" selected="true" />
+    <select idref="rule-kernel-config-audit-syscall" selected="true" />
+    <select idref="rule-kernel-ccstackprotect" selected="true" />
+    <select idref="rule-kernel-rodata" selected="true" />
+    <select idref="rule-kernel-strictdevmem" selected="true" />
+    <select idref="rule-kernel-prockcore" selected="true" />
+    <select idref="rule-kernel-nodmesg" selected="true" />
+  </Profile>
+  <Profile id="Full" extends="grSecurity">
+    <title>grSecurity (incl. PaX) kernel hardening</title>
+    <description>
+      Profile matching the recommended PaX settings and grSecurity
+      settings
+    </description>
+    <select idref="rule-kernel-grsec" selected="true" />
+    <select idref="rule-kernel-grsec-pax" selected="true" />
+    <select idref="rule-kernel-grsec-pax-noexec" selected="true" />
+    <select idref="rule-kernel-grsec-pax-anyexec" selected="true" />
+    <select idref="rule-kernel-grsec-pax-mprotect" selected="true" />
+    <select idref="rule-kernel-grsec-pax-aslr" selected="true" />
+    <select idref="rule-kernel-grsec-pax-randkstack" selected="true" />
+    <select idref="rule-kernel-grsec-pax-randustack" selected="true" />
+    <select idref="rule-kernel-grsec-pax-randmmap" selected="true" />
+  </Profile>
+  <Profile id="grSecurity" extends="Default">
+    <title>grSecurity specific kernel hardening</title>
+    <description>
+      Profile matching the recommended grSecurity settings (except PaX)
+    </description>
+    <select idref="rule-kernel-grsec" selected="true" />
+    <select idref="rule-kernel-tpe" selected="true" />
+    <select idref="rule-kernel-grsec-proc" selected="true" />
+    <select idref="rule-kernel-grsec-proc-user" selected="true" />
+    <select idref="rule-kernel-grsec-proc-usergroup" selected="true" />
+    <select idref="rule-kernel-grsec-proc-add" selected="true" />
+    <select idref="rule-kernel-grsec-link" selected="true" />
+    <select idref="rule-kernel-grsec-fifo" selected="true" />
+    <select idref="rule-kernel-grsec-chroot" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-mount" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-double" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-pivot" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-chdir" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-chmod" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-fchdir" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-mknod" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-shmat" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-unix" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-findtask" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-nice" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-sysctl" selected="true" />
+    <select idref="rule-kernel-grsec-chroot-caps" selected="true" />
+  </Profile>
+  <Group id="gt-kernelconfig">
+    <title>Kernel Configuration</title>
+    <description>
+      The Linux kernel should be configured using a sane security standard in
+      mind. When using grSecurity, additional security-enhancing settings can
+      be enabled.
+      <h:br />
+      <h:br />
+      In this guide, kernel configuration is shown in the short-hand notation.
+      This allows us to document configuration settings in a way that is somewhat more
+      future proof, since the position of the settings in the kernel configuration changes
+      often. In the resources below you will find instructions on how to convert short-hand
+      notation to the current, right location in the configuration.
+      <h:br />
+      <h:br />
+      Kernel configuration can be handled through <h:b>make menuconfig</h:b> within
+      the Linux kernel source code repository (usually <h:code>/usr/src/linux</h:code>).
+    </description>
+    <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Kernel Configuration Guide - Shorthand notation information</reference>
+    <Group id="gt-kernelconfig-general">
+      <title>General kernel configuration settings</title>
+      <description>
+        Next to the grSecurity-related settings, general Linux kernel configuration entries have a positive
+        influence on the security of your system. These settings are described further in this section
+      </description>
+      <Group id="gt-kernelconfig-general-random">
+        <title>Enable random number generator</title>
+        <description>
+          If supported by your platform, enable the random number generator to provide
+          a high bandwidth, secure source of random numbers (which is important for cryptographic
+          functions). This can be accomplished using the <h:code>CONFIG_ARCH_RANDOM</h:code> setting.
+          <h:br />
+          <h:br />
+          Next, enable hardware-supported random generators (<h:code>CONFIG_HW_RANDOM</h:code>) and
+          select the random number generator for your platform. Examples are the Intel i8xx-based
+          random number generator (<h:code>CONFIG_HW_RANDOM_INTEL</h:code>) or the AMD 76x-based
+          ones (<h:code>CONFIG_HW_RANDOM_AMD</h:code>) but others exist as well.
+        </description>
+        <!-- @@GEN START rule-kernel-config-rand -->
+<Rule id="rule-kernel-config-rand" selected="false">
+  <title>kernel config CONFIG_ARCH_RANDOM must be y</title>
+  <description>Enable a secure random number generator</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:71" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-config-rand -->
+        <!-- @@GEN START rule-kernel-config-hwrand -->
+<Rule id="rule-kernel-config-hwrand" selected="false">
+  <title>kernel config CONFIG_HW_RANDOM must be y</title>
+  <description>Enable hardware-supported random number generator</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:73" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-config-hwrand -->
+        <!-- @@GEN START rule-kernel-config-hwrand-detail -->
+<Rule id="rule-kernel-config-hwrand-detail" selected="false">
+  <title>kernel config CONFIG_HW_RANDOM_* must be y</title>
+  <description>Enable specific hardware supported random number generators</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:75" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-config-hwrand-detail -->
+      </Group>
+      <!-- Do not enable, only works on systemd systems 
+      <Group id="gt-kernelconfig-general-immutableuid">
+        <title>Make audit loginuid immutable</title>
+        <description>
+        </description>
+      </Group>
+      -->
+      <Group id="gt-kernelconfig-general-audit">
+        <title>Enable audit support</title>
+        <description>
+          If you need to enable auditing on the system (which definitely is a best practice to follow), you
+          will need to enable auditing in the kernel configuration (<h:code>CONFIG_AUDIT</h:code>) together
+          with support for auditing system calls (<h:code>CONFIG_AUDITSYSCALL</h:code>)
+        </description>
+        <!-- @@GEN START rule-kernel-config-audit -->
+<Rule id="rule-kernel-config-audit" selected="false">
+  <title>kernel config CONFIG_AUDIT must be y</title>
+  <description>Enable audit support</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:77" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-config-audit -->
+        <!-- @@GEN START rule-kernel-config-audit-syscall -->
+<Rule id="rule-kernel-config-audit-syscall" selected="false">
+  <title>kernel config CONFIG_AUDITSYSCALL must be y</title>
+  <description>Enable system call auditing support</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:79" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-config-audit-syscall -->
+      </Group>
+      <Group id="gt-kernelconfig-general-syncookie">
+        <title>Enable TCP SYN cookie protection support</title>
+        <description>
+          To support SYN cookies (a method to work around a denial-of-service attack using a flood
+          of SYN requests) the Linux kernel first needs to be configured to support the method. This
+          is handled through the <h:code>CONFIG_SYN_COOKIES</h:code> parameter.
+          <h:br />
+          <h:br />
+          Further configuration of this setting is then handled by the <h:b>sysctl</h:b> settings (which
+          we describe later in this guide).
+        </description>
+        <!-- @@GEN START rule-kernel-syncookies -->
+<Rule id="rule-kernel-syncookies" selected="false">
+  <title>kernel config CONFIG_SYN_COOKIES must be y</title>
+  <description>kernel config CONFIG_SYN_COOKIES must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:59" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-syncookies -->
+      </Group>
+      <Group id="gt-kernelconfig-general-stackprotect">
+        <title>Enable compiler-driven stack protection</title>
+        <description>
+          In Gentoo Hardened, the use of stack protection in the compiler is by default enabled, but for
+          the Linux kernel, this feature is only selectable through the <h:code>CONFIG_CC_STACKPROTECTOR</h:code>
+          selection.
+          <h:br />
+          <h:br />
+          Enabling this will provide some level of protection against stack based buffer overflows within
+          the Linux kernel memory (not the user processes). If detected, the kernel will die with a kernel panic.
+          <!--
+            This is not available if UDEREF is setµ
+            https://forums.grsecurity.net/viewtopic.php?t=2725
+           -->
+        </description>
+        <!-- @@GEN START rule-kernel-ccstackprotect -->
+<Rule id="rule-kernel-ccstackprotect" selected="false">
+  <title>kernel config CONFIG_CC_STACKPROTECTOR must be y</title>
+  <description>Enable kernel stack protection through compiler directive</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:61" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-ccstackprotect -->
+      </Group>
+      <Group id="gt-kernelconfig-general-rodata">
+        <title>Mark read-only data pages as write-protected</title>
+        <description>
+          When <h:code>CONFIG_DEBUG_RODATA</h:code> is set, the memory pages containing the Linux
+          kernel read-only data are marked as write-protected, so that any attempt to update the data is
+          trapped, prevented and reported.
+        </description>
+        <!-- @@GEN START rule-kernel-rodata -->
+<Rule id="rule-kernel-rodata" selected="false">
+  <title>kernel config CONFIG_DEBUG_RODATA must be y</title>
+  <description>Write-protect kernel read-only data structures</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:63" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-rodata -->
+      </Group>
+      <Group id="gt-kernelconfig-restrictmemaccess">
+        <title>Restrict memory access through /dev/mem</title>
+        <description>
+          Do not allow root processes full access to all of the systems' memory through <h:code>/dev/mem</h:code>
+          (which includes kernel memory and process memory). This should only be needed for kernel programmers or
+          kernel debugging.
+          <h:br />
+          <h:br />
+          By enabling <h:code>CONFIG_STRICT_DEVMEM</h:code> the (root) user can only access memory regions expected
+          for all legitimate common usage of <h:code>/dev/mem</h:code>.
+        </description>
+        <!-- @@GEN START rule-kernel-strictdevmem -->
+<Rule id="rule-kernel-strictdevmem" selected="false">
+  <title>kernel config CONFIG_STRICT_DEVMEM must be y</title>
+  <description>Filter access to /dev/mem</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:65" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-strictdevmem -->
+      </Group>
+      <Group id="gt-kernelconfig-prockcore">
+        <title>Disable /proc/kcore support</title>
+        <description>
+          When <h:code>CONFIG_PROC_KCORE</h:code> is selected, the system will have a <h:code>/proc/kcore</h:code>
+          pseudo-file which corresponds to the system memory. As we do not want users snooping around in our
+          memory, support for this must be disabled.
+        </description>
+        <!-- @@GEN START rule-kernel-prockcore -->
+<Rule id="rule-kernel-prockcore" selected="false">
+  <title>kernel config CONFIG_PROC_KCORE must not be set</title>
+  <description>Disable support for /proc/kcore</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:67" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-prockcore -->
+      </Group>
+      <Group id="gt-kernelconfig-nodmesg">
+        <title>Restrict access to the kernel syslog</title>
+        <description>
+          Users that hold no administrator function on the system should not need to access the
+          kernel system logs (through <h:b>dmesg</h:b>). You can enforce this through the
+          <h:code>CONFIG_SECURITY_DMESG_RESTRICT</h:code> option, but if you chose not to,
+          you can still enable it through the sysctl <h:code>kernel.dmesg_restrict</h:code>.
+          <h:br />
+          <h:br />
+          Also, grSecurity has a related kernel setting for this (<h:code>CONFIG_GRKERNSEC_DMESG</h:code>)
+          which accomplishes the same. As a matter of fact, the <h:code>CONFIG_SECURITY_DMESG_RESTRICT</h:code>
+          setting is somewhat based on the grSecurity patch and available in the main kernel tree.
+        </description>
+        <!-- @@GEN START rule-kernel-nodmesg -->
+<Rule id="rule-kernel-nodmesg" selected="false">
+  <title>kernel config CONFIG_SECURITY_DMESG_RESTRICT must be y</title>
+  <description>Restrict unprivileged access to dmesg (kernel syslog)</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:69" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-nodmesg -->
+      </Group>
+    </Group>
+    <Group id="gt-kernelconfig-grsec">
+      <title>Use grSecurity</title>
+      <description>
+        grSecurity is a set of kernel patches that provides additional countermeasures
+        against popular exploit methods and common vulnerabilities. Although the patchset
+        is not part of the mainstream Linux kernel sources, Gentoo offers grSecurity through
+        the <h:code>hardened-sources</h:code> kernel package.
+        <h:br />
+        <h:br />
+        If you do not intend to use grSecurity, then you can ignore the rest of this section.
+      </description>
+      <reference href="https://grsecurity.net">grSecurity Homepage</reference>
+      <reference href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Gentoo grSecurity v2 Guide</reference>
+      <!-- @@GEN START rule-kernel-grsec -->
+<Rule id="rule-kernel-grsec" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC must be y</title>
+  <description>Enable grSecurity</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:27" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-kernel-grsec -->
+      <Group id="gt-kernelconfig-grsec-pax">
+        <title>Use PaX</title>
+        <description>
+          With PaX, additional protection against memory corruption bugs and exploits
+          is enabled. We recommend to enable the following settings:
+          <h:ul>
+          <h:li>
+            <h:em>Use legacy ELF header marking</h:em> (<h:code>CONFIG_PAX_EI_PAX</h:code>) and
+            <h:em>Use ELF program header marking</h:em> (<h:code>CONFIG_PAX_PT_PAX_FLAGS</h:code>) so that
+            you can enable/disable PaX settings on a per-binary basis. 
+          </h:li>
+          <h:li>
+            <h:em>Enforce non-executable pages</h:em> (<h:code>CONFIG_PAX_NOEXEC</h:code>) to disable allocation of
+            memory that is both executable (contains runnable code) and writeable. Write- and executable
+            pages are risky as it allows attackers to introduce code (through overflows or other methods) 
+            in memory and then execute that code. However, the downside is that there are still applications
+            (or drivers) that depend on RWX memory.
+          </h:li>
+          <h:li>
+            <h:em>Segmentation based non-executable pages</h:em> (<h:code>CONFIG_PAX_SEGMEXEC</h:code>) or
+            <h:em>Paging based non-executable pages</h:em> (<h:code>CONFIG_PAX_PAGEEXEC</h:code>) will support the
+            non-executable pages through memory segmentation or paging rules. 
+          </h:li>
+          <h:li>
+            <h:em>Emulate trampolines</h:em> (<h:code>CONFIG_PAX_EMUTRAMP</h:code>) if you are on x86_32 architecture (the option
+            is not available for x86_64). This will enable emulation of trampolines (small bits of code in 
+            non-executable memory pages) for those applications that you enable this on (which can be triggered
+            through <h:b>chpax</h:b> or <h:b>paxctl</h:b>).
+          </h:li>
+          <h:li>
+            <h:em>Restrict mprotect()</h:em> (<h:code>CONFIG_PAX_MPROTECT</h:code>) will restrict the use of <h:em>mprotect()</h:em>
+            so that applications cannot switch the purpose of pages (executable vs non-executable and such) after
+            creating them.
+          </h:li>
+          <h:li>
+            <h:em>Address Space Layout Randomization</h:em> (<h:code>CONFIG_PAX_ASLR</h:code>) to introduce some randomization
+            in the memory allocation so that attackers will find it much more difficult to guess the address
+            of specific pages correctly.
+          </h:li>
+          <h:li>
+            <h:em>Randomize kernel stack base</h:em> (<h:code>CONFIG_PAX_RANDKSTACK</h:code>) to randomize every task's kernel
+            stack on each system call, making it more difficult to both guess locations as well as use leaked
+            information from previous calls.
+          </h:li>
+          <h:li>
+            <h:em>Randomize user stack base</h:em> (<h:code>CONFIG_PAX_RANDUSTACK</h:code>) to randomize every task's userland
+            stack, providing similar protection as mentioned earlier but for user applications.
+          </h:li>
+          <h:li>
+            <h:em>Randomize mmap() base</h:em> (<h:code>CONFIG_PAX_RANDMMAP</h:code>) to randomize the base address of
+            mmap() requests (unless the requests specify an address themselves). This will cause dynamically
+            loaded libraries to appear at random addresses.
+          </h:li>
+        </h:ul>
+        </description>
+        <!-- @@GEN START rule-kernel-grsec-pax -->
+<Rule id="rule-kernel-grsec-pax" selected="false">
+  <title>kernel config CONFIG_PAX must be y</title>
+  <description>Enable PaX protection</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:31" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax -->
+        <!-- @@GEN START rule-kernel-grsec-pax-noexec -->
+<Rule id="rule-kernel-grsec-pax-noexec" selected="false">
+  <title>kernel config CONFIG_PAX_NOEXEC must be y</title>
+  <description>kernel config CONFIG_PAX_NOEXEC must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:32" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-noexec -->
+        <!-- @@GEN START rule-kernel-grsec-pax-anyexec -->
+<Rule id="rule-kernel-grsec-pax-anyexec" selected="false">
+  <title>kernel config CONFIG_PAX_....EXEC must be y</title>
+  <description>kernel config CONFIG_PAX_....EXEC must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:33" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-anyexec -->
+        <!-- @@GEN START rule-kernel-grsec-pax-mprotect -->
+<Rule id="rule-kernel-grsec-pax-mprotect" selected="false">
+  <title>kernel config CONFIG_PAX_MPROTECT must be y</title>
+  <description>kernel config CONFIG_PAX_MPROTECT must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-mprotect -->
+        <!-- @@GEN START rule-kernel-grsec-pax-aslr -->
+<Rule id="rule-kernel-grsec-pax-aslr" selected="false">
+  <title>kernel config CONFIG_PAX_ASLR must be y</title>
+  <description>kernel config CONFIG_PAX_ASLR must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:35" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-aslr -->
+        <!-- @@GEN START rule-kernel-grsec-pax-randkstack -->
+<Rule id="rule-kernel-grsec-pax-randkstack" selected="false">
+  <title>kernel config CONFIG_PAX_RANDKSTACK must be y</title>
+  <description>kernel config CONFIG_PAX_RANDKSTACK must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:36" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-randkstack -->
+        <!-- @@GEN START rule-kernel-grsec-pax-randustack -->
+<Rule id="rule-kernel-grsec-pax-randustack" selected="false">
+  <title>kernel config CONFIG_PAX_RANDUSTACK must be y</title>
+  <description>kernel config CONFIG_PAX_RANDUSTACK must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:37" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-randustack -->
+        <!-- @@GEN START rule-kernel-grsec-pax-randmmap -->
+<Rule id="rule-kernel-grsec-pax-randmmap" selected="false">
+  <title>kernel config CONFIG_PAX_RANDMMAP must be y</title>
+  <description>kernel config CONFIG_PAX_RANDMMAP must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:38" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-pax-randmmap -->
+      </Group>
+      <Group id="gt-kernelconfig-grsec-filesystem">
+        <title>Enable file system protection measures</title>
+        <description>
+          In the grSecurity patches, a set of additional protections are included to thwart information
+          leakage as well as further limit chroot environments. We recommend to enable the following settings:
+          <h:ul>
+          <h:li>
+            <h:em>Proc restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_PROC</h:code>) so that the <h:code>/proc</h:code> file system
+            will be altered to enhance privacy (prevent information leakage).
+          </h:li>
+          <h:li>
+            <h:em>Restrict /proc to user only</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_USER</h:code>) so that non-root users cannot 
+            see processes of other users.
+          </h:li>
+          <h:li>
+            <h:em>Allow special group</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_USERGROUP</h:code>) so that the members of a specific
+            group can see other users' processes and network-related information.
+          </h:li>
+          <h:li>
+            <h:em>Additional restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_PROC_ADD</h:code>) will prevent non-root users to
+            see device information and memory information which can be (ab)used for exploit purposes.
+          </h:li>
+          <h:li>
+            <h:em>Linking restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_LINK</h:code>) will prevent users to follow
+            symlinks that are owned by other users in world-writeable sticky directories such as <h:code>/tmp</h:code>
+            (unless that user is the owner of that directory). This prevents a certain kind of race conditions.
+          </h:li>
+          <h:li>
+            <h:em>FIFO restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_FIFO</h:code>) will prevent users to write into 
+            FIFOs in world-writeable sticky directories (like <h:code>/tmp</h:code> if they do not own
+            these FIFOs themselves.
+          </h:li>
+          <h:li>
+            <h:em>Chroot jail restrictions</h:em> (<h:code>CONFIG_GRKERNSEC_CHROOT</h:code> and all chroot-related options) to
+            make the chroot jails more strict and less easy to break out from. 
+          </h:li>
+        </h:ul>
+        </description>
+        <!-- @@GEN START rule-kernel-grsec-proc -->
+<Rule id="rule-kernel-grsec-proc" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_PROC must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_PROC must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:39" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-proc -->
+        <!-- @@GEN START rule-kernel-grsec-proc-user -->
+<Rule id="rule-kernel-grsec-proc-user" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_PROC_USER must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:40" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-proc-user -->
+        <!-- @@GEN START rule-kernel-grsec-proc-usergroup -->
+<Rule id="rule-kernel-grsec-proc-usergroup" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_PROC_USERGROUP must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:41" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-proc-usergroup -->
+        <!-- @@GEN START rule-kernel-grsec-proc-add -->
+<Rule id="rule-kernel-grsec-proc-add" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_PROC_ADD must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:42" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-proc-add -->
+        <!-- @@GEN START rule-kernel-grsec-link -->
+<Rule id="rule-kernel-grsec-link" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_LINK must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_LINK must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:43" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-link -->
+        <!-- @@GEN START rule-kernel-grsec-fifo -->
+<Rule id="rule-kernel-grsec-fifo" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_FIFO must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_FIFO must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:44" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-fifo -->
+        <!-- @@GEN START rule-kernel-grsec-chroot -->
+<Rule id="rule-kernel-grsec-chroot" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:45" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-mount -->
+<Rule id="rule-kernel-grsec-chroot-mount" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_MOUNT must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:46" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-mount -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-double -->
+<Rule id="rule-kernel-grsec-chroot-double" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_DOUBLE must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:47" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-double -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-pivot -->
+<Rule id="rule-kernel-grsec-chroot-pivot" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_PIVOT must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:48" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-pivot -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-chdir -->
+<Rule id="rule-kernel-grsec-chroot-chdir" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHDIR must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:49" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-chdir -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-chmod -->
+<Rule id="rule-kernel-grsec-chroot-chmod" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_CHMOD must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:50" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-chmod -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-fchdir -->
+<Rule id="rule-kernel-grsec-chroot-fchdir" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_FCHDIR must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:51" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-fchdir -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-mknod -->
+<Rule id="rule-kernel-grsec-chroot-mknod" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_MKNOD must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:52" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-mknod -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-shmat -->
+<Rule id="rule-kernel-grsec-chroot-shmat" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_SHMAT must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:53" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-shmat -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-unix -->
+<Rule id="rule-kernel-grsec-chroot-unix" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_UNIX must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:54" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-unix -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-findtask -->
+<Rule id="rule-kernel-grsec-chroot-findtask" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_FINDTASK must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:55" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-findtask -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-nice -->
+<Rule id="rule-kernel-grsec-chroot-nice" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_NICE must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:56" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-nice -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-sysctl -->
+<Rule id="rule-kernel-grsec-chroot-sysctl" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_SYSCTL must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:57" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-sysctl -->
+        <!-- @@GEN START rule-kernel-grsec-chroot-caps -->
+<Rule id="rule-kernel-grsec-chroot-caps" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</title>
+  <description>kernel config CONFIG_GRKERNSEC_CHROOT_CAPS must be y</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:58" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-grsec-chroot-caps -->
+      </Group>
+      <Group id="gt-kernelconfig-grsec-tpe">
+        <title>Enable Trusted Path Execution</title>
+        <description>
+          When using <h:code>sys-kernel/hardened-sources</h:code>, enable
+          <h:code>CONFIG_GRKERNSEC_TPE</h:code>, which enabled <h:em>Trusted
+          Path Execution</h:em>, a safety measure that ensures that, for a set
+          of users, these users can only execute binaries and scripts from
+          root-owned directories.
+        </description>
+        <reference href="http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml">Gentoo Hardened grSecurity TPE Guide</reference>
+        <!-- @@GEN START rule-kernel-tpe -->
+<Rule id="rule-kernel-tpe" selected="false">
+  <title>kernel config CONFIG_GRKERNSEC_TPE must be y</title>
+  <description>Enable Trusted Path Execution</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:29" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-kernel-tpe -->
+      </Group>
+    </Group>
+
+  </Group>
+  <Group id="gt-sysctl">
+    <title>Kernel Tunables (Sysctl)</title>
+    <description>
+      The Linux kernel offers an interface, called <h:b>sysctl</h:b>,
+      allowing to fine-tune kernel parameters (and even changing its
+      behavior). Many parameters offered through sysctl allow an
+      administrator to further strengthen his systems' security.
+      <h:br />
+      <h:br />
+      To read and change sysctl parameters, you can use the
+      <h:b>sysctl</h:b> command or the <h:code>/etc/sysctl.conf</h:code>
+      file (which is used by the <h:code>sysctl</h:code> service (init
+      script), part of the default boot process.
+      <h:pre>### Using sysctl command to read and set variables ###
+# <h:b>sysctl net.ipv4.ip_forward</h:b>
+net.ipv4.ip_forward = 1
+# <h:b>sysctl -w net.ipv4.ip_forward=0</h:b></h:pre>
+      The sysctl values can also be read through the
+      <h:code>/proc/sys</h:code> file system.
+    </description>
+    <Group id="gt-sysctl-ipv4forward">
+      <title>Disable IPv4 Forwarding</title>
+      <description>
+        The <h:code>net.ipv4.ip_forward</h:code> sysctl setting controls if
+        IP forwarding is allowed or not on the system.
+        <h:br />
+        <h:br />
+        Unless the system is used as a router or gateway, IPv4 forwarding
+        should be disabled.
+      </description>
+        <!-- @@GEN START rule-sysctl-ipv4-forward -->
+<Rule id="rule-sysctl-ipv4-forward" selected="false">
+  <title>sysctl net.ipv4.ip_forward must be 0</title>
+  <description>Disable IPv4 forwarding</description>
+  <fix>echo 0 &gt; /proc/sys/net/ipv4/ip_forward</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sysctl-ipv4-forward -->
+    </Group>
+    <Group id="gt-sysctl-sourceroute">
+      <title>Enable Source Route Verification</title>
+      <description>
+        To offer additional protection against IP spoofing, enable source
+        route verification on all interfaces. This is governed through the
+        <h:code>net.ipv4.conf.*.rp_filter=1</h:code> setting.
+          <h:br />
+          <h:br />
+          With source route verification, the Linux kernel validates that an IP
+          packet comes from the right interface. In other words, on a multi-homed
+          system, packets that claim to be from your internal network on your external
+          interface are dropped (and vice versa).
+      </description>
+      <!-- @@GEN START rule-sysctl-ipv4-all-rp_filter -->
+<Rule id="rule-sysctl-ipv4-all-rp_filter" selected="false">
+  <title>sysctl net.ipv4.conf.all.rp_filter must be 1</title>
+  <description>Enable source route verification</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-all-rp_filter -->
+      <!-- @@GEN START rule-sysctl-ipv4-default-rp_filter -->
+<Rule id="rule-sysctl-ipv4-default-rp_filter" selected="false">
+  <title>sysctl net.ipv4.conf.default.rp_filter must be 1</title>
+  <description>Enable source route verification</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-default-rp_filter -->
+    </Group>
+    <Group id="gt-sysctl-ipsrcroute">
+      <title>Disable IP Source Routing</title>
+      <description>
+        Disable IP source routing on all interfaces through the
+        <h:code>net.ipv4.conf.*.accept_source_route=0</h:code> setting.
+        <h:br />
+        <h:br />
+        IP source routing would allow a remote user (the sender) to specify
+        the route that the packet should take, rather than use the
+        (default) routing tables used by the routers between the sender and
+        the destination. This could be (ab)used to spoof IP addresses and still
+        get the replies (rather than sending the replies to the real owner
+        of the IP address).
+      </description>
+      <!-- @@GEN START rule-sysctl-ipv4-all-asr -->
+<Rule id="rule-sysctl-ipv4-all-asr" selected="false">
+  <title>sysctl net.ipv4.conf.all.accept_source_route must be 0</title>
+  <description>Enable IP source routing</description>
+  <fix>echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-all-asr -->
+      <!-- @@GEN START rule-sysctl-ipv4-default-asr -->
+<Rule id="rule-sysctl-ipv4-default-asr" selected="false">
+  <title>sysctl net.ipv4.conf.default.accept_source_route must be 0</title>
+  <description>Enable IP source routing</description>
+  <fix>echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-default-asr -->
+    </Group>
+    <Group id="gt-sysctl-redirect">
+      <title>Disable ICMP Redirects</title>
+      <description>
+        Set <h:code>net.ipv4.conf.*.accept_redirects=0</h:code> to disable
+        ICMP redirect support on the interfaces.
+        <h:br />
+        <h:br />
+        ICMP redirect messages are used by routers to inform hosts to use a
+        different gateway than the one used. These packets should only be
+        sent by the gateway of the system, but since you control that
+        gateway and know when this gateway is changed, there is no point in
+        allowing ICMP redirect messages on your system. After all, this would
+          allow for "remote" updating of your routing table, which could allow
+          an attacker to get all packets you want to send to the outside first
+          (rather than the packets immediately going to the real gateway).
+      </description>
+      <!-- @@GEN START rule-sysctl-ipv4-all-aredirect -->
+<Rule id="rule-sysctl-ipv4-all-aredirect" selected="false">
+  <title>sysctl net.ipv4.conf.all.accept_redirects must be 0</title>
+  <description>Disable ICMP redirects</description>
+  <fix>echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-all-aredirect -->
+      <!-- @@GEN START rule-sysctl-ipv4-default-aredirect -->
+<Rule id="rule-sysctl-ipv4-default-aredirect" selected="false">
+  <title>sysctl net.ipv4.conf.default.accept_redirects must be 0</title>
+  <description>Disable ICMP redirects</description>
+  <fix>echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-default-aredirect -->
+    </Group>
+    <Group id="gt-sysctl-echobroadcast">
+      <title>Ignore ICMP Echo Broadcasts</title>
+      <description>
+        When <h:code>net.ipv4.icmp_echo_ignore_broadcasts=1</h:code> is set,
+        then your system will not reply to broadcast 'ping' requests (a ping
+        is an ICMP Echo request). Similar to hiding a WIFI SSID, this makes
+        your system just a tiny bit more hidden from scanners.
+      </description>
+      <!-- @@GEN START rule-sysctl-ipv4-echobroadcast -->
+<Rule id="rule-sysctl-ipv4-echobroadcast" selected="false">
+  <title>sysctl net.ipv4.icmp_echo_ignore_broadcasts must be 1</title>
+  <description>Ignore ICMP broadcasts</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-echobroadcast -->
+    </Group>
+    <Group id="gt-sysctl-icmpboguserror">
+    <title>Ignore ICMP Bogus Error Responses</title>
+      <description>
+        When an invalid response is given to broadcast frames (which occurs
+        sometimes in erronous routers), the Linux kernel will by default log this
+        event. To ensure that these (harmless) reports do not clutter your logs,
+        you can disable this through <h:code>net.ipv4.icmp_ignore_bogus_error_responses</h:code>
+        by setting it to 1.
+      </description>
+      <!-- @@GEN START rule-sysctl-icmpboguserror -->
+<Rule id="rule-sysctl-icmpboguserror" selected="false">
+  <title>sysctl net.ipv4.icmp_ignore_bogus_error_responses must be 1</title>
+  <description>Ignore ICMP Bogus Error Responses</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-icmpboguserror -->
+    </Group>
+    <Group id="gt-sysctl-martians">
+    <title>Enable Logging of Martians</title>
+      <description>
+        When you receive a packet that seemingly originates from a location where
+        you have no route for, this packet is dropped silently. You can enable logging
+        of these packets (which are called <h:em>martians</h:em>) so that you at least
+        are aware of them.
+        <h:br />
+        <h:br />
+        Note that martians can only exist if you do not use a "default gateway", since
+        a default gateway always matches (if no other route does) for any IP address.
+        <h:br />
+        <h:br />
+        Logging of martians can be enabled through <h:code>net.ipv4.conf.*.log_martians=1</h:code>.
+      </description>
+      <!-- @@GEN START rule-sysctl-ipv4-all-logmartians -->
+<Rule id="rule-sysctl-ipv4-all-logmartians" selected="false">
+  <title>sysctl net.ipv4.conf.all.log_martians must be 1</title>
+  <description>Log all packages that originate from an unknown, unroutable network</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-all-logmartians -->
+      <!-- @@GEN START rule-sysctl-ipv4-default-logmartians -->
+<Rule id="rule-sysctl-ipv4-default-logmartians" selected="false">
+  <title>sysctl net.ipv4.conf.default.log_martians must be 1</title>
+  <description>Log all packages that originate from an unknown, unroutable network</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-default-logmartians -->
+    </Group>
+    <Group id="gt-sysctl-tcpsyncookies">
+      <title>Enable TCP SYN Cookie Protection</title>
+      <description>
+        One denial of service attack against a service would be to flood the server with SYN requests
+        (the TCP packet that starts a handshake for a connection). Such a flood can easily lead to a
+        service disruption as connection state handling would consume a lot of resources in a small timeframe.
+        <h:br />
+        <h:br />
+        By enabling <h:code>net.ipv4.tcp_syncookies</h:code>, the Linux kernel will change its handshake 
+        behavior when its SYN backlog queue overflows: it replies to SYN requests with the appropriate
+        SYN+ACK reply, but it does not store the connection in its backlog queue. Instead, it will only
+        do that when it gets the ACK reply on his SYN+ACK. Based on the information in this reply, the 
+        Linux kernel can then reconstruct the necessary information to generate an entry in the backlog
+        queue.
+        <h:br />
+        <h:br />
+        It should be noted that enabling TCP cookies is a last-resort. It changes the TCP stack behavior
+        of the Linux kernel, violating TCP protocol and dropping support for certain TCP extensions whose
+        information is only available in a SYN packet.
+        <h:br />
+        <h:br />
+        To enable TCP SYN cookie protection, enable <h:code>CONFIG_SYN_COOKIES</h:code> in the kernel, 
+        set <h:code>net.ipv4.tcp_syncookies=1</h:code> and set proper values for <h:code>net.ipv4.tcp_max_syn_backlog</h:code>,
+        <h:code>net.ipv4.tcp_synack_retries</h:code> and <h:code>net.ipv4.tcp_abort_on_overflow</h:code>.
+      </description>
+      <!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
+<Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
+  <title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+  <description>Enable TCP SYN cookie protection</description>
+  <fix>echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies</fix>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:24" href="scap-kernel-oval.xml" />
+  </check>
+</Rule>
+      <!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->
+    </Group>
+  </Group>
+</Benchmark>

