diff --git a/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md b/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md new file mode 100644 index 0000000000000000000000000000000000000000..ead255b80846175b041be363aa815f38eab55ce6 --- /dev/null +++ b/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md @@ -0,0 +1,36 @@ +# 4.70 确保没有启用XDMCP + +## 安全等级 + +- Level 1 + +## 描述 + +X显示监控协议(X Display Manager Control Protocol, XDMCP):管理与操控 X server 的显示内容,并提供登录验证。 + +但XDMCP服务是不安全的: +- XDMCP不是加密协议,这可能导致用户的输入内容被攻击者捕获; +- XDMCP容易受到中间人攻击:攻击者伪装为XDMCP服务器,截获合法用户的登录请求,从而导致凭据泄露等问题。 + +## 修复建议 + +编辑文件`/etc/gdm/custom.conf`并删掉以下行: + +```bash +Enable=true +``` + +## 扫描检测 + +运行以下命令并验证输出结果: + +```bash +# grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf +Nothing should be returned +``` + +如果没有任何输出,则说明通过检查,否则检测未通过。 + +## 参考 + +- cis: \ No newline at end of file diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md index 75c80019efc7b43e046c4c98ddf9c6dbfe5c86fd..8f880836500fb6cd9283441b3e71713e4797bac5 100644 --- a/docs/summary-of-rules.md +++ b/docs/summary-of-rules.md @@ -169,6 +169,7 @@ | 4.67 | 4.67-ensure-system-histfilesize-100.md | 4.67 限制历史命令存储文件的保存数量 | benchmarks/system-configurations | 1 | | 4.68 | 4.68-ensure-permissions-TMP-is-correct.md | 4.68 为公共目录/tmp添加粘贴位 | benchmarks/system-configurations | 1 | | 4.69 | 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.md | 4.69 严格要求SSH公私钥文件权限配置正确 | benchmarks/system-configurations | 3 | +| 4.70 | 4.70-ensure-xdmcp-is-not-enabled.md | 4.70 确保没有启用XDMCP | benchmarks/system-configurations | 1 | | 5.1 | 5.1-ensure-selinux-is-installed.md | 5.1 确保SElinux工具已安装 | benchmarks/mandatory-access-control | 1 | | 5.2 | 5.2-ensure-selinux-policy-is-configured.md | 5.2 确保SELinux调用mls策略 | benchmarks/mandatory-access-control | 3 | | 5.3 | 5.3-ensure-the-selinux-mode-is-enabled.md | 5.3 确保SELinux不是禁用模式 | benchmarks/mandatory-access-control | 3 | 
diff --git a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..580737fa502c18963654f7d52e287e69401a98bb --- /dev/null +++ b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf \ No newline at end of file diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..9f9867416d29e6fa951e6f6e72cd88aea66bd100 --- /dev/null +++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +result=true + +grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && result=false + +if [ "$result" == true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file
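Review bot: in benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md, the 修复建议 step tells the reader to delete `Enable=true` from /etc/gdm/custom.conf without naming the section the line belongs to. custom.conf is an INI-style file and the XDMCP switch is the `Enable` key under `[xdmcp]`; GDM accepts the same key name under `[debug]`, so the instruction and the documented check `grep -Eis '^\s*Enable\s*=\s*true'` should both state that only the `[xdmcp]` entry is meant. Two smaller points in the same file: "Nothing should be returned" sits inside the bash block as if it were a command or its output, and the 参考 entry `- cis:` is empty, so either fill in the benchmark reference or drop the section.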
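Review bot: in remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh, the sed address `/\s*Enable\s*=\s*true/Id` has lost the `^` that the grep guard uses, so once the guard matches, sed deletes every line that merely contains that text, for example `AutomaticLoginEnable=true`, `TimedLoginEnable=true` or a commented `#Enable=true`. Anchor it the same way as the guard, `'/^\s*Enable\s*=\s*true/Id'`, and preferably limit the deletion to the `[xdmcp]` section. The `grep ... && sed ...` chain also exits with grep's status 1 on a host that is already compliant, which a caller checking the exit code will read as a failed remediation; an `if grep ...; then sed ...; fi` form returns 0 in that case.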
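Review bot: in scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh, the grep is not tied to the `[xdmcp]` section, so `Enable=true` under any other section of /etc/gdm/custom.conf (GDM accepts it under `[debug]`) makes the rule print "fail" although XDMCP is off. Track the current section header, for instance with awk, and fail only when the match falls inside `[xdmcp]`. Because of `-s`, a missing or unreadable custom.conf is reported as "pass"; that is reasonable when GDM is not installed, but it deserves a comment in the script so the behaviour is clearly intentional. The `result` variable can also go: `if grep -Eisq ...; then echo "fail"; else echo "pass"; fi` expresses the same logic.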