From 920cb2103e2787b3aa3f885372b05c3308ff355e Mon Sep 17 00:00:00 2001
From: yishan_li
Date: Sun, 23 Apr 2023 15:20:34 +0800
Subject: [PATCH 1/2] Optimize md layout of system-configuration file
---
 .../4.70-ensure-xdmcp-is-not-enabled.md | 34 +++++++++++++++++++
 docs/summary-of-rules.md | 1 +
 .../4.70-ensure-xdmcp-is-not-enabled.sh | 3 ++
 .../4.70-ensure-xdmcp-is-not-enabled.sh | 11 ++++++
 4 files changed, 49 insertions(+)
 create mode 100644 benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md
 create mode 100644 remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
 create mode 100644 scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
diff --git a/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md b/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md
new file mode 100644
index 0000000..3119b60
--- /dev/null
+++ b/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md
@@ -0,0 +1,34 @@
+# 4.70 确保没有启用XDMCP
+
+## 安全等级
+
+- Level 3
+
+## 描述
+
+X显示管理控制协议(X Display Manager Control Protocol, XDMCP)旨在为远程显示提供对显示管理服务的身份验证访问。
+
+XDMCP本质上是不安全的。首先,XDMCP不是加密协议,这可能使得攻击者能捕获用户输入的击键;其次,XDMCP容易受到中间人攻击,这可能允许攻击者通过冒充XDMCP服务器窃取合法用户的凭据。
+
+## 修复建议
+
+编辑文件`/etc/gdm/custom.conf`并删掉以下行:
+
+```bash
+Enable=true
+```
+
+## 扫描检测
+
+运行以下命令并验证输出结果:
+
+```bash
+# grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf
+Nothing should be returned
+```
+
+如果没有任何输出,则说明通过检查,否则检测未通过。
+
+## 参考
+
+- cis:
\ No newline at end of file
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index 75c8001..c94aa71 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -169,6 +169,7 @@
 | 4.67 | 4.67-ensure-system-histfilesize-100.md | 4.67 限制历史命令存储文件的保存数量 | benchmarks/system-configurations | 1 |
 | 4.68 | 4.68-ensure-permissions-TMP-is-correct.md | 4.68 为公共目录/tmp添加粘贴位 | benchmarks/system-configurations | 1 |
 | 4.69 | 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.md | 4.69 严格要求SSH公私钥文件权限配置正确 | benchmarks/system-configurations | 3 |
+| 4.70 | 4.70-ensure-xdmcp-is-not-enabled.md | 4.70 确保没有启用XDMCP | benchmarks/system-configurations | 3 |
 | 5.1 | 5.1-ensure-selinux-is-installed.md | 5.1 确保SElinux工具已安装 | benchmarks/mandatory-access-control | 1 |
 | 5.2 | 5.2-ensure-selinux-policy-is-configured.md | 5.2 确保SELinux调用mls策略 | benchmarks/mandatory-access-control | 3 |
 | 5.3 | 5.3-ensure-the-selinux-mode-is-enabled.md | 5.3 确保SELinux不是禁用模式 | benchmarks/mandatory-access-control | 3 |
diff --git a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
new file mode 100644
index 0000000..7281eac
--- /dev/null
+++ b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf
\ No newline at end of file
diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
new file mode 100644
index 0000000..053c77b
--- /dev/null
+++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+result=true
+
+grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && result=false
+
+if [ "$result" == true ]; then
+ echo "pass"
+else
+ echo "fail"
+fi
\ No newline at end of file
-- 
Gitee
From b5dfdb2f6174efbd1c92d9278fe0ad69d4a3c76d Mon Sep 17 00:00:00 2001
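Review bot: The sed address `/\s*Enable\s*=\s*true/I` in the new remediation script is not anchored to the start of the line, so it also deletes GDM keys that merely end in `Enable`, such as `AutomaticLoginEnable=true` and `TimedLoginEnable=true`, and it disagrees with the scanner added in this same patch, which only matches `^\s*Enable\s*=\s*true`. Anchoring it, `sed -i '/^\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf`, makes the remediation remove exactly what the scanner reports. The same unanchored address is carried unchanged into the remediation hunk of PATCH 2/2, which needs the same fix. Because the script rewrites /etc/gdm/custom.conf in place with no backup, keeping the pattern narrow also limits the damage of a mismatch.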
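Review bot: The scanner reports `fail` for any `Enable=true` line in /etc/gdm/custom.conf regardless of which INI section it sits in, although only the key under `[xdmcp]` enables XDMCP; GDM's custom.conf also documents an `Enable` key under `[debug]`, so a host with debug logging switched on would be reported as having XDMCP enabled, and the remediation hunk in this patch (and in PATCH 2/2) would delete that line. If the rule is meant to be section-aware, track the current section header and only test `Enable` inside `[xdmcp]`, e.g. `[ -e /etc/gdm/custom.conf ] && awk '/^[[:space:]]*\[/{x = tolower($0) ~ /^[[:space:]]*\[xdmcp\]/} x && tolower($0) ~ /^[[:space:]]*enable[[:space:]]*=[[:space:]]*true/{f=1} END{exit !f}' /etc/gdm/custom.conf && result=false`; the existence test keeps the absent-file case a pass, as `grep -s` does today. The CIS text quoted in the benchmark .md uses the plain grep, so this may be a deliberate simplification worth a comment in the script if it is kept.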
From: yishan_li
Date: Sun, 23 Apr 2023 16:20:10 +0800
Subject: [PATCH 2/2] Fix the proposed problems
---
 .../4.70-ensure-xdmcp-is-not-enabled.md | 8 +++++---
 docs/summary-of-rules.md | 2 +-
 .../4.70-ensure-xdmcp-is-not-enabled.sh | 2 +-
 .../4.70-ensure-xdmcp-is-not-enabled.sh | 2 +-
 4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md b/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md
index 3119b60..ead255b 100644
--- a/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md
+++ b/benchmarks/system-configurations/4.70-ensure-xdmcp-is-not-enabled.md
@@ -2,13 +2,15 @@
 ## 安全等级
-- Level 3
+- Level 1
 ## 描述
-X显示管理控制协议(X Display Manager Control Protocol, XDMCP)旨在为远程显示提供对显示管理服务的身份验证访问。
+X显示监控协议(X Display Manager Control Protocol, XDMCP):管理与操控 X server 的显示内容,并提供登录验证。
-XDMCP本质上是不安全的。首先,XDMCP不是加密协议,这可能使得攻击者能捕获用户输入的击键;其次,XDMCP容易受到中间人攻击,这可能允许攻击者通过冒充XDMCP服务器窃取合法用户的凭据。
+但XDMCP服务是不安全的:
+- XDMCP不是加密协议,这可能导致用户的输入内容被攻击者捕获;
+- XDMCP容易受到中间人攻击:攻击者伪装为XDMCP服务器,截获合法用户的登录请求,从而导致凭据泄露等问题。
 ## 修复建议
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index c94aa71..8f88083 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -169,7 +169,7 @@
 | 4.67 | 4.67-ensure-system-histfilesize-100.md | 4.67 限制历史命令存储文件的保存数量 | benchmarks/system-configurations | 1 |
 | 4.68 | 4.68-ensure-permissions-TMP-is-correct.md | 4.68 为公共目录/tmp添加粘贴位 | benchmarks/system-configurations | 1 |
 | 4.69 | 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.md | 4.69 严格要求SSH公私钥文件权限配置正确 | benchmarks/system-configurations | 3 |
-| 4.70 | 4.70-ensure-xdmcp-is-not-enabled.md | 4.70 确保没有启用XDMCP | benchmarks/system-configurations | 3 |
+| 4.70 | 4.70-ensure-xdmcp-is-not-enabled.md | 4.70 确保没有启用XDMCP | benchmarks/system-configurations | 1 |
 | 5.1 | 5.1-ensure-selinux-is-installed.md | 5.1 确保SElinux工具已安装 | benchmarks/mandatory-access-control | 1 |
 | 5.2 | 5.2-ensure-selinux-policy-is-configured.md | 5.2 确保SELinux调用mls策略 | benchmarks/mandatory-access-control | 3 |
 | 5.3 | 5.3-ensure-the-selinux-mode-is-enabled.md | 5.3 确保SELinux不是禁用模式 | benchmarks/mandatory-access-control | 3 |
diff --git a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
index 7281eac..580737f 100644
--- a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
+++ b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf
\ No newline at end of file
+grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf
\ No newline at end of file
diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
index 053c77b..9f98674 100644
--- a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
+++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
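Review bot: With the new `grep … && sed …` guard the remediation script's exit status becomes grep's status whenever there is nothing to remove, so an already compliant host (no match, status 1) or a host with no /etc/gdm/custom.conf at all (status 2) makes the script exit non-zero, and any harness that reads non-zero as "remediation failed" will misreport it. Writing the guard as an `if` keeps the no-op case at exit 0: `if grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf; then` / `    sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf` / `fi`. An unreadable file also yields grep status 2 and is then silently treated as compliant; if that matters, test `$?` for 2 and report it on stderr instead of skipping. The `\ No newline at end of file` marker shows the one-line script still lacks a trailing newline.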
@@ -2,7 +2,7 @@
 result=true
-grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && result=false
+grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && result=false
 if [ "$result" == true ]; then
 echo "pass"
-- 
Gitee
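Review bot: On the changed line `grep -s` hides the error message and `&& result=false` treats every non-zero status alike, so a custom.conf that exists but cannot be read (grep status 2, e.g. a permission error) prints `pass` instead of an error; only status 1 actually means "no match". The absent-file case should stay a pass, since no custom.conf means XDMCP is not configured, so test existence first and then distinguish the grep status rather than collapsing it into a boolean. The shebang and the pass/fail reporting lie outside this hunk.
```shell
result=true
if [ -e /etc/gdm/custom.conf ]; then
  grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf
  case $? in
    0) result=false ;;
    1) ;;
    *) echo "error: cannot read /etc/gdm/custom.conf" >&2; exit 2 ;;
  esac
fi
# … unchanged: pass/fail reporting …
```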