From 9fbaa6ab52cb7b402e162457f8e0142ed69b271a Mon Sep 17 00:00:00 2001
From: Sven Vermeulen <sven.vermeulen@siphos.be>
Date: Thu, 19 Sep 2013 16:23:06 +0200
Subject: Update on baseline, now working on services

---
 xml/SCAP/Makefile                                  |   2 +-
 .../gentoo-sce_installation-toolchain-hardened.sh  |  43 ++
 xml/SCAP/gentoo-oval.xml                           | 551 +++++++++++++++-
 xml/SCAP/gentoo-xccdf.xml                          | 690 ++++++++++++++++-----
 4 files changed, 1107 insertions(+), 179 deletions(-)
 create mode 100755 xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh

diff --git a/xml/SCAP/Makefile b/xml/SCAP/Makefile
index fcbf549..3de65fa 100644
--- a/xml/SCAP/Makefile
+++ b/xml/SCAP/Makefile
@@ -1,7 +1,7 @@
 all: report.html guide.html remediate.sh #guide.pdf
 
 report.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
-	oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
+	-oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-xccdf.xml --oval-results --report report.html gentoo-xccdf.xml
 
 guide.html: gentoo-cpe.xml gentoo-xccdf.xml gentoo-oval.xml
 	oscap xccdf generate guide --profile xccdf_org.gentoo.dev.swift_profile_default --output guide.html gentoo-xccdf.xml
diff --git a/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh b/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh
new file mode 100755
index 0000000..99ff12c
--- /dev/null
+++ b/xml/SCAP/bin/gentoo-sce_installation-toolchain-hardened.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Get CHOST value
+echo "Getting CHOST variable content through portageq.";
+my_chost=$(portageq envvar CHOST);
+if [ -z "${my_chost}" ];
+then
+  echo "-- The portageq command failed. Falling back to glibc build info.";
+  my_chost=$(cat /var/db/pkg/sys-libs/glibc-*/CHOST | tail -1);
+fi
+echo "-- Got CHOST=${my_chost}";
+
+# Get current GCC version
+echo "Getting current GCC version through /etc/env.d/gcc/config-*";
+current_gcc=$(grep CURRENT /etc/env.d/gcc/config-* | sed -e "s:CURRENT=${my_chost}-::g" | sed -e "s:\([0-9\.-r]*\){$,-.*$}:\1:g" );
+echo "-- Got version=${current_gcc}";
+
+# Get type
+echo "Getting compiler type (profile/spec) through its CURRENT= value.";
+current_type=$(grep CURRENT /etc/env.d/gcc/config-* | sed -e "s:CURRENT=${my_chost}-${current_gcc}::g" | sed -e 's:^-::g');
+echo "-- Got type=${current_type}";
+
+echo "Checking USE flags of gcc-${current_gcc} for hardened USE flag.";
+grep -q hardened /var/db/pkg/sys-devel/gcc-${current_gcc}/USE;
+current_hardened_use=$?;
+
+if [ ${current_hardened_use} -ne 0 ];
+then
+  echo "!! GCC ${current_gcc} is not build with USE=hardened!";
+  echo "!! Please enable a hardened profile.";
+  exit ${XCCDF_RESULT_FAIL};
+else
+  echo "-- GCC ${current_gcc} is build with USE=hardened.";
+  if [ -z "${current_type}" ];
+  then
+    echo "-- The default type is used which is a hardened type.";
+    exit ${XCCDF_RESULT_PASS};
+  else
+    echo "!! A non-default type is used: ${current_type}";
+    echo "!! This means not all hardened toolchain measures are enabled.";
+    exit ${XCCDF_RESULT_FAIL};
+  fi
+fi
diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 9fa2c1e..4fe52b9 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -1,17 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
-	xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" 
-	xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
-	xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
-	xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
-	xsi:schemaLocation="
-		http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
-		http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
-		http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
-		http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
-		http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+        xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" 
+        xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+        xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+        xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+        xsi:schemaLocation="
+                http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
+                http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
+                http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
+                http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
+                http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
 
 <generator>
   <oval:product_name>OVAL Gentoo Linux</oval:product_name>
@@ -46,7 +46,7 @@
       <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14559-9"/>
       <description>
         This definition tests whether the /home location is a separate file
-	system.
+        system.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -62,7 +62,7 @@
       </affected>
       <description>
         This definition tests whether the /home partition is mounted with the nosuid 
-	mount option.
+        mount option.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -79,7 +79,7 @@
       </affected>
       <description>
         This definition tests whether the /home partition is mounted with the nodev 
-	mount option.
+        mount option.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -97,7 +97,7 @@
       <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
       <description>
         This definition tests whether the /tmp location is a separate file
-	system.
+        system.
       </description>
     </metadata>
     <criteria operator="AND">
@@ -105,7 +105,297 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:6" version="1" class="compliance">
+    <metadata>
+      <title>The /var location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14777-7"/>
+      <description>
+        This definition tests whether the /var location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:7" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14011-1"/>
+      <description>
+        This definition tests whether the /var/log location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:8" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log/audit location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14171-3"/>
+      <description>
+        This definition tests whether the /var/log/audit location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:9" version="1" class="compliance">
+    <metadata>
+      <title>The /var file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="The /var partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:10" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var/log partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="The /var/log partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:11" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log/audit file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var/log/audit partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="The /var/log/audit partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:12" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /var/log/audit location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /var/log/audit partition is mounted with nodev mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:13" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14940-1"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the nosuid
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="The /tmp partition is mounted with nosuid mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:14" version="1" class="compliance">
+    <metadata>
+      <title>The /dev/shm file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14306-5"/>
+      <description>
+        This definition tests whether the /dev/shm partition is mounted with the nosuid
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="The /dev/shm file system is mounted with nosuid mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:15" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the noexec option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14927-8"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the noexec
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="The /tmp partition is mounted with noexec mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:16" version="1" class="compliance">
+    <metadata>
+      <title>The /dev/shm file system is mounted with the noexec option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14703-3"/>
+      <description>
+        This definition tests whether the /dev/shm partition is mounted with the noexec
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system" />
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="The /dev/shm file system is mounted with nosuid mount option" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:17" version="1" class="compliance">
+    <metadata>
+      <title>The /var/tmp location is on a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14584-7"/>
+      <description>
+        This definition tests whether the /var/tmp location is on its own file system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="The /var/tmp location is a separate file system" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:18" version="1" class="compliance">
+    <metadata>
+      <title>The kernel is build with quota support (CONFIG_QUOTA)</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether the Linux kernel is build with quota support (CONFIG_QUOTA).
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="The Linux kernel is build with CONFIG_QUOTA" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:19" version="1" class="compliance">
+    <metadata>
+      <title>No process matching "telnetd" is running</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-3390-2" />
+      <description>
+        This definition tests if no telnet daemon processes are running.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="No telnet daemons are running" />
+    </criteria>
+  </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:20" version="1" class="compliance">
+    <metadata>
+      <title>No process matching "ftpd" is running</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4273-9" />
+      <description>
+        This definition tests if no FTP daemon processes are running.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:21" comment="No FTP daemons are running" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:21" version="1" class="compliance">
+    <metadata>
+      <title>rc.conf's rc_shell should be set to /sbin/sulogin</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6" />
+      <description>
+        This definition tests if rc_shell in /etc/rc.conf is set to /sbin/sulogin, ensuring
+        that single user boots still require the root password to be provided.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="/etc/rc.conf rc_shell is set to /sbin/sulogin" />
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:22" version="1" class="compliance">
+    <metadata>
+      <title>Single user definitions in inittab should only refer to '/sbin/rc single' or '/sbin/sulogin'</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6" />
+      <description>
+        This definition tests if /etc/inittab single user login settings only refers
+        to '/sbin/rc single' or '/sbin/sulogin'.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:23" comment="/etc/inittab single user settings refers only to '/sbin/rc single' or '/sbin/sulogin'" />
+    </criteria>
+  </definition>
 </definitions>
 
 <tests>
@@ -145,9 +435,158 @@
   <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5" 
     version="1" check="all" check_existence="all_exist" 
     comment="Tests that /tmp is a separate file system">
-    <!-- /home partition -->
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:6" 
+    version="1" check="all" check_existence="all_exist" 
+    comment="Tests that /var is a separate file system">
+    <!-- /var partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:7" 
+    version="1" check="all" check_existence="all_exist" 
+    comment="Tests that /var/log is a separate file system">
+    <!-- /var/log partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:8" 
+    version="1" check="all" check_existence="all_exist" 
+    comment="Tests that /var/log/audit is a separate file system">
+    <!-- /var/log/audit partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:9"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var is mounted with nodev option">
+    <!-- /var partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:10"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var/log is mounted with nodev option">
+    <!-- /var/log partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:11"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var/log/audit is mounted with nodev option">
+    <!-- /var/log/audit partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:12"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is mounted with nodev option">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:13"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is mounted with nosuid option">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:14"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /dev/shm is a separate file system">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:15"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /dev/shm is mounted with nosuid option">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:16"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /tmp is mounted with noexec option">
+    <!-- /tmp file system -->
     <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+    <!-- "noexec" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
   </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:17"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /dev/shm is mounted with noexec option">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7" />
+    <!-- "noexec" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:18"
+    version="1" check="all" check_existence="all_exist"
+    comment="Tests that /var/tmp is on its own file system">
+    <!-- /var/tmp file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:8" />
+  </lin-def:partition_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19"
+    version="1" check="at least one" check_existence="at_least_one_exists"
+    comment="Tests that CONFIG_QUOTA is in the kernel configuration">
+    <!-- The file containing kernel configuration -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9" />
+    <!-- Match for "^CONFIG_QUOTA=[ym]" -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:20"
+    version="1" check="all" check_existence="none_exist"
+    comment="Tests that no telnet daemons are running">
+    <!-- Process matching "telnetd" -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:10" />
+  </unix-def:process58_test>
+
+  <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:21"
+    version="1" check="all" check_existence="none_exist"
+    comment="Tests that no FTP daemons are running">
+    <!-- Process matching "ftpd" -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:11" />
+  </unix-def:process58_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22"
+    version="1" check="at least one" check_existence="all_exist"
+    comment="Tests that rc_shell in /etc/rc.conf is set to /sbin/sulogin">
+    <!-- The variable settings in /etc/rc.conf -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12" />
+    <!-- Match for rc_shell=/sbin/sulogin -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+  </ind-def:textfilecontent54_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:23"
+    version="1" check="all" check_existence="at_least_one_exists"
+    comment="Tests that single-user boot only triggers '/sbin/rc single' or '/sbin/sulogin'">
+    <!-- The single-user boot rules in /etc/inittab -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13" />
+    <!-- The '/sbin/rc single' or '/sbin/sulogin' matches -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+  </ind-def:textfilecontent54_test>
+
 </tests>
 
 <objects>
@@ -167,6 +606,64 @@
     <lin-def:mount_point>/tmp</lin-def:mount_point>
   </lin-def:partition_object>
 
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:4"
+    version="1" comment="The /var partition">
+    <lin-def:mount_point>/var</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:5"
+    version="1" comment="The /var/log partition">
+    <lin-def:mount_point>/var/log</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:6"
+    version="1" comment="The /var/log/audit partition">
+    <lin-def:mount_point>/var/log/audit</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:7"
+    version="1" comment="The /dev/shm file system">
+    <lin-def:mount_point>/dev/shm</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:8"
+    version="1" comment="The /var/tmp file system">
+    <lin-def:mount_point>/var/tmp</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9"
+    version="1" comment="The file containing kernel configuration">
+    <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^CONFIG_.*</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:10"
+    version="1" comment="Process matching telnetd in its command name">
+    <unix-def:command_line operation="pattern match">.*[Tt][Ee][Ll][Nn][Ee][Tt][Dd].*</unix-def:command_line>
+    <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+  </unix-def:process58_object>
+
+  <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:11"
+    version="1" comment="Process matching ftpd in its command name">
+    <unix-def:command_line operation="pattern match">.*[Ff][Tt][Pp][Dd].*</unix-def:command_line>
+    <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+  </unix-def:process58_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12"
+    version="1" comment="The /etc/rc.conf variable declarations">
+    <ind-def:filepath>/etc/rc.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^[[:space:]]*[\S]+[[:space:]]*=[[:space:]]*[\S]+</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13"
+    version="1" comment="The /etc/inittab contents">
+    <ind-def:filepath>/etc/inittab</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^[\S]+:S:[\S]+:.*</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
 </objects>
 
 <states>
@@ -181,6 +678,26 @@
     <lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
   </lin-def:partition_state>
 
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:3"
+    version="1" comment="The file system is mounted with the noexec mount option">
+    <lin-def:mount_options entity_check="at least one">noexec</lin-def:mount_options>
+  </lin-def:partition_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4"
+    version="1" comment="Matching ^CONFIG_QUOTA=[ym]">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">^CONFIG_QUOTA=[ym]</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5"
+    version="1" comment="Matching rc_shell=/sbin/sulogin">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6"
+    version="1" comment="Single user boot lines may only match '/sbin/rc single' or '/sbin/sulogin'">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
 </states>
 
 <!--
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 39af64c..bc6d977 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -8,6 +8,9 @@
   </description>
   <platform idref="cpe:/o:gentoo:linux"/>
   <version>20130917.1</version>
+  <model system="urn:xccdf:scoring:default" />
+  <model system="urn:xccdf:scoring:flat" />
+  <model system="urn:xccdf:scoring:flat-unweighted" />
   <Profile id="xccdf_org.gentoo.dev.swift_profile_intensive" extends="xccdf_org.gentoo.dev.swift_profile_default">
     <title>Intensive validation profile</title>
     <description>
@@ -26,13 +29,48 @@
     </description>
     <!-- The /tmp location is a separate file system -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="true" />
+    <!-- The /var location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="true" />
+    <!-- The /var/log location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="true" />
+    <!-- The /var/log/audit location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="true" />
     <!-- The /home location is a separate file system -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="true" />
-    <!-- The /home partition is mounted with nosuid -->
-    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+    <!-- The /var/tmp location is a separate file system -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="true" />
+    <!-- The /var partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="true" />
+    <!-- The /var/log partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="true" />
+    <!-- The /var/log/audit partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="true" />
     <!-- The /home partition is mounted with nodev -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="true" />
-
+    <!-- The /tmp partition is mounted with nodev -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="true" />
+    <!-- The /tmp partition is mounted with nosuid -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="true" />
+    <!-- The /home partition is mounted with nosuid -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="true" />
+    <!-- The /dev/shm partition is mounted with nosuid -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="true" />
+    <!-- The /tmp partition is mounted with noexec -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="true" />
+     <!-- The /dev/shm partition is mounted with noexec -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="true" />
+    <!-- The hardened toolchain must be installated and used -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="true" />
+    <!-- Kernel quota support must be enabled -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="true" />
+    <!-- No telnetd process is running -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="true" />
+    <!-- No ftpd process is running -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="true" />
+    <!-- sulogin is used as shell for single user boot (definition /etc/rc.conf) -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="true" />
+    <!-- sulogin is used as shell for single user boot (definition /etc/inittab) -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="true" />
   </Profile>
   <Group id="xccdf_org.gentoo.dev.swift_group_intro">
     <title>Introduction</title>
@@ -155,6 +193,84 @@
         Substitute the profile information in the commands above with the required profile.
       </description>
     </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_intro-weights">
+      <title>About the rule weights</title>
+      <description>
+        Within this guide, weights are assigned to tests to give some importance to
+        the rule (higher weight is more important) as well as a severity.
+        <h:br />
+        <h:br />
+        The severity is one of the following:
+        <h:ul>
+          <h:li>
+            <h:em>high</h:em> constitutes a grave or critical problem. A rule with this severity
+            <h:em>MUST</h:em> be tackled as it detected a misconfiguration that is easily
+            exploitable and could lead to full system compromise.
+          </h:li>
+          <h:li>
+            <h:em>medium</h:em> reflects a fairly serious problem. A rule with this severity
+            <h:em>SHOULD</h:em> be tackled as it detected a misconfiguration that is easily
+            exploitable.
+          </h:li>
+          <h:li>
+            <h:em>low</h:em> reflects a non-serious problem. A rule with this severity
+            has detected a misconfiguration but its influence on the overall system security
+            is minor (if other compliance rules are followed).
+          </h:li>
+          <h:li>
+            <h:em>info</h:em> reflects an informational rule. Failure to comply with this rule
+            does not mean failure to comply with the document itself.
+          </h:li>
+        </h:ul>
+        It is important to understand though that rules with a low severity can still lead to 
+        grave security problems if they are not met. Chaining of vulnerabilities or
+        misconfiguration can still lead to full system compromise.
+        <h:br />
+        <h:br />
+        For this reason, weights are added to rules as well. A higher weight has a more
+        severe potential impact.
+        <h:br />
+        <h:br />
+        Weights are the CVSS score that the author assumes is the case for a misconfiguration.
+        They are calculated by NVD's CVSS calculator. Each rule is scored individually; a 
+        "chain" of misconfigurations might lead to a significantly higher issue, but this would
+        make it very hard to make proper scoring. 
+        <h:br />
+        <h:br />
+        As an example, take the rule that says <h:code>/var</h:code> has to be on its own
+        partition. The metrics we fill in in the calculator are currently based on the risk
+        that the root file system is filled (no more free space), which can halt the system.
+        <h:ul>
+          <h:li>
+            The <h:em>related exploit range</h:em> (access vector) is "Local", because this is
+            by itself not exploitable remotely - unless of course certain services are running
+            that can fill up <h:code>/var</h:code>, but we do not take such assumptions.
+          </h:li>
+          <h:li>
+            The <h:em>attack complexity</h:em> (access complexity) is "Low", as all that is
+            needed is a local account and we can find the necessary ways to fill up
+            <h:code>/var</h:code>.
+          </h:li>
+          <h:li>
+            The <h:em>level of authentication needed</h:em> (authentication) is "Single"
+            as the attacker needs one authentication step (local access) to exploit.
+          </h:li>
+          <h:li>
+            The <h:em>confidentiality impact</h:em> is "None" (no data leakage)
+          </h:li>
+          <h:li>
+            The <h:em>integrity impact</h:em> is "None" (no data manipulation)
+          </h:li>
+          <h:li>
+            The <h:em>availability impact</h:em> is "Complete" (system crash or halt).
+          </h:li>
+        </h:ul>
+        This results in the CVSS base score of 4.6. The environmental score metrics and
+        temporal score metrics are ignored as those are too specific for environments
+        and organizations.
+      </description>
+      <reference href="https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2">NVD CVSS calculator</reference>
+    </Group>
   </Group>
   <Group id="xccdf_org.gentoo.dev.swift_group_preinstallation">
     <title>Before we start</title>
@@ -279,7 +395,7 @@
         </description>
         <reference href="http://www.pathname.com/fhs/">Filesystem Hierarchy
         Standard</reference>
-	<Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
+        <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-separate">
           <title>Separate file systems for important locations</title>
           <description>
             Having a separate file system for important locations has several advantages, but
@@ -331,11 +447,42 @@
               <h:li>
                 <h:code>/tmp</h:code> as this is a world-writable location and requires
                 specific mount options. When possible, this location can be made a 
-                <h:em>tmpfs</h:em> file system.
+                <h:em>tmpfs</h:em> file system. This is to protect the root file system
+                from being flooded.
+              </h:li>
+              <h:li>
+                <h:code>/var</h:code> as this contains variable data (and thus is prone
+                to grow extensively depending on the installed services). This is to protect
+                the root file system from being flooded.
+              </h:li>
+              <h:li>
+                <h:code>/var/log</h:code> as this contains logging data (and thus is prone
+                to grow extensively depending on the services). This is to protect the 
+                <h:code>/var</h:code> file system from being flooded, as this might impact
+                various services (like databases, web servers, etc.).
+              </h:li>
+              <h:li>
+                <h:code>/var/log/audit</h:code> as this contains (potentially sensitive)
+                logging data. Some services refuse to continue if the audit target location
+                is full. Having the location separate from <h:code>/var/log</h:code> protects
+                the audit file system when <h:code>/var/log</h:code> would be flooded.
+              </h:li>
+              <h:li>
+                <h:code>/home</h:code> as this is completely under the control of end users.
+                It needs to be mounted with more secure settings (more about that later) and
+                should be separate both to protect the root file system, but also to allow
+                the <h:code>/home</h:code> location to be either shared or used elsewhere.
+              </h:li>
+              <h:li>
+                <h:code>/var/tmp</h:code> which is a "second" <h:code>/tmp</h:code> location,
+                but where the content is preserved after a reboot. Still, it is world-writable
+                and requires specific mount options, and should be on a different file system
+                to prevent <h:code>/var</h:code> to be flooded which might impact the
+                availability of services.
               </h:li>
             </h:ul>
           </description>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false">
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp" selected="false" severity="medium" weight="4.6">
             <title>Test if /tmp is a separate file system</title>
             <fixtext>
               Create a file system for <h:code>/tmp</h:code>; make sure it is added in
@@ -345,72 +492,60 @@
               <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="gentoo-oval.xml" />
             </check>
           </Rule>
-	</Group>
-        <Group id="xccdf_org.gentoo.dev.swift_group_installation-storage-partitioning-home">
-          <title>/home Location</title>
-          <description>
-            The <h:code>/home</h:code> location should be on its own partition,
-            allowing the administrator to mount this location with specific
-            options targetting the file systems' security settings or quota. It
-            also prevents the system to become unresponsive when a user starts
-            filling up his home directory, although quota support can be used
-            to mitigate this risk as well.
-            <h:br />
-            <h:br />
-            Next to the separate file system, it should also be mounted with
-            the <h:em>nosuid</h:em> mount option. When a vulnerability in a
-            software, or a rogue user, would somehow place a setuid binary in
-            this home directory in order to create a simple backdoor to gain
-            root privileges, this mount option disables the setuid ability.
-            <h:br />
-            <h:br />
-            There is also no reason for the <h:code>/home</h:code> location to
-            contain any device files, so mount it with <h:em>nodev</h:em> too.
-            If an attacker would somehow be able to create sensitive device files
-            with the rights for him to read/write to those device files, then he
-            might be able to impact the system security.
-          </description>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false">
-            <title>Test if /home is a separate partition</title>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var" selected="false" severity="medium" weight="4.6">
+            <title>Test if /var is a separate file system</title>
             <fixtext>
-              Create a file system for the user home files and mount it at <h:code>/home</h:code>
-              after migrating the users' files to it.
+              Create a file system for <h:code>/var</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
             </fixtext>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="gentoo-oval.xml" />
             </check>
           </Rule>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false">
-            <title>Test if /home is mounted with nosuid</title>
-            <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
-            <!-- TODO can we put in multiple fixes? I would like to add in one
-                 that asks the user (not automatically) to update fstab -->
-            <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
-              system="urn:xccdf:fix:system:commands"
-              platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
-mount -o remount,nosuid /home
-            </fix>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog" selected="false" severity="low" weight="2.1">
+            <title>Test if /var/log is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/var/log</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="gentoo-oval.xml" />
             </check>
           </Rule>
-          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false">
-            <title>Test if /home is mounted with nodev</title>
-            <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
-            <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
-              system="urn:xccdf:fix:system:commands"
-              platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
-mount -o remount,nodev /home
-            </fix>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit" selected="false" severity="low" weight="2.1">
+            <title>Test if /var/log/audit is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/var/log/audit</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="gentoo-oval.xml" />
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home" selected="false" severity="medium" weight="4.6">
+            <title>Test if /home is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/home</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="gentoo-oval.xml" />
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-vartmp" selected="false" severity="low" weight="2.1">
+            <title>Test if /var/tmp is a separate file system</title>
+            <fixtext>
+              Create a file system for <h:code>/var/tmp</h:code>; make sure it is added in
+              the <h:code>/etc/fstab</h:code> file and reboot the system.
+            </fixtext>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+              <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="gentoo-oval.xml" />
             </check>
           </Rule>
         </Group>
       </Group>
     </Group>
-    <!-- 
-    <Group id="gt-installation-toolchain">
+    <Group id="xccdf_org.gentoo.dev.swift_group_installation-toolchain">
       <title>Use a Hardened Toolchain</title>
       <description>
         When you install Gentoo, use the hardened stages and hardened toolchain.
@@ -418,12 +553,25 @@ mount -o remount,nodev /home
         support for non-executable program stacks and buffer overflow detection.
         <h:br />
         <h:br />
+        <h:ul>
+          <h:li>
+            <h:em>Position Independent Executables (PIE)</h:em> and <h:em>Position Independent
+            Code (PIC)</h:em> implements a memory hardening approach where the application
+            (or library), when loaded to memory, does not have hard requirements where in
+            memory it is loaded. Together with ASLR this makes it more difficult for exploits
+            to know at which memory region certain data will be available.
+          </h:li>
+          <h:li>
+            <h:em>Stack Smashing Protection (SSP)</h:em> adds markers outside buffer areas
+            to detect buffer overflow attacks, killing the application rather than effectively
+            having the overflow succeed.
+          </h:li>
+        </h:ul>
         During installation, make sure that the <h:em>default</h:em> hardened
         toolchain is selected, not one of the <h:code>-hardenedno*</h:code> as
         those are toolchains where specific settings are disabled. The
         <h:code>-vanilla</h:code> one is a toolchain with no hardened patches.
-        <h:pre>
-# <h:b>gcc-config -l</h:b>
+        <h:pre># <h:b>gcc-config -l</h:b>
  [1] x86_64-pc-linux-gnu-4.4.5 *
  [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
  [3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref
@@ -431,7 +579,19 @@ mount -o remount,nodev /home
  [5] x86_64-pc-linux-gnu-4.4.5-hardenednossp
  [6] x86_64-pc-linux-gnu-4.4.5-vanilla</h:pre>
       </description>
-    </Group>
+      <Rule id="xccdf_org.gentoo.dev.swift_rule_installation-toolchain-hardened" selected="false" severity="low" weight="0.0">
+        <title>Test if the hardened toolchain is used</title>
+        <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_installation-toolchain-hardened">
+          Use a hardened Gentoo profile and select the default compiler (not vanilla
+          nor any of the hardenedno* ones).
+        </fixtext>
+        <check system="http://open-scap.org/page/SCE">
+          <check-import import-name="stdout" />
+          <check-content-ref href="bin/gentoo-sce_installation-toolchain-hardened.sh" />
+        </check>
+      </Rule>
+    </Group> <!-- installation-toolchain -->
+    <!-- 
     <Group id="gt-installation-selinux">
       <title>Use a Mandatory Access Control system</title>
       <description>
@@ -452,84 +612,231 @@ mount -o remount,nodev /home
       <reference href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux project page</reference>
     </Group>
     -->
-  </Group>
-  <!-- 
-  <Group id="gt-system">
-    <title>System Settings</title>
+  </Group> <!-- installation -->
+  <Group id="xccdf_org.gentoo.dev.swift_group_system">
+    <title>System settings</title>
     <description>
-      Within this chapter, we describe the (recommended) settings that can be
-      adjusted relatively easily, even when a Gentoo installation has already
-      been performed. This is the bulk of the security settings.
+      Within this chapter, the (recommended) settings that can be adjusted relatively easily
+      are presented, even when a Gentoo installation has already been performed. This is the
+      bulk of the security settings.
     </description>
-    <Group id="gt-system-mounts">
-      <title>Mounts and Mount Points</title>
+    <Group id="xccdf_org.gentoo.dev.swift_group_system-fs">
+      <title>File system related settings</title>
       <description>
-        When mounting file systems, options can be presented that add or remove
-        features from the mount point. Some of these options can be used to
-        restrict actions taken or originating from the file system.
-        <h:br />
-        <h:br />
-        Mount options can be set in <h:code>/etc/fstab</h:code> in the fourth column.
-        <h:pre>
-# <h:b>vim /etc/fstab</h:b>
-[...]
-tmpfs      /tmp      tmpfs      defaults<h:b>,nosuid,noexec,nodev</h:b>   0 0</h:pre>
-        <h:br />
-        Important mount options that are used later are:
-        <h:ul>
-          <h:li>
-            <h:code>nosuid</h:code> will ignore SUID bits on binaries. If such
-            a binary is encountered, it is executed as if it did not have the SUID
-            bit set.
-          </h:li>
-          <h:li>
-            <h:code>noexec</h:code> will prevent direct execution of files or
-            binaries from this partition.
-          </h:li>
-          <h:li>
-            <h:code>nodev</h:code> will ignore device files in this partition.
-          </h:li>
-        </h:ul>
-        <h:br />
-        Even though these mount options can be worked around, it is a first line
-        of defence against popular exploits and worms.
+        Servers and systems are about manipulating data. In this chapter, the security settings
+        for file systems are explained.
       </description>
-      <Group id="gt-system-mounts-tmp">
-        <title>Temporary Files</title>
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-mountoptions">
+        <title>Appropriate mount options for the file systems</title>
         <description>
-          The <h:code>/tmp</h:code> location is world writable, allowing for
-          any service to put temporary files in it that are required during
-          service operation.
+          Non-root file systems should be mounted with the <h:em>nodev</h:em> mount option.
+          This mount option ensures that device files are not allowed on these file systems
+          (and if they are there, they are ignored by the Linux kernel for any device
+          operation).
           <h:br />
           <h:br />
-          This location should be a tmpfs file system (so that its content is
-          cleared during shut down or reboot) and mounted with nosuid,noexec and
-          nodev mount options (to reduce the impact when an exploit is attempted from
-          within this location).
-          <h:pre>
-tmpfs   /tmp   tmpfs       defaults,nosuid,noexec,nodev     0 0</h:pre>
-          Also, the location must have the sticky bit set (cfr the trailing 't' in the
-          output of <h:b>ls -ld</h:b>).
-          <h:pre>
-# <h:b>ls -ld /tmp</h:b>
-drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
-          Of course, using <h:code>tmpfs</h:code> does not give you freedom nor a 
-          secure means to write security sensitive information in <h:code>/tmp</h:code>.
-        </description>
-      </Group>
-      <Group id="gt-system-mounts-home">
-        <title>Home Directories</title>
-        <description>
-          The <h:code>/home</h:code> location is used to host end user files.
-          To reduce the risk of an exploit being launched, it is adviseable to
-          mount this partition with the <h:code>nosuid,nodev</h:code> mount options.
+          Having device files on non-root file systems could allow unauthorized people access
+          to sensitive data (for instance when having a readable raw disk device files) or
+          even manipulate the system.
           <h:br />
-          <h:pre>
-/dev/mapper/volgrp-home   /home   ext4     noatime,nosuid,nodev,data=journal   0 2</h:pre>
+          <h:br />
+          The privilege to create special device files (beyond regular sockets) such as
+          character and block device files is handled through the CAP_MKNOD capability
+          which is not granted to regular users. As such, the risk is when more privileged
+          users or processes are tricked to create such device files.
+          <h:br />
+          <h:br />
+          This setting is appropriate for file systems such as (non-exhaustive list):
+          <h:ul>
+            <h:li>
+              <h:code>/var</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/var/log</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/var/log/audit</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/home</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+            <h:li>
+              <h:code>/tmp</h:code> (as it is recommended to be a separate file system)
+            </h:li>
+          </h:ul>
+          Specific file systems should also be mounted with the <h:em>nosuid</h:em> mount
+          option. This prevents setuid binaries to run as a different user when hosted
+          on this file system. As there are several locations where setuid binaries might
+          be needed, this only affects particular file systems:
+          <h:ul>
+            <h:li>
+              The <h:code>/tmp</h:code> file system should not be used for setuid binaries
+              as this is a world-writable location and often target storage for attacks.
+            </h:li>
+            <h:li>
+              The <h:code>/home</h:code> file system should not be used for setuid binaries
+              as this is the home location for non-root users.
+            </h:li>
+            <h:li>
+              The <h:code>/dev/shm</h:code> file system should not be used for any binaries
+              (shared memory region).
+            </h:li>
+          </h:ul>
+          Specific file systems should also be mounted with the <h:em>noexec</h:em> mount
+          option. This prevents some automated attacks to execute certain payload (exploits)
+          from these locations.
+          <h:br />
+          <h:br />
+          This is just one of the many "layers" though, as executing payload can still be
+          done using different methods. For instance, scripts can be invoked through the
+          shell itself (rather than directly) and in the past, binaries could even be
+          executed through the <h:code>ld-linux.so</h:code> binary (although this has
+          been fixed).
+          <h:br />
+          <h:br />
+          File systems for which <h:em>noexec</h:em> is recommended are:
+          <h:ul>
+            <h:li>
+              The <h:code>/tmp</h:code> file system as it is a popular target to store exploit
+              code in.
+            </h:li>
+            <h:li>
+              The <h:code>/dev/shm</h:code> file system as it is meant as a shared memory
+              location and is becoming a popular target to store exploit code in.
+            </h:li>
+          </h:ul>
         </description>
-      </Group>
-      <Group id="gt-system-mounts-quotas">
-        <title>Quota's</title>
+        <!-- CVSS2 AV:L/Au:M/C:C/I:C/A:C (high complexity as device node needs
+             to be created first and is then only exploitable after local access.
+             Multiple authentication (one to create device file, one to log on)
+        -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-var-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /var is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev">Mount /var with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-var-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlog-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /var/log is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev">Mount /var/log with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlog-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var/log
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-varlogaudit-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /var/log/audit is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev">Mount /var/log/audit with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-varlogaudit-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /var/log/audit
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nodev" selected="false" severity="low" weight="5.9">
+          <title>Test if /home is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev">Mount /home with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /home
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:4" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <!-- Higher severity due to more best practices and world writeable,
+             also more likely that exploit of process is done towards /tmp -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nodev" selected="false" severity="medium" weight="5.9">
+          <title>Test if /tmp is mounted with nodev</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev">Mount /tmp with nodev mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nodev"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nodev /tmp
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-nosuid" selected="false" severity="medium" weight="5.9">
+          <title>Test if /tmp is mounted with nosuid</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid">Mount /tmp with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-nosuid"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /tmp
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-home-nosuid" selected="false" severity="low" weight="5.9">
+          <title>Test if /home is mounted with nosuid</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid">Mount /home with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-home-nosuid"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /home
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-nosuid" selected="false" severity="medium" weight="5.9">
+          <title>Test if /dev/shm is mounted with nosuid</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid">Mount /dev/shm with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-nosuid"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,nosuid /dev/shm
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <!-- Weight is 0 as this is a means to exploit, not exploitable by
+             itself -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-tmp-noexec" selected="false" severity="medium" weight="0.0">
+          <title>Test if /tmp is mounted with noexec</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec">Mount /tmp with noexec mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-tmp-noexec"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,noexec /tmp
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_partition-devshm-noexec" selected="false" severity="medium" weight="0.0">
+          <title>Test if /dev/shm is mounted with noexec</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec">Mount /dev/shm with nosuid mount option</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_partition-devshm-noexec"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+mount -o remount,noexec /dev/shm
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+      </Group> <!-- system-fs-mountoptions -->
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-fs-quotas">
+        <title>Disk quota support</title>
         <description>
           Most file systems support the notion of <h:em>quotas</h:em> - limits
           on the amount of data / files you are allowed to have on that
@@ -541,15 +848,13 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
           <h:br />
           <h:br />
           Next, install the <h:code>sys-fs/quota</h:code> package.
-          <h:pre>
-# <h:b>emerge quota</h:b></h:pre>
+          <h:pre># <h:b>emerge quota</h:b></h:pre>
           Then add <h:code>usrquota</h:code> and <h:code>grpquota</h:code> to
           the partitions (in <h:code>/etc/fstab</h:code>) where you want to
           enable quotas on. For instance, the following snippet from
           <h:code>/etc/fstab</h:code> enables quotas on <h:code>/var</h:code>
           and <h:code>/home</h:code>.
-          <h:pre>
-/dev/mapper/volgrp-home  /home  ext4  noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b>  0 0
+          <h:pre>/dev/mapper/volgrp-home  /home  ext4  noatime,nodev,nosuid,<h:b>usrquota,grpquota</h:b>  0 0
 /dev/mapper/volgrp-var   /var   ext4  noatime,<h:b>usrquota,grpquota</h:b>               0 0
 </h:pre>
           Finally, add the <h:code>quota</h:code> service to the boot runlevel.
@@ -563,10 +868,17 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
         href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas">Managing
         Disk Usage with Quotas (LinuxHomeNetworking)</reference>
         <reference href="http://www.gentoo.org/doc/en/kernel-config.xml#shorthand">Gentoo Linux Kernel Configuration - shorthand notation information</reference>
-      </Group>
-    </Group>
-    <Group id="gt-system-services">
-      <title>Services</title>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_kernel-quota" selected="false" severity="low" weight="1.7">
+          <title>Test if the kernel supports quota (CONFIG_QUOTA)</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_kernel-quota">Rebuild the Linux kernel with quota support (CONFIG_QUOTA)</fixtext>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+      </Group> <!-- system-fs-quotas -->
+    </Group> <!-- system-fs -->
+    <Group id="xccdf_org.gentoo.dev.swift_group_system-services">
+      <title>System services</title>
       <description>
         Services (daemons) are the primary reason for a server to exist.
         They represent the function of the server. For instance, a web server
@@ -574,20 +886,20 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
         named service.
         <h:br />
         <h:br />
-        In this benchmark, we will only focus on those services that are either
+        In this benchmark, the focus is on those services that are either
         default available on a Gentoo installation (like SSHd) or that are 
         commonly used in Gentoo server architectures (like rsync). For the other
-        services, we refer to other benchmarks.
+        services it is wise to consult other hardening guides specific for those
+        services.
       </description>
       <reference href="http://www.cisecurity.org">Center for Internet Security,
       host of many service benchmarks</reference>
-      <Group id="gt-system-services-disable">
-        <title>Disable Unsafe Services</title>
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-disable">
+        <title>Disable unsafe services</title>
         <description>
-          We recommend not to enable the following services unless absolutely
-          necessary. These services use plain-text protocols and as thus unsafe
-          to use on untrusted networks (like the Internet, but also internal
-          networks).
+          It is recommended to disable (or even uninstall) the following services unless
+          absolutely necessary. These services use plain-text protocols and are as such unsafe
+          to use on (untrusted) networks.
           <h:ul>
             <h:li>Telnet service</h:li>
             <h:li>FTP Service</h:li>
@@ -596,25 +908,76 @@ drwxrwxrwt  9 root root  260  Dec 27  16:00  /tmp</h:pre>
           It is recommended to substitute these services with their more secure
           counterparts (like sFTP, SSH, ...).
         </description>
+        <!-- Max score: password in clear text and your system is compromised (if it is root) -->
+	<Rule id="xccdf_org.gentoo.dev.swift_rule_telnetd-notrunning" selected="false" severity="high" weight="10.0">
+          <title>Test if no telnet daemons are running</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning">Stop telnet services</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_telnetd-notrunning"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+for service in /etc/init.d/*telnet*; do test -f ${service} &amp;&amp; run_init rc-service ${service##*/} stop; done
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <!-- Partial breach, assuming accounts are not system accounts -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_ftpd-notrunning" selected="false" severity="medium" weight="7.5">
+          <title>Test if no FTP daemons are running</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning">Stop FTPd services</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_ftpd-notrunning"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="high" reboot="false">
+for service in /etc/init.d/*ftp*; do test -f ${service} &amp;&amp; run_init rc-service ${service##*/} stop; done
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
       </Group>
-      <Group id="gt-system-services-sulogin">
-        <title>Require Single-User Boot to Give Root Password</title>
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-sulogin">
+        <title>Require single-user boot to give root password</title>
         <description>
           When a system is booted in single user mode, some users might find it
-          handy to immediately get a root prompt; others even have a specific
+          handy to immediately get a root prompt; many even have a specific
           bootloader entry to boot in single user mode.
           <h:br />
           <h:br />
           It is important that, for a more secure server environment, even
           booting in single user mode requires the user to enter the root
-          password. This is already done by default in Gentoo and is part of
-          <h:code>/etc/inittab</h:code>'s definition:
-          <h:pre>
-su0:S:wait:/sbin/rc single
+          password. This is already done by default in Gentoo through the
+          <h:code>rc_shell</h:code> variable in <h:code>/etc/rc.conf</h:code>.
+          <h:br />
+          <h:br />
+          Administrators should also make sure that no direct shells are provided
+          in <h:code>/etc/inittab</h:code> for single-user mode. Gentoo's
+          <h:code>/etc/inittab</h:code> definition should look like so:
+          <h:pre>su0:S:wait:/sbin/rc single
 <h:b>su1:S:wait:/sbin/sulogin</h:b></h:pre>
         </description>
+        <!-- CVSS2: AV:L/AC:H/Au:S/C:C/I:C/A:C (high attack complexity due to console access) -->
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_rcconf-sulogin" selected="false" severity="medium" weight="6.0">
+          <title>Test if sulogin is used for single-user boot (/etc/rc.conf)</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin">Set /sbin/sulogin for rc_shell</fixtext>
+          <fix id="xccdf_org.gentoo.dev.swift_fix_rcconf-sulogin"
+            system="urn:xccdf:fix:system:commands"
+            platform="cpe:/o:gentoo:linux" complexity="low" disruption="low" reboot="false">
+sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf
+          </fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:21" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_inittab-sulogin" selected="false" severity="medium" weight="6.0">
+          <title>Test if sulogin is used for single-user boot (/etc/inittab)</title>
+          <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_inittab-sulogin">Set /sbin/sulogin or '/sbin/rc single' for single-user boot</fixtext>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:org.gentoo.dev.swift:def:22" href="gentoo-oval.xml" />
+          </check>
+        </Rule>
+
       </Group>
-      <Group id="gt-system-services-tcpwrappers">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-tcpwrappers">
         <title>Properly Configure TCP Wrappers</title>
         <description>
           With TCP wrappers, services that support TCP wrappers (or those
@@ -628,7 +991,7 @@ su0:S:wait:/sbin/rc single
           <h:b>man 5 hosts_access</h:b>.
         </description>
       </Group>
-      <Group id="gt-system-services-ssh">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ssh">
         <title>SSH Service</title>
         <description>
           The SSH service is used for secure remote access towards a system, but
@@ -639,13 +1002,13 @@ su0:S:wait:/sbin/rc single
           Please use the "Hardening OpenSSH" guide for the necessary instructions.
         </description>
       </Group>
-      <Group id="gt-system-services-cron">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron">
         <title>Cron Service</title>
         <description>
           A cron service is used to schedule tasks and processes on predefined
           times. Cron is most often used for regular maintenance tasks.
         </description>
-        <Group id="gt-system-services-cron-acl">
+        <Group id="xccdf_org.gentoo.dev.swift_group_system-services-cron-acl">
           <title>Only Allow Trusted Accounts Cron Access</title>
           <description>
             Only allow trusted accounts to use cron. You should list trusted
@@ -653,14 +1016,14 @@ su0:S:wait:/sbin/rc single
           </description>
         </Group>
       </Group>
-      <Group id="gt-system-services-at">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at">
         <title>At Service</title>
         <description>
           The at service allows users to execute a task once on a given time.
           Unlike cron, this is not scheduled repeatedly - once executed, the
           task is considered completed and at will not invoke it again.
         </description>
-        <Group id="gt-system-services-at-acl">
+        <Group id="xccdf_org.gentoo.dev.swift_group_system-services-at-acl">
           <title>Only Allow Trusted Accounts At Access</title>
           <description>
             Only allow trusted accounts to use at. You should list trusted
@@ -668,7 +1031,7 @@ su0:S:wait:/sbin/rc single
           </description>
         </Group>
       </Group>
-      <Group id="gt-system-services-ntp">
+      <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp">
         <title>NTP Service</title>
         <description>
           With NTP, systems can synchronise their clocks, ensuring correct date
@@ -676,7 +1039,7 @@ su0:S:wait:/sbin/rc single
           cause misinterpretation of log files or even unwanted execution of
           commands.
         </description>
-        <Group id="gt-system-services-ntp-sync">
+        <Group id="xccdf_org.gentoo.dev.swift_group_system-services-ntp-sync">
           <title>Synchronise The System Clock</title>
           <description>
             Synchronise your systems' clock with an authorative NTP server, and
@@ -690,6 +1053,11 @@ su0:S:wait:/sbin/rc single
         </Group>
       </Group>
     </Group>
+  </Group> <!-- system -->
+    <!--
+    <Group id="gt-system-services">
+      
+    </Group>
     <Group id="gt-system-portage">
       <title>Portage Settings</title>
       <description>
-- 
cgit v1.2.3-65-gdbad