Introduce a new SELinux section of the guide and its first rule,
which checks whether SELinux is enabled in the currently
booted kernel.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 0e491f63c5239146f6db353e5a3b7a5785a34bb8 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 4 Oct 2013 18:56:07 +0200
Subject: [PATCH] [Fedora] Introduce 'Ensure SELinux Not Disabled in Currently
 Running Kernel' rule


Signed-off-by: Jan Lieskovsky <[email protected]>
---
 .../checks/enable_selinux_in_running_kernel.xml    | 24 +++++++
 Fedora/input/guide.xml                             |  2 +-
 Fedora/input/guide.xslt                            |  1 +
 Fedora/input/profiles/common.xml                   |  1 +
 Fedora/input/system/selinux.xml                    | 78 ++++++++++++++++++++++
 Fedora/scap-security-guide.spec                    |  5 +-
 6 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 Fedora/input/checks/enable_selinux_in_running_kernel.xml
 create mode 100644 Fedora/input/system/selinux.xml

diff --git a/Fedora/input/checks/enable_selinux_in_running_kernel.xml b/Fedora/input/checks/enable_selinux_in_running_kernel.xml
new file mode 100644
index 0000000..15eabf0
--- /dev/null
+++ b/Fedora/input/checks/enable_selinux_in_running_kernel.xml
@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="enable_selinux_in_running_kernel" version="1">
+    <metadata>
+      <title>Ensure SELinux Not Disabled in Currently Running Kernel</title>
+      <affected family="unix">
+        <platform>Fedora 19</platform>
+      </affected>
+      <description>
+      Ensure SELinux is not disabled in the currently running Linux kernel.
+      </description>
+    </metadata>
+    <criteria comment="ensure SELinux is not disabled in the currently running Linux kernel" operator="AND">
+      <criterion comment="verify selinuxfs present in /proc/mounts file" test_ref="test_ensure_selinuxfs_in_proc_mounts" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check for existence of selinuxfs in /proc/mounts file" id="test_ensure_selinuxfs_in_proc_mounts" version="1" >
+    <ind:object object_ref="obj_ensure_selinuxfs_in_proc_mounts" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_ensure_selinuxfs_in_proc_mounts" version="1">
+    <ind:filepath>/proc/mounts</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*selinuxfs\s*/sys/fs/selinux\s*selinuxfs\s*rw,relatime\s*0\s*0\s*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
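Review bot: The regular expression on the `ind:pattern` line pins the selinuxfs entry to the exact option string `rw,relatime`, so a host whose selinuxfs is mounted with any other or additional option fails the test even though SELinux is enabled in the running kernel, turning the rule into a false finding rather than a detection of `selinux=0`. The definition only needs to prove that selinuxfs is mounted at its expected path, so the options field can be left free-form and the field separators tightened to `\s+`: `^\s*selinuxfs\s+/sys/fs/selinux\s+selinuxfs\s+\S+\s+0\s+0\s*$`. The `check_existence="only_one_exists"` plus `instance equals 1` combination additionally reports a host with two selinuxfs mount entries as non-compliant; if that is intended, state it in the test's `comment` attribute so later readers do not loosen it by accident.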
diff --git a/Fedora/input/guide.xml b/Fedora/input/guide.xml
index 8d21fe8..ee40e47 100644
--- a/Fedora/input/guide.xml
+++ b/Fedora/input/guide.xml
@@ -36,5 +36,5 @@ trademarks or trademarks of Red Hat, Inc. in the United States and other
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</rear-matter>
 <platform idref="cpe:/o:fedoraproject:fedora:19" />
-<version>0.0.3</version>
+<version>0.0.4</version>
 </Benchmark>
diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt
index a24bdd9..27025d6 100644
--- a/Fedora/input/guide.xslt
+++ b/Fedora/input/guide.xslt
@@ -24,6 +24,7 @@
     <xsl:copy>
       <xsl:copy-of select="@*|node()" />
       <xsl:apply-templates select="document('system/software/software.xml')" />
+      <xsl:apply-templates select="document('system/selinux.xml')" />
     </xsl:copy>
   </xsl:template>
 
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index a7d856f..497b736 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
@@ -6,5 +6,6 @@
 <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
 <select idref="ensure_yum_fedora_updates_repo_enabled" selected="true"/>
 <select idref="security_patches_up_to_date" selected="true"/>
+<select idref="enable_selinux_in_running_kernel" selected="true"/>
 
 </Profile>
diff --git a/Fedora/input/system/selinux.xml b/Fedora/input/system/selinux.xml
new file mode 100644
index 0000000..b89e235
--- /dev/null
+++ b/Fedora/input/system/selinux.xml
@@ -0,0 +1,78 @@
+<Group id="selinux">
+<title>SELinux</title>
+<description>SELinux is a feature of the Linux kernel which can be
+used to guard against misconfigured or compromised programs.
+SELinux enforces the idea that programs should be limited in what
+files they can access and what actions they can take.
+<br /><br />
+The default SELinux policy, as configured on Fedora, has been
+sufficiently developed and debugged that it should be usable on
+almost any Fedora machine with minimal configuration and a small
+amount of system administrator training. This policy prevents
+system services - including most of the common network-visible
+services such as mail servers, FTP servers, and DNS servers - from
+accessing files which those services have no valid reason to
+access. This action alone prevents a huge amount of possible damage
+from network attacks against services, from trojaned software, and
+so forth.
+<br /><br />
+This guide recommends that SELinux be enabled using the
+default (targeted) policy on every Fedora system, unless that
+system has requirements which make a stronger policy
+appropriate.
+</description>
+
+<Group id="enabling_selinux">
+<title>Enable SELinux</title>
+<description>Edit the file <tt>/etc/selinux/config</tt>. Add or correct the
+following lines:
+<pre>
+SELINUX=enforcing
+SELINUXTYPE=targeted
+</pre>
+The directive <tt>SELINUX=enforcing</tt> enables SELinux at boot time.
+If SELinux is suspected of involvement with boot-time problems
+(unlikely), it is possible to boot into the warning-only mode
+<tt>SELINUX=permissive</tt> for debugging purposes. Make certain to change
+the mode back to enforcing after debugging, set the filesystems to
+be relabeled for consistency using the command <tt>touch
+/.autorelabel</tt>, and reboot.
+<br /><br />
+However, the Fedora default SELinux configuration should be
+sufficiently reasonable that most systems will boot without serious
+problems. Some applications that require deep or unusual system
+privileges, such as virtual machine software, may not be compatible
+with SELinux in its default configuration. However, this should be
+uncommon, and SELinux's application support continues to improve.
+In other cases, SELinux may reveal unusual or insecure program
+behavior by design.
+<br /><br />
+The directive <tt>SELINUXTYPE=targeted</tt> configures SELinux to use
+the default targeted policy.
+<br /><br />
+The SELinux boot mode specified in <tt>/etc/selinux/config</tt> can be
+overridden by command-line arguments passed to the kernel. It is
+necessary to check <tt>/etc/grub2.cfg</tt>, <tt>/etc/default/grub</tt>,
+and <tt>grub2-mkconfig</tt> templates from <tt>/etc/grub.d</tt> to ensure
+that this has not been done and to protect the boot process.
+</description>
+
+<Rule id="enable_selinux_in_running_kernel" severity="medium">
+<title>Ensure SELinux Not Disabled in Currently Running Kernel</title>
+<description>
+SELinux can be disabled at boot time via a <tt>selinux=0</tt> kernel
+boot command-line parameter. Remove any instances of <tt>selinux=0</tt>
+from the kernel boot command-line arguments to prevent SELinux from being
+disabled at boot.
+</description>
+<rationale>
+Disabling a major host protection feature, such as SELinux, at boot time prevents
+it from confining system services at boot time. Further, it increases
+the chances that it will remain off during system operation.
+</rationale>
+<oval id="enable_selinux_in_running_kernel" />
+<ref nist="AC-3,AC-3(3),AC-6,AU-9" disa="22,32"/>
+</Rule>
+</Group>
+
+</Group>
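Review bot: The `<description>` of Rule `enable_selinux_in_running_kernel` gives only the remediation (remove `selinux=0` from the kernel command line) and never says what state the check assesses, even though the title promises a check of the currently running kernel, so a reader cannot tell whether a pass reflects the boot parameters or the live system. Add a sentence naming the evidence, e.g. `The check verifies that the <tt>selinuxfs</tt> pseudo-filesystem appears in <tt>/proc/mounts</tt>, which the OVAL definition uses as the indicator that SELinux was not disabled at boot.` The description also says where to remove the parameter only indirectly, since the grub2 files are named in the parent group text above the Rule; repeating the file names (or pointing to that paragraph) lets the Rule read on its own.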
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index d7118e1..58c6ec1 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
 # file one level up - in the main scap-security-guide directory (instead of
 # this one).
 
-%global	fedorassgrelease	2.rc2
+%global	fedorassgrelease	2.rc3
 
 Name:		scap-security-guide
 Version:	0.1
@@ -50,6 +50,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/xml/scap/ssg/fedora/19/*
 
 %changelog
+* Fri Oct 04 2013 Jan iankko Lieskovsky <[email protected]> 0.1-2.rc3
+- Introduce 'Ensure SELinux Not Disabled in Currently Running Kernel' rule.
+
 * Thu Oct 03 2013 Jan iankko Lieskovsky <[email protected]> 0.1-2.rc2
 - Introduce 'Ensure Yum fedora-updates Repository Enabled' rule.
 - Introduce 'Ensure Software Security Patches Installed' rule.
-- 
1.7.11.7
