Shawn, Frank,
> Jan,
>
> Doh. The '/selinux/enforce' was RHEL 6 - for Fedora 19 - it's
> '/sys/fs/selinux/enforce'
>
> -Frank
>
>
> On 10/04/2013 02:49 PM, [email protected] wrote:
>
>
>
> Jan,
>
> You might consider checking if the '/selinux/enforce' file exists and the
> file contains '1' (1 is enforcing). That would ensure that SELinux enabled
> and enforcing the policy.
>
> Regards,
>
> Frank Caviggia
>
>
> On 10/04/2013 01:11 PM, Jan Lieskovsky wrote:
>
>
>
> Introduce new SELinux section of the guide and first rule
> for it - check if SELinux is enabled in currently
> booted kernel.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
>
> Within the OVAL:
>
> + <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
> comment="check for existence of selinuxfs in /proc/mounts file"
> id="test_ensure_selinuxfs_in_proc_mounts" version="1" >
> + <ind:object object_ref="obj_ensure_selinuxfs_in_proc_mounts" />
> + </ind:textfilecontent54_test>
> + <ind:textfilecontent54_object id="obj_ensure_selinuxfs_in_proc_mounts"
> version="1">
> + <ind:filepath>/proc/mounts</ind:filepath>
> + <ind:pattern operation="pattern
> match">^\s*selinuxfs\s*/sys/fs/selinux\s*selinuxfs\s*rw,relatime\s*0\s*0\s*$</ind:pattern>
> + <ind:instance datatype="int" operation="equals">1</ind:instance>
> + </ind:textfilecontent54_object>
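Review bot: the regex in the `<ind:pattern>` element hard-codes both the mount point `/sys/fs/selinux` and the option string `rw,relatime`, so the test fails on RHEL 6, where the output later in this thread shows `none /selinux selinuxfs rw,relatime 0 0`, and on any kernel whose selinuxfs mount options differ (nosuid/noexec are not unusual). Matching on the filesystem-type field alone, e.g. `^\S+\s+\S+\s+selinuxfs\s+`, tests exactly what the comment promises (selinuxfs present in /proc/mounts) without tying the rule to one distribution's layout. Also, `operation="pattern match"` has been split across two lines by the mail client; worth confirming the committed XML is intact.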
>
>
> Caviggia and I were chatting earlier today.... while the /proc/mounts
> reflects that selinux is loaded into the kernel, IIRC, it doesn't indicate
> that it's actually *enforcing* on the system.
That proposed test should truly only check if SELinux is loaded in the currently
running kernel (there will be another rule for checking if SELinux is in
enforcing state yet). The reason for separation is as follows:
* SELinux completely disabled? ====> fix / remediate it by setting SELINUX in
  /etc/selinux/config to 'enforcing' value [fix the config] and export the
  "reboot" variable - ensure the reboot is needed [fix the next running
  environment]
* SELinux is in permissive mode? ====> fix / remediate it by setting SELINUX in
  /etc/selinux/config to 'enforcing' value [fix the config] and also call
  'setenforce 1' in user space [fix the actual running environment]
> This poses an interesting
> challenge...
>
> Within the RHEL6 content, we:
> - Check for selinux=1 within grub
This is OK for default boot command line form, but can't ensure user / admin
didn't provide selinux=0 on the kernel command line.
> - Check for SELINUX=enforcing within /etc/selinux/config
Again OK. But checks only configuration (again user / admin could do
'enforcing=0' on the command line and configuration wouldn't have impact on it).
>
> These checks do not reflect *runtime* enablement of SELinux, but
> unfortunately neither does /proc/mounts:
Based on libselinux, and should only check if SELinux file system is loaded in
the currently booted kernel. For enforcing there will be another test (above).
>
>
> [shawn@SSG-RHEL6 checks]$ getenforce
> Enforcing
>
> [shawn@SSG-RHEL6 checks]$ cat /proc/mounts | grep selinux
> none /selinux selinuxfs rw,relatime 0 0
>
> [shawn@SSG-RHEL6 checks]$ sudo setenforce 0
> [sudo] password for shawn:
>
> [shawn@SSG-RHEL6 checks]$ cat /proc/mounts | grep selinux
> none /selinux selinuxfs rw,relatime 0 0
>
> Is there another crafty way to verify that selinux is *enforcing*? Perhaps
> checking the value in /etc/selinux instead?
To split into subcases, I think there are two scenarios to check:
* in the configuration:
  - is enabled / is enforcing? => check /etc/selinux/config
* in the runtime:
  - is enabled? (IOW check if selinux=0/enforcing=0 wasn't provided on the
    kernel command line) => check if selinuxfs is mounted
  - is enforcing? - like Frank mentioned already, check
    /sys/fs/selinux/enforcing:

      # cat /sys/fs/selinux/enforce ; echo
      1
      # getenforce
      Enforcing
      # setenforce 0
      # cat /sys/fs/selinux/enforce ; echo
      0

The question is what should SSG check (if the system configuration is sane?, if
the running instance is safe?, or both?). If both, then we need to check all
four cases.
>
>
> [shawn@SSG-RHEL6 self]$ cat /selinux/enforce
> 1
> [shawn@SSG-RHEL6 self]$ sudo setenforce 0
>
> [shawn@SSG-RHEL6 self]$ cat /selinux/enforce
> 0
>
> If that's a non-reputable source of SELinux enablement, we should add an
> appropriate XCCDF and OVAL rule to Fedora & RHEL streams.
Like Frank already pointed out, on RHEL-6 the selinuxfs would be placed under
/selinux, therefore we should check /selinux/enforcing (=1 for enforcing, =0
for permissive) for RHEL-6.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
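Added example, not part of this thread and not scap-security-guide's own content: a POSIX shell script that implements the four checks the discussion separates (the configured SELINUX= value in /etc/selinux/config, selinux=0 or enforcing=0 on the kernel command line, selinuxfs present in /proc/mounts whatever its mount point, and the enforce pseudo-file under /sys/fs/selinux or /selinux). Function names, the SELINUX_CHECK_LIVE variable and the report layout are my own assumptions; every path defaults to the real file but is a parameter, so the checks can be exercised against constructed sample files as well as the live system.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): the four SELinux checks
# discussed in the thread, each reading a file path so it can run against
# the live system (default paths) or constructed sample files.

# Configuration: value of SELINUX= in /etc/selinux/config. Comment lines and
# surrounding whitespace are ignored; if set more than once, the last wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" | tail -n 1
}

# Configuration: true when the configured mode is "enforcing".
selinux_config_enforcing() {
    [ "$(selinux_config_mode "$1")" = "enforcing" ]
}

# Runtime: true when selinux=0 or enforcing=0 was passed on the kernel
# command line, which overrides the configuration file for this boot.
selinux_disabled_on_cmdline() {
    grep -qE '(^|[[:space:]])(selinux=0|enforcing=0)([[:space:]]|$)' \
        "${1:-/proc/cmdline}"
}

# Runtime: true when a selinuxfs is mounted, regardless of mount point
# (/selinux on RHEL 6, /sys/fs/selinux on Fedora 19) or mount options.
# Field 3 of a /proc/mounts line is the filesystem type.
selinuxfs_mounted() {
    awk '$3 == "selinuxfs" { found = 1 } END { if (found) exit 0; exit 1 }' \
        "${1:-/proc/mounts}"
}

# Runtime: returns 0 when the enforce file reads 1, 1 when it reads 0
# (permissive), 2 when no enforce file is readable (selinuxfs not mounted).
# With no argument both known locations are tried.
selinux_runtime_enforcing() {
    f="$1"
    if [ -z "$f" ]; then
        for c in /sys/fs/selinux/enforce /selinux/enforce; do
            if [ -r "$c" ]; then f="$c"; break; fi
        done
    fi
    [ -n "$f" ] && [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# All four checks against (config, cmdline, mounts, enforce) files: prints one
# line per check and returns the number of failed checks, so "configuration
# sane", "runtime safe" and "both" can be judged from one run.
selinux_report() {
    fails=0
    if selinux_config_enforcing "$1"; then echo "config: enforcing"
    else echo "config: $(selinux_config_mode "$1")"; fails=$((fails + 1)); fi
    if selinux_disabled_on_cmdline "$2"; then
        echo "cmdline: selinux disabled"; fails=$((fails + 1))
    else echo "cmdline: ok"; fi
    if selinuxfs_mounted "$3"; then echo "runtime: selinuxfs mounted"
    else echo "runtime: selinuxfs not mounted"; fails=$((fails + 1)); fi
    erc=0; selinux_runtime_enforcing "$4" || erc=$?
    case $erc in
        0) echo "runtime: enforcing" ;;
        1) echo "runtime: permissive"; fails=$((fails + 1)) ;;
        *) echo "runtime: enforce file unreadable"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Run against the live system only when explicitly asked (assumed variable).
if [ "${SELINUX_CHECK_LIVE:-0}" = "1" ]; then selinux_report; fi
```

Because selinux_report returns the failure count, `SELINUX_CHECK_LIVE=1 sh selinux_check.sh` exits 0 only when configuration and runtime agree on enforcing; the per-line output shows which of the four cases failed, which is the distinction the thread wants between fixing /etc/selinux/config and fixing the running kernel.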