For now we have decided to postpone submission
of this proposal until the question of whether the SCAP security
guide should check just system configuration,
or also the system runtime settings, is resolved
(and to focus on work on other sections of the guide).

We can propose a new version that, in the default run, would
check just system configuration settings and mark runtime
checks as 'notapplicable' in the default version (to be
set up / enabled by actual Fedora SCAP content users
if desired / required).

But it would be good to know your general opinion on the
topic (whether SSG should check just configuration, or also
runtime settings) to avoid this when submitting proposals
for new rules in the future.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

----- Original Message -----
> From: "Jan Lieskovsky" <[email protected]>
> To: [email protected]
> Sent: Friday, October 4, 2013 7:11:09 PM
> Subject: [PATCH] [Fedora] Introduce 'Ensure SELinux Not Disabled in Currently 
> Running Kernel' rule
> 
> 
> Introduce a new SELinux section of the guide and a first rule
> for it - check if SELinux is enabled in the currently
> booted kernel.
> 
> Please review.
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 0e491f63c5239146f6db353e5a3b7a5785a34bb8 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 4 Oct 2013 18:56:07 +0200
Subject: [PATCH] [Fedora] Introduce 'Ensure SELinux Not Disabled in Currently
 Running Kernel' rule


Signed-off-by: Jan Lieskovsky <[email protected]>
---
 .../checks/enable_selinux_in_running_kernel.xml    | 24 +++++++
 Fedora/input/guide.xml                             |  2 +-
 Fedora/input/guide.xslt                            |  1 +
 Fedora/input/profiles/common.xml                   |  1 +
 Fedora/input/system/selinux.xml                    | 78 ++++++++++++++++++++++
 Fedora/scap-security-guide.spec                    |  5 +-
 6 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 Fedora/input/checks/enable_selinux_in_running_kernel.xml
 create mode 100644 Fedora/input/system/selinux.xml

diff --git a/Fedora/input/checks/enable_selinux_in_running_kernel.xml b/Fedora/input/checks/enable_selinux_in_running_kernel.xml
new file mode 100644
index 0000000..15eabf0
--- /dev/null
+++ b/Fedora/input/checks/enable_selinux_in_running_kernel.xml
@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="enable_selinux_in_running_kernel" version="1">
+    <metadata>
+      <title>Ensure SELinux Not Disabled in Currently Running Kernel</title>
+      <affected family="unix">
+        <platform>Fedora 19</platform>
+      </affected>
+      <description>
+      Ensure SELinux is not disabled in the currently running Linux kernel.
+      </description>
+    </metadata>
+    <criteria comment="ensure SELinux is not disabled in the currently running Linux kernel" operator="AND">
+      <criterion comment="verify selinuxfs present in /proc/mounts file" test_ref="test_ensure_selinuxfs_in_proc_mounts" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check for existence of selinuxfs in /proc/mounts file" id="test_ensure_selinuxfs_in_proc_mounts" version="1" >
+    <ind:object object_ref="obj_ensure_selinuxfs_in_proc_mounts" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_ensure_selinuxfs_in_proc_mounts" version="1">
+    <ind:filepath>/proc/mounts</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*selinuxfs\s*/sys/fs/selinux\s*selinuxfs\s*rw,relatime\s*0\s*0\s*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
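Review bot: the pattern in `obj_ensure_selinuxfs_in_proc_mounts` hard-codes the mount options `rw,relatime`, so any host whose selinuxfs line in /proc/mounts carries different or additional options will fail this check even though SELinux is enabled (a false "fail"); matching only the first three fields, e.g. `^\s*selinuxfs\s+/sys/fs/selinux\s+selinuxfs\s+`, would be more robust, and the `\s*` separators between fields should be `\s+` since the fields are whitespace-delimited. Also note what this test actually proves: selinuxfs being mounted shows SELinux was not disabled with `selinux=0`, but it is also mounted in permissive mode, so the test does not establish that SELinux is enforcing; the title and description of the rule should say exactly that (not disabled), or the check should additionally read `/sys/fs/selinux/enforce` if enforcing mode is the intent.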
diff --git a/Fedora/input/guide.xml b/Fedora/input/guide.xml
index 8d21fe8..ee40e47 100644
--- a/Fedora/input/guide.xml
+++ b/Fedora/input/guide.xml
@@ -36,5 +36,5 @@ trademarks or trademarks of Red Hat, Inc. in the United States and other
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</rear-matter>
 <platform idref="cpe:/o:fedoraproject:fedora:19" />
-<version>0.0.3</version>
+<version>0.0.4</version>
 </Benchmark>
diff --git a/Fedora/input/guide.xslt b/Fedora/input/guide.xslt
index a24bdd9..27025d6 100644
--- a/Fedora/input/guide.xslt
+++ b/Fedora/input/guide.xslt
@@ -24,6 +24,7 @@
     <xsl:copy>
       <xsl:copy-of select="@*|node()" />
       <xsl:apply-templates select="document('system/software/software.xml')" />
+      <xsl:apply-templates select="document('system/selinux.xml')" />
     </xsl:copy>
   </xsl:template>
 
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index a7d856f..497b736 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
@@ -6,5 +6,6 @@
 <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
 <select idref="ensure_yum_fedora_updates_repo_enabled" selected="true"/>
 <select idref="security_patches_up_to_date" selected="true"/>
+<select idref="enable_selinux_in_running_kernel" selected="true"/>
 
 </Profile>
diff --git a/Fedora/input/system/selinux.xml b/Fedora/input/system/selinux.xml
new file mode 100644
index 0000000..b89e235
--- /dev/null
+++ b/Fedora/input/system/selinux.xml
@@ -0,0 +1,78 @@
+<Group id="selinux">
+<title>SELinux</title>
+<description>SELinux is a feature of the Linux kernel which can be
+used to guard against misconfigured or compromised programs.
+SELinux enforces the idea that programs should be limited in what
+files they can access and what actions they can take.
+<br /><br />
+The default SELinux policy, as configured on Fedora, has been
+sufficiently developed and debugged that it should be usable on
+almost any Fedora machine with minimal configuration and a small
+amount of system administrator training. This policy prevents
+system services - including most of the common network-visible
+services such as mail servers, FTP servers, and DNS servers - from
+accessing files which those services have no valid reason to
+access. This action alone prevents a huge amount of possible damage
+from network attacks against services, from trojaned software, and
+so forth.
+<br /><br />
+This guide recommends that SELinux be enabled using the
+default (targeted) policy on every Fedora system, unless that
+system has requirements which make a stronger policy
+appropriate.
+</description>
+
+<Group id="enabling_selinux">
+<title>Enable SELinux</title>
+<description>Edit the file <tt>/etc/selinux/config</tt>. Add or correct the
+following lines:
+<pre>
+SELINUX=enforcing
+SELINUXTYPE=targeted
+</pre>
+The directive <tt>SELINUX=enforcing</tt> enables SELinux at boot time.
+If SELinux is suspected of involvement with boot-time problems
+(unlikely), it is possible to boot into the warning-only mode
+<tt>SELINUX=permissive</tt> for debugging purposes. Make certain to change
+the mode back to enforcing after debugging, set the filesystems to
+be relabeled for consistency using the command <tt>touch
+/.autorelabel</tt>, and reboot.
+<br /><br />
+However, the Fedora default SELinux configuration should be
+sufficiently reasonable that most systems will boot without serious
+problems. Some applications that require deep or unusual system
+privileges, such as virtual machine software, may not be compatible
+with SELinux in its default configuration. However, this should be
+uncommon, and SELinux's application support continues to improve.
+In other cases, SELinux may reveal unusual or insecure program
+behavior by design.
+<br /><br />
+The directive <tt>SELINUXTYPE=targeted</tt> configures SELinux to use
+the default targeted policy.
+<br /><br />
+The SELinux boot mode specified in <tt>/etc/selinux/config</tt> can be
+overridden by command-line arguments passed to the kernel. It is
+necessary to check <tt>/etc/grub2.cfg</tt>, <tt>/etc/default/grub</tt>,
+and <tt>grub2-mkconfig</tt> templates from <tt>/etc/grub.d</tt> to ensure
+that this has not been done and to protect the boot process.
+</description>
+
+<Rule id="enable_selinux_in_running_kernel" severity="medium">
+<title>Ensure SELinux Not Disabled in Currently Running Kernel</title>
+<description>
+SELinux can be disabled at boot time via a <tt>selinux=0</tt> kernel
+boot command-line parameter. Remove any instances of <tt>selinux=0</tt>
+from the kernel boot command-line arguments to prevent SELinux from being
+disabled at boot.
+</description>
+<rationale>
+Disabling a major host protection feature, such as SELinux, at boot time prevents
+it from confining system services at boot time. Further, it increases
+the chances that it will remain off during system operation.
+</rationale>
+<oval id="enable_selinux_in_running_kernel" />
+<ref nist="AC-3,AC-3(3),AC-6,AU-9" disa="22,32"/>
+</Rule>
+</Group>
+
+</Group>
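Review bot: the `enable_selinux_in_running_kernel` rule description tells the administrator to remove `selinux=0` from the kernel boot command-line arguments, but the OVAL check referenced by `<oval id="enable_selinux_in_running_kernel" />` only inspects /proc/mounts for selinuxfs in the running kernel; it never looks at /etc/grub2.cfg, /etc/default/grub or /etc/grub.d, even though the enclosing group description names those files as the places to verify. This is the configuration-versus-runtime mismatch the cover email raises: either reword the description and rationale to state that the rule verifies SELinux is active in the currently booted kernel, or add a second criterion that checks the bootloader configuration for `selinux=0` so the remediation text and the check agree. Separately, the "Enable SELinux" group text instructs editing /etc/selinux/config (`SELINUX=enforcing`, `SELINUXTYPE=targeted`) but this patch adds no rule checking that file, so consider noting that those rules are to follow.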
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index d7118e1..58c6ec1 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
 # file one level up - in the main scap-security-guide directory (instead of
 # this one).
 
-%global	fedorassgrelease	2.rc2
+%global	fedorassgrelease	2.rc3
 
 Name:		scap-security-guide
 Version:	0.1
@@ -50,6 +50,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/xml/scap/ssg/fedora/19/*
 
 %changelog
+* Fri Oct 04 2013 Jan iankko Lieskovsky <[email protected]> 0.1-2.rc3
+- Introduce 'Ensure SELinux Not Disabled in Currently Running Kernel' rule.
+
 * Thu Oct 03 2013 Jan iankko Lieskovsky <[email protected]> 0.1-2.rc2
 - Introduce 'Ensure Yum fedora-updates Repository Enabled' rule.
 - Introduce 'Ensure Software Security Patches Installed' rule.
-- 
1.7.11.7
