On 2/14/14, 12:15 PM, Kordell, Luke T wrote:
<Rule id="selinux_policytype">
<title>Configure SELinux Policy</title>
<description>The SELinux <tt>targeted</tt> policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in <tt>/etc/selinux/config</tt>:
<pre>SELINUXTYPE=targeted</pre>
Other policies, such as <tt>mls</tt>, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
</description>
<ocil clause="it does not">
Check the file <tt>/etc/selinux/config</tt> and ensure the following line 
appears:
<pre>SELINUXTYPE=targeted</pre>
</ocil>
<rationale>
Setting the SELinux policy to <tt>targeted</tt> or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
</rationale>
<fix platform="cpe:/o:redhat:enterprise_linux:6" reboot="false"
disruption="low" system="urn:xccdf:fix:script:sh">
touch /home/ltk/success.txt
</fix>
<ident cce="26875-5" />
<oval id="selinux_policytype" value="var_selinux_policy_name"/>
<ref nist="AC-3,AC-3(3),AC-4,AC-6,AU-9" disa="22,32"/>
<tested by="DS" on="20121024"/>
</Rule>
</Group>

SSG docs aren't so great on this. Also, this will help answer Lee's question too.

We broke the core SCAP components up into:
    - RHEL/6/input/profiles:         Houses XCCDF profiles
    - RHEL/6/input/{services system}: Houses XCCDF content
    - RHEL/6/input/checks:           Houses OVAL content
    - RHEL/6/input/fixes:            Associated fix content

The build system will take the XCCDF rule, e.g. selinux_policytype, add whatever OVAL is identified in the "oval id=" tag, include any XCCDF variables, and merge things together. We kept the XCCDF and OVAL as separate development files to ease multi-author content editing. Imagine the git merges if we were all working off the same file!

For fix content, the build will take the XCCDF rule name (selinux_policytype) and first look for a bash script under ./RHEL/6/input/fixes/bash with the same name (selinux_policytype.sh). If not found, it'll search ./shared/fixes/bash/. If neither condition is true then remediation doesn't exist and it'll move on to the next rule.

Sometimes remediation scripts will be the same across multiple platforms, e.g. disabling SELinux is the same in RHEL6 and RHEL7. As such, the remediation would go under shared.

Occasionally system components differ, such as systemd in Fedora vs service scripts in RHEL6. As such, the commands differ and the scripts would be placed in the proper directories.
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/input/fixes/bash
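As an added illustration of the two things described above (not code from the SSG repository or from either poster): what a real bash remediation for selinux_policytype would do in place of the placeholder `touch`, an audit check matching the OCIL text, and the platform-then-shared lookup order the build uses for fix scripts. The config path, rule name and directory layout are taken from the mail; the function names are assumptions.

```shell
#!/bin/sh
# Constructed example: SSG-style remediation for selinux_policytype plus
# the fix-script lookup order described in the mail. Not SSG's own code.

# Set SELINUXTYPE in the given config file (default /etc/selinux/config):
# rewrite an existing line, or append one if none is present. Idempotent,
# and written via a temp file so a partial write never leaves a truncated config.
set_selinux_type() {
    cfg="${1:-/etc/selinux/config}"
    want="${2:-targeted}"
    if grep -q '^SELINUXTYPE=' "$cfg" 2>/dev/null; then
        tmp="$cfg.tmp.$$"
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=${want}/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    else
        printf 'SELINUXTYPE=%s\n' "$want" >> "$cfg"
    fi
}

# Audit check matching the OCIL text: succeed only if the exact line appears.
check_selinux_type() {
    grep -q "^SELINUXTYPE=${2:-targeted}\$" "${1:-/etc/selinux/config}"
}

# Resolve a rule's fix script the way the build does: the platform directory
# first, then shared/, otherwise report that no remediation exists (status 1).
find_fix() {
    rule="$1"; root="${2:-.}"
    for d in "$root/RHEL/6/input/fixes/bash" "$root/shared/fixes/bash"; do
        if [ -f "$d/$rule.sh" ]; then
            printf '%s\n' "$d/$rule.sh"
            return 0
        fi
    done
    return 1
}
```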
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide