1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
documentation_complete: true
title: 'Ensure No Device Files are Unlabeled by SELinux'
description: |-
Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.
<br /><br />
To check for incorrectly labeled device files, run following commands:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
<pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
It should produce no output in a well-configured system.
rationale: |-
If a device file carries the SELinux type <tt>device_t</tt> or
<tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
device file.
severity: medium
identifiers:
cce@rhel8: CCE-80866-7
cce@rhel9: CCE-85920-7
cce@rhel10: CCE-90192-6
references:
cis-csc: 1,11,12,13,14,15,16,18,2,3,5,6,7,8,9
cobit5: APO01.06,APO11.04,BAI01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06,MEA02.01
cui: '3.1.2,3.1.5,3.7.2'
isa-62443-2009: 4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 5.2,SR 6.2,SR 7.6'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
nist: CM-7(a),CM-7(b),CM-6(a),AC-3(3)(a),AC-6
nist-csf: DE.CM-1,DE.CM-7,PR.AC-4,PR.DS-5,PR.IP-1,PR.IP-3,PR.PT-1,PR.PT-3
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020900
ocil_clause: 'there is output'
ocil: |-
To check for incorrectly labeled device files, run following commands:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
<pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
It should produce no output in a well-configured system.
warnings:
- general: |-
Automatic remediation of this control is not available. The remediation
can be achieved by amending SELinux policy.
|
