File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true


title: 'Confine SELinux Users To Roles That Conform To Least Privilege'

description: |-
    Configure the operating system to confine SELinux users to roles that conform
    to least privilege. Use the following command to map the "staff_u" SELinux user
    to the "staff_r" and "sysadm_r" roles:
    <pre>$ sudo semanage user -m staff_u -R staff_r -R sysadm_r</pre>
    <br /><br />
    Use the following command to map the "user_u" SELinux user to the "user_r" role:
    <pre>$ sudo semanage user -m user_u -R user_r</pre>

rationale: |-
    Preventing non-privileged users from executing privileged functions mitigates
    the risk that unauthorized individuals or processes may gain unnecessary access
    to information or privileges.
    <br /><br />
    Privileged functions include, for example,
    establishing accounts, performing system integrity checks, or administering
    cryptographic key management activities. Non-privileged users are individuals
    who do not possess appropriate authorizations. Circumventing intrusion detection
    and prevention mechanisms or malicious code protection mechanisms are examples
    of privileged functions that require protection from non-privileged users.

severity: medium

references:
    nist: AC-3(4),AC-6(10)
    srg: SRG-OS-000324-GPOS-00125
    stigid@ol7: OL07-00-020021

ocil_clause: 'selinux users are not confined to least privilege'

ocil: |-
    Verify the operating system confines SELinux users to roles that conform to least
    privilege. Check the SELinux User list to SELinux Roles mapping by using the
    following command:
    <pre>sudo semanage user -l</pre>
    The output should look like this:
    <pre>SELinuxUser   LabelingPrefix  MLS/MCSLevel  MLS/MCSRange     SELinuxRoles
    guest_u       user            s0            s0               guest_r
    root          user            s0            s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
    staff_u       user            s0            s0-s0:c0.c1023   staff_r sysadm_r
    sysadm_u      user            s0            s0-s0:c0.c1023   sysadm_r
    system_u      user            s0            s0-s0:c0.c1023   system_r unconfined_r
    unconfined_u  user            s0            s0-s0:c0.c1023   system_r unconfined_r
    user_u        user            s0            s0               user_r
    xguest_u      user            s0            s0               xguest_r
    </pre>
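As an added example (not part of the scap-security-guide rule above), the following POSIX shell audit parses `semanage user -l` style output, compares the staff_u and user_u role lists against the least-privilege sets the rule expects, and prints the matching `semanage user -m` remediation for any deviation; the mapping text is constructed inline so the script runs offline, and on a live host it would be replaced by the real command output.

```shell
#!/bin/sh
# Added audit example for this rule (not scap-security-guide code). The mapping
# below is constructed to mimic `sudo semanage user -l`; on a real host use
# MAPPING=$(sudo semanage user -l). staff_u deliberately carries an extra role.
SAMPLE_SEMANAGE_OUTPUT='SELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles
guest_u       user  s0  s0               guest_r
staff_u       user  s0  s0-s0:c0.c1023   staff_r sysadm_r unconfined_r
user_u        user  s0  s0               user_r'

# roles_for MAPPING USER: print USER's roles (fields 5..NF) sorted on one line.
roles_for() {
    printf '%s\n' "$1" | awk -v u="$2" '$1 == u { for (i = 5; i <= NF; i++) print $i }' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# check_user MAPPING USER EXPECTED_ROLES: 0 when USER maps to exactly the
# expected role set (order-insensitive); a missing, extra or absent mapping fails.
check_user() {
    actual=$(roles_for "$1" "$2")
    expected=$(for r in $3; do printf '%s\n' "$r"; done | sort | tr '\n' ' ' | sed 's/ $//')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# remediation_for USER EXPECTED_ROLES: the semanage command from the rule's
# description that rewrites USER's role list to exactly EXPECTED_ROLES.
remediation_for() {
    cmd="sudo semanage user -m $1"
    for r in $2; do cmd="$cmd -R $r"; done
    printf '%s\n' "$cmd"
}

# audit MAPPING: check each mapping the rule expects; returns 1 if any deviates.
audit() {
    rc=0
    for entry in "staff_u:staff_r sysadm_r" "user_u:user_r"; do
        u=${entry%%:*}; want=${entry#*:}
        if check_user "$1" "$u" "$want"; then
            echo "PASS $u -> $(roles_for "$1" "$u")"
        else
            echo "FAIL $u -> $(roles_for "$1" "$u") (expected: $want)"
            echo "     remediation: $(remediation_for "$u" "$want")"
            rc=1
        fi
    done
    return $rc
}

audit "$SAMPLE_SEMANAGE_OUTPUT" || echo "SELinux users are not confined to least privilege"
```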