File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (52 lines) | stat: -rw-r--r-- 2,787 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
documentation_complete: true


title: 'Ensure No Daemons are Unconfined by SELinux'

description: |-
    Daemons for which the SELinux policy does not contain rules will inherit the
    context of the parent process. Because daemons are launched during
    startup and descend from the <tt>init</tt> process, they inherit the <tt>unconfined_service_t</tt> context.
    <br />
    <br />
    To check for unconfined daemons, run the following command:
    <pre>$ sudo ps -eZ | grep "unconfined_service_t"</pre>
    It should produce no output in a well-configured system.

rationale: |-
    Daemons which run with the <tt>unconfined_service_t</tt> context may cause AVC denials,
    or allow privileges that the daemon does not require.

severity: medium

identifiers:
    cce@rhcos4: CCE-82688-3
    cce@rhel8: CCE-80867-5
    cce@rhel9: CCE-84075-1
    cce@rhel10: CCE-88979-0
    cce@sle15: CCE-91444-0

references:
    cis-csc: 1,11,12,13,14,15,16,18,3,5,6,9
    cobit5: APO01.06,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06,MEA02.01
    cui: 3.1.2,3.1.5,3.7.2
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    isa-62443-2009: 4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 5.2,SR 7.6'
    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
    nist: CM-7(a),CM-7(b),CM-6(a),AC-3(3)(a),AC-6
    nist-csf: PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-1,PR.PT-3

ocil_clause: 'There are unconfined daemons running on the system'

ocil: |-
    Ensure there are no unconfined daemons running on the system,
    the following command should produce no output:
    <pre>$ sudo ps -eZ | grep "unconfined_service_t"</pre>

warnings:
    - general: |-
        Automatic remediation of this control is not available. Remediation
        can be achieved by amending SELinux policy or stopping the unconfined
        daemons as outlined above.