1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
documentation_complete: true
# This rule is applicable even to non-selinux platforms, as the selinux_state is leveraged
# by rules that deal with technologies that conflict with SELinux
title: 'Ensure SELinux State is Enforcing'
description: |-
The SELinux state should be set to <tt>{{{ xccdf_value("var_selinux_state") }}}</tt> at
system boot time. In the file <tt>/etc/selinux/config</tt>, add or correct the
following line to configure the system to boot into enforcing mode:
<pre>SELINUX={{{ xccdf_value("var_selinux_state") }}}</pre>
Ensure that all files have correct SELinux labels by running:
<pre>fixfiles onboot</pre>
Then reboot the system.
rationale: |-
Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.
severity: high
identifiers:
cce@rhcos4: CCE-82531-5
cce@rhel8: CCE-80869-1
cce@rhel9: CCE-84079-3
cce@rhel10: CCE-89386-7
cce@sle12: CCE-91545-4
cce@sle15: CCE-91446-5
cce@slmicro5: CCE-94094-0
cce@slmicro6: CCE-95092-3
references:
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
isa-62443-2009: 4.2.3.4,4.3.3.2.2,4.3.3.3.9,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4,4.4.3.3
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
nist: AC-3,AC-3(3)(a),AU-9,SC-7(21)
nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
ospp: FMT_MOF_EXT.1
srg: SRG-OS-000445-GPOS-00199,SRG-OS-000134-GPOS-00068
stigid@ol7: OL07-00-020210
stigid@ol8: OL08-00-010170
ocil_clause: 'SELINUX is not set to enforcing'
ocil: |-
Ensure that {{{ full_name }}} verifies correct operation of security functions.
Check if "SELinux" is active and in "{{{ xccdf_value("var_selinux_state") }}}" mode with the following command:
$ sudo getenforce
{{{ xccdf_value("var_selinux_state") }}}
fixtext: |-
Configure {{{ full_name }}} to verify correct operation of security functions.
Edit the file <tt>/etc/selinux/config</tt> and add or modify the following line:
<pre>SELINUX={{{ xccdf_value("var_selinux_state") }}}</pre>
A reboot is required for the changes to take effect.
srg_requirement: |-
{{{ full_name }}} must use a Linux Security Module configured to enforce limits on system services.
|
