dev-sec / cis-dil-benchmark

CIS Distribution Independent Linux Benchmark - InSpec Profile
Apache License 2.0

cis-dil-benchmark-1.6.1.3 - selinux config `Policy from config file:\s+(targeted|mls)` changed to targeted in RH7 #89

Open Bharathkumarraju opened 4 years ago

Bharathkumarraju commented 4 years ago

Hi Team,

The cis-dil-benchmark-1.6.1.3 check is giving the error below.

Actually it is checking the selinux config with `Policy from config file:\s+(targeted|mls)`, but in RH7 it is changed to `Loaded policy name: targeted`; it needs a fix, I guess.

Failure:
----------->
× cis-dil-benchmark-1.6.1.3: Ensure SELinux policy is configured (1 failed)
✔ File /etc/selinux/config content is expected to match /^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
× Command: `sestatus` stdout is expected to match /Policy from config file:\s+(targeted|mls)/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Policy from config file:\s+(targeted|mls)/
Diff:
@@ -1,9 +1,17 @@
-/Policy from config file:\s+(targeted|mls)/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: targeted
+Current mode: enforcing
+Mode from config file: enforcing
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31

thanks, https://bharathkumaraju.com
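As an added example (not code from the dev-sec/cis-dil-benchmark project or from the reporter), the following Ruby parser shows how a control can read the active SELinux policy name from `sestatus` output in both formats: the older `Policy from config file:` line the current control expects, and the `Loaded policy name:` line that RHEL 7's policycoreutils prints, as quoted in the failure above. The three sample outputs are constructed for the example; the `Policy version: 24` line in the old-format sample is assumed, not taken from the issue.

```ruby
# Added example, not part of dev-sec/cis-dil-benchmark: extract the active
# SELinux policy name from `sestatus` output, accepting both the older
# "Policy from config file:" label and the newer "Loaded policy name:" label.

# Constructed sample: the RHEL 7 format quoted in the issue.
SESTATUS_RHEL7 = <<~OUT
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Max kernel policy version:      31
OUT

# Constructed sample: the older format the existing control matches
# (the "Policy version" line is assumed, not taken from the issue).
SESTATUS_OLD = <<~OUT
  SELinux status:                 enabled
  SELinuxfs mount:                /selinux
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy version:                 24
  Policy from config file:        targeted
OUT

# Constructed sample: SELinux disabled, so no policy line is printed at all.
SESTATUS_DISABLED = "SELinux status:                 disabled\n"

# Labels that carry the policy name, newest format first.
POLICY_LABELS = ['Loaded policy name', 'Policy from config file'].freeze

# Policy names CIS 1.6.1.3 accepts.
ALLOWED_POLICIES = %w[targeted mls].freeze

# Returns the policy name (e.g. "targeted"), or nil when neither label is present.
# Ruby's ^ and $ anchor at line boundaries, so no multiline flag is needed.
def selinux_policy_name(sestatus_output)
  POLICY_LABELS.each do |label|
    m = sestatus_output.match(/^#{Regexp.escape(label)}:\s+(\S+)\s*$/)
    return m[1] if m
  end
  nil
end

# The control's condition: the loaded policy must be one of the allowed names.
# A missing policy line (SELinux disabled) is treated as non-compliant.
def selinux_policy_compliant?(sestatus_output)
  ALLOWED_POLICIES.include?(selinux_policy_name(sestatus_output))
end

if __FILE__ == $PROGRAM_NAME
  [SESTATUS_RHEL7, SESTATUS_OLD, SESTATUS_DISABLED].each do |out|
    puts "policy=#{selinux_policy_name(out).inspect} compliant=#{selinux_policy_compliant?(out)}"
  end
end
```

In an InSpec control the same idea collapses to a single alternation in the matcher, `its('stdout') { should match(/^(Policy from config file|Loaded policy name):\s+(targeted|mls)\s*$/) }`, but keeping the label list separate makes it easier to add further `sestatus` variants without loosening the policy-name check.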

chris-rock commented 4 years ago

What is your proposed solution?