Closed annmuor closed 2 years ago
I'm probably not going to work on these, but if anyone wants to, any of the other providers in my pull requests should be a good starting point.
I've done this in my ::selinux wrapper so I can share my code if you want.
@kreon Send a PR and let's take a look. :)
I would if the code was placed in the module. But it's inside our production wrapper for our defined selinux policy settings. All that I can do is cut some code and show it to you as an attachment.
Hey folks, I stumbled across this issue while trying to find a module that will allow me to manage the SELinux context of the users to comply with the DISA STIG for RHEL 7. Adding this functionality to the module would be extremely beneficial to customers in the US Federal space that have to comply with NIST SP 800.
For reference, here is the STIG item in question:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Version 2, Release: 3, Benchmark Date: 26 Apr 2019
Vul ID: V-71971 | Rule ID: SV-86595r2_rule | STIG ID: RHEL-07-020020
Severity: CAT II | Classification: Unclass
Group Title: SRG-OS-000324-GPOS-00125
Rule Title: The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Discussion: Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Check Text: If an HBSS or HIPS is active on the system, this is Not Applicable.
Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Get a list of authorized users (other than System Administrator and guest accounts) for the system.
Check the list against the system by using the following command:
# semanage login -l | more

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
joe                  staff_u              s0-s0:c0.c1023       *
All administrators must be mapped to the "sysadm_u" or "staff_u" users role.
All authorized non-administrative users must be mapped to the "user_u" role.
If they are not mapped in this way, this is a finding.
Fix Text: Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Use the following command to map a new user to the "sysadm_u" role:
# semanage login -a -s sysadm_u <username>
Use the following command to map an existing user to the "sysadm_u" role:
# semanage login -m -s sysadm_u <username>
Use the following command to map a new user to the "staff_u" role:
# semanage login -a -s staff_u <username>
Use the following command to map an existing user to the "staff_u" role:
# semanage login -m -s staff_u <username>
Use the following command to map a new user to the "user_u" role:
# semanage login -a -s user_u <username>
Use the following command to map an existing user to the "user_u" role:
# semanage login -m -s user_u <username>
References CCI: CCI-002165: The information system enforces organization-defined discretionary access control policies over defined subjects and objects. NIST SP 800-53 Revision 4 :: AC-3 (4)
CCI-002235: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. NIST SP 800-53 Revision 4 :: AC-6 (10)
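The check text above is a manual procedure: read `semanage login -l`, compare every authorized login against the expected SELinux user, and record a finding for any mismatch. The following Ruby script is an added example (not code from the puppet-selinux module or from the STIG) that automates exactly that comparison. It parses `semanage login -l` output into rows and evaluates the V-71971 rule for a site-supplied list of administrators and of authorized non-administrative users. The sample output is constructed from the check text plus two extra logins (alice, bob); the names `parse_semanage_login`, `audit_login_mappings` and the decision that a login with no explicit entry counts as a finding are assumptions made here, not something the STIG or the module defines.

```ruby
# Audit SELinux login mappings (`semanage login -l`) against STIG
# RHEL-07-020020 / V-71971: administrators must map to sysadm_u or staff_u,
# other authorized users to user_u. Added example; not module code.

# Constructed sample output, modelled on the STIG check text plus two extra
# logins (alice, bob). Not captured from a real host.
SAMPLE_SEMANAGE_LOGIN = <<~OUT
  Login Name           SELinux User         MLS/MCS Range        Service

  __default__          user_u               s0-s0:c0.c1023       *
  root                 unconfined_u         s0-s0:c0.c1023       *
  system_u             system_u             s0-s0:c0.c1023       *
  joe                  staff_u              s0-s0:c0.c1023       *
  alice                unconfined_u         s0-s0:c0.c1023       *
  bob                  user_u               s0-s0:c0.c1023       *
OUT

ADMIN_SEUSERS = %w[sysadm_u staff_u].freeze
USER_SEUSER   = 'user_u'.freeze

# Parse `semanage login -l` output into one hash per mapping row.
# Columns are whitespace separated; the header and blank lines are skipped.
def parse_semanage_login(output)
  output.each_line.each_with_object([]) do |line, rows|
    fields = line.split
    next if fields.empty? || fields.first == 'Login'
    rows << { login: fields[0], seuser: fields[1], range: fields[2], service: fields[3] }
  end
end

# Compare explicit mappings with the site's list of administrators and of
# authorized non-administrative users. Returns { login => reason } for every
# finding; an empty hash means the check passes. A login with no explicit
# entry is reported as a finding (assumption made in this example: inheriting
# __default__ does not count as "mapped" for the purpose of the check).
def audit_login_mappings(output, admins:, users:)
  mapping = parse_semanage_login(output).map { |row| [row[:login], row[:seuser]] }.to_h
  findings = {}
  admins.each do |login|
    seuser = mapping[login]
    next if ADMIN_SEUSERS.include?(seuser)
    findings[login] = "administrator mapped to #{seuser || 'nothing (inherits __default__)'}; expected sysadm_u or staff_u"
  end
  users.each do |login|
    seuser = mapping[login]
    next if seuser == USER_SEUSER
    findings[login] = "non-administrative user mapped to #{seuser || 'nothing (inherits __default__)'}; expected user_u"
  end
  findings
end

# Stand-alone run on the constructed sample. On a real host, feed the live
# output instead, e.g. audit_login_mappings(%x(semanage login -l), ...).
if $PROGRAM_NAME == __FILE__
  findings = audit_login_mappings(SAMPLE_SEMANAGE_LOGIN, admins: %w[joe alice], users: %w[bob carol])
  if findings.empty?
    puts 'V-71971: no findings'
  else
    findings.each { |login, reason| puts "V-71971 finding: #{login}: #{reason}" }
  end
end
```

On the constructed sample, joe (staff_u) and bob (user_u) pass, alice is flagged because an administrator mapped to unconfined_u is outside the sysadm_u/staff_u set the check allows, and carol is flagged because she has no explicit entry at all. The two lists of logins are the "list of authorized users" the check text tells the reviewer to obtain first; the script cannot derive them from the host, which is why they are parameters.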
AFAIK currently nobody is working on this, but PRs are very welcome.
I already developed these features but my code is for old module versions.
On 16 May 2019, at 17:45, Ewoud Kohl van Wijngaarden notifications@github.com wrote:
> AFAIK currently nobody is working on this, but PRs are very welcome.
Would you like to implement selinux::users ( semanage user ) and selinux::login ( semanage login )?