Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce rule to check if SELinux is not Disabled #10575

Merged
merged 3 commits into from
May 16, 2023
Merged

Introduce rule to check if SELinux is not Disabled #10575

merged 3 commits into from
May 16, 2023

Conversation

marcusburghardt
Copy link
Member

Description:

While highly recommended to use SELinux in enforcing mode, there are cases where site policy allows it to run in permissive mode. In this case, the only requirement is not to disable it.
This rule meets this scenario.

Rationale:

Better CIS coverage for RHEL 8 and RHEL 9.

@marcusburghardt
Introduce selinux_not_disabled rule
37ed5d5 
While highly recommended to use SELinux in enforcing mode, there are
cases where site policy allows it to run in permissive mode. In this
case, the only requirement is not to disable it. This rule meets this
scenario.
@marcusburghardt
Update CIS control files for RHEL8 and RHEL9
0203be4 
The CIS requirement 1.6.1.4 is now updated to automated since the
selinux_not_disabled rule was included.
@marcusburghardt marcusburghardt added New Rule Issues or pull requests related to new Rules. RHEL9 Red Hat Enterprise Linux 9 product related. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. labels May 16, 2023
@marcusburghardt marcusburghardt added this to the 0.1.68 milestone May 16, 2023
@marcusburghardt marcusburghardt requested a review from a team as a code owner May 16, 2023 12:44
@marcusburghardt marcusburghardt added the Update Profile Issues or pull requests related to Profiles updates. label May 16, 2023
@Mab879 Mab879 self-assigned this May 16, 2023
Mab879
Mab879 requested changes May 16, 2023
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one minor nitpick.

Thanks for the new rule.

linux_os/guide/system/selinux/selinux_not_disabled/oval/shared.xml Outdated Show resolved Hide resolved
@marcusburghardt @Mab879
Update linux_os/guide/system/selinux/selinux_not_disabled/oval/shared…
1ad1dd3 
….xml

Co-authored-by: Matthew Burket <m@tthewburket.com>
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@codeclimate
Copy link

codeclimate bot commented May 16, 2023

Code Climate has analyzed commit 1ad1dd3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 merged commit f650e3e into ComplianceAsCode:master May 16, 2023
32 of 33 checks passed
@marcusburghardt marcusburghardt deleted the cis_selinux_not_disabled branch May 17, 2023 06:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
CIS CIS Benchmark related. New Rule Issues or pull requests related to new Rules. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.68
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@marcusburghardt @Mab879