From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 10 May 2021 18:53:02 +0200
Subject: [PATCH] Update and select seboolean rules for R67

Fix description of sebool_deny_execmem, and warning about possible issues. Add rationale to rules the SELinux booleans.
---
 controls/anssi.yml | 14 +++++++++---
 .../sebool_deny_execmem/rule.yml | 22 ++++++++++++++-----
 .../sebool_selinuxuser_execheap/rule.yml | 4 +++-
 .../sebool_selinuxuser_execstack/rule.yml | 3 ++-
 4 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..ef9356a6fea 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -967,10 +967,18 @@ controls:
 allow_execstack to off, forbids processes to make their stack executable;
 secure_mode_insmod to on, prohibits dynamic loading of modules by any process;
 ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
+ notes:
+ In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the
+ boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not
+ available, deny_execmem provides the same functionality.
+ automated: yes
 rules:
- # Add rule for sebool allow_execheap
- # Add rule for sebool allow_execmem
- # Add rule for sebool allow_execstack
+ - var_selinuxuser_execheap=off
+ - sebool_selinuxuser_execheap
+ - var_deny_execmem=on
+ - sebool_deny_execmem
+ - var_selinuxuser_execstack=off
+ - sebool_selinuxuser_execstack
 - var_secure_mode_insmod=on
 - sebool_secure_mode_insmod
 - sebool_ssh_sysadm_login
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index f340ea4be11..e8453fbfb8d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
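Review bot: The added `notes:` text says deny_execmem "provides the same functionality" as the missing allow_execmem, but the rule list in the same hunk sets `var_deny_execmem=on` while the other two variables are set to `off`, so the boolean has the opposite polarity and the note should say so, e.g. `available; deny_execmem covers the same requirement with inverted meaning, so it must be set to on.` The note is also a multi-line plain scalar, which YAML folds silently into one string; a `notes: |-` block scalar makes the line wrapping deliberate. `automated: yes` depends on YAML 1.1 truthy parsing — if the control loader treats this field as a boolean, `automated: true` is the unambiguous spelling; if it is a string enum, quoting it avoids the same ambiguity.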
@@ -2,14 +2,16 @@ documentation_complete: true prodtype: rhel7,rhel8,rhel9,rhv4 -title: 'Disable the deny_execmem SELinux Boolean' +title: 'Enable the deny_execmem SELinux Boolean' description: |- By default, the SELinux boolean deny_execmem is disabled. - If this setting is enabled, it should be disabled. + If this setting is disabled, it should be enabled. {{{ describe_sebool_disable(sebool="deny_execmem") }}} -rationale: "" +rationale: |- + Allowing user domain applications to map a memory region as both writable and + executable makes them more susceptible to data execution attacks. severity: medium @@ -19,10 +21,20 @@ identifiers: references: anssi: BP28(R67) - -{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}} + +{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}} + +warnings: + - general: |- + This rule doesn't come with a remediation, as enabling this SELinux boolean can cause + applications to malfunction, for example Graphical login managers and Firefox. + - functionality: |- + Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems. template: name: sebool vars: seboolid: deny_execmem + backends: + bash: "off" + ansible: "off" diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml index 45aa81a1223..7fedaab6130 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml 
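Review bot: The description keeps `{{{ describe_sebool_disable(sebool="deny_execmem") }}}` even though the title, the rewritten sentence "If this setting is disabled, it should be enabled" and the OCIL macro in the next hunk all switch the rule to enabling the boolean, so the rendered description will still instruct the reader to disable it. Swap it for the enable counterpart of the macro (`describe_sebool_enable`, assuming it exists alongside the disable variant in the shared macros). The new rationale reads well; it could add that this is why the control sets the variable to `on` rather than `off` like the sibling execheap/execstack rules.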
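Review bot: The new `functionality` warning has a word-order slip, "before applying enabling the SELinux boolean in production systems"; `Proper function and stability should be assessed before enabling this SELinux boolean on production systems.` The `general` warning capitalises "Graphical" mid-sentence and would be clearer naming the consequence the reader will see: the check still runs, so with `bash: "off"` and `ansible: "off"` the rule reports a failure that can only be cleared by enabling the boolean manually after testing. Stating that in the general warning ties the disabled backends to the reason they are disabled.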
@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean' description: |- By default, the SELinux boolean selinuxuser_execheap is disabled. + When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. {{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}} -rationale: "" +rationale: |- + Disabling code execution from the heap blocks buffer overflow attacks. severity: medium diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml index 2b20d0bfe4f..2e0b19f881d 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml @@ -10,7 +10,8 @@ description: |- to make their stack executable. {{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}} -rationale: "" +rationale: |- + Disabling code execution from the stack blocks buffer overflow attacks. severity: medium
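Review bot: The added description line `When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.` repeats "enabled" and reads as a fragment; `When enabled, this boolean allows SELinux users to execute code from the heap.` The new rationale here, and the matching one in the sebool_selinuxuser_execstack hunk, state that disabling heap or stack execution "blocks buffer overflow attacks", which overstates the mitigation: a non-executable heap or stack removes one way of running injected code, it does not prevent the overflow itself or every way of exploiting it. A more accurate wording is `Disabling code execution from the heap makes memory-corruption bugs such as buffer overflows harder to exploit.`, with "stack" substituted for the execstack rule.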