>From 928de982c9c2755a9cb9263966e2013a424d308c Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sun, 10 Nov 2013 02:54:52 -0500
Subject: [PATCH 10/11] OVAL update + remediation for selinux_policytype
- Naming to reflect selinux_* style
- filename->filepath OVAL
- Remediation
TESTING:
[root@SSG-RHEL6 checks]# grep SELINUXTYPE /etc/selinux/config
[root@SSG-RHEL6 checks]# var_selinux_policy_name=targeted ; export
var_selinux_policy_name
[root@SSG-RHEL6 checks]# ./testcheck.py selinux_policytype.xml
external_variable with id : var_selinux_policy_name
Evaluating with OVAL tempfile : /tmp/selinux_policytypei3jTyb.xml
Writing results to : /tmp/selinux_policytypei3jTyb.xml-results
Definition oval:scap-security-guide.testing:def:297: false
Evaluation done.
[root@SSG-RHEL6 checks]# cd ../fixes/bash/
[root@SSG-RHEL6 bash]# bash selinux_policytype.sh
^C
[root@SSG-RHEL6 bash]# vim selinux_policytype.sh
[root@SSG-RHEL6 bash]# bash selinux_policytype.sh
[root@SSG-RHEL6 bash]# grep SELINUXTYPE /etc/selinux/config
SELINUXTYPE=targeted
[root@SSG-RHEL6 bash]# cd -
/var/www/html/scap-security-guide/RHEL6/input/checks
[root@SSG-RHEL6 checks]# ./testcheck.py selinux_policytype.xml
external_variable with id : var_selinux_policy_name
Evaluating with OVAL tempfile : /tmp/selinux_policytypevyVJJ0.xml
Writing results to : /tmp/selinux_policytypevyVJJ0.xml-results
Definition oval:scap-security-guide.testing:def:297: true
Evaluation done.
---
RHEL6/input/auxiliary/stig_overlay.xml | 2 +-
RHEL6/input/checks/selinux_policytype.xml | 3 +--
RHEL6/input/fixes/bash/selinux_policytype.sh | 8 ++++++++
RHEL6/input/profiles/CS2.xml | 2 +-
RHEL6/input/profiles/common.xml | 2 +-
RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
RHEL6/input/profiles/nist-CL-IL-AL.xml | 2 +-
RHEL6/input/profiles/rht-ccp.xml | 2 +-
RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +-
RHEL6/input/system/selinux.xml | 2 +-
10 files changed, 17 insertions(+), 10 deletions(-)
create mode 100644 RHEL6/input/fixes/bash/selinux_policytype.sh
diff --git a/RHEL6/input/auxiliary/stig_overlay.xml
b/RHEL6/input/auxiliary/stig_overlay.xml
index 0ab0708..4514436 100644
--- a/RHEL6/input/auxiliary/stig_overlay.xml
+++ b/RHEL6/input/auxiliary/stig_overlay.xml
@@ -45,7 +45,7 @@
<overlay owner="disastig" ruleid="set_selinux_state"
ownerid="RHEL-06-000020" disa="22" severity="medium">
<title>The system must use a Linux Security Module configured
to enforce limits on system services.</title>
</overlay>
- <overlay owner="disastig" ruleid="set_selinux_policy"
ownerid="RHEL-06-000023" disa="22" severity="low">
+ <overlay owner="disastig" ruleid="selinux_policytype"
ownerid="RHEL-06-000023" disa="22" severity="low">
<title>The system must use a Linux Security Module configured
to limit the privileges of system services.</title>
</overlay>
<overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled"
ownerid="RHEL-06-000025" disa="22" severity="low">
diff --git a/RHEL6/input/checks/selinux_policytype.xml
b/RHEL6/input/checks/selinux_policytype.xml
index a694b9e..9880ad3 100644
--- a/RHEL6/input/checks/selinux_policytype.xml
+++ b/RHEL6/input/checks/selinux_policytype.xml
@@ -29,8 +29,7 @@
datatype="string" id="var_selinux_policy_name" version="1" />
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
- <ind:path>/etc/selinux</ind:path>
- <ind:filename>config</ind:filename>
+ <ind:filepath>/etc/selinux/config</ind:filepath>
<ind:pattern operation="pattern
match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/RHEL6/input/fixes/bash/selinux_policytype.sh
b/RHEL6/input/fixes/bash/selinux_policytype.sh
new file mode 100644
index 0000000..7bdceb7
--- /dev/null
+++ b/RHEL6/input/fixes/bash/selinux_policytype.sh
@@ -0,0 +1,8 @@
+source ./templates/support.sh
+populate var_selinux_policy_name
+
+grep -q ^SELINUXTYPE /etc/selinux/config && \
+ sed -i "s/SELINUXTYPE=.*/SELINUXTYPE=$var_selinux_policy_name/g"
/etc/selinux/config
+if ! [ $? -eq 0 ]; then
+ echo "SELINUXTYPE=$var_selinux_policy_name" >> /etc/selinux/config
+fi
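Review bot: The `sed` on the `grep -q` line rewrites every `SELINUXTYPE=.*` occurrence with no `^` anchor, while the guarding grep is anchored, so any commented or indented line that mentions `SELINUXTYPE=` (such as an explanatory comment in the shipped config, if one is present) is rewritten along with the real setting; anchor it and drop the unneeded `g`: `sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$var_selinux_policy_name/" /etc/selinux/config`. The OVAL pattern in this same patch accepts whitespace around `=`, but the grep here only matches `SELINUXTYPE=` with no spaces, so a file containing `SELINUXTYPE = mls` takes the append path and ends up with two conflicting settings, the first of which is what the check reads; using `grep -q '^[[:space:]]*SELINUXTYPE[[:space:]]*=' /etc/selinux/config` with a matching sed address keeps check and fix in agreement. The value is also spliced into the sed replacement unescaped, which is tolerable only because it comes from a profile `refine-value`; a `/` or `&` in it would corrupt the expression, so a comment noting that assumption would help the next maintainer.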
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml
index 83b90c6..32ebb66 100644
--- a/RHEL6/input/profiles/CS2.xml
+++ b/RHEL6/input/profiles/CS2.xml
@@ -176,7 +176,7 @@
<select idref="selinux_confinement_of_daemons" selected="true" />
<select idref="selinux_all_devicefiles_labeled" selected="true"/>
<select idref="set_selinux_state" selected="true"/>
-<select idref="set_selinux_policy" selected="true"/>
+<select idref="selinux_policytype" selected="true"/>
<select idref="require_singleuser_auth" selected="true"/>
<select idref="disable_ctrlaltdel_reboot" selected="true"/>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index aa4ed08..f87d3ec 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
@@ -15,7 +15,7 @@
<select idref="enable_selinux_bootloader" selected="true"/>
<select idref="no_rsh_trust_files" selected="true"/>
<select idref="set_selinux_state" selected="true"/>
-<select idref="set_selinux_policy" selected="true"/>
+<select idref="selinux_policytype" selected="true"/>
<select idref="selinux_all_devicefiles_labeled" selected="true"/>
<select idref="securetty_root_login_console_only" selected="true"/>
<select idref="restrict_serial_port_logins" selected="true"/>
diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
index 318fdee..7e28b68 100644
--- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
@@ -18,7 +18,7 @@
<!-- AC-3, AC-3(3) -->
<select idref="enable_selinux_bootloader" selected="true" />
<select idref="set_selinux_state" selected="true" />
-<select idref="set_selinux_policy" selected="true" />
+<select idref="selinux_policytype" selected="true" />
<select idref="service_restorecond_enabled" selected="true" />
<select idref="sshd_use_approved_ciphers" selected="true" />
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml
b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index 82ee2a1..a02b714 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -112,7 +112,7 @@ assurance."</description>
<select idref="sshd_use_approved_ciphers" selected="true" \>
<select idref="enable_selinux_bootloader" selected="true" \>
<select idref="set_selinux_state" selected="true" \>
-<select idref="set_selinux_policy" selected="true" \>
+<select idref="selinux_policytype" selected="true" \>
<select idref="service_restorecond_enabled" selected="true" \>
<!-- AC-4 -->
diff --git a/RHEL6/input/profiles/rht-ccp.xml b/RHEL6/input/profiles/rht-ccp.xml
index 550f3c3..ca72dd7 100644
--- a/RHEL6/input/profiles/rht-ccp.xml
+++ b/RHEL6/input/profiles/rht-ccp.xml
@@ -31,7 +31,7 @@
<!-- SELINUX CHECKS -->
<select idref="enable_selinux_bootloader" selected="true"/>
<select idref="set_selinux_state" selected="true"/>
-<select idref="set_selinux_policy" selected="true"/>
+<select idref="selinux_policytype" selected="true"/>
<select idref="selinux_all_devicefiles_labeled" selected="true"/>
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml
b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index 01b313d..6eab024 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -111,7 +111,7 @@
<refine-value idref="var_selinux_state_name" selector="enforcing" />
<select idref="set_selinux_state" selected="true" />
<refine-value idref="var_selinux_policy_name" selector="targeted" />
-<select idref="set_selinux_policy" selected="true" />
+<select idref="selinux_policytype" selected="true" />
<select idref="enable_selinux_bootloader" selected="true" />
<select idref="selinux_confinement_of_daemons" selected="true" />
<select idref="selinux_all_devicefiles_labeled" selected="true" />
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index d9615a3..80f4fc0 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
@@ -126,7 +126,7 @@ privileges.
<tested by="DS" on="20121024"/>
</Rule>
-<Rule id="set_selinux_policy">
+<Rule id="selinux_policytype">
<title>Configure SELinux Policy</title>
<description>The SELinux <tt>targeted</tt> policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
--
1.7.1