Hi, Shawn, Steve, Folks,

I know about it because he (Yuichi Nakamura, famous as an SELinux developer)
is my friend, and he told me about the discussion with you.
(I told him that some of the openscap profiles are not checking SELinux policy.)

In my understanding, the openscap tool can select from many profiles in the xccdf
file, but some of the profiles did not select SELinux. For example,
-------------------------------------------------------------------
 <Profile id="standard">
--snip--
    <select idref="selinux" selected="false"/>
    <select idref="selinux-booleans" selected="false"/>
-------------------------------------------------------------------

I was checking an old git repository, so let me check the latest git
repository status.

Kind Regards,

OMO

2017-02-18 10:26 GMT+09:00 Steve Grubb <[email protected]>:
> On Friday, February 17, 2017 5:14:59 PM EST Shawn Wells wrote:
>> Spent the week at RSA. Someone from a large technology company in Japan
>> approached and asked why SELinux wasn't enabled in the RHEL7 PCI profile.
>> Sure enough... it's not there:
>>
>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/pci-dss.xml
>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/pci-dss.xml
>>
>> I vaguely recall the enabled rules are direct PCI mappings (e.g. a
>> minimum baseline)... but I don't really remember why SELinux isn't
>> evaluated. Anyone else recall? Wanted to ping the mailing list prior to
>> making a PR to add it!
>
> PCI defines a minimum set of requirements. It does not say you can't exceed the
> requirements. I'd say it should include basic hardening such as noexec mount
> options on tmpfs, selinux enabled, and specific security related sysctls.
>
> -Steve
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to 
> [email protected]



-- 
Kazuki Omo: [email protected]
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149
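
The profile check described in the mail above, as an added example that is not part of the original message or of the scap-security-guide project: it reports, for each XCCDF profile, whether any `<select>` whose idref contains "selinux" is enabled. The sample XML is constructed and the substring match on "selinux" is an assumption; a profile with no such entry falls back to the default `selected` value those items carry in the benchmark.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the mail's <Profile> snippet; other ids are made up.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Profile id="standard">
    <select idref="selinux" selected="false"/>
    <select idref="selinux-booleans" selected="false"/>
    <select idref="example_sshd_rule" selected="true"/>
  </Profile>
  <Profile id="example-hardened">
    <select idref="selinux" selected="true"/>
    <select idref="selinux-booleans" selected="false"/>
  </Profile>
  <Profile id="example-minimal">
    <select idref="example_sshd_rule" selected="true"/>
  </Profile>
</Benchmark>"""


def local(tag):
    """Drop any '{namespace}' prefix so namespaced and bare files both parse."""
    return tag.rsplit("}", 1)[-1]


def selinux_selection(xccdf_text, needle="selinux"):
    """Return {profile id: {idref: bool}} for <select> idrefs containing needle."""
    report = {}
    for elem in ET.fromstring(xccdf_text).iter():
        if local(elem.tag) != "Profile":
            continue
        hits = {}
        for child in elem:
            idref = child.get("idref", "")
            if local(child.tag) == "select" and needle in idref.lower():
                # 'selected' is an XML boolean: true/1 or false/0
                value = child.get("selected", "").strip().lower()
                hits[idref] = value in ("true", "1")
        report[elem.get("id")] = hits
    return report


def profiles_without_selinux(xccdf_text):
    """Profiles that select no SELinux item (all deselected, or none listed)."""
    report = selinux_selection(xccdf_text)
    return sorted(pid for pid, hits in report.items() if not any(hits.values()))


if __name__ == "__main__":
    print(selinux_selection(SAMPLE_XCCDF))
    print("no SELinux item selected:", profiles_without_selinux(SAMPLE_XCCDF))
```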