Dear Shawn, Steve, Folks,

First I want to make it clear that I'm talking about OpenSCAP/scap-security-guide.

I pulled the latest OpenSCAP/scap-security-guide by git and did "make rhel7" on my RHEL7. Then I was checking scap-security-guide/RHEL/7/dist/content/ssg-rhel7-xccdf.xml. I found the description below:

<select idref="selinux" selected="false"/>
<Profile id="standard">
<Profile id="pci-dss">
<Profile id="common">
<Profile id="cjis-rhel7-server">
<select idref="selinux_state" selected="true"/>
<Profile id="C2S">
<Profile id="rht-ccp">
<Profile id="stig-rhel7-workstation-upstream">
<Profile id="stig-rhel7-server-gui-upstream">
<Profile id="stig-rhel7-server-upstream">
<Profile id="stig-rhevh-upstream">
<Profile id="ospp-rhel7-server">
<Profile id="nist-cl-il-al">
<Profile id="docker-host">
<Profile id="nist-800-171-cui">

So, selinux is not selected in the above 4 (standard, pci-dss, common, cjis-rhel7-server) profiles. I understand PCI-DSS requires the minimum, but I hope SELinux is enabled in all of the profiles.

Kind Regards,

OMO

2017-02-18 11:10 GMT+09:00 面和毅 <[email protected]>:
> Hi, Shawn, Steve, Folks,
>
> I know about it because he (Yuichi Nakamura, a famous person as an SELinux developer)
> is my friend, and he told me about the discussion with you.
> (I told him that some of the openscap profiles are not checking SELinux policy.)
>
> In my understanding the openscap tool can select many profiles from the xccdf file, but
> some of the profiles do not select SELinux. For example,
> -------------------------------------------------------------------
> <Profile id="standard">
> --snip--
> <select idref="selinux" selected="false"/>
> <select idref="selinux-booleans" selected="false"/>
> -------------------------------------------------------------------
>
> I was checking an old git repository, so let me check the latest git
> repository status.
>
> Kind Regards,
>
> OMO
>
> 2017-02-18 10:26 GMT+09:00 Steve Grubb <[email protected]>:
>> On Friday, February 17, 2017 5:14:59 PM EST Shawn Wells wrote:
>>> Spent the week at RSA. Someone from a large technology company in Japan
>>> approached and asked why SELinux wasn't enabled in the RHEL7 PCI profile.
>>> Sure enough... it's not there:
>>>
>>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/pci-dss.xml
>>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/pci-dss.xml
>>>
>>> I vaguely recall the enabled rules are direct PCI mappings (e.g. a
>>> minimum baseline)... but I don't really remember why SELinux isn't
>>> evaluated. Anyone else recall? Wanted to ping the mailing list prior to
>>> making a PR to add it!
>>
>> PCI defines a minimum set of requirements. It does not say you can't exceed the
>> requirements. I'd say it should include basic hardening such as noexec mount
>> options on tmpfs, selinux enabled, and specific security related sysctls.
>>
>> -Steve
>> _______________________________________________
>> scap-security-guide mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>
>
>
> --
> Kazuki Omo: [email protected]
> OSS & Security Evangelist
> OSS Business Planning Dept.
> CISSP #366942
> Tel: +81364015149

--
Kazuki Omo: [email protected]
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149
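The thread above reads `<select idref="..." selected="..."/>` lines out of the built XCCDF by eye, which is error-prone because a Profile's `<select>` may reference a Group as well as a Rule, and XCCDF only evaluates a Rule when the Rule itself and every ancestor Group are selected. The following Python script is an added example, not code from the thread or from the scap-security-guide project: it parses an XCCDF benchmark and reports, per Profile, whether a given Rule is effectively selected. The embedded benchmark is constructed for the example (it is not ssg-rhel7-xccdf.xml), and it assumes, as the constructed sample does, that `selinux` is a Group id and `selinux_state` a Rule id. The namespace is stripped so the same code reads XCCDF 1.1 and 1.2 content; Profile `extends` and cluster-id selections are deliberately not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample XCCDF, shaped like ssg-rhel7-xccdf.xml but NOT real SSG content.
# The "standard" profile selects the Rule but deselects its parent Group, which is
# exactly the case where reading the <select> lines for the Rule alone misleads.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
  <Profile id="standard">
    <select idref="selinux" selected="false"/>
    <select idref="selinux_state" selected="true"/>
  </Profile>
  <Profile id="cjis-rhel7-server">
    <select idref="selinux_state" selected="true"/>
  </Profile>
  <Profile id="C2S">
    <select idref="selinux" selected="true"/>
    <select idref="selinux_state" selected="true"/>
  </Profile>
  <Group id="system">
    <Group id="selinux">
      <Rule id="selinux_state" selected="false"/>
      <Rule id="selinux_policytype" selected="false"/>
    </Group>
  </Group>
</Benchmark>
"""


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 documents are handled alike."""
    return tag.rsplit("}", 1)[-1]


def load_items(root):
    """Map every Group/Rule id to (benchmark-default selected, ancestor Group ids).

    XCCDF Items default to selected="true" when the attribute is absent.
    """
    items = {}

    def walk(elem, ancestors):
        for child in elem:
            name = _local(child.tag)
            if name in ("Group", "Rule"):
                item_id = child.get("id")
                default = child.get("selected", "true") == "true"
                items[item_id] = (default, list(ancestors))
                if name == "Group":
                    walk(child, ancestors + [item_id])

    walk(root, [])
    return items


def profile_selections(root):
    """Map Profile id -> {idref: selected} taken from that Profile's <select> elements."""
    profiles = {}
    for prof in root:
        if _local(prof.tag) != "Profile":
            continue
        overrides = {}
        for child in prof:
            if _local(child.tag) == "select":
                overrides[child.get("idref")] = child.get("selected", "true") == "true"
        profiles[prof.get("id")] = overrides
    return profiles


def effective_selected(items, overrides, rule_id):
    """A Rule is evaluated only if it and all ancestor Groups are selected after
    the Profile's <select> overrides are applied (XCCDF tailoring semantics)."""
    _, ancestors = items[rule_id]

    def state(item_id):
        return overrides.get(item_id, items[item_id][0])

    return state(rule_id) and all(state(g) for g in ancestors)


def rule_status(xccdf_text, rule_id):
    """Return {profile id: effectively selected?} for rule_id in the given XCCDF text."""
    root = ET.fromstring(xccdf_text)
    items = load_items(root)
    if rule_id not in items:
        raise KeyError("no Rule or Group with id %r in benchmark" % rule_id)
    return {pid: effective_selected(items, sel, rule_id)
            for pid, sel in profile_selections(root).items()}


def rule_status_from_file(path, rule_id):
    """Same check against a file, e.g. a built ssg-rhel7-xccdf.xml."""
    with open(path, "rb") as fh:
        return rule_status(fh.read().decode("utf-8"), rule_id)


if __name__ == "__main__":
    for profile, selected in sorted(rule_status(SAMPLE_XCCDF, "selinux_state").items()):
        print("%-20s selinux_state: %s" % (profile, "selected" if selected else "NOT selected"))
```

Against the constructed sample this reports `standard` as NOT selected despite its `<select idref="selinux_state" selected="true"/>`, because the Profile also sets the enclosing `selinux` Group to false; `cjis-rhel7-server` and `C2S` come out selected. Pointing `rule_status_from_file` at a freshly built ssg-rhel7-xccdf.xml gives the per-profile answer the thread is trying to establish by inspection.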
