lsm - Linux Security Modules
Linux Security Modules, such as AppArmor and SELinux, provide an extra level of security controls on a Linux system. They provide Mandatory Access Control (MAC) that checks system activities against security policy. These policies apply to all users, including root.
Overview
The STIG requires that SELinux is in enforcing mode to provide additional security against attacks. The security role will enable SELinux on CentOS systems and enable AppArmor on Ubuntu and Debian systems.
STIG requirements
All of the tasks for these STIG requirements are included in tasks/rhel7stig/lsm.yml.
V-71989
Summary: The operating system must enable SELinux.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in the security role enable the appropriate Linux Security Module (LSM) for the operating system.
For Ubuntu, openSUSE and SUSE Linux Enterprise 12 systems, AppArmor is installed and enabled. This change takes effect immediately.
For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in enforcing mode) and its user tools are automatically installed. If SELinux is not in enforcing mode already, a reboot is required to enable SELinux and relabel the filesystem.
Warning
Relabeling a filesystem takes time and the server must be offline for the relabeling to complete. Filesystems that contain a large number of files, or that reside on slow disks, take longer to relabel.
Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_enable_linux_security_module: no
V-72039
Summary: All system device files must be correctly labeled to prevent unauthorized modification.
Severity: Medium
Implementation Status: Implemented - Red Hat Only
Deployer/Auditor notes
The tasks in the security role examine the SELinux contexts on each device file found on the system. Any devices without appropriate labels are printed in the Ansible output.
Deployers should investigate the unlabeled devices and ensure that the correct labels are applied for the class of device.
Note
This change applies only to CentOS or Red Hat Enterprise Linux systems since they rely on SELinux as their default Linux Security Module (LSM). Ubuntu, openSUSE Leap and SUSE Linux Enterprise systems use AppArmor, which uses policy files rather than labels applied to individual files.
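The following is an added example of the kind of device-label audit described above; it is not the security role's own task. It assumes GNU stat's %C format (the SELinux context) and flags any /dev entry whose type is unlabeled_t, the condition V-72039 is concerned with; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the security role). Reads "context path" lines, as
# produced by: stat -c '%C %n' /dev/*   (or: find /dev -printf '%Z %p\n')
# and prints the path of every entry whose SELinux type field is unlabeled_t.
find_unlabeled_devices() {
  # Field 1 is the context user:role:type:level; field 2 is the path.
  awk '{
    split($1, ctx, ":")
    if (ctx[3] == "unlabeled_t") print $2
  }'
}

# Constructed sample output in the "stat -c '%C %n'" format; the two
# /dev/custom* entries are the ones an auditor would have to investigate.
SAMPLE_STAT_OUTPUT='system_u:object_r:null_device_t:s0 /dev/null
system_u:object_r:tty_device_t:s0 /dev/tty0
system_u:object_r:unlabeled_t:s0 /dev/custom0
system_u:object_r:fixed_disk_device_t:s0 /dev/sda
system_u:object_r:unlabeled_t:s0 /dev/custom1'

# Number of unlabeled devices in the sample; zero is the passing result.
unlabeled_count() {
  printf '%s\n' "$SAMPLE_STAT_OUTPUT" | find_unlabeled_devices | wc -l | tr -d ' '
}

# First unlabeled device in the sample (used to show the output shape).
first_unlabeled() {
  printf '%s\n' "$SAMPLE_STAT_OUTPUT" | find_unlabeled_devices | head -n 1
}

# On a live SELinux system, run instead:
#   stat -c '%C %n' /dev/* | find_unlabeled_devices
# and apply the policy's default label to each reported path with
#   restorecon -v /dev/<name>
# (use "restorecon -nv" first to preview the change without applying it).
```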