CCI-002696

Install AIDE

Ensure SELinux State is Enforcing

Configure SELinux Policy

The application performing organization-defined security functions must verify correct operation of security functions.

The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell".

The Ivanti MobileIron Core server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.

The Mainframe Product performing organization-defined security functions must verify correct operation of security functions.

The MobileIron Core v10 server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of the hardware model of the device; - query the current version of installed mobile applications; - read audit logs kept by the MD.

Nutanix AOS must be configured to use SELinux Enforcing mode.

The configuration integrity of the container platform must be ensured and compliance policies must be configured.

The Samsung SDS EMM must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the MD.

The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.

The Workspace ONE UEM server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the MD.

The macOS system must ensure secure boot level set to full.

The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions.

The organization-defined role must verify correct operation of security functions in the container platform.

The operating system must verify correct operation of all security functions.

The Oracle Linux operating system must enable SELinux.

The Oracle Linux operating system must enable the SELinux targeted policy.

The Oracle Linux operating system must use a file integrity tool to verify correct operation of all security functions.

OL 8 must enable the SELinux targeted policy.

The OL 8 operating system must use a file integrity tool to verify correct operation of all security functions.

The Compliance Operator must be configured.

The Red Hat Enterprise Linux operating system must enable SELinux.

The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.

RHEL 8 must enable the SELinux targeted policy.

The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.

Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.

The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.

The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.

RHEL 9 must use a Linux Security Module configured to enforce limits on system services.

RHEL 9 must enable the SELinux targeted policy.

RHEL 9 must have the AIDE package installed.

The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).

The operating system must identify potentially security-relevant error conditions.

The VMM must verify correct operation of all security functions.

The ESXi host must implement Secure Boot enforcement.

The Photon operating system must have the auditd service running.

The macOS system must ensure Secure Boot level is set to "full".

Ubuntu 22.04 LTS must use a file integrity tool to verify correct operation of all security functions.

Ubuntu 22.04 LTS must configure AIDE to perform file integrity checking on the file system.

The Ivanti EPMM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.

SLEM 5 must enable the SELinux targeted policy.

Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.

TOSS must enable the "SELinux" targeted policy.