Enable the antivirus_can_scan_system SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled as it allows antivirus programs to read non-security files on a system. To enable the antivirus_can_scan_system SELinux boolean, run the following command:

$ sudo setsebool -P antivirus_can_scan_system on

ID: xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
Severity: Medium
References: 3.7.2
Updated: about 1 year ago

- name: Enable the antivirus_can_scan_system SELinux Boolean - Ensure python3-libsemanage
    Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]  tags:
  - NIST-800-171-3.7.2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_antivirus_can_scan_system
- name: XCCDF Value var_antivirus_can_scan_system # promote to variable
  set_fact:
    var_antivirus_can_scan_system: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" use="legacy"/>
  tags:
    - always

- name: Enable the antivirus_can_scan_system SELinux Boolean - Set SELinux Boolean
    antivirus_can_scan_system Accordingly
  seboolean:
    name: antivirus_can_scan_system
    state: '{{ var_antivirus_can_scan_system }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - NIST-800-171-3.7.2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_antivirus_can_scan_system

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    yum install -y "python3-libsemanage"
fi

if selinuxenabled; then

    var_antivirus_can_scan_system='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" use="legacy"/>'

    setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable the antivirus_can_scan_system SELinux Boolean

Description

Remediation - Ansible

Remediation - Shell Script