Configure the secure_mode_insmod SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean secure_mode_insmod is disabled. This setting should be configured to .
To set the secure_mode_insmod SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_insmod

ID: xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod
Severity: Medium
References: BP28(R67)
Updated: about 1 year ago

- name: XCCDF Value var_secure_mode_insmod # promote to variable
  set_fact:
    var_secure_mode_insmod: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" use="legacy"/>
  tags:
    - always
- name: Configure the secure_mode_insmod SELinux Boolean - Ensure libsemanage-python
    installed
  ansible.builtin.package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod

- name: Configure the secure_mode_insmod SELinux Boolean - Set SELinux boolean secure_mode_insmod
    accordingly
  ansible.posix.seboolean:
    name: secure_mode_insmod
    state: '{{ var_secure_mode_insmod }}'
    persistent: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod

- name: Configure the secure_mode_insmod SELinux Boolean - Add vfat to static kernel
    module list
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modules-load.d/vfat.conf
    regexp: ^\s*\bvfat\b
    line: vfat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod

- name: Configure the secure_mode_insmod SELinux Boolean - Regenerate initramfs
  ansible.builtin.command:
    cmd: dracut -f --regenerate-all
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_secure_mode_insmod='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" use="legacy"/>'

setsebool -P secure_mode_insmod $var_secure_mode_insmod
# Preload vfat in initramfs, otherwise the system fails to reboot
echo "vfat" >> /etc/modules-load.d/vfat.conf
dracut -f --regenerate-all

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure the secure_mode_insmod SELinux Boolean

Description

Remediation - Ansible

Remediation - Shell Script