Disable the abrt_upload_watch_anon_write SELinux Boolean
An XCCDF Rule
Description
By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled, as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services.
To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_upload_watch_anon_write off
- ID: xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write
- Severity: Medium
- References:
- Updated:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    if ! rpm -q --quiet "libsemanage-python" ; then
        yum install -y "libsemanage-python"
    fi
    # Persistently (-P) turn the boolean off, as described above
    setsebool -P abrt_upload_watch_anon_write off
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Ansible
- name: Disable the abrt_upload_watch_anon_write SELinux Boolean - Ensure libsemanage-python Installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- name: Disable the abrt_upload_watch_anon_write SELinux Boolean
  # Equivalent of `setsebool -P abrt_upload_watch_anon_write off`; persistent: true matches -P
  seboolean:
    name: abrt_upload_watch_anon_write
    state: false
    persistent: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
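An audit counterpart to the remediation above, added here as an example and not part of the SSG content: a POSIX shell helper that parses the output of getsebool and semanage boolean -l and checks both the running and the persistent value, since setsebool run without -P changes only the running value. The sample outputs are constructed and the function names are my own.

```shell
#!/bin/sh
# Audit helper (added example): verify the boolean is off both at runtime
# and persistently, mirroring what `setsebool -P ... off` should achieve.
BOOL="abrt_upload_watch_anon_write"

# Constructed sample outputs so the parsing can be exercised offline.
SAMPLE_GETSEBOOL="abrt_upload_watch_anon_write --> on"
SAMPLE_SEMANAGE="SELinux boolean                State  Default Description
abrt_anon_write                (off  ,  off)  Allow ABRT to modify public files used for public file transfer services.
abrt_upload_watch_anon_write   (on   ,   on)  Allow ABRT to modify public files used for public file transfer services."

# running_state OUTPUT NAME: prints on|off parsed from `getsebool NAME` output
running_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b && $2 == "-->" { print $3 }'
}

# persistent_state OUTPUT NAME: prints the Default column (the value that
# survives a reboot) from `semanage boolean -l` output, e.g. "(on   ,   on)"
persistent_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b {
        s = $0; sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s)
        split(s, f, ","); gsub(/ /, "", f[2]); print f[2] }'
}

# check_rule GETSEBOOL_OUT SEMANAGE_OUT NAME
# exit status: 0 = compliant, 1 = boolean still on (running or persistent),
# 2 = boolean not found in the supplied output
check_rule() {
    r=$(running_state "$1" "$3")
    p=$(persistent_state "$2" "$3")
    [ -n "$r" ] && [ -n "$p" ] || return 2
    [ "$r" = off ] && [ "$p" = off ]
}

# Live audit on a host with the SELinux userspace tools (semanage needs root).
audit_live() {
    check_rule "$(getsebool "$BOOL" 2>/dev/null)" \
               "$(semanage boolean -l 2>/dev/null)" "$BOOL"
}
```

Run audit_live after applying the remediation; a status of 1 with the running value already off is the tell-tale of a setsebool invocation that omitted -P.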