Map System Users To The Appropriate SELinux Role

Description

Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t).

$ sudo semanage login -m -s sysadm_u USER

or

$ sudo semanage login -m -s staff_u USER

All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t).

$ sudo semanage login -m -s user_u USER

Rationale

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

ID: xccdf_org.ssgproject.content_rule_selinux_user_login_roles
Severity: Medium
References: CCI-002165 CCI-002235

SRG-OS-000324-GPOS-00125

RHEL-08-040400

CCE-86353-0

SV-254520r928805_rule
Updated: about 1 year ago