Enable the antivirus_can_scan_system SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled as it allows antivirus programs to read non-security files on a system. To enable the antivirus_can_scan_system SELinux boolean, run the following command:

$ sudo setsebool -P antivirus_can_scan_system on

ID: xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
Severity: Medium
References: 3.7.2
Updated: 5 days ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    yum install -y "python3-libsemanage"
fi

if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then

    var_antivirus_can_scan_system='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" use="legacy"/>'

    setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.7.2
  - enable_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_antivirus_can_scan_system

- name: Enable the antivirus_can_scan_system SELinux Boolean - Ensure python3-libsemanage
    Installed
  package:
    name: python3-libsemanage
    state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-171-3.7.2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_antivirus_can_scan_system
- name: XCCDF Value var_antivirus_can_scan_system # promote to variable
  set_fact:
    var_antivirus_can_scan_system: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" use="legacy"/>
  tags:
    - always

- name: Enable the antivirus_can_scan_system SELinux Boolean - Set SELinux Boolean
    antivirus_can_scan_system Accordingly
  seboolean:
    name: antivirus_can_scan_system
    state: '{{ var_antivirus_can_scan_system }}'
    persistent: true
  when:
  - '"kernel" in ansible_facts.packages'
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - NIST-800-171-3.7.2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_antivirus_can_scan_system

Enable the antivirus_can_scan_system SELinux Boolean

Description

Remediation - Shell Script

Remediation - Ansible