Configure the secure_mode_insmod SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean secure_mode_insmod is disabled. This setting should be configured to .
To set the secure_mode_insmod SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_insmod

ID: xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod
Severity: Medium
References: BP28(R67)

CCE-91266-7
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

zypper install -y "policycoreutils"
zypper install -y "policycoreutils-python-utils"
zypper install -y "selinux-tools"zypper install -y "python3-selinux"
zypper install -y "python3-semanage"


if selinuxenabled; then

    var_secure_mode_insmod='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" use="legacy"/>'

    setsebool -P secure_mode_insmod $var_secure_mode_insmod

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Configure the secure_mode_insmod SELinux Boolean - Ensure policycoreutils
    Installed
  package:
    name: policycoreutils
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]  tags:
  - CCE-91266-7
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod

- name: Configure the secure_mode_insmod SELinux Boolean - Ensure Additional Packages
    Installed
  become: true
  package:
    name:
    - policycoreutils-python-utils
    - selinux-tools
    - python3-selinux
    - python3-semanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91266-7
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod
- name: XCCDF Value var_secure_mode_insmod # promote to variable
  set_fact:
    var_secure_mode_insmod: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" use="legacy"/>
  tags:
    - always

- name: Configure the secure_mode_insmod SELinux Boolean - Set SELinux Boolean secure_mode_insmod
    Accordingly
  seboolean:
    name: secure_mode_insmod
    state: '{{ var_secure_mode_insmod }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - CCE-91266-7
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_insmod

Configure the secure_mode_insmod SELinux Boolean

Description

Remediation - Shell Script

Remediation - Ansible