Disable the ssh_sysadm_login SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean ssh_sysadm_login is disabled. If this setting is enabled, it should be disabled. To disable the ssh_sysadm_login SELinux boolean, run the following command:

$ sudo setsebool -P ssh_sysadm_login off

Rationale

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

ID: xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login
Severity: Medium
References: BP28(R67)

CCI-002165 CCI-002235

SRG-OS-000324-GPOS-00125

CCE-91264-2
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

zypper install -y "policycoreutils"
zypper install -y "policycoreutils-python-utils"
zypper install -y "selinux-tools"zypper install -y "python3-selinux"
zypper install -y "python3-semanage"


if selinuxenabled; then

    var_ssh_sysadm_login='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ssh_sysadm_login" use="legacy"/>'

    setsebool -P ssh_sysadm_login $var_ssh_sysadm_login

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Disable the ssh_sysadm_login SELinux Boolean - Ensure policycoreutils Installed
  package:
    name: policycoreutils
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - CCE-91264-2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_ssh_sysadm_login

- name: Disable the ssh_sysadm_login SELinux Boolean - Ensure Additional Packages
    Installed
  become: true
  package:
    name:
    - policycoreutils-python-utils
    - selinux-tools
    - python3-selinux
    - python3-semanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91264-2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_ssh_sysadm_login
- name: XCCDF Value var_ssh_sysadm_login # promote to variable
  set_fact:
    var_ssh_sysadm_login: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ssh_sysadm_login" use="legacy"/>
  tags:
    - always

- name: Disable the ssh_sysadm_login SELinux Boolean - Set SELinux Boolean ssh_sysadm_login
    Accordingly
  seboolean:
    name: ssh_sysadm_login
    state: '{{ var_ssh_sysadm_login }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - CCE-91264-2
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_ssh_sysadm_login

Disable the ssh_sysadm_login SELinux Boolean

Description

Rationale

Remediation - Shell Script

Remediation - Ansible