Disable the ssh_sysadm_login SELinux Boolean
An XCCDF Rule
Description
By default, the SELinux boolean ssh_sysadm_login is disabled. If this setting is enabled, it should be disabled. To disable the ssh_sysadm_login SELinux boolean, run the following command:
$ sudo setsebool -P ssh_sysadm_login off
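To confirm that the boolean is off both at runtime and persistently (the effect of -P), the following added example, which is not part of the original rule content, parses the rows printed by `semanage boolean -l`. The function names bool_states and audit_bool are hypothetical and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: audit ssh_sysadm_login from `semanage boolean -l` output.
# Row format: NAME (current , default) description
# "current" is the running value; "default" is the value stored in the
# policy and restored at boot, which is what `setsebool -P` changes.

BOOL=ssh_sysadm_login

# Print "<current> <default>" for $BOOL from the listing text in $1.
# Prints nothing when the boolean is not present in the listing.
bool_states() {
    printf '%s\n' "$1" | sed -n \
        "s/^${BOOL}[[:space:]]*([[:space:]]*\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)[[:space:]]*).*/\1 \2/p"
}

# Print a verdict for the listing text in $1.
# Returns 0 when compliant, 1 when non-compliant, 2 when undetermined.
audit_bool() {
    states=$(bool_states "$1")
    case "$states" in
        "off off") echo "PASS: $BOOL off at runtime and persistently"; return 0 ;;
        "on off")  echo "FAIL: $BOOL on at runtime only (enabled without -P)"; return 1 ;;
        "off on")  echo "FAIL: $BOOL off at runtime but on persistently; returns at reboot"; return 1 ;;
        "on on")   echo "FAIL: $BOOL on at runtime and persistently"; return 1 ;;
        *)         echo "UNKNOWN: $BOOL not found in listing"; return 2 ;;
    esac
}

# Constructed sample rows (not captured from a real host).
SAMPLE_OK='ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login'
SAMPLE_DRIFT='ssh_sysadm_login               (off  ,   on)  Allow ssh to sysadm login'

# Live use on an SELinux host (needs root and the semanage tool):
#   audit_bool "$(semanage boolean -l)"
```

The "off on" case is the one a plain getsebool check misses: the boolean was turned off without -P, so it comes back after a reboot.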
Rationale
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
- ID: xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login
- Severity: Medium
- Updated
Remediation - Shell Script
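# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # Ensure python3-libsemanage is installed
    if ! rpm -q --quiet "python3-libsemanage" ; then
        dnf install -y "python3-libsemanage"
    fi
    # Persistently disable the boolean (same command as in the Description)
    setsebool -P ssh_sysadm_login off
fi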
Remediation - Ansible
- name: Disable the ssh_sysadm_login SELinux Boolean - Ensure python3-libsemanage Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]