Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
DRAFT - BSI APP.4.4. and SYS.1.6
An XCCDF Profile
3 rules organized in 2 groups
System Settings
3 Rules
Contains rules that check correct system settings.
SELinux
3 Rules
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
The default SELinux policy, as configured on Red Hat Enterprise Linux CoreOS 4, has been sufficiently developed and debugged that it should be usable on almost any system with minimal configuration and a small amount of system administrator training. This policy prevents system services - including most of the common network-visible services such as mail servers, FTP servers, and DNS servers - from accessing files which those services have no valid reason to access. This action alone prevents a huge amount of possible damage from network attacks against services, from trojaned software, and so forth.
This guide recommends that SELinux be enabled using the default (targeted) policy on every Red Hat Enterprise Linux CoreOS 4 system, unless that system has unusual requirements which make a stronger policy appropriate.
Ensure SELinux Not Disabled in the kernel arguments
Medium Severity
SELinux can be disabled at boot time by passing a kernel argument. Remove any instances of selinux=0 from the kernel arguments to prevent SELinux from being disabled at boot.
Configure SELinux Policy
Medium Severity
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Ensure SELinux State is Enforcing
High Severity
The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
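The following script is an added example, not part of this guide or of the SCAP content it describes. It audits the three rules above against a /etc/selinux/config-style file and a kernel command line string; the function names and the sample inputs are constructed here, and on a live host you would pass /etc/selinux/config and the contents of /proc/cmdline instead.

```shell
#!/bin/sh
# Added example (not from the guide): a minimal audit of the three SELinux
# rules in this profile. Each check prints "pass" or "fail".

# Value of key $2 in config file $1 (last uncommented assignment wins).
selinux_conf_value() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Rule "Ensure SELinux State is Enforcing": SELINUX=enforcing.
check_selinux_state() {
    [ "$(selinux_conf_value "$1" SELINUX)" = "enforcing" ] && echo pass || echo fail
}

# Rule "Configure SELinux Policy": SELINUXTYPE=targeted.
check_selinux_policy() {
    [ "$(selinux_conf_value "$1" SELINUXTYPE)" = "targeted" ] && echo pass || echo fail
}

# Rule "Ensure SELinux Not Disabled in the kernel arguments": no selinux=0
# token anywhere in the kernel command line ($1 is the whole cmdline string).
check_kernel_args() {
    case " $1 " in
        *" selinux=0 "*) echo fail ;;
        *) echo pass ;;
    esac
}

# Constructed sample inputs so the script runs offline (not from a real host).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
sample_cmdline="root=UUID=constructed-sample rw quiet selinux=0"

echo "SELinux state:  $(check_selinux_state "$sample_conf")"
echo "SELinux policy: $(check_selinux_policy "$sample_conf")"
echo "Kernel args:    $(check_kernel_args "$sample_cmdline")"
rm -f "$sample_conf"
```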