STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must enable the SELinux targeted policy.

DISA Rule

SV-230282r627750_rule

Vulnerability Number

V-230282

Group Title

SRG-OS-000445-GPOS-00199

Rule Version

RHEL-08-010450

Severity

CAT II

CCI(s)

• CCI-002696 - The information system verifies correct operation of organization-defined security functions.

Weight

10

Fix Recommendation

Configure the operating system to verify correct operation of all security functions.

Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line:

SELINUXTYPE=targeted

A reboot is required for the changes to take effect.

Check Contents

Ensure the operating system verifies correct operation of all security functions.

Check if "SELinux" is active and is enforcing the targeted policy with the following command:

$ sudo sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

If the "Loaded policy name" is not set to "targeted", this is a finding.

Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted":

$ sudo grep -i "selinuxtype" /etc/selinux/config | grep -v '^#'

SELINUXTYPE = targeted

If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.

Vulnerability Number

V-230282

Documentable

False

Rule Version

RHEL-08-010450

Severity Override Guidance

Ensure the operating system verifies correct operation of all security functions.

Check if "SELinux" is active and is enforcing the targeted policy with the following command:

$ sudo sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

If the "Loaded policy name" is not set to "targeted", this is a finding.

Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted":

$ sudo grep -i "selinuxtype" /etc/selinux/config | grep -v '^#'

SELINUXTYPE = targeted

If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.

Check Content Reference

M

Target Key

2921

Comments