2.6 Enforce Allowlist aka Trusted Execution Checks

Information

This takes allowlist aka whitelisting to the next level - where all software, libraries and scripts that are not in the trusted signature database (TSD) in /etc/security/tsd/tsd.dat are blocked.

Rationale:

At Level 1 (recommendations 2.3, 2.4 and 2.5) - nothing is stopped from being utilized, but the controls are active and logging so that missing entries can be added to the TSD so that Level 2 will not cause a breach of availability.

Impact:

The step is reversible. By returning the TE policies STOP_UNTRUSTD and STOP_ON_CHKFAIL back to OFF the system will be returned to the Level 1 Profile.

An intermediate Level would be to set STOP_UNTRUSTD to TROJAN rather than ON (Level 2) or OFF (Level 1).

TROJAN Stops the loading of files that do not belong to the TSD and have one of the following security settings:

* Have suid/sgid bit set

* Linked to a file in the TSD

* Have entry in the privcmds Database

* Be linked to a file in the privcmds database

Solution

Execute one of the following commands:

trustchk -p stop_untrustd=on stop_on_chkfail=on te=on

or

trustchk -p stop_untrustd=trojan stop_on_chkfail=on te=on

Default Value:

TE=OFF

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-7(5), 800-53|CM-10, 800-53|SI-7, 800-53|SI-7(1), CSCv7|2.7, CSCv7|2.8, CSCv7|2.9

Plugin: Unix

Control ID: d5fa73a45d4123425ee19dccae79ac41114d47b44b0c9d3256ebf7cb00c4361f