11.4 Ensure Only the Necessary SELinux Booleans Are Enabled

Information

SELinux booleans allow or disallow behavior specific to the Apache web server. Common examples include whether CGI execution is allowed, or if the httpd server is allowed to communicate with the current terminal ('tty'). Communication with the terminal may be necessary for entering a passphrase during startup to decrypt a private key.

Rationale:

Enabling only the necessary httpd related booleans provides a defense in depth approach that will deny actions that are not in use or expected.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to implement the recommended state:

To disable the SELinux httpd booleans that are determined to be unnecessary, use the 'setsebool' command as shown below with the '-P' option to make the change persistent.

# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi --> off

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|18, CSCv7|9.2

Plugin: Unix

Control ID: f11f3505dfe74636c1269a86e7e8a85f512d5301dd68416e62033e4e7cddbc17