11.4 Ensure Only the Necessary SELinux Booleans are Enabled

Information

SELinux booleans allow or disallow behavior specific to the Apache web server. Common examples include whether CGI execution is allowed, or if the httpd server is allowed to communicate with the current terminal (tty). Communication with the terminal, may be necessary for entering a passphrase during start up to decrypt a private key.

Rationale:

Enabling only the necessary httpd related booleans provides a defense in depth approach, that will deny actions that are not in use or expected.

Solution

Perform the following to implement the recommended state:
To disable the SELinux httpd booleans that are determined to be unnecessary, use the setsebool command as shown below with the -P option to make the change persistent.

# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Default Value:

SELinux is not enabled by default.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-7(5), 800-53|CM-10, 800-53|SI-7, 800-53|SI-7(1), CSCv7|9.2

Plugin: Unix

Control ID: d6b5e8c69b224097abea31b6a2a78414c8f6255979e3a6c877100081d6479dc6