5.2 Verify SELinux security options, if applicable

Information

SELinux is an effective and easy-to-use Linux application security system. It is available on quite a few Linux distributions by default such asRed Hat and Fedora.

Rationale:

SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model.You can thus add an extra layer of safety by enabling SELinux on your Linux host, if applicable.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If SELinuxis applicable for your Linux OS, use it. You may have to follow below set of steps:

1. Set the SELinux State.

2. Set the SELinux Policy.

3. Create or import a SELinux policy template for Docker containers.

4. Start Docker in daemon mode with SELinux enabled. For example,

docker daemon --selinux-enabled

5. Start your Docker container using the security options. For example,

docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash

Impact:

The container (process) would have set of restrictions as defined in SELinux policy. If your SELinux policy is mis-configured, then the container may not entirely work as expected.


Default Value:

By default, no SELinux security options are applied on containers.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(3)

Plugin: Unix

Control ID: 7bc625a1ad64b0720cc83fdd87ad37dc685193fb370e230ea8f4ee3af3303763