Puppet Class: cis_security_hardening::rules::selinux_bootloader

Defined in:
manifests/rules/selinux_bootloader.pp

Summary

Ensure SELinux is not disabled in bootloader configuration

Overview

Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.

Rationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.

Examples:

class { 'cis_security_hardening::rules::selinux_bootloader':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule


# File 'manifests/rules/selinux_bootloader.pp', line 18

class cis_security_hardening::rules::selinux_bootloader (
  Boolean $enforce = false,
) {
  if $enforce {
    case $facts['os']['release']['major'] {
      '7', '8': {
        # Reset the default kernel command line to "quiet" so that any
        # selinux=0 / enforcing=0 argument is dropped. Note that this replaces
        # the whole GRUB_CMDLINE_LINUX_DEFAULT value, not just those arguments.
        file_line { 'cmdline_definition':
          line   => 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"',
          path   => '/etc/default/grub',
          match  => '^GRUB_CMDLINE_LINUX_DEFAULT',
          notify => Exec['selinux-grub-config'],
        }
        # Regenerate grub.cfg only when the default line actually changed.
        exec { 'selinux-grub-config':
          command     => 'grub2-mkconfig -o /boot/grub2/grub.cfg',
          path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
          refreshonly => true,
        }
      }
      '9': {
        # Strip the disabling arguments from every installed kernel entry;
        # the unless guard keeps the exec idempotent (it runs only while
        # selinux=0 or enforcing=0 is still present in some entry).
        exec { 'enable selinux with grubby':
          command => 'grubby --update-kernel ALL --remove-args "selinux=0 enforcing=0"',
          path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
          unless  => 'test -z "$(grubby --info=ALL | grep -Po \'(selinux|enforcing)=0\\b\')"',
        }
      }
      default: {
        # nothing to do yet
      }
    }
  }
}
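An audit counterpart to the class above, added here as an example and not part of the cis_security_hardening module: it applies the same `selinux=0` / `enforcing=0` test that the EL9 `unless` guard uses to the files the class manages and, where grubby exists, to every kernel entry. The file paths are the ones named in the class; the sample lines at the bottom are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added audit helper for the selinux_bootloader rule (not module code).

# selinux_disabled_in TEXT
# Returns 0 (true) when TEXT contains selinux=0 or enforcing=0 as a whole
# boot argument; "selinux=00" or "noenforcing=0" do not count.
selinux_disabled_in() {
    printf '%s\n' "$1" |
        grep -qE '(^|[[:space:]"])(selinux|enforcing)=0([[:space:]"]|$)'
}

# audit_bootloader_text LABEL TEXT
# Prints PASS/FAIL for one configuration source; returns 1 on FAIL.
audit_bootloader_text() {
    if selinux_disabled_in "$2"; then
        echo "FAIL: $1 disables SELinux on the kernel command line"
        return 1
    fi
    echo "PASS: $1"
    return 0
}

# audit_live_system
# Checks the files the class manages on EL7/8 (the generated grub.cfg is
# included because the file_line only rewrites the default line) and, where
# grubby exists (EL9), every installed kernel entry. Non-zero if any fails.
audit_live_system() {
    status=0
    for f in /etc/default/grub /boot/grub2/grub.cfg; do
        [ -r "$f" ] || continue
        audit_bootloader_text "$f" "$(cat "$f")" || status=1
    done
    if command -v grubby >/dev/null 2>&1; then
        audit_bootloader_text 'grubby --info=ALL' \
            "$(grubby --info=ALL 2>/dev/null)" || status=1
    fi
    return $status
}

# Constructed sample inputs (not from a real host):
SAMPLE_GRUB_OK='GRUB_CMDLINE_LINUX_DEFAULT="quiet"'
SAMPLE_GRUB_BAD='GRUB_CMDLINE_LINUX_DEFAULT="quiet selinux=0"'
SAMPLE_GRUBBY_BAD='args="ro crashkernel=auto enforcing=0"'

audit_bootloader_text 'sample /etc/default/grub' "$SAMPLE_GRUB_OK" || true
audit_bootloader_text 'sample /etc/default/grub' "$SAMPLE_GRUB_BAD" || true
audit_bootloader_text 'sample grubby entry' "$SAMPLE_GRUBBY_BAD" || true
```

Run `audit_live_system` on an EL host to check the real files; the exit status is suitable for a compliance job.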