Puppet Class: cis_security_hardening::rules::selinux_policy

Defined in:
manifests/rules/selinux_policy.pp

Summary

Ensure SELinux policy is configured

Overview

Configure SELinux to meet or exceed the default targeted policy. The targeted policy confines daemons and system services only; ordinary user processes run unconfined.

Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.

Examples:

class { 'cis_security_hardening::rules::selinux_policy':
  enforce        => true,
  selinux_policy => 'targeted',
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • selinux_policy (String) (defaults to: 'targeted')

    SELinux policy type written to SELINUXTYPE in /etc/selinux/config. The rule only edits the config file: a value other than the default must name a policy that is already installed on the node (the matching selinux-policy package), and switching policy types requires a file system relabel on the next boot, which this rule does not trigger.

  • auto_reboot (Boolean) (defaults to: true)

    Notify Class['cis_security_hardening::reboot'] when this rule changes /etc/selinux/config, so the node reboots and the new policy type is loaded (SELINUXTYPE is only read at boot).

# File 'manifests/rules/selinux_policy.pp', line 27

class cis_security_hardening::rules::selinux_policy (
  Boolean $enforce       = false,
  String $selinux_policy = 'targeted',
  Boolean $auto_reboot   = true,
) {
  if $enforce {
    # SELINUXTYPE is read at boot, so a change only takes effect after a
    # reboot: notify the reboot class when auto_reboot is set, nothing otherwise.
    $notify = $auto_reboot ? {
      true  => Class['cis_security_hardening::reboot'],
      false => [],
    }

    # Make sure the config file exists with root ownership and 0644 before
    # file_line edits it (file_line autorequires the File resource for its path).
    ensure_resource('file', '/etc/selinux/config', {
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        notify => $notify
    })

    # Rewrite the first uncommented SELINUXTYPE= line, or append one if none exists.
    # Commented-out lines such as '#SELINUXTYPE=mls' do not match and are left alone.
    file_line { 'selinux_targeted':
      path   => '/etc/selinux/config',
      line   => "SELINUXTYPE=${selinux_policy}",
      match  => '^SELINUXTYPE=',
      notify => $notify,
    }
  }
}
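An audit check for the setting this class manages, added here as an example; it is not part of cis_security_hardening or the CIS benchmark. The function name, its arguments and the sample config contents are all assumptions made for this example. It reads the same uncommented SELINUXTYPE= lines the rule's file_line matches, fails on a missing, duplicated or different value, and additionally warns when the configured policy type has no policy store installed, which is the case the rule itself does not cover (it edits the config file only).

```shell
#!/bin/sh
# Audit helper for the SELINUXTYPE setting managed by the rule above.
# Added example, not part of cis_security_hardening; paths and the policy
# root are parameters so it runs against constructed samples or a live host.
#
# check_selinux_type CONFIG EXPECTED [SELINUX_ROOT]
#   CONFIG        file to audit (normally /etc/selinux/config)
#   EXPECTED      the value given to the class as selinux_policy
#   SELINUX_ROOT  where policy stores live (default /etc/selinux)
# Exit status: 0 compliant; 1 setting missing, duplicated or not EXPECTED;
# 2 the configured policy is not installed, so the next boot cannot load it.
check_selinux_type() {
  config="$1"
  expected="$2"
  root="${3:-/etc/selinux}"

  if [ ! -r "$config" ]; then
    echo "FAIL: $config is not readable" >&2
    return 1
  fi

  # Count only uncommented assignments, the lines the rule's file_line
  # match '^SELINUXTYPE=' manages. '#SELINUXTYPE=mls' is documentation.
  count=$(grep -c '^SELINUXTYPE=' "$config" || true)
  if [ "$count" -eq 0 ]; then
    echo "FAIL: no SELINUXTYPE line in $config" >&2
    return 1
  elif [ "$count" -gt 1 ]; then
    # Two live assignments is ambiguous; file_line rewrites one of them,
    # so a stray duplicate can survive a Puppet run. Treat as non-compliant.
    echo "FAIL: $count SELINUXTYPE lines in $config" >&2
    return 1
  fi

  actual=$(sed -n 's/^SELINUXTYPE=//p' "$config" | tr -d '[:space:]')
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: SELINUXTYPE=$actual, expected $expected" >&2
    return 1
  fi

  # The rule edits the config file only. If the policy store for the
  # configured type is absent, the value is compliant on paper but the
  # kernel has nothing to load after the reboot the rule triggers.
  if [ ! -d "$root/$actual/policy" ]; then
    echo "WARN: policy '$actual' is not installed under $root" >&2
    return 2
  fi
  echo "OK: SELINUXTYPE=$actual (policy store $root/$actual present)"
  return 0
}

# Write a constructed /etc/selinux/config into $1; $2 supplies the
# SELINUXTYPE line(s), with \n for line breaks. Sample data only.
write_sample_config() {
  printf '# This file controls the state of SELinux on the system.\nSELINUX=enforcing\n# SELINUXTYPE can take one of these values:\n#SELINUXTYPE=mls\n%b\n' "$2" > "$1"
}

# Exercise the check against constructed samples: sh this_script.sh demo
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/targeted/policy"        # pretend only 'targeted' is installed
  write_sample_config "$d/ok"  'SELINUXTYPE=targeted'
  write_sample_config "$d/mls" 'SELINUXTYPE=mls'
  write_sample_config "$d/dup" 'SELINUXTYPE=targeted\nSELINUXTYPE=mls'
  for f in ok mls dup; do
    rc=0
    check_selinux_type "$d/$f" targeted "$d" || rc=$?
    echo "$f -> exit $rc"
  done
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

On a live host run it as `check_selinux_type /etc/selinux/config targeted`; exit status 2 is the one to act on before letting auto_reboot fire, since a reboot into a policy type that is not installed leaves the node without a loadable policy.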