Puppet Class: cis_security_hardening::rules::selinux_state

Defined in:
manifests/rules/selinux_state.pp

Summary

Ensure the SELinux state is enforcing or permissive

Overview

Ensure SELinux is enabled when the system boots.

Rationale: SELinux must be enabled at boot time to ensure that the controls it provides are in effect at all times.

Examples:

class { 'cis_security_hardening::rules::selinux_state':
    enforce => true,
    state => 'permissive',
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • state (Enum['enforcing', 'permissive']) (defaults to: 'enforcing')

    SELinux state to set

  • auto_reboot (Boolean) (defaults to: true)

    Trigger a reboot if this rule creates a change. Defaults to true.



# File 'manifests/rules/selinux_state.pp', line 25

class cis_security_hardening::rules::selinux_state (
  Boolean $enforce                       = false,
  Enum['enforcing', 'permissive'] $state = 'enforcing',
  Boolean $auto_reboot                   = true,
) {
  if $enforce {
    # The boot-time state only takes effect after a reboot, so changes
    # notify the reboot class unless auto_reboot has been switched off.
    $notify = $auto_reboot ? {
      true  => Class['cis_security_hardening::reboot'],
      false => [],
    }

    # Make sure the config file exists with root-owned, world-readable permissions.
    ensure_resource('file', '/etc/selinux/config', {
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        notify => $notify
    })

    # Replace every uncommented SELINUX= line with the requested state.
    file_line { 'selinux_enforce':
      path     => '/etc/selinux/config',
      line     => "SELINUX=${state}",
      match    => '^SELINUX=',
      multiple => true,
      notify   => $notify,
    }
  }
}
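The following POSIX shell audit helper is an added example and is not part of the cis_security_hardening module. It checks the file state the rule above manages (exactly one active SELINUX= line holding the expected value, which is what file_line with multiple => true leaves behind) and, separately, reports the running state, since the config file only takes effect at the next boot. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# check_selinux_config <config-file> <expected-state>
# Returns 0 when the file holds exactly one uncommented SELINUX= line
# whose value equals <expected-state>; prints a verdict either way.
check_selinux_config() {
    cfg="$1"
    expected="$2"

    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg is missing or unreadable"
        return 1
    fi

    # Commented lines ("# SELINUX=...") are ignored, matching the rule's '^SELINUX=' regex.
    # grep -c exits 1 on zero matches, so keep the count but not the exit status.
    count=$(grep -c '^SELINUX=' "$cfg" || true)
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected exactly one SELINUX= line in $cfg, found $count"
        return 1
    fi

    # Strip the key and any surrounding whitespace from the single active line.
    actual=$(sed -n 's/^SELINUX=//p' "$cfg" | tr -d '[:space:]')
    if [ "$actual" = "$expected" ]; then
        echo "PASS: SELINUX=$actual"
        return 0
    fi
    echo "FAIL: SELINUX=$actual (expected $expected)"
    return 1
}

# selinux_runtime_state
# Prints the current kernel-side state in lowercase (enforcing/permissive/disabled),
# or "unknown" when getenforce is not available, e.g. on a non-SELinux host.
selinux_runtime_state() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}
```

Run both checks together to catch the window between a Puppet run that rewrote the file and the reboot that makes it effective: a PASS on the file with a differing runtime state means the change is pending.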