Hi Shawn, Steve, folks,
I know it because he (Yuichi Nakamura, a well-known SELinux developer)
is my friend, and he told me about the discussion with you.
(I told him that some of the openscap profiles are not checking SELinux policy.)
In my understanding the openscap tool can select many profiles from the xccdf file, but
some of the profiles do not have SELinux selected. For example,
-------------------------------------------------------------------
<Profile id="standard">
--snip--
<select idref="selinux" selected="false"/>
<select idref="selinux-booleans" selected="false"/>
-------------------------------------------------------------------
I was checking an old git repository, so let me check the latest git
repository status.
Kind Regards,
OMO
2017-02-18 10:26 GMT+09:00 Steve Grubb <sgrubb(a)redhat.com>:
On Friday, February 17, 2017 5:14:59 PM EST Shawn Wells wrote:
> Spent the week at RSA. Someone from a large technology company in Japan
> approached and asked why SELinux wasn't enabled in the RHEL7 PCI profile.
> Sure enough... it's not there:
>
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/pci-dss.xml
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/pci-dss.xml
>
> I vaguely recall the enabled rules are direct PCI mappings (e.g. a
> minimum baseline)... but I don't really remember why SELinux isn't
> evaluated. Anyone else recall? Wanted to ping the mailing list prior to
> making a PR to add it!
PCI defines a minimum set of requirements. It does not say you can't exceed the
requirements. I'd say it should include basic hardening such as noexec mount
options on tmpfs, selinux enabled, and specific security related sysctls.
-Steve
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
--
Kazuki Omo: ka-omo(a)sios.com
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149
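As an added example that is not part of this thread or of the scap-security-guide project, the script below shows how to check whether a given XCCDF profile actually ends up selecting the SELinux rules: it takes each Rule's own `selected` default (true per XCCDF unless the benchmark says otherwise) and applies the profile's `<select>` overrides, so a rule that is explicitly `selected="false"` and a rule the profile never mentions are both caught. The benchmark XML and the rule ids are constructed for this example.

```python
"""Check which rules an XCCDF profile effectively selects (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample benchmark: mirrors the "standard" snippet from the thread
# and a "pci-dss" profile that never mentions the SELinux rules at all.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example">
  <Profile id="standard">
    <select idref="selinux" selected="false"/>
    <select idref="selinux-booleans" selected="false"/>
    <select idref="sshd_disable_root_login" selected="true"/>
  </Profile>
  <Profile id="pci-dss">
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="audit_rules" selected="true"/>
  </Profile>
  <Rule id="selinux" selected="false"/>
  <Rule id="selinux-booleans" selected="false"/>
  <Rule id="sshd_disable_root_login" selected="false"/>
  <Rule id="audit_rules" selected="false"/>
  <Rule id="no_empty_passwords"/>
</Benchmark>
"""
SELINUX_RULES = ("selinux", "selinux-booleans")  # constructed ids for the demo

def _local(tag):
    """Strip the namespace so namespaced and bare XCCDF both work."""
    return tag.rsplit("}", 1)[-1]

def _is_true(value):
    return (value or "true").strip().lower() == "true"

def profile_selections(root, profile_id):
    """{idref: bool} for every <select> inside the named <Profile>."""
    for prof in root.iter():
        if _local(prof.tag) == "Profile" and prof.get("id") == profile_id:
            return {s.get("idref"): _is_true(s.get("selected"))
                    for s in prof if _local(s.tag) == "select"}
    raise KeyError(f"profile {profile_id!r} not found")

def effective_selection(xccdf_text, profile_id):
    """Rule id -> selected? after the profile's overrides are applied."""
    root = ET.fromstring(xccdf_text)
    state = {r.get("id"): _is_true(r.get("selected"))
             for r in root.iter() if _local(r.tag) == "Rule"}
    state.update(profile_selections(root, profile_id))
    return state

def unselected(xccdf_text, profile_id, wanted):
    """Rules from `wanted` the profile will not evaluate (disabled or absent)."""
    eff = effective_selection(xccdf_text, profile_id)
    return sorted(r for r in wanted if not eff.get(r, False))
```

Running `unselected(SAMPLE_XCCDF, "pci-dss", SELINUX_RULES)` on a real SSG benchmark file instead of the sample gives the list of SELinux rules a profile would silently skip.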