Controlling Access with Confined Users

Objectives

After completing this section, students should be able to limit user access to the system and the root account by configuring them as confined users.

Defining SELinux Users

The SELinux policy defines its own SELinux users, which are distinct from Linux users. When a Linux user logs in, they are mapped to exactly one SELinux user. Like the Audit UID, the SELinux user cannot be changed during a login session. Normally, many Linux users may be mapped to the same SELinux user. The policy can place additional SELinux-enforced restrictions on what particular SELinux users can do.

You can list the SELinux users with the semanage user -l command.

[root@demo ~]# semanage user -l

              Labeling  MLS/       MLS/
SELinux User  Prefix    MCS Level  MCS Range       SELinux Roles

guest_u       user      s0         s0              guest_r
root          user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
staff_u       user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
sysadm_u      user      s0         s0-s0:c0.c1023  sysadm_r
system_u      user      s0         s0-s0:c0.c1023  system_r unconfined_r
unconfined_u  user      s0         s0-s0:c0.c1023  system_r unconfined_r
user_u        user      s0         s0              user_r
xguest_u      user      s0         s0              xguest_r

Notice that each SELinux user has access to a set of SELinux roles, in the last column. These roles ultimately define which programs an SELinux user can run. For example, the sysadm_r role allows the use of the su and sudo commands. The xguest_r role restricts the commands that the user can use and only allows network access through Firefox.

The goal of confining users is to use SELinux to control more tightly which programs a given user can run.

Mapping Linux Users to SELinux Users

At login time, SELinux maps Linux users to SELinux users. This way, Linux users inherit the restrictions assigned to their associated SELinux users.

The semanage login -l command displays the table that SELinux uses for this mapping.

[root@demo ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

From this output, you can see that SELinux maps the Linux root user to the unconfined_u SELinux user. The __default__ entry instructs SELinux to map all the Linux users that are not explicitly mapped to an SELinux user to the unconfined_u SELinux user. Linux users mapped to unconfined_u (the "unconfined user") do not have additional user-based SELinux restrictions. Other SELinux policy restrictions still apply.

SELinux uses the system_u user for system services. Do not use it for your Linux users.

Note

By default, on a new Red Hat Enterprise Linux installation, Linux users are mapped to the SELinux user unconfined_u. This SELinux user does not have additional user-specific rules confining it.

Logged in Linux users can retrieve their associated SELinux user with the id -Z command.

[root@demo ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

To map an existing Linux user to an SELinux user, use the semanage login -a -s SELinux_user Linux_user command.

[root@demo ~]# semanage login -a -s sysadm_u  operator1

To remove the mapping, use the semanage login -d -s SELinux_user Linux_user command.

[root@demo ~]# semanage login -d -s sysadm_u  operator1

To modify the default mapping, use the semanage login -m -s SELinux_user -r s0 __default__ command.

[root@demo ~]# semanage login -m -s user_u -r s0 __default__

Important

The __default__ name has two underscores on either side of the word "default".

You can also map a new Linux user at creation time with the -Z option of the useradd command.

[root@demo ~]# useradd -Z staff_u developer1

Comparing the SELinux Users

On Red Hat Enterprise Linux, SELinux comes with a set of predefined SELinux users. You rarely have to create new ones because these existing users cover most use cases.

The following table lists the most useful confined SELinux users for system administration.

SELinux user   Purpose

user_u         This is the account for standard, nonadministrative users.

               SELinux prevents Linux users mapped to user_u from becoming root by using su or sudo, or from executing most set user ID (setuid) programs.

sysadm_u       The sysadm_u SELinux user is for system administration.

               SELinux allows Linux users mapped to sysadm_u to use su and sudo. (Whether or not the user can do anything useful with sudo depends on its configuration, in the usual way.)

               In addition, users mapped to sysadm_u cannot log in using ssh unless the ssh_sysadm_login Boolean is set to on.

staff_u        Linux users mapped to staff_u can use sudo but not su.

               staff_u is for regular users who need to use sudo for specific tasks. For example, web developers may need to use sudo to restart the httpd service. By mapping them to staff_u, these developers can use sudo, but cannot get full root access by using su.

SELinux User Booleans

A number of Booleans can tune the restrictions set on confined users. The preceding table mentioned one, ssh_sysadm_login, which controls whether or not users mapped to sysadm_u can log in using ssh.

Another set of Booleans can be used to restrict whether or not these users can run executables in their home directory or in /tmp. These are user_exec_content, sysadm_exec_content, and staff_exec_content for user_u, sysadm_u, and staff_u respectively.

Confining User Accounts

Use the following guidelines to implement user confinement on your systems.

  1. Update the default SELinux mapping to associate your Linux users to user_u.

    [root@demo ~]# semanage login -m -s user_u -r s0 __default__
  2. Map the system administrators to the sysadm_u SELinux user.

    [root@demo ~]# semanage login -a -s sysadm_u  operator1
    [root@demo ~]# semanage login -a -s sysadm_u  operator2
    [root@demo ~]# semanage login -a -s sysadm_u  operator3
  3. Optionally, map the Linux users who need sudo access to staff_u, and configure sudo.

    [root@demo ~]# semanage login -a -s staff_u  developer1
    [root@demo ~]# semanage login -a -s staff_u  developer2
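The following script is an added example, not part of the course text, that applies the mapping rule explained earlier (an explicit semanage login entry wins, otherwise __default__ applies) to audit which SELinux user each Linux account will receive after the guidelines above have been carried out. The semanage login -l output and the user list are constructed samples; on a real system you would feed it the live output of semanage login -l and the interactive accounts from /etc/passwd.

```shell
#!/bin/sh
# Added example: audit the effective SELinux user of each Linux login.
# Constructed sample of `semanage login -l` output after the default mapping
# was moved to user_u and operator1/developer1 were mapped explicitly.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
operator1            sysadm_u             s0-s0:c0.c1023       *
developer1           staff_u              s0-s0:c0.c1023       *'

# Constructed list of Linux login names to audit (alice and bob have no
# explicit entry, so they fall back to __default__).
SAMPLE_USERS='root operator1 developer1 alice bob'

# effective_selinux_user LOGIN LOGINS_TABLE
# Prints the SELinux user LOGIN maps to: its explicit entry if one exists,
# otherwise the SELinux user of the __default__ entry.
effective_selinux_user() {
    login=$1; table=$2
    printf '%s\n' "$table" | awk -v u="$login" '
        NR > 1 && NF >= 3 && $1 == u             { found = $2 }
        NR > 1 && NF >= 3 && $1 == "__default__" { def = $2 }
        END { print (found != "" ? found : def) }'
}

# audit_mappings USERS LOGINS_TABLE
# Prints "<login> <selinux_user> <ok|UNCONFINED>" per user and returns 1
# when at least one audited login would still land in unconfined_u.
audit_mappings() {
    rc=0
    for u in $1; do
        sel=$(effective_selinux_user "$u" "$2")
        if [ "$sel" = "unconfined_u" ]; then
            state=UNCONFINED; rc=1
        else
            state=ok
        fi
        printf '%-12s %-14s %s\n' "$u" "$sel" "$state"
    done
    return $rc
}

audit_mappings "$SAMPLE_USERS" "$SAMPLE_LOGINS" \
    || echo "WARNING: some logins are still mapped to unconfined_u"
```

With the sample data, only root is reported as UNCONFINED, which matches the default root mapping shown in the semanage login -l output earlier on this page.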

Confining Different User Accounts

When you decide to confine all of your Linux users, you usually start by modifying the default mapping to user_u.

[root@demo ~]# semanage login -m -s user_u -r s0 __default__

This way, SELinux confines all your Linux users to an SELinux user with minimal privileges, by default. If you use the default mapping, no further configuration is needed; SELinux automatically confines all existing users that do not have a mapping on their next login.

For extra protection, you can also prevent users in user_u from executing programs in their home directories and /tmp. To do that, set the user_exec_content Boolean to off.

[root@demo ~]# setsebool -P user_exec_content off

Confining System Administrators

To confine your system administrators, map their Linux account to the sysadm_u SELinux user. For existing accounts, use the semanage login -a command:

[root@demo ~]# semanage login -a -s sysadm_u  operator1

For new users, you can use the -Z option of the useradd command to do the mapping at user creation time.

[root@demo ~]# useradd -G wheel -Z sysadm_u operator2

Notice that the previous command uses the -G option to add the new account to the Linux wheel group to benefit from the existing sudo rule for this group.

By default, and for extra protection, users mapped to sysadm_u cannot use SSH to log in. Set the ssh_sysadm_login Boolean to on if you need to allow this access.

[root@demo ~]# setsebool -P ssh_sysadm_login on

Remember to remove the mapping when deleting the Linux user account.

[root@demo ~]# userdel operator1
[root@demo ~]# semanage login -d -s sysadm_u  operator1

You can also use userdel -Z to remove the mapping at the same time you delete the user account.

[root@demo ~]# userdel -Z operator2

Confining Staff Users

Some standard Linux users may need to run specific commands as root. Map them to the staff_u SELinux user account and configure sudo.

For existing accounts, use the semanage login -a command:

[root@demo ~]# semanage login -a -s staff_u  developer1

For new users, you can use the -Z option of the useradd command to do the mapping at user creation time.

[root@demo ~]# useradd -Z staff_u developer2

The next step is to configure the sudoers files to list the commands these users can run as root.

For extra protection, you can also prevent the staff_u SELinux users from executing programs in their home directories and /tmp. For that, set the staff_exec_content Boolean to off.

[root@demo ~]# setsebool -P staff_exec_content off

Remember to remove the mapping when deleting the Linux user account.

[root@demo ~]# userdel -Z developer1

Note

Additional confined users such as xguest_u and guest_u exist that are more restricted than user_u. For more information, see the SELinux User's and Administrator's Guide.

References

semanage-login(8) and semanage-user(8) man pages.

For more information, refer to the Confining Users, and Confined and Unconfined Users chapters in the SELinux User's and Administrator's Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/

Revision: rh415-7.5-813735c