STIG: Rule xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons fails on PCP processes

Solution Verified - Updated -

Issue

  • Evaluating the system against the CIS Server-L1 profile fails on the following rule:

    Title   Ensure No Daemons are Unconfined by SELinux
    Rule    xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
    Ident   CCE-80867-5
    Result  fail
    
  • Searching for processes running in the unconfined_service_t domain finds two that belong to PCP services:

    # ps -eafZ | grep unconfined_service_t
    system_u:system_r:unconfined_service_t:s0 pcp 2673     1        [...] /usr/libexec/pcp/bin/pmpause
    system_u:system_r:unconfined_service_t:s0 pcp 2853     1        [...] /usr/libexec/pcp/bin/pmpause
    
    # grep "name=systemd" /proc/{2673,2853}/cgroup
    /proc/2673/cgroup:1:name=systemd:/system.slice/pmie_farm.service
    /proc/2853/cgroup:1:name=systemd:/system.slice/pmlogger_farm.service
    

    Note: PIDs may vary.
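
A defender-side check for this finding, added here as example code and not taken from the article: it lists processes whose SELinux type is unconfined_service_t and maps each to its systemd unit by reading /proc/PID/cgroup. The grep for name=systemd shown above relies on the cgroup v1 (hybrid) hierarchy used by RHEL 8; on a RHEL 9 host with unified cgroup v2, /proc/PID/cgroup holds a single `0::/system.slice/...` line instead, which this helper also accepts. The sample ps rows and cgroup contents are constructed from the values shown above, and the live check assumes procps `ps` with its `label` column.

```python
# Added audit helper (not from the Red Hat article): map processes running as
# unconfined_service_t to their systemd unit via /proc/PID/cgroup (v1 and v2).
import subprocess
from pathlib import Path

UNCONFINED_TYPE = "unconfined_service_t"

# Constructed `ps -eo label=,pid=,comm=` rows; PIDs taken from the article.
SAMPLE_PS = [
    "system_u:system_r:unconfined_service_t:s0 2673 pmpause",
    "system_u:system_r:unconfined_service_t:s0 2853 pmpause",
    "system_u:system_r:pcp_pmcd_t:s0 2600 pmcd",
]
# Constructed /proc/PID/cgroup contents: cgroup v1 hybrid (RHEL 8) and v2 (RHEL 9).
SAMPLE_CGROUP = {
    2673: "12:pids:/system.slice/pmie_farm.service\n"
          "1:name=systemd:/system.slice/pmie_farm.service\n",
    2853: "0::/system.slice/pmlogger_farm.service\n",
}

def unit_from_cgroup(cgroup_text):
    """systemd unit from /proc/PID/cgroup, or None. Accepts v1 '1:name=systemd:/...'
    and v2 '0::/...'; a plain grep for name=systemd matches only the v1 form."""
    for line in cgroup_text.splitlines():
        fields = line.split(":", 2)
        if len(fields) != 3:
            continue
        hierarchy, controllers, path = fields
        if controllers == "name=systemd" or (hierarchy == "0" and controllers == ""):
            leaf = path.rstrip("/").rsplit("/", 1)[-1]
            if leaf.endswith((".service", ".scope")):
                return leaf
    return None

def find_unconfined(ps_lines, read_cgroup):
    """(pid, comm, unit) for rows whose context type (3rd field) is unconfined_service_t."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].split(":")[2:3] == [UNCONFINED_TYPE]:
            pid = int(parts[1])
            findings.append((pid, parts[2].strip(), unit_from_cgroup(read_cgroup(pid))))
    return findings

def audit_live_system():
    """Same check against the local host (needs procps `ps` and /proc)."""
    out = subprocess.run(["ps", "-eo", "label=,pid=,comm="], capture_output=True, text=True, check=True).stdout
    return find_unconfined(out.splitlines(), lambda pid: Path(f"/proc/{pid}/cgroup").read_text())
if __name__ == "__main__":
    print(find_unconfined(SAMPLE_PS, SAMPLE_CGROUP.__getitem__))
```

Replace the `__main__` call with `audit_live_system()` to run it on a real host; a process that exits between the ps listing and the cgroup read raises FileNotFoundError, which is expected on a busy system.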

Environment

  • Red Hat Enterprise Linux 8 and 9
    • PCP
    • DISA/STIG CIS Server-L1 compliance
