{"description": "Configure the operating system to prevent non-privileged users from executing\nprivileged functions to include disabling, circumventing, or altering\nimplemented security safeguards/countermeasures. All administrators must be\nmapped to the <tt>sysadm_u</tt> or <tt>staff_u</tt> users with the\nappropriate domains (<tt>sysadm_t</tt> and <tt>staff_t</tt>).\n<pre>$ sudo semanage login -m -s sysadm_u <i>USER</i></pre> or\n<pre>$ sudo semanage login -m -s staff_u <i>USER</i></pre>\n<br /><br />\nAll authorized non-administrative\nusers must be mapped to the <tt>user_u</tt> role or the appropriate domain\n(user_t).\n<pre>$ sudo semanage login -m -s user_u <i>USER</i></pre>", "rationale": "Preventing non-privileged users from executing privileged functions mitigates\nthe risk that unauthorized individuals or processes may gain unnecessary access\nto information or privileges.\n<br /><br />\nPrivileged functions include, for example,\nestablishing accounts, performing system integrity checks, or administering\ncryptographic key management activities. Non-privileged users are individuals\nwho do not possess appropriate authorizations. Circumventing intrusion detection\nand prevention mechanisms or malicious code protection mechanisms are examples\nof privileged functions that require protection from non-privileged users.", "severity": "medium", "references": {"srg": ["SRG-OS-000324-GPOS-00125"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "non-admin users are not confined correctly", "ocil": "To verify the operating system prevents non-privileged users from executing\nprivileged functions to include disabling, circumventing, or altering\nimplemented security safeguards/countermeasures, run the following\ncommand:\n<pre>$ sudo semanage login -l</pre>\nAll administrators must be mapped to the <tt>sysadm_u</tt> or <tt>staff_u</tt>\nusers with the appropriate domains (<tt>sysadm_t</tt> and <tt>staff_t</tt>).\n<br /><br />\nAll authorized non-administrative\nusers must be mapped to the <tt>user_u</tt> role or the appropriate domain\n(user_t).", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Map System Users To The Appropriate SELinux Role", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml", "template": null}