Mapping SELinux Users in FreeIPA for DoD Compliance
A technical guide details using FreeIPA's `SELinux_user_mapping` to enforce attribute-based access controls. This aligns directly with the DoD's Zero Trust User & Identity pillar by centralizing user-to-SELinux context maps, enabling consistent policy enforcement and Splunk-based detection for unauthorized changes.
The DoD's Zero Trust Strategy, released in October 2022, mandates a shift away from perimeter-based defense, operating on the principle of "never trust, always verify". The strategy is structured around seven pillars: User, Device, Applications & Workloads, Data, Network & Environment, Automation & Orchestration, and Visibility & Analytics. Centralizing SELinux user maps directly supports the User pillar by enforcing continuous verification and least-privilege access.

Security-Enhanced Linux (SELinux) was originally developed by the U.S. National Security Agency (NSA) and released to the open-source community on December 22, 2000. It provides a mechanism for enforcing mandatory access control (MAC) security policies, moving beyond the discretionary access control (DAC) of standard Unix permissions. This kernel security module is a foundational component for hardening Linux systems according to the CIS Benchmarks.

In a FreeIPA environment, SELinux user maps link IPA users to specific SELinux security contexts, each consisting of an SELinux user, a role, and a type. A map can be tied to a Host-Based Access Control (HBAC) rule, so that when a user's access to a host group changes, their SELinux context follows automatically and consistently. On the client, SSSD evaluates these maps at login to determine the correct context for the user's session.

For detection engineering, Splunk can be configured to monitor SELinux policy and configuration changes. A Splunk universal forwarder, combined with the Splunk Add-on for Unix and Linux, can collect `/var/log/audit/audit.log`. Detection rules should alert on modifications to the SELinux user mapping configuration, unauthorized changes to SELinux booleans, and attempts to set SELinux to permissive or disabled mode. Running SELinux in enforcing mode alongside Splunk can present challenges, because some Splunk processes may not have predefined SELinux contexts and require manual policy adjustments.
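To make the map-to-context resolution concrete, the following is an added example (not FreeIPA or SSSD code) that models how a client would pick a user's SELinux user from a set of maps. It uses the stock defaults that `ipa config-show` reports for the map order and default SELinux user, and follows the `ipa config` help text that the order string lists SELinux users in increasing priority. The users, hosts, HBAC rules and maps are constructed for illustration; the resolution rule (HBAC-tied maps apply wherever the rule grants access, the highest-priority matching SELinux user wins, the default applies when nothing matches) is this example's reading of the FreeIPA semantics and should be checked against your server's configuration.

```python
"""Resolve the SELinux user an IPA client would assign to a login.

Added example, not FreeIPA or SSSD code. All rules, maps, users and
hosts below are constructed for illustration.
"""

# Defaults reported by `ipa config-show` on a stock FreeIPA server.
# The order string lists SELinux users in increasing priority, '$'-delimited.
DEFAULT_MAP_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023"
    "$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
)
DEFAULT_SELINUX_USER = "unconfined_u:s0-s0:c0.c1023"

# Constructed HBAC rules: name -> (users, hosts); "ALL" models a category
# of "all" rather than an explicit member list.
HBAC_RULES = {
    "allow_admins_webservers": ({"alice"}, {"web01.example.test"}),
    "allow_all_bastion": ("ALL", {"bastion.example.test"}),
}

# Constructed SELinux user maps. A map is either tied to an HBAC rule or
# lists its own users and hosts (FreeIPA treats these as exclusive).
SELINUX_MAPS = [
    {"name": "web_admins", "selinuxuser": "staff_u:s0-s0:c0.c1023",
     "hbacrule": "allow_admins_webservers"},
    {"name": "everyone_bastion", "selinuxuser": "user_u:s0",
     "hbacrule": "allow_all_bastion"},
    {"name": "bob_guest", "selinuxuser": "guest_u:s0",
     "users": {"bob"}, "hosts": {"bastion.example.test"}},
]


def hbac_allows(rule_name, user, host):
    """True when the named HBAC rule grants `user` access to `host`."""
    users, hosts = HBAC_RULES[rule_name]
    user_ok = users == "ALL" or user in users
    host_ok = hosts == "ALL" or host in hosts
    return user_ok and host_ok


def map_matches(selinux_map, user, host):
    """A map applies via its HBAC rule, or via its direct user/host members."""
    if "hbacrule" in selinux_map:
        return hbac_allows(selinux_map["hbacrule"], user, host)
    return (user in selinux_map.get("users", set())
            and host in selinux_map.get("hosts", set()))


def resolve_selinux_user(user, host, maps=SELINUX_MAPS,
                         order=DEFAULT_MAP_ORDER, default=DEFAULT_SELINUX_USER):
    """Return the SELinux user for `user` logging in to `host`.

    When several maps match, the SELinux user that appears latest in the
    order string (highest priority) is chosen; with no match, the
    server-wide default is returned.
    """
    priority = {su: i for i, su in enumerate(order.split("$"))}
    candidates = [m["selinuxuser"] for m in maps if map_matches(m, user, host)]
    if not candidates:
        return default
    return max(candidates, key=lambda su: priority.get(su, -1))


if __name__ == "__main__":
    for login in [("alice", "web01.example.test"), ("alice", "bastion.example.test"),
                  ("bob", "bastion.example.test"), ("carol", "web01.example.test")]:
        print(f"{login[0]}@{login[1]}: {resolve_selinux_user(*login)}")
```

Note the `bob` case: both `everyone_bastion` (`user_u`) and `bob_guest` (`guest_u`) match, and `user_u` wins because it sits later in the order string. Tightening a user's context therefore requires either removing them from the broader HBAC-tied map or lowering that map's SELinux user, not just adding a more restrictive map.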
A related concern is that running SELinux in permissive mode can also impact Splunk performance by disabling Regex JIT, which can slow down regex processing significantly. Proper configuration and exception handling are therefore crucial in environments that require CIS Benchmark Level 2 hardening.

The DoD has set a deadline of September 30, 2027, for all of its components and partners to achieve the "target level" of Zero Trust. The initiative is guided by NIST Special Publication 800-207, which provides the foundational Zero Trust architecture and emphasizes that no network location is inherently trusted and that access must be granted on a per-session basis.
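The three detections described above (mapping configuration changes, unauthorized boolean changes, and switching SELinux to permissive or disabled) can be prototyped against `audit.log` before they are turned into Splunk searches. The following is an added example, not Splunk code or the Splunk Add-on for Unix and Linux: it parses audit records into key/value fields and classifies them. The sample records are constructed, not captured from a real host. It assumes the CIS auditd watch rule `-w /etc/selinux/ -p wa -k MAC-policy` is installed, so that edits under `/etc/selinux/` (including `SELINUX=disabled` in `/etc/selinux/config` and the per-user login mappings SSSD writes there) carry `key="MAC-policy"`; the `APPROVED_BOOLEANS` allowlist stands in for whatever your change-management process authorizes. Changes to the maps on the IPA server itself are LDAP writes and would be sourced from the directory server's logs, which this example does not cover.

```python
"""Classify SELinux-related audit records for alerting.

Added example, not Splunk or Splunk Add-on code. The audit records in
SAMPLE_AUDIT_LOG are constructed for illustration. Assumes the CIS watch
rule `-w /etc/selinux/ -p wa -k MAC-policy` is loaded in auditd.
"""
import re

# Boolean changes authorized through change management (constructed allowlist).
APPROVED_BOOLEANS = {"httpd_can_network_connect"}

# key=value tokens; values may be unquoted, double-quoted or single-quoted.
_KV = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")

# Constructed records in native auditd format.
SAMPLE_AUDIT_LOG = [
    'type=MAC_STATUS msg=audit(1700000000.101:201): enforcing=0 old_enforcing=1 '
    'auid=1000 ses=4 enforcing=0 old-enforcing=1 auid=1000 ses=4',
    'type=MAC_CONFIG_CHANGE msg=audit(1700000000.102:202): bool=httpd_can_network_connect '
    'val=1 old_val=0 auid=1000 ses=4',
    'type=MAC_CONFIG_CHANGE msg=audit(1700000000.103:203): bool=ssh_sysadm_login '
    'val=1 old_val=0 auid=1000 ses=4',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes '
    'exit=3 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="MAC-policy"',
    'type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=257 success=yes '
    'exit=3 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="sshd_config"',
    'type=MAC_STATUS msg=audit(1700000000.106:206): enforcing=1 old_enforcing=0 auid=1000 ses=4',
]


def parse_audit_record(line):
    """Split one audit line into a dict; the first occurrence of a key wins."""
    fields = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value.strip("\"'"))
    return fields


def classify(fields):
    """Return (detection_name, severity) or None for records of no interest."""
    rtype = fields.get("type")
    # setenforce 0 (or equivalent): enforcing flipped from 1 to 0.
    if (rtype == "MAC_STATUS" and fields.get("enforcing") == "0"
            and fields.get("old_enforcing") == "1"):
        return ("selinux_set_permissive", "high")
    # setsebool: alert unless the boolean is on the approved list.
    if rtype == "MAC_CONFIG_CHANGE" and "bool" in fields:
        if fields["bool"] in APPROVED_BOOLEANS:
            return None
        return ("selinux_boolean_unauthorized", "medium")
    # Write/attribute change under /etc/selinux/ caught by the watch rule.
    if rtype == "SYSCALL" and fields.get("key") == "MAC-policy":
        return ("selinux_config_modified", "medium")
    return None


def scan(lines):
    """Run every record through classify() and collect the alerts."""
    alerts = []
    for line in lines:
        fields = parse_audit_record(line)
        hit = classify(fields)
        if hit is None:
            continue
        name, severity = hit
        alerts.append({
            "detection": name,
            "severity": severity,
            "auid": fields.get("auid"),   # login uid survives sudo, unlike uid
            "exe": fields.get("exe"),
            "record": fields.get("msg"),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(alert)
```

The same field logic carries over to Splunk directly, since the add-on's `linux_audit` sourcetype extracts these key/value pairs; keying alerts on `auid` rather than `uid` keeps the original login visible when the change was made through `sudo`. Switching back to enforcing (the last sample record) is deliberately not an alert, though it is worth correlating with the preceding permissive event.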