2.8 Ensure the Trusted Execution Policies cannot be modified

Information

Set trusted execution policy LOCK_KERN_POLICIES to enabled. All of the other policies will then be locked and cannot be changed without disabling the LOCK_KERN_POLICIES policy and then restarting the system.

Rationale:

When policies are locked, unauthorized users cannot change the policies to let them execute unapproved tools and then revert the settings afterwards; because the lock can only be removed by disabling LOCK_KERN_POLICIES and restarting, an unplanned system reboot is likely to be noticed and investigated.

Solution

Execute the following command:

trustchk -p LOCK_KERN_POLICIES=ON
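An added audit helper for this check (example code, not part of the CIS benchmark or of AIX). It assumes that `trustchk -p` with no argument prints one NAME=VALUE line per policy (e.g. LOCK_KERN_POLICIES=OFF); the sample output embedded below is constructed. It also lists which policies are still OFF, since the lock freezes whatever values the other policies have at the time it is applied.

```shell
#!/bin/sh
# Added example: audit the AIX Trusted Execution policy lock (CIS 2.8).
# Assumption: `trustchk -p` prints NAME=VALUE, one policy per line.

# Constructed sample of `trustchk -p` output from a non-compliant host.
SAMPLE_POLICIES='TE=ON
CHKEXEC=ON
CHKSHLIB=ON
CHKSCRIPT=ON
CHKKERNEXT=ON
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TEP=OFF
TLP=OFF'

# policy_value NAME: print the value of policy NAME read from stdin,
# or UNKNOWN if the policy is not present in the dump.
policy_value() {
    awk -F= -v want="$1" '
        $1 == want { print $2; found = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# policies_off: space-separated names of all policies currently OFF (stdin).
# Useful before locking: the lock preserves these OFF values too.
policies_off() {
    awk -F= '$2 == "OFF" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# lock_policies_compliant: succeed only if LOCK_KERN_POLICIES=ON (stdin).
lock_policies_compliant() {
    [ "$(policy_value LOCK_KERN_POLICIES)" = "ON" ]
}

# audit_host: run on a live AIX system; remediation takes effect after reboot.
audit_host() {
    dump=$(trustchk -p 2>/dev/null) || { echo "ERROR: trustchk -p failed"; return 2; }
    if printf '%s\n' "$dump" | lock_policies_compliant; then
        echo "PASS: LOCK_KERN_POLICIES=ON"
    else
        echo "FAIL: LOCK_KERN_POLICIES is not ON"
        echo "      policies still OFF: $(printf '%s\n' "$dump" | policies_off)"
        echo "      remediate with: trustchk -p LOCK_KERN_POLICIES=ON"
        return 1
    fi
}
```

Review the `policies still OFF` list before applying the lock, because enabling the remaining checks afterwards requires unlocking and another reboot.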

See Also

https://workbench.cisecurity.org/benchmarks/7851