Profile Applicability:
• Level 1
Description:
Security-Enhanced Linux (SELinux) provides a robust Mandatory Access Control (MAC) framework for Linux systems. Installing SELinux is the foundational step towards implementing fine-grained access controls and enhancing system security.
Rationale:
Having SELinux installed enables the enforcement of security policies that restrict processes and users, thereby limiting potential damage from compromised accounts or applications.
Impact:
Pros:
Provides enhanced security through MAC policies.
Helps prevent unauthorized access and privilege escalation.
Cons:
Requires proper configuration and management to avoid access issues.
May introduce complexity in system administration.
Default Value:
SELinux is installed by default on many enterprise Linux distributions such as Red Hat Enterprise Linux and CentOS, but may not be installed on others.
Pre-requisites:
Root or sudo privileges to verify and install system packages.
Remediation:
Test Plan:
Using Linux command line:
Verify if SELinux packages are installed:
RPM-based systems:
rpm -q selinux-policy selinux-policy-targeted libselinux
Confirm SELinux modules and policies are present.
Check SELinux status:
sestatus
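The Test Plan above is easier to apply consistently (and to feed into an audit script) when the checks are expressed as functions. The following is an added example, not part of the benchmark, that wraps the two verification commands: it parses the text that rpm -q and sestatus print, passing only when every package is installed and SELinux reports enabled and enforcing. The sample outputs in the comments are constructed; sestatus itself ships in the policycoreutils package, so the helper skips (and fails) when the command is absent.

```shell
#!/bin/sh
# Added audit helper for this recommendation (not part of the benchmark).
# Each check takes command output as text, so the logic can be exercised
# offline against constructed samples and then pointed at the real commands.

# Packages named in the Test Plan. rpm -q prints one line per package and
# "package NAME is not installed" for any that are missing.
SELINUX_PKGS="selinux-policy selinux-policy-targeted libselinux"

# Return 0 when no "is not installed" line is present; otherwise list them.
check_rpm_output() {
    missing=$(printf '%s\n' "$1" | grep 'is not installed' | awk '{print $2}')
    if [ -n "$missing" ]; then
        echo "FAIL: missing packages:" $missing
        return 1
    fi
    echo "PASS: all SELinux packages installed"
    return 0
}

# Return 0 only if sestatus reports "SELinux status: enabled" and
# "Current mode: enforcing" (constructed example of the expected lines).
check_sestatus_output() {
    status=$(printf '%s\n' "$1" | awk -F':' '/^SELinux status:/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }')
    mode=$(printf '%s\n' "$1" | awk -F':' '/^Current mode:/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }')
    if [ "$status" = "enabled" ] && [ "$mode" = "enforcing" ]; then
        echo "PASS: SELinux enabled and enforcing"
        return 0
    fi
    echo "FAIL: SELinux status='${status:-unknown}' mode='${mode:-unknown}'"
    return 1
}

# Run the live checks; meaningful only on an RPM-based host with SELinux tools.
audit_selinux() {
    rc=0
    if command -v rpm >/dev/null 2>&1; then
        check_rpm_output "$(rpm -q $SELINUX_PKGS 2>&1)" || rc=1
    else
        echo "SKIP: rpm not found"; rc=1
    fi
    if command -v sestatus >/dev/null 2>&1; then
        check_sestatus_output "$(sestatus 2>&1)" || rc=1
    else
        echo "SKIP: sestatus not found (provided by policycoreutils)"; rc=1
    fi
    return $rc
}
```

Run audit_selinux as root; a non-zero exit means the recommendation is not met. Note that a host where SELinux is installed but "Current mode" is permissive still fails, which matches the Implementation Plan's target of enforcing mode.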
Implementation Plan:
Using Linux command line:
1. Install SELinux packages if missing:
yum install -y selinux-policy selinux-policy-targeted libselinux
2. Set SELinux to enforcing mode with the targeted policy by editing /etc/selinux/config so that it contains:
SELINUX=enforcing
SELINUXTYPE=targeted
3. Reboot the system to apply changes.
4. Verify SELinux is active and enforcing:
sestatus
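Steps 1 to 4 above, carried out as a script, require the /etc/selinux/config edit to be done carefully: replacing the existing SELINUX= and SELINUXTYPE= lines rather than appending duplicates, and leaving the file's comments intact. The following is an added example, not part of the benchmark, that implements that edit with the config path as a parameter so it can be tried on a scratch copy; the assumed defaults (enforcing, targeted) are those given in step 2, and the package install and reboot are only echoed or issued in the final wrapper.

```shell
#!/bin/sh
# Added remediation helper for this recommendation (not part of the benchmark).
# The config file path is a parameter so the edit logic can be tested on a copy.
set -eu

SELINUX_PKGS="selinux-policy selinux-policy-targeted libselinux"

# Replace the first uncommented KEY=... line with KEY=VALUE (dropping any
# later duplicates) or append one if absent. Comments and other keys remain.
set_config_key() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        $0 ~ ("^" k "=") { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Step 2 of the implementation plan: mode and policy type default to
# enforcing/targeted, as the benchmark specifies.
set_selinux_config() {
    file=$1
    set_config_key "$file" SELINUX "${2:-enforcing}"
    set_config_key "$file" SELINUXTYPE "${3:-targeted}"
}

# Read back the effective value of a key (last uncommented occurrence wins).
get_config_key() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Steps 1-4 against the live system; requires root on an RPM-based host.
remediate_selinux() {
    yum install -y $SELINUX_PKGS
    set_selinux_config /etc/selinux/config enforcing targeted
    echo "Reboot required; afterwards verify with: sestatus"
}
```

The yum step is a no-op when the packages are already present. When a system moves from SELINUX=disabled to enforcing, files on disk usually carry no security labels yet, so a full relabel on the next boot (for example by creating /.autorelabel before rebooting) is normally needed; verify with sestatus after the reboot as step 4 requires.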
Backout Plan:
Using Linux command line:
- Temporarily set SELinux to permissive (or disabled) in /etc/selinux/config:
SELINUX=permissive
- Reboot the system.
- Uninstall the SELinux packages if necessary.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
SELinux Project Documentation
Red Hat SELinux Guide