Profile Applicability:
• Level 1
Description:
SELinux can be switched off, or forced into permissive mode, from the kernel command line: the bootloader parameter selinux=0 disables it entirely and enforcing=0 boots it in permissive mode, and either parameter overrides the setting in /etc/selinux/config. Ensuring neither parameter appears in the bootloader configuration guarantees that SELinux policy is enforced from system startup.
Rationale:
Preventing SELinux from being disabled at boot protects the system by maintaining mandatory access controls, which reduce the risk of unauthorized access and privilege escalation.
Impact:
Pros:
Maintains enforced SELinux security policies during boot.
Prevents accidental or intentional disabling of SELinux.
Cons:
If SELinux is misconfigured, system boot or application functionality might be impacted.
Default Value:
By default, the bootloader configuration does not set selinux=0 or enforcing=0; the SELinux state at boot is then governed by /etc/selinux/config.
Pre-requisites:
Root or sudo privileges to inspect and modify bootloader configuration.
Remediation:
Test Plan:
Using Linux command line:
Check the GRUB defaults file, the generated GRUB configuration and the command line of the running kernel for the two parameters (selinux=0 disables SELinux entirely; enforcing=0 boots it in permissive mode):
GRUB config:
grep -E 'selinux=0|enforcing=0' /etc/default/grub /boot/grub2/grub.cfg
Running kernel:
grep -E 'selinux=0|enforcing=0' /proc/cmdline
Verify that neither command returns any output. On UEFI systems, also check the grub.cfg under /boot/efi/EFI/.
Implementation Plan:
Using Linux command line:
Back up /etc/default/grub, then edit it and remove selinux=0 and enforcing=0 from GRUB_CMDLINE_LINUX (and from GRUB_CMDLINE_LINUX_DEFAULT, if present); leave every other kernel parameter in place.
- Regenerate GRUB configuration:
grub2-mkconfig -o /boot/grub2/grub.cfg
Before rebooting, confirm that /etc/selinux/config sets SELINUX=enforcing: a kernel parameter only overrides that file, so removing the parameter does not by itself enable SELinux if the file disables it. If SELinux had been disabled, create /.autorelabel so the file system is relabeled on the next boot; unlabeled files are a common cause of boot and service failures when enforcing mode is first enabled.
Reboot the system to apply changes.
- Confirm SELinux is enabled and enforcing:
sestatus
The output should report "SELinux status: enabled" and "Current mode: enforcing"; getenforce prints the mode alone.
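The audit and the edit of /etc/default/grub above, scripted as an added example; this is not code from the CIS benchmark or from any vendor tooling. It assumes the GRUB 2 paths used on Amazon Linux 2 (/etc/default/grub, /boot/grub2/grub.cfg), which are passed as arguments so other paths can be substituted, and the demo at the bottom runs on a constructed defaults file rather than the live system. The strip function writes a cleaned copy so the result can be reviewed before it replaces /etc/default/grub.

```shell
#!/bin/sh
# Added example: audit bootloader configuration for the kernel parameters that
# disable or neuter SELinux, and produce a cleaned copy of /etc/default/grub.
# Assumed paths are the Amazon Linux 2 / GRUB 2 defaults; pass others as arguments.

# The two parameters this control forbids:
#   selinux=0   disables SELinux entirely
#   enforcing=0 boots SELinux in permissive mode
SELINUX_BAD_PARAMS='selinux=0|enforcing=0'

# selinux_boot_audit FILE...: print every line in which one of the parameters
# appears as a whole token (so "myselinux=0x" is not a hit). Returns 0 when
# every readable file is clean, 1 when a forbidden parameter was found.
selinux_boot_audit() {
    _rc=0
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        if grep -En "(^|[[:space:]\"])($SELINUX_BAD_PARAMS)([[:space:]\"]|\$)" "$_f"; then
            _rc=1
        fi
    done
    return "$_rc"
}

# selinux_boot_strip IN OUT: copy IN to OUT with the forbidden tokens removed
# from the GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT lines only; every
# other kernel parameter and every other line is left exactly as it was.
# The :again/t loop repeats the substitution until no token remains, so
# adjacent tokens ("selinux=0 enforcing=0") are both removed.
selinux_boot_strip() {
    sed -E "/^GRUB_CMDLINE_LINUX(_DEFAULT)?=/{
:again
s/(^|[[:space:]\"])($SELINUX_BAD_PARAMS)([[:space:]]|\")/\\1\\3/
t again
s/[[:space:]]+/ /g
s/=\" /=\"/
s/ \"\$/\"/
}" "$1" > "$2"
}

# Demonstration on a constructed defaults file that disables SELinux through
# both parameters; nothing on the live system is read or written.
selinux_boot_demo() {
    _tmp=$(mktemp -d)
    cat > "$_tmp/grub" <<'EOF'
GRUB_TIMEOUT=1
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 selinux=0 enforcing=0 crashkernel=auto"
GRUB_CMDLINE_LINUX_DEFAULT="selinux=0"
EOF
    echo "== audit of the constructed file =="
    selinux_boot_audit "$_tmp/grub" || echo "audit: FAIL (forbidden parameters present)"
    selinux_boot_strip "$_tmp/grub" "$_tmp/grub.fixed"
    echo "== GRUB_CMDLINE_LINUX* lines after cleaning =="
    grep '^GRUB_CMDLINE_LINUX' "$_tmp/grub.fixed"
    selinux_boot_audit "$_tmp/grub.fixed" && echo "audit: PASS"
    rm -rf "$_tmp"
}

# On a real host:
#   selinux_boot_audit /etc/default/grub /boot/grub2/grub.cfg /proc/cmdline
#   selinux_boot_strip /etc/default/grub /root/grub.cleaned   # review, then copy into place
selinux_boot_demo
```

Running the audit against /proc/cmdline as well as the configuration files catches a host that was booted with a one-off parameter typed at the GRUB prompt, which no file on disk would reveal. After the cleaned copy has been reviewed and moved to /etc/default/grub, grub2-mkconfig and a reboot are still required for it to take effect.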
Backout Plan:
Using Linux command line:
Restore the backup of /etc/default/grub taken before the change, or re-add the previous kernel parameters.
Regenerate the GRUB configuration with grub2-mkconfig -o /boot/grub2/grub.cfg and reboot.
Verify system functionality and the SELinux status reported by sestatus.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
GRUB 2 Manual - Kernel Parameters
SELinux Project Documentation