Profile Applicability:
• Level 1
Description:
SELinux enforces mandatory access control policies on Linux systems to restrict programs’ capabilities and contain potential security breaches. Proper SELinux policy configuration ensures that these controls are active and correctly applied.
Rationale:
A correctly configured SELinux policy provides robust protection by limiting process privileges and reducing the impact of compromised applications.
Impact:
Pros:
Enhances system security by enforcing fine-grained access controls.
Limits damage from compromised applications.
Cons:
Misconfiguration can lead to application failures or access denials.
Requires administrative effort to manage policies.
Default Value:
SELinux policies are usually pre-configured with the system but may require verification and tuning.
Pre-requisites:
Root or sudo privileges to view and manage SELinux policies.
Remediation:
Test Plan:
Using Linux command line:
- Check SELinux status and policy enforcement mode:
sestatus
Verify that SELinux is enabled and enforcing a valid policy.
Implementation Plan:
Using Linux command line:
- Install SELinux policy packages if missing:
yum install selinux-policy selinux-policy-targeted
- Enable SELinux enforcing mode:
setenforce 1
- Configure SELinux mode persistently by editing /etc/selinux/config:
SELINUX=enforcing SELINUXTYPE=targeted
Reboot system to apply persistent settings.
Backout Plan:
Using Linux command line:
- Switch SELinux to permissive mode if issues arise:
setenforce 0
Edit /etc/selinux/config to set SELINUX=permissive or disabled.
Reboot system as needed.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
SELinux Project Documentation
Red Hat SELinux Guide