Profile Applicability:
• Level 1
Description:
SELinux provides mandatory access control to enhance system security. Disabling SELinux mode reduces protection and increases risk. This check ensures that SELinux is enabled (in enforcing or permissive mode) and not disabled.
Rationale:
Enforcing SELinux policies strengthens system security by restricting unauthorized access and limiting the impact of compromises.
Impact:
Pros:
Maintains system protection through SELinux enforcement.
Helps prevent privilege escalation and unauthorized actions.
Cons:
May require configuration adjustments for application compatibility.
Default Value:
SELinux may be enabled or disabled by default depending on distribution and configuration.
Pre-requisites:
Root or sudo privileges to check and modify SELinux status.
Remediation:
Test Plan:
Using Linux command line:
- Check current SELinux mode:
sestatus | grep "SELinux status" sestatus | grep "Current mode"
Confirm SELinux is enabled and not disabled.
Implementation Plan:
Using Linux command line:
- If SELinux is disabled, edit /etc/selinux/config:
SELINUX=enforcing
Reboot the system for changes to take effect.
Verify SELinux is enabled after reboot.
Backout Plan:
Using Linux command line:
- If issues occur, set SELinux to permissive mode temporarily:
setenforce 0
Modify /etc/selinux/config to SELINUX=permissive if necessary.
Reboot system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
SELinux Project Documentation
Red Hat SELinux Guide