Profile Applicability:
• Level 2
Description:
SELinux enforcing mode actively enforces the defined security policies, denying unauthorized actions and logging violations. Ensuring SELinux is in enforcing mode provides the strongest level of mandatory access control.
Rationale:
Operating SELinux in enforcing mode helps prevent unauthorized access and privilege escalation by strictly applying security policies.
Impact:
Pros:
Provides maximum protection through enforced policies.
Helps detect and prevent unauthorized activities.
Cons:
May cause legitimate applications to fail if not properly configured.
Requires careful policy management.
Default Value:
SELinux may be in permissive, enforcing, or disabled mode by default depending on system configuration.
Pre-requisites:
Root or sudo privileges to view and modify SELinux status.
Remediation:
Test Plan:
Using Linux command line
- Check SELinux current mode:
sestatus | grep "Current mode"
Confirm the mode is enforcing.
Implementation Plan:
Using Linux command line:
- Temporarily set SELinux to enforcing:
setenforce 1
- Edit /etc/selinux/config to persist enforcing mode:
SELINUX=enforcing
Reboot the system to apply persistent setting.
Backout Plan:
Using Linux command line:
1. Set SELinux to permissive mode if needed:
setenforce 0
2. Edit /etc/selinux/config to:
SELINUX=permissive
3. Reboot system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
SELinux Project Documentation
Red Hat SELinux Guide