Ensure SELinux is Not Disabled
An XCCDF Rule
Description
The SELinux state should be set to enforcing
or permissive
at system boot
time. In the file /etc/selinux/config
, add or correct the following line to configure
the system to boot into enforcing or permissive mode:
SELINUX=enforcingOR
SELINUX=permissive
warning alert: Warning
In case the SELinux is "disabled", the automated remediation will adopt a more
conservative approach and set it to "permissive" in order to avoid any system disruption
and give the administrator the opportunity to assess the impact and necessary efforts
before setting it to "enforcing", which is strongly recommended.
Rationale
Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux controls without a system reboot. It also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.
- ID
- xccdf_org.ssgproject.content_rule_selinux_not_disabled
- Severity
- High
- References
- Updated
Remediation - Ansible
- name: Ensure SELinux is Not Disabled
block:
- name: Check for duplicate values
lineinfile:
path: /etc/selinux/config
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/selinux/config" ] ; then
LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"