11.1 Ensure SELinux Is Enabled in Enforcing Mode

Information

SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides mandatory access control security policies with type enforcement that are checked after the traditional discretionary access controls. It was created by the US National Security Agency and can enforce rules on files and processes in a Linux system, and restrict actions, based on defined policies.

Rationale:

Web applications and services continue to be one of the leading attack vectors for black-hat criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The SELinux mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model only allowing what is explicitly permitted.

Solution

Perform the following to implement the recommended state:

If SELinux is not enabled in the configuration file, edit the file '/etc/selinux/config' and set the value of SELINUX as 'enforcing'. Reboot the system for the new configuration to be effective.

SELINUX=enforcing

If the current mode is not 'enforcing' and an immediate reboot is not possible, the current mode can be set to 'enforcing' with the command shown below.

# setenforce 1

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.7

Plugin: Unix

Control ID: f71550f83432d386bc31a8a2e7ab8a333beaaf5587c113655bf88f4d0bfac9a5