1.6.1.1 Ensure SELinux is enabled in the bootloader configuration - security=selinux

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.
Rationale:
SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.

Solution

run the following command to configure GRUB and PAM and to create /.autorelabel
# selinux-activate
Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX= line:
selinux=1
security=selinux
example:
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1"
Run the following command to update the grub2 configuration:
# update-grub
Notes:
This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

See Also

https://workbench.cisecurity.org/files/2242

Item Details

Category: ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-3, 800-53|SI-7, CSCv7|14.6

Plugin: Unix

Control ID: b0f0e4b40269968ccc205eaa9e6be6cc0302c969bfe92ccc436438d7c37c72ed