Ensure SELinux is not disabled in bootloader configuration – selinux=0

Details

Configure SELINUX to be enabled at boot time and verify that it has not been overwritten

by the grub boot parameters.

Rationale:

SELinux must be enabled at boot time in your grub configuration to ensure that the

controls it provides are not overridden.

Solution

For grub based systems edit /boot/grub/menu.lst and remove all instances of selinux=0
and enforcing=0 on all kernel lines.
For grub2 based systems edit /etc/default/grub and remove all instances of selinux=0 and
enforcing=0 from all CMDLINE_LINUX parameters:

GRUB_CMDLINE_LINUX_DEFAULT=”quiet”
GRUB_CMDLINE_LINUX=””

Run the following command to update the grub2 configuration:

# update-grub

# grub2-mkconfig -o /boot/grub2/guub.cfg

Notes:

This recommendation is designed around the grub bootloader, if LILO or another
bootloader is in use in your environment enact equivalent settings.

Supportive Information

The following resource is also helpful.

https://workbench.cisecurity.org/files/2420https://workbench.cisecurity.org/files/2420

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-3(3)

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles