SELinux enforcement disabled

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when SELinux enforcement is disabled.

Strategy

This detection monitors the change of SELinux enforcing mode.

Triage & Response

  1. Check which user or process disabled SELinux enforcing mode.
  2. If the change is not expected, roll back to enable SELinux enforcing mode.
  3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
  4. Find and repair the root cause of the attack.

Requires Agent version 7.30 or greater