SELinux enforcement disabled

Deprecation Notice (June 30, 2026): This rule is deprecated in favor of the Interactive shell compromise attack correlation rule, which combines multiple interactive shell compromise signals into a single, higher-fidelity detection. You automatically benefit from the improved correlation-based detection without any action required.

What happened

SELinux enforcement was switched off, potentially by an attacker seeking to weaken host defenses before further activity.

Goal

Detect when SELinux enforcement is disabled.

Strategy

This detection monitors changes to the SELinux enforcing mode and fires when enforcement is turned off.

Triage & Response

  1. Check which user or process disabled SELinux enforcing mode.
  2. If the change is not expected, roll back to enable SELinux enforcing mode.
  3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
  4. Find and repair the root cause of the attack.
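Triage steps 1 and 2 in script form, as an added example that is not part of the Datadog rule: it assumes auditd is running (so the kernel's MAC_STATUS record written on every enforcing-mode change is available), parses constructed sample audit lines to attribute the change to a login uid and session, and checks both the runtime and the persistent SELinux state before rolling back.

```shell
#!/bin/sh
# Added triage helpers for an "SELinux enforcement disabled" signal; not part of
# the Datadog rule. Assumes auditd is running so the kernel's MAC_STATUS record
# (written whenever enforcing mode changes) is available in /var/log/audit/audit.log
# or via `ausearch -m MAC_STATUS`.

# Constructed sample records (not real logs); the field layout follows the kernel's
# MAC_STATUS format: new and old enforcing state plus the login uid and session.
SAMPLE_AUDIT='type=MAC_STATUS msg=audit(1717000000.101:301): enforcing=0 old_enforcing=1 auid=1000 ses=4 enabled=1 old-enabled=1 lsm=selinux res=1
type=SYSCALL msg=audit(1717000000.101:301): arch=c000003e syscall=1 success=yes exit=1 comm="setenforce" exe="/usr/sbin/setenforce"
type=MAC_STATUS msg=audit(1717003600.250:512): enforcing=1 old_enforcing=0 auid=0 ses=7 enabled=1 old-enabled=1 lsm=selinux res=1'

# Step 1: who switched enforcing off? Prints "<event id> auid=<login uid> ses=<session>"
# for every MAC_STATUS record where enforcing went 1 -> 0. The event id lets you
# pull the matching SYSCALL record (comm/exe/pid) with: ausearch -a <serial>.
enforcing_disabled_events() {
    printf '%s\n' "$1" | awk '
        /^type=MAC_STATUS / && / enforcing=0 / && / old_enforcing=1 / {
            id = $0;   sub(/.*msg=audit\(/, "", id); sub(/\).*/, "", id)
            auid = $0; sub(/.*auid=/, "", auid);    sub(/ .*/, "", auid)
            ses = $0;  sub(/.*ses=/, "", ses);      sub(/ .*/, "", ses)
            printf "%s auid=%s ses=%s\n", id, auid, ses
        }'
}

# Runtime state: 1 = enforcing, 0 = permissive, "disabled" if SELinux is not loaded.
runtime_enforce_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then cat /sys/fs/selinux/enforce; else echo disabled; fi
}

# Persistent state from the config file (default /etc/selinux/config): a runtime
# rollback with setenforce does not survive a reboot if this says permissive/disabled.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Step 2: roll back if the change was not expected (needs root). Only the runtime
# mode is changed here; also fix the config file if selinux_config_mode != enforcing.
restore_enforcing() {
    [ "$(runtime_enforce_mode)" = "1" ] || setenforce 1
}

enforcing_disabled_events "$SAMPLE_AUDIT"
```

On a live host, replace the constructed sample with `ausearch -m MAC_STATUS -i` output or the raw audit log to attribute the real event.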

Requires Agent version 7.30 or greater