Goal

Detect when SELinux enforcement is disabled.

Strategy

This detection monitors the change of SELinux enforcing mode.

Triage & Response

1. Check which user or process disabled SELinux enforcing mode.
2. If the change is not expected, roll back to enable SELinux enforcing mode.
3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
4. Find and repair the root cause of the attack.

Requires Agent version 7.30 or greater