Ensure SELinux Not Disabled in /etc/default/grub

Classification:

compliance

Framework:

Control:

Description

SELinux can be disabled at boot time by a kernel argument in /etc/default/grub: selinux=0 turns it off entirely, and enforcing=0 boots it in permissive mode, which confines nothing. The GRUB_CMDLINE_LINUX value in that file is copied into the generated GRUB configuration, so remove any instance of selinux=0 and enforcing=0 from the kernel arguments there to prevent SELinux from being disabled at boot. Because /etc/default/grub is only the template, the generated configuration (/etc/grub2.cfg) and the drop-ins under /etc/grub.d/ have to be cleaned as well. The change takes effect at the next boot; a system that is currently running with selinux=0 (visible in /proc/cmdline) remains unconfined until it is rebooted.

Rationale

Disabling a major host protection feature such as SELinux at boot time prevents it from confining system services from the moment they start. It also increases the chance that SELinux remains off for the rest of the system's operation, since nothing re-enables it later.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms: skip inside containers
# (there is no bootloader to configure) and on hosts without the GRUB2 package.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

    # Delete the disabling arguments from the template, from the generated
    # configuration (/etc/grub2.cfg is a symlink into /boot, hence
    # --follow-symlinks) and from the /etc/grub.d/ drop-ins. The I flag makes
    # the match case-insensitive; the surrounding blanks are left in place,
    # which the kernel command-line parser tolerates.
    sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
    sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
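The script above deletes the literal tokens from three locations. The following audit-and-clean script is an added example, not part of the ComplianceAsCode rule or its remediation: it matches selinux=0 and enforcing=0 only as whole kernel arguments, removes them together with the blank that separated them from their neighbour, rewrites files in place without losing their mode or SELinux label, and also looks at the BLS entries under /boot/loader/entries, the grubenv file and /proc/cmdline, which the rule's sed does not reach. The file list in candidate_files is an assumption about a RHEL-family host, the function names are this example's own, and the sample lines in demo are constructed rather than taken from any real system.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode content): audit every file that can hand
# selinux=0 / enforcing=0 to the kernel and strip those tokens cleanly.
# Usage: sh selinux_grub_audit.sh        -> runs the constructed demo below
#        sh selinux_grub_audit.sh audit  -> audits the files on this host

# Whole-token match: the argument must be delimited by start/end of line, a
# blank or a double quote, so a parameter such as noselinux=0 is not mistaken.
SELINUX_OFF_RE='(^|[[:space:]"])(selinux|enforcing)=0([[:space:]"]|$)'

# has_selinux_disabled FILE...: exit 0 if any FILE carries a disabling token;
# missing files are silently ignored (-s).
has_selinux_disabled() {
    grep -Eqs "$SELINUX_OFF_RE" "$@"
}

# strip_selinux_disabled: filter stdin to stdout. The first substitution drops
# a token together with the one blank before it and loops (:a ... ta) until no
# such token remains; the second handles a token that opens the quoted value
# or the line, where there is no preceding blank to remove.
strip_selinux_disabled() {
    sed -E \
        -e ':a' \
        -e 's/[[:space:]]+(selinux|enforcing)=0([[:space:]"]|$)/\2/' \
        -e 'ta' \
        -e 's/(^|")(selinux|enforcing)=0[[:space:]]*/\1/g'
}

# clean_file FILE: rewrite FILE in place. readlink -f edits the real file
# behind a symlink such as /etc/grub2.cfg, and writing through cat keeps the
# original inode, so owner, mode and SELinux label survive (mv would replace
# them with those of the temporary file).
clean_file() {
    target=$(readlink -f "$1") || return 1
    strip_selinux_disabled < "$target" > "$target.tmp" \
        && cat "$target.tmp" > "$target" \
        && rm -f "$target.tmp"
}

# candidate_files: where a disabling argument can live on a RHEL-family host
# (assumed layout). /boot/loader/entries/*.conf and grubenv matter on BLS
# systems (RHEL 8+, Fedora), where grub.cfg itself carries no kernel
# arguments; /proc/cmdline shows what the running kernel actually booted with.
candidate_files() {
    for f in /etc/default/grub /etc/grub2.cfg /etc/grub2-efi.cfg /etc/grub.d/* \
             /boot/loader/entries/*.conf /boot/grub2/grubenv /proc/cmdline; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# audit_host: print the offending host files and exit 1, or exit 0 when clean.
audit_host() {
    offending=$(candidate_files | while read -r f; do
        if has_selinux_disabled "$f"; then printf '%s\n' "$f"; fi
    done)
    if [ -z "$offending" ]; then return 0; fi
    printf 'SELinux disabled by kernel argument in:\n%s\n' "$offending" >&2
    return 1
}

# demo: constructed stand-ins for /etc/default/grub and a BLS entry (sample
# data, not from a real host), cleaned in a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto selinux=0 rhgb quiet enforcing=0"\n' > "$dir/grub"
    printf 'title Linux\noptions root=/dev/mapper/vg-root ro selinux=0\n' > "$dir/entry.conf"
    if has_selinux_disabled "$dir"/*; then
        for f in "$dir"/*; do clean_file "$f"; done
    fi
    cat "$dir/grub" "$dir/entry.conf"   # the same lines with the tokens removed
    rm -rf "$dir"
}

case "${1:-demo}" in
    audit) audit_host ;;
    *)     demo ;;
esac
```

Cleaning /etc/default/grub only fixes the template; regenerate the live configuration afterwards with `grub2-mkconfig -o "$(readlink -f /etc/grub2.cfg)"`, and on BLS hosts rewrite the boot entries and grubenv with `grubby --update-kernel=ALL --remove-args="selinux=0 enforcing=0"`. After the next reboot, `grep -E 'selinux=0|enforcing=0' /proc/cmdline` should print nothing and `getenforce` should report Enforcing.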

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure SELinux Not Disabled in /etc/default/grub - Find /etc/grub.d/ files
  ansible.builtin.find:
    paths:
      - /etc/grub.d/
    follow: true
  register: result_grub_d
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2-common" in ansible_facts.packages'
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/grub.d/ files
  ansible.builtin.replace:
    dest: '{{ item.path }}'
    regexp: (selinux|enforcing)=0
  with_items:
    - '{{ result_grub_d.files }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2-common" in ansible_facts.packages'
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/grub2.cfg exists
  ansible.builtin.stat:
    path: /etc/grub2.cfg
  register: result_grub2_cfg_present
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2-common" in ansible_facts.packages'
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/default/grub exists
  ansible.builtin.stat:
    path: /etc/default/grub
  register: result_default_grub_present
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2-common" in ansible_facts.packages'
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/grub2.cfg
  ansible.builtin.replace:
    dest: /etc/grub2.cfg
    regexp: (selinux|enforcing)=0
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2-common" in ansible_facts.packages'
    - result_grub2_cfg_present.stat.exists
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/default/grub
  ansible.builtin.replace:
    dest: /etc/default/grub
    regexp: (selinux|enforcing)=0
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2-common" in ansible_facts.packages'
    - result_default_grub_present.stat.exists
  tags:
    - CCE-26961-3
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - grub2_enable_selinux
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy