{"description": "SELinux can be disabled at boot time by an argument in\n<tt>/etc/default/grub</tt>.\nRemove any instances of <tt>selinux=0</tt> from the kernel arguments in that\nfile to prevent SELinux from being disabled at boot.", "rationale": "Disabling a major host protection feature, such as SELinux, at boot time prevents\nit from confining system services at boot time.  Further, it increases\nthe chances that it will remain off during system operation.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "3", "4", "5", "6", "8", "9"], "cobit5": ["APO01.06", "APO11.04", "APO13.01", "BAI03.05", "DSS01.05", "DSS03.01", "DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.02", "DSS06.03", "DSS06.06", "MEA02.01"], "cui": ["3.1.2", "3.7.2"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)", "164.308(a)(4)", "164.310(b)", "164.310(c)", "164.312(a)", "164.312(e)"], "isa-62443-2009": ["4.2.3.4", "4.3.3.2.2", "4.3.3.3.9", "4.3.3.4", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4", "4.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.1.1", "A.12.1.2", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.1.2", "A.13.1.3", "A.13.2.1", "A.13.2.2", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.2.3", "CIP-004-6 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.2", "CIP-007-3 R5.3.1", "CIP-007-3 R5.3.2", "CIP-007-3 R5.3.3"], "nist": ["AC-3", "AC-3(3)(a)"], "nist-csf": ["DE.AE-1", "ID.AM-3", "PR.AC-4", "PR.AC-5", "PR.AC-6", "PR.DS-5", "PR.PT-1", "PR.PT-3", "PR.PT-4"], "pcidss4": ["1.2.6", "1.2"]}, "control_references": {"pcidss4": ["1.2.6", "1.2"]}, "components": [], "identifiers": {}, "ocil_clause": "SELinux is disabled at boot time", "ocil": "Inspect <tt>/etc/default/grub</tt> for any instances of <tt>selinux=0</tt>\nin the kernel boot arguments.  Presence of <tt>selinux=0</tt> indicates\nthat SELinux is disabled at boot time.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "grub2", "platforms": ["grub2"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["grub2"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure SELinux Not Disabled in /etc/default/grub", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml", "template": null}