Potential Disabling of SELinux

  1[metadata]
  2creation_date = "2020/04/22"
  3integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_version = "8.13.0"
  6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  7updated_date = "2025/01/15"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to
 13support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
 14activities.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Potential Disabling of SELinux"
 21risk_score = 47
 22rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 23setup = """## Setup
 24
 25This rule requires data coming in from one of the following integrations:
 26- Elastic Defend
 27- Auditbeat
 28
 29### Elastic Defend Integration Setup
 30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 31
 32#### Prerequisite Requirements:
 33- Fleet is required for Elastic Defend.
 34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 35
 36#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 37- Go to the Kibana home page and click "Add integrations".
 38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 39- Click "Add Elastic Defend".
 40- Configure the integration name and optionally add a description.
 41- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 46- Click "Save and Continue".
 47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 49
 50### Auditbeat Setup
 51Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
 52
 53#### The following steps should be executed in order to add the Auditbeat on a Linux System:
 54- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
 55- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
 56- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 57- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 58- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 59"""
 60severity = "medium"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Linux",
 64    "Use Case: Threat Detection",
 65    "Tactic: Defense Evasion",
 66    "Data Source: Elastic Endgame",
 67    "Data Source: Elastic Defend",
 68    "Data Source: Auditd Manager",
 69    "Data Source: Crowdstrike",
 70    "Data Source: SentinelOne",
 71    "Resources: Investigation Guide",
 72]
 73timestamp_override = "event.ingested"
 74type = "eql"
 75
 76query = '''
 77process where host.os.type == "linux" and event.type == "start" and
 78 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 79 process.name == "setenforce" and process.args == "0"
 80'''
 81note = """## Triage and analysis
 82
 83> **Disclaimer**:
 84> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 85
 86### Investigating Potential Disabling of SELinux
 87
 88SELinux is a critical security feature in Linux environments, enforcing access control policies to protect against unauthorized access. Adversaries may attempt to disable SELinux to evade detection and carry out malicious activities undetected. The detection rule identifies such attempts by monitoring for the execution of the 'setenforce 0' command, which switches SELinux to permissive mode, effectively disabling its enforcement capabilities. This rule leverages process monitoring to alert security teams of potential defense evasion tactics.
 89
 90### Possible investigation steps
 91
 92- Review the process execution details to confirm the presence of the 'setenforce 0' command, ensuring that the process name is 'setenforce' and the argument is '0'.
 93- Check the user account associated with the process execution to determine if it is a legitimate administrative user or a potential compromised account.
 94- Investigate the timeline of events leading up to and following the execution of the 'setenforce 0' command to identify any related suspicious activities or processes.
 95- Examine system logs and audit logs for any other unusual or unauthorized changes to SELinux settings or other security configurations.
 96- Assess the system for any signs of compromise or malicious activity, such as unexpected network connections, file modifications, or the presence of known malware indicators.
 97- Verify the current SELinux status and configuration to ensure it has been restored to enforcing mode if it was indeed set to permissive mode.
 98
 99### False positive analysis
100
101- System administrators may execute the 'setenforce 0' command during routine maintenance or troubleshooting, leading to false positives. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
102- Some automated scripts or configuration management tools might temporarily set SELinux to permissive mode for deployment purposes. Identify these scripts and exclude their execution context from triggering alerts.
103- Development environments might require SELinux to be set to permissive mode for testing purposes. Consider excluding specific development hosts or environments from the rule to prevent unnecessary alerts.
104- In certain cases, SELinux might be disabled as part of a controlled security audit or penetration test. Coordinate with security teams to whitelist these activities during the audit period.
105
106### Response and remediation
107
108- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
109- Verify the current SELinux status on the affected system using the command `sestatus` to confirm if it has been switched to permissive mode.
110- If SELinux is in permissive mode, re-enable it by executing `setenforce 1` and ensure that the SELinux policy is correctly enforced.
111- Conduct a thorough review of system logs and process execution history to identify any unauthorized changes or suspicious activities that occurred while SELinux was disabled.
112- Scan the affected system for malware or unauthorized software installations using a trusted antivirus or endpoint detection and response (EDR) tool.
113- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
114- Implement additional monitoring and alerting for similar SELinux-related events to enhance detection capabilities and prevent recurrence."""
115
116
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119[[rule.threat.technique]]
120id = "T1562"
121name = "Impair Defenses"
122reference = "https://attack.mitre.org/techniques/T1562/"
123[[rule.threat.technique.subtechnique]]
124id = "T1562.001"
125name = "Disable or Modify Tools"
126reference = "https://attack.mitre.org/techniques/T1562/001/"
127
128
129
130[rule.threat.tactic]
131id = "TA0005"
132name = "Defense Evasion"
133reference = "https://attack.mitre.org/tactics/TA0005/"