8.1.7 Record Events That Modify the System's Mandatory Access Controls

Information

Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory. Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Solution

Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules-w /etc/selinux/ -p wa -k MAC-policy# Execute the following command to restart auditd# pkill -P 1-HUP auditd

See Also

https://workbench.cisecurity.org/files/85

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 745cf5b60dea19e6ecb5b664e965e9c2560f92e43e793d4c85b815c90b7f2541