4.1.8 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux/

Information

Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor
any write access (potential additional, deletion or modification of files in the directory) or
attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.

Rationale:

Changes to files in these directories could indicate that an unauthorized user is attempting
to modify access controls and change security contexts, leading to a compromise of the
system.

Solution

On systems using SELinux Edit or create a file in the /etc/audit/rules.d/ directory
ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy

On systems using AppArmor Edit or create a file in the /etc/audit/rules.d/ directory
ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy

Notes:

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.6, CSCv7|5.5

Plugin: Unix

Control ID: ca501a8602c7b90e3403a7127dad6b210af2f1ed962866af3b03b55ae767e986