4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor/

Information

Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories.

Notes:

If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited.

Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.

Rationale:

Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Solution

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules.
Example: vi /etc/audit/rules.d/MAC_policy.rules
Add the following lines:

-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
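The following shell script is an added example, not part of the CIS benchmark text or the Tenable plugin: it writes the two watch rules above into a .rules file and then verifies that a rules file, or the live output of auditctl -l, contains a watch on both directories with the wa permissions and the MAC-policy key. The file name MAC_policy.rules and the default rules.d directory follow the page; the check function accepting an optional trailing slash on the watched path is an assumption made so that either the rules file or auditctl's listing can be fed to it.

```shell
#!/bin/sh
# Added example (not CIS/Tenable code): install and verify the MAC-policy audit watches.

# The exact rules prescribed by the page.
MAC_POLICY_RULES='-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy'

# Print the prescribed rules, one per line.
mac_policy_rules() {
    printf '%s\n' "$MAC_POLICY_RULES"
}

# Write the rules to MAC_policy.rules inside the given directory.
# Defaults to /etc/audit/rules.d, the directory the page names (requires root there).
install_mac_policy_rules() {
    dir="${1:-/etc/audit/rules.d}"
    mac_policy_rules > "$dir/MAC_policy.rules"
}

# Read rule text on stdin (a .rules file or `auditctl -l` output) and return 0 only if
# both directories are watched with `-p wa` and the key `MAC-policy`. A missing or
# partial rule (e.g. only `-p w`, or a different key) makes the check fail.
# Assumption: a trailing slash on the path is tolerated so both input forms match.
check_mac_policy_rules() {
    input=$(cat)
    missing=0
    for d in /etc/selinux/ /usr/share/selinux/; do
        pat="^-w[[:space:]]+${d%/}/?[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+MAC-policy[[:space:]]*$"
        if ! printf '%s\n' "$input" | grep -Eq -e "$pat"; then
            echo "missing audit watch for $d" >&2
            missing=1
        fi
    done
    return $missing
}
```

Typical use on a host, as root, after sourcing the script: run `install_mac_policy_rules`, load the rules with `augenrules --load`, and confirm with `auditctl -l | check_mac_policy_rules`; a non-zero exit (and a line on stderr naming the directory) means the control is not in effect. As the Notes above say, activating the new rules may still require restarting auditd or rebooting.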

See Also

https://workbench.cisecurity.org/files/2925

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.5

Plugin: Unix

Control ID: 199e69a0451ce2627208c008bffbbdc3e9a6c171c219baa1ed120bb04af2c8c5