5.3.8 Record Events That Modify the System's Mandatory Access Controls - /etc/selinux/

Information

Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory.

Rationale:

Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Solution

Add the following line to the /etc/audit/audit.rules file.

-w /etc/selinux/ -p wa -k MAC-policy

Execute the following command to restart auditd:

# pkill -P 1 -HUP auditd
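The two steps above (append the watch rule, then signal auditd) are easy to get wrong when applied repeatedly by configuration management: the rule ends up duplicated, or the rules file is edited but never checked. The following POSIX shell helpers, added here as an example and not part of the CIS benchmark or the Tenable plugin, add the rule idempotently and confirm it is present. They are exercised against a scratch file so they run without root or a running auditd; the real target path is whatever rules file the system loads (the page's /etc/audit/audit.rules, or a drop-in under /etc/audit/rules.d/ on systems that use augenrules).

```shell
#!/bin/sh
# Added example: idempotent management of the /etc/selinux/ audit watch rule.
# Not from the benchmark or plugin; function names are this example's own.

# The rule from the page: -w = watch path, -p wa = write and attribute-change
# accesses, -k = key used later to search the audit log (ausearch -k MAC-policy).
MAC_RULE='-w /etc/selinux/ -p wa -k MAC-policy'

# has_rule FILE RULE: exit 0 when RULE is present as an exact whole line in FILE.
has_rule() {
    [ -f "$1" ] && grep -Fxq -- "$2" "$1"
}

# count_rule FILE RULE: number of exact occurrences (0 if the file is missing),
# used to detect duplicate rule lines left behind by repeated edits.
count_rule() {
    if [ -f "$1" ]; then
        grep -Fxc -- "$2" "$1" || true
    else
        echo 0
    fi
}

# ensure_rule FILE RULE: append RULE unless already present. Prints "added" or
# "present" so a caller can decide whether auditd needs to be signalled.
ensure_rule() {
    if has_rule "$1" "$2"; then
        echo present
    else
        printf '%s\n' "$2" >> "$1"
        echo added
    fi
}

# Demonstration on a constructed scratch file (no audit subsystem involved).
demo() {
    tmp=$(mktemp)
    ensure_rule "$tmp" "$MAC_RULE"   # first call appends the rule
    ensure_rule "$tmp" "$MAC_RULE"   # second call changes nothing
    count_rule "$tmp" "$MAC_RULE"    # exactly one copy of the rule
    rm -f "$tmp"
}

demo
```

On a real host, run `ensure_rule` against the live rules file and, only when it prints `added`, reload the rules with the page's `pkill -P 1 -HUP auditd` (or `augenrules --load` where rules.d is in use). Then confirm the kernel actually has the watch with `auditctl -l | grep MAC-policy`, and review what it records with `ausearch -k MAC-policy`; a rule that is in the file but not in `auditctl -l` output is the usual sign that the reload step was skipped.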

Default Value:

OS Default: N/A

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.5

Plugin: Unix

Control ID: b384757878487c6aad75a37b46c5b326402b6a773387581b67db820586702150