4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux

Information

Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy

See Also

https://workbench.cisecurity.org/files/1859

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|3.6

Plugin: Unix

Control ID: a7011c64ff722090c986089e13ab56fd111d07efff34eb6736923b8ba5e64f38