Information
Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories.
Notes:
-
If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited.
-
Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.
Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory ending inrules
Example: vi /etc/audit/rules.d/MAC_policy.rules
and add the following lines:
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy