4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected
Information
Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Solution
Add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy