4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/selinux

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy

See Also

https://workbench.cisecurity.org/files/1861

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|3.6

Plugin: Unix

Control ID: 6489e6089ce89f322e8565a3fd4c4e810d7544e5d247baee6f805ec0b3d236dd