Level 2 - Server Level 2 - Workstation
Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory.
Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Run the following command and verify output matches:
# grep MAC-policy /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy
Add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy