Level 2 - Server Level 2 - Workstation
Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.
Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
On systems using SELinux run the following command and verify output matches:
# grep MAC-policy /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy
On systems using AppArmor run the following command and verify output matches:
# grep MAC-policy /etc/audit/audit.rules -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy
On systems using SELinux add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
On systems using AppArmor add the following line to the /etc/audit/audit.rules file:
-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy