4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)

Level 2 - Server
Level 2 - Workstation

Description

Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory.

Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Run the following command and verify output matches:

# grep MAC-policy /etc/audit/audit.rules 
-w /etc/selinux/ -p wa -k MAC-policy

Add the following line to the /etc/audit/audit.rules file:

-w /etc/selinux/ -p wa -k MAC-policy

4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)

Profile Applicability

Description

Rationale

Audit

Remediation

SecScan