-
Notifications
You must be signed in to change notification settings - Fork 706
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add new rule to replace audit_rules_mac_modification
the rule audit_rules_mac_modification is becoming applicable for multiple products. This new rule should make our live simpler in the future by being templated and selinux-specific.
- Loading branch information
1 parent
0b825f3
commit b36d3e5
Showing
2 changed files
with
45 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
44 changes: 44 additions & 0 deletions
44
...s/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Record Events that Modify the System''s Mandatory Access Controls (/etc/selinux)' | ||
|
|
||
| description: |- | ||
| If the <tt>auditd</tt> daemon is configured to use the | ||
| <tt>augenrules</tt> program to read audit rules during daemon startup (the | ||
| default), add the following line to a file with suffix <tt>.rules</tt> in the | ||
| directory <tt>/etc/audit/rules.d</tt>: | ||
| <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre> | ||
| If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> | ||
| utility to read audit rules during daemon startup, add the following line to | ||
| <tt>/etc/audit/audit.rules</tt> file: | ||
| <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre> | ||
| rationale: |- | ||
| The system's mandatory access policy (SELinux) should not be | ||
| arbitrarily changed by anything other than administrator action. All changes to | ||
| MAC policy should be audited. | ||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhel10: CCE-86178-1 | ||
|
|
||
|
|
||
| references: | ||
| hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) | ||
| pcidss: Req-10.5.5 | ||
|
|
||
| ocil_clause: 'the system is not configured to audit attempts to change files within the /etc/selinux directory' | ||
|
|
||
| ocil: |- | ||
| To determine if the system is configured to audit changes to its SELinux | ||
| configuration files, run the following command: | ||
| <pre>$ sudo auditctl -l | grep "dir=/etc/selinux"</pre> | ||
| If the system is configured to watch for changes to its SELinux | ||
| configuration, a line should be returned (including | ||
| <tt>perm=wa</tt> indicating permissions that are watched). | ||
| template: | ||
| name: audit_rules_watch | ||
| vars: | ||
| path: /etc/selinux |