Profile Applicability:
• Level 2
Description:
Mandatory Access Controls (MAC) such as SELinux or AppArmor enforce security policies restricting access to system resources. Monitoring changes to MAC policies or configurations is critical to detect unauthorized or malicious modifications.
Rationale:
Collecting audit events related to MAC modifications helps maintain policy integrity, detect tampering, and supports forensic investigations.
Impact:
Pros:
Enhances visibility into critical security policy changes.
Supports compliance and security incident response.
Cons:
May increase audit log volume; requires proper log management.
Default Value:
Audit rules for MAC modifications may not be enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check existing audit rules related to MAC modifications:
auditctl -l | grep selinux
auditctl -l | grep apparmor
Verify audit rules exist for monitoring MAC policy changes.
Implementation Plan:
Using Linux command line:
Add audit rules to monitor MAC configuration files and commands. For example, for SELinux:
auditctl -w /etc/selinux/ -p wa -k MAC-policy
auditctl -a always,exit -F arch=b64 -S setrlimit -k MAC-policy
Persist audit rules by adding them to /etc/audit/rules.d/audit.rules.
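As an added example (not part of the benchmark text), the following POSIX shell script serves both the test plan and the implementation plan above: it emits the persistent watch rules for the MAC-policy key and checks a saved "auditctl -l" listing for them, reporting any that are missing. The AppArmor paths, the /usr/share/selinux/ watch and the file name 50-MAC-policy.rules are assumptions.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: emit the persistent rules
# for the MAC-policy key and check a saved "auditctl -l" listing for them.
# The AppArmor paths and the file name 50-MAC-policy.rules are assumptions.

# Print the watch rules to place in /etc/audit/rules.d/50-MAC-policy.rules.
# $1 selects the MAC system: "selinux" or "apparmor".
mac_policy_rules() {
    case "$1" in
        selinux)
            printf '%s\n' '-w /etc/selinux/ -p wa -k MAC-policy' \
                          '-w /usr/share/selinux/ -p wa -k MAC-policy' ;;
        apparmor)
            printf '%s\n' '-w /etc/apparmor/ -p wa -k MAC-policy' \
                          '-w /etc/apparmor.d/ -p wa -k MAC-policy' ;;
        *) return 2 ;;
    esac
}

# Normalise rule lines so loaded and expected forms compare equal: squeeze
# repeated spaces and drop a trailing slash on the watched path (assumed:
# "auditctl -l" may print the path with or without it).
norm_rule() { printf '%s\n' "$1" | tr -s ' ' | sed 's|/ -p | -p |'; }

# $1: MAC system, $2: text of "auditctl -l". Prints each expected rule that
# is absent; exit 0 when all are present, 1 when any is missing.
check_mac_rules() {
    expected=$(mac_policy_rules "$1") || return 2
    loaded=$(norm_rule "$2")
    missing=0
    IFS='
'
    for rule in $expected; do
        if ! printf '%s\n' "$loaded" | grep -Fqx -- "$(norm_rule "$rule")"; then
            echo "MISSING: $rule"
            missing=$((missing + 1))
        fi
    done
    unset IFS
    [ "$missing" -eq 0 ]
}

# Constructed listing: only the /etc/selinux/ watch has been loaded.
SAMPLE_LISTING='-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b64 -S setrlimit -F key=MAC-policy'

check_mac_rules selinux "$SAMPLE_LISTING" || echo "remediation needed"
```

On a live host, pass the real listing with check_mac_rules selinux "$(auditctl -l)" and write mac_policy_rules selinux into the rules file as root.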
Backout Plan:
Using Linux command line:
Remove or disable MAC audit rules if necessary:
auditctl -W /etc/selinux/ -p wa -k MAC-policy
auditctl -D -k MAC-policy
Reload audit daemon configuration.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
SELinux Audit