Profile Applicability:
 • Level 2

Description:
 The chcon command is used to change SELinux security contexts on files and processes. Recording both successful and unsuccessful attempts to use chcon is critical to detect unauthorized or suspicious modifications to security labels.

Rationale:
 Auditing all uses of chcon helps maintain SELinux policy integrity by providing visibility into security context changes and potential misuse.

Impact:
 Pros:

  • Provides comprehensive monitoring of SELinux context modifications.

  • Supports detection of policy violations or attacks targeting SELinux settings.

Cons:

  • May increase audit log volume; requires effective log management.

Default Value:
 Audit of chcon command usage is often not enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check current audit rules for chcon

auditctl -l | grep chcon

  1. Verify that an audit rule exists for tracking chcon execution.

Implementation Plan:

Using Linux command line:

Add audit rules to log both successful and unsuccessful executions of chcon:

auditctl -w /usr/bin/chcon -p x -k chcon-change

  1. Persist the rule across reboots by adding the line -w /usr/bin/chcon -p x -k chcon-change (the arguments only, without the auditctl prefix) to /etc/audit/rules.d/audit.rules.
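As an added example (not part of the benchmark text), the script below gives an offline way to exercise the Test Plan and the Implementation Plan: one helper checks that a persisted rules file contains the chcon watch in the argument-only format that /etc/audit/rules.d expects, and the others triage raw audit records carrying the key chcon-change so an analyst can see who ran chcon, under which login identity, and whether the execve succeeded. The audit records are constructed samples that imitate what ausearch prints in raw mode; the helper names (has_chcon_watch, summarize_chcon_events, count_failed_chcon, count_chcon_events) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example for the chcon audit rule; not part of the benchmark text.
# Field names (success=, exit=, auid=, uid=, exe=, key=) follow the Linux
# audit SYSCALL record layout. Sample records are CONSTRUCTED, not captured.

# Constructed sample in the raw format of "ausearch -k chcon-change --raw":
#  - 4501: successful run by login user 1000 elevated to uid 0 (e.g. via sudo)
#  - 4502: failed execve by login user 1001 (exit=-13, EACCES); note that a
#          failed exec still reports the caller's image (bash), not chcon
#  - 4503: a record with a different key that must be ignored
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:4501): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2810 pid=2844 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="chcon" exe="/usr/bin/chcon" key="chcon-change"
type=SYSCALL msg=audit(1700000000.222:4502): arch=c000003e syscall=59 success=no exit=-13 items=1 ppid=3100 pid=3112 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="chcon-change"
type=SYSCALL msg=audit(1700000000.333:4503): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2810 pid=2901 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="other"'

# has_chcon_watch: read a rules file on stdin and succeed if it contains a
# watch on /usr/bin/chcon whose permission set includes x. Persisted rules
# under /etc/audit/rules.d carry the arguments only (no "auditctl" prefix).
has_chcon_watch() {
  grep -Eq '^[[:space:]]*-w[[:space:]]+/usr/bin/chcon[[:space:]].*-p[[:space:]]+[rwa]*x'
}

# summarize_chcon_events: read raw audit records on stdin and print one line
# per SYSCALL record tagged chcon-change:
#   <event id> auid=<login uid> uid=<caller uid> success=<yes|no> exe=<caller image>
# Filtering on the key rather than on exe="/usr/bin/chcon" is deliberate:
# a refused execve is logged with the parent shell as exe (see record 4502).
summarize_chcon_events() {
  grep -E '^type=SYSCALL .*key="chcon-change"' | awk '{
    id = auid = uid = ok = exe = "";
    for (i = 1; i <= NF; i++) {
      n = index($i, "=");
      if (n == 0) continue;
      k = substr($i, 1, n - 1); v = substr($i, n + 1);
      gsub(/"/, "", v);
      if (k == "msg")          { sub(/^audit[(]/, "", v); sub(/[)]:?$/, "", v); id = v }
      else if (k == "auid")    auid = v;
      else if (k == "uid")     uid = v;
      else if (k == "success") ok = v;
      else if (k == "exe")     exe = v;
    }
    printf "%s auid=%s uid=%s success=%s exe=%s\n", id, auid, uid, ok, exe;
  }'
}

# count_chcon_events: total number of chcon-change records on stdin.
count_chcon_events() {
  summarize_chcon_events | wc -l | tr -d ' '
}

# count_failed_chcon: records where the execve of chcon was refused, i.e.
# someone attempted a context change and could not; a useful alert on its own.
count_failed_chcon() {
  summarize_chcon_events | grep -c 'success=no' || true
}

# Demo on the constructed sample (run this file directly to see the summary).
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_chcon_events
```

In production the input would come from ausearch -k chcon-change --raw rather than the embedded sample, and has_chcon_watch would be fed the contents of /etc/audit/rules.d/audit.rules to confirm the rule persists, since auditctl -l only reports the running ruleset.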

Backout Plan:

Using Linux command line:

Remove or disable the chcon audit rule if needed:

auditctl -W /usr/bin/chcon -p x -k chcon-change

  1. Remove the persisted line from /etc/audit/rules.d/audit.rules as well, since auditctl -W only affects the running ruleset, then reload the audit daemon configuration.

References: