Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory.
Rationale:
Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
[yes/no]
Add the following lines to the /etc/audit/audit.rules file.
Add the following lines to /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
# Execute the following command to restart auditd
# pkill -P 1-HUP auditd
oval:org.secpod.oval:def:46256
SCAP Repo OVAL Definition
2018-07-05