Merge pull request #12826 from vojtapolasek/rhel10_audit_selinux_rules

rhel10: use new rule for auditing of changes to selinux configuration
ComplianceAsCode · Jan 20, 2025 · 6ed35ff · 6ed35ff
2 parents 2bf4c75 + 30f5816
commit 6ed35ff
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 2 deletions.
diff --git a/components/audit.yml b/components/audit.yml
@@ -126,6 +126,7 @@ rules:
 - audit_rules_mac_modification
 - audit_rules_mac_modification_etc_apparmor
 - audit_rules_mac_modification_etc_apparmor_d
+- audit_rules_mac_modification_etc_selinux
 - audit_rules_mac_modification_usr_share
 - audit_rules_media_export
 - audit_rules_networkconfig_modification

diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1517,7 +1517,11 @@ controls:
     - audit_rules_time_stime
     - audit_rules_time_watch_localtime
 
+    {{% if product == "rhel10" %}}
+    - audit_rules_mac_modification_etc_selinux
+    {{% else %}}
     - audit_rules_mac_modification
+    {{% endif %}}
 
     - audit_rules_networkconfig_modification
 

diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -2650,7 +2650,7 @@ controls:
       - l2_workstation
     status: automated
     rules:
-      - audit_rules_mac_modification
+      - audit_rules_mac_modification_etc_selinux
       - audit_rules_mac_modification_usr_share
 
   - id: 6.3.3.15

diff --git a/controls/hipaa.yml b/controls/hipaa.yml
@@ -117,7 +117,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -278,7 +282,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -470,7 +478,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1200,7 +1212,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1336,7 +1352,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1502,7 +1522,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1596,7 +1620,11 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
+            {{% if product == "rhel10" %}}
+            - audit_rules_mac_modification_etc_selinux
+            {{% else %}}
             - audit_rules_mac_modification
+            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2860,7 +2860,11 @@ controls:
         - base
       status: automated
       rules:
+        {{% if product == "rhel10" %}}
+        - audit_rules_mac_modification_etc_selinux
+        {{% else %}}
         - audit_rules_mac_modification
+        {{% endif %}}
         - audit_rules_dac_modification_chmod
         - audit_rules_dac_modification_chown
         - audit_rules_dac_modification_fchmod

diff --git a/...s/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml b/...s/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Mandatory Access Controls (/etc/selinux)'
+
+description: |-
+    If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), add the following line to a file with suffix <tt>.rules</tt> in the
+    directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre>
+
+rationale: |-
+    The system's mandatory access policy (SELinux) should not be
+    arbitrarily changed by anything other than administrator action. All changes to
+    MAC policy should be audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel10: CCE-90737-8
+
+
+references:
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+    pcidss: Req-10.5.5
+
+ocil_clause: 'the system is not configured to audit attempts to change files within the /etc/selinux directory'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its SELinux
+    configuration files, run the following command:
+    <pre>$ sudo auditctl -l | grep "dir=/etc/selinux"</pre>
+    If the system is configured to watch for changes to its SELinux
+    configuration, a line should be returned (including
+    <tt>perm=wa</tt> indicating permissions that are watched).
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: /etc/selinux
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -2576,4 +2576,3 @@ CCE-90727-9
 CCE-90728-7
 CCE-90732-9
 CCE-90735-2
-CCE-90737-8