From: walid.fakim@cgi.com (Fakim, Walid)
Date: Wed, 21 Dec 2016 14:22:26 +0000
Subject: [refpolicy] SELinux Monitoring
Message-ID: <67130EC7AFA3FE4E9290B03665B351F4084C19@SE-EX021.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Guys,

In terms of monitoring any SELinux config changes on a system (to detect or prevent unauthorised config changes), what's the best way to approach that? I can think of a few triggers that would make sense for creating alerts:

1) Changing from Enforcing to Permissive mode
   a. Monitoring changes in the config file /etc/selinux/config
   b. Monitoring changes in the running config file /selinux/enforce, or via the audit logs for
      type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1
   c. Monitoring changes in the grub config file for boot parameters, /etc/grub.conf, for the string enforcing=0
   d. Monitoring via /var/log/boot.log & dmesg for boot-level parameters if manually disabled at boot.
   e. Monitoring uid=0 activities via /var/log/messages and /var/log/secure for users logged in as root or executing commands as root

2) SELinux policy change, via the audit logs and
   type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187

3) Filesystem changes to SELinux-related files like file context definitions, creation of the /.autorelabel flag, etc., so monitoring of /etc/selinux/targeted, for example, on RHEL.

Thoughts? Are there other things we can do to monitor 'SELinux services' and flag any changes to the SELinux config?

It is arguable that, given root access, the user could disable the logging anyway, but there's no real way around that, is there?

Thanks.

Best Regards,
Walid Fakim
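The triggers listed in the message (1a, 1b, 1c and 2) are easy to turn into detection logic. The following is an added example written for this page, not code from the original post or from the refpolicy project: it parses audit records of the shape quoted above, checks the persistent mode in /etc/selinux/config, and scans a kernel command line for weakening boot parameters. The sample audit lines, config text and command line are constructed (modelled on the two records in the message); the function and dataclass names are this example's own. It goes one step beyond the post by also flagging `selinux=0`, the kernel parameter that disables SELinux entirely rather than just switching it to permissive.

```python
# Added example (not from the original post): run the post's triggers 1a, 1b,
# 1c and 2 over constructed input, so it runs offline with no root access.
# All sample data and all function/class names below are this example's own.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1 ...
AUDIT_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs in the record body; values may be quoted strings
KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


@dataclass
class Alert:
    source: str    # which check fired: audit, config or cmdline
    severity: str
    detail: str


def parse_audit_line(line: str) -> Optional[dict]:
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    rec.update(KV_RE.findall(m.group("body")))
    return rec


def alerts_from_audit(lines: Iterable[str]) -> List[Alert]:
    """Triggers 1b and 2: enforcing->permissive flips and policy (re)loads."""
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:          # not an audit record, ignore
            continue
        who = f"auid={rec.get('auid', '?')} ses={rec.get('ses', '?')} serial={rec['serial']}"
        if rec["type"] == "MAC_STATUS" and rec.get("enforcing") == "0" and rec.get("old_enforcing") == "1":
            alerts.append(Alert("audit", "high", f"switched to permissive ({who})"))
        elif rec["type"] == "MAC_POLICY_LOAD":
            alerts.append(Alert("audit", "medium", f"policy loaded ({who})"))
    return alerts


def alerts_from_config(config_text: str) -> List[Alert]:
    """Trigger 1a: the persistent SELINUX= setting in /etc/selinux/config is not 'enforcing'."""
    mode = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("SELINUX="):
            mode = line.split("=", 1)[1].strip().lower()   # last occurrence wins, like the loader
    if mode is None:
        return [Alert("config", "high", "no SELINUX= line found")]
    if mode != "enforcing":
        return [Alert("config", "high", f"SELINUX={mode}")]
    return []


def alerts_from_cmdline(cmdline: str) -> List[Alert]:
    """Trigger 1c: boot parameters that weaken SELinux. enforcing=0 is from the post;
    selinux=0 (disable SELinux completely) is a real kernel parameter added here."""
    bad = {"enforcing=0": "boots permissive", "selinux=0": "boots with SELinux disabled"}
    tokens = cmdline.split()
    return [Alert("cmdline", "high", f"{tok}: {why}") for tok, why in bad.items() if tok in tokens]


def run_checks(audit_lines: Iterable[str], config_text: str, cmdline: str) -> List[Alert]:
    return alerts_from_audit(audit_lines) + alerts_from_config(config_text) + alerts_from_cmdline(cmdline)


# Constructed sample input, modelled on the two records quoted in the post.
SAMPLE_AUDIT = [
    "type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1 auid=0 ses=1187",
    "type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187",
    "type=SYSCALL msg=audit(1482328400.000:7300): arch=c000003e syscall=59 success=yes",
    "not an audit record at all",
]
SAMPLE_CONFIG = "# This file controls the state of SELinux on the system.\nSELINUX=permissive\nSELINUXTYPE=targeted\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro rhgb quiet enforcing=0"

if __name__ == "__main__":
    for a in run_checks(SAMPLE_AUDIT, SAMPLE_CONFIG, SAMPLE_CMDLINE):
        print(f"[{a.severity}] {a.source}: {a.detail}")
```

In practice the audit lines come from /var/log/audit/audit.log (or ausearch), the config text from /etc/selinux/config and the command line from /proc/cmdline, and trigger 3 (changes under /etc/selinux/ and the /.autorelabel flag) is best covered by audit watch rules such as `auditctl -w /etc/selinux/ -p wa -k selinux_config` rather than by polling. The message's closing caveat stands: all of this runs on the monitored host, so a root user can stop auditd or clear the log before flipping the mode; shipping audit records off-box as they are written is the only mitigation for that.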