From: walid.fakim@cgi.com (Fakim, Walid)
Date: Mon, 9 Jan 2017 10:20:54 +0000
Subject: [refpolicy] SELinux Monitoring
In-Reply-To: <67130EC7AFA3FE4E9290B03665B351F4084C19@SE-EX021.groupinfra.com>
References: <67130EC7AFA3FE4E9290B03665B351F4084C19@SE-EX021.groupinfra.com>
Message-ID: <67130EC7AFA3FE4E9290B03665B351F409536A@SE-EX021.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi All,

Happy New Year!

Any takers for the below?

Thanks.

Best Regards,
Walid Fakim

From: refpolicy-bounces@oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Fakim, Walid via refpolicy
Sent: 21 December 2016 14:22
To: refpolicy at oss.tresys.com
Subject: [refpolicy] SELinux Monitoring

Hi Guys,

In terms of monitoring any SELinux config changes on a system (to detect or prevent unauthorised config changes), what's the best way to approach that? I can think of a few triggers that would make sense for creating alerts:

1) Changing from Enforcing to Permissive mode
   a. Monitoring changes in the config file /etc/selinux/config
   b. Monitoring changes in the running config file /selinux/enforce, or via the audit logs for:
      type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1
   c. Monitoring changes in the grub config file (/etc/grub.conf) for the boot parameter string enforcing=0
   d. Monitoring via /var/log/boot.log & dmesg for boot-level parameters if manually disabled at boot.
   e. Monitoring uid=0 activities via /var/log/messages and /var/log/secure for users logged in as root or executing commands as root

2) SELinux policy change, via the audit logs:
      type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187

3) Filesystem changes to SELinux-related files, like file context definitions, creation of the /.autorelabel flag, etc., so monitoring of /etc/selinux/targeted, for example, on RHEL.

Thoughts? Are there other things we can do to monitor 'SELinux services' and flag any changes to the SELinux config?
It is arguable that, given root access, the user could disable the logging anyway, but there's no real way around that, is there?

Thanks.

Best Regards,
Walid Fakim
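The triggers listed in the quoted mail (1a, 1b, 1c/1d and 2) can be turned into a small detector. The following is an added example written for this page, not tooling from the refpolicy project or from the poster; the audit records, the /etc/selinux/config contents and the kernel command line it consumes are constructed samples in the formats the mail quotes, not real captures, and the severity labels are an assumption of the example. It parses audit records of the type=... msg=audit(ts:serial): key=value form, flags MAC_STATUS transitions to permissive and MAC_POLICY_LOAD events, checks the persistent SELINUX= setting, and checks boot parameters for enforcing=0 and selinux=0 (the latter goes slightly beyond the mail, which only names enforcing=0).

```python
"""Detector for the SELinux-change triggers discussed in the post (added example)."""
import re

# --- constructed samples in the format the post quotes (not real captures) ---
SAMPLE_AUDIT = """\
type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1 auid=1000 ses=4
type=SYSCALL msg=audit(1482328135.100:7282): arch=c000003e syscall=1 success=yes exit=1
type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187
type=MAC_STATUS msg=audit(1482328400.000:7300): enforcing=1 old_enforcing=0 auid=1000 ses=4
"""

SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

# Hypothetical kernel command line with the weakening parameter from trigger 1c.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro enforcing=0 quiet"

AUDIT_RE = re.compile(
    r"^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_audit_line(line):
    """Return {'type', 'ts', 'serial', 'fields'} for one audit record, or None."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        # free text such as "policy loaded" simply yields no key=value pairs
        "fields": dict(KV_RE.findall(m.group("rest"))),
    }


def audit_alerts(text):
    """Triggers 1b and 2: mode flips and policy loads, as (severity, serial, message)."""
    alerts = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        who = "auid=%s ses=%s" % (f.get("auid", "?"), f.get("ses", "?"))
        if rec["type"] == "MAC_STATUS" and "enforcing" in f:
            if f["enforcing"] == "0" and f.get("old_enforcing") == "1":
                alerts.append(("HIGH", rec["serial"], "switched to permissive (%s)" % who))
            elif f["enforcing"] == "1" and f.get("old_enforcing") == "0":
                alerts.append(("INFO", rec["serial"], "switched back to enforcing (%s)" % who))
        elif rec["type"] == "MAC_POLICY_LOAD":
            alerts.append(("HIGH", rec["serial"], "policy loaded (%s)" % who))
    return alerts


def config_alerts(config_text):
    """Trigger 1a: SELINUX= in /etc/selinux/config set to anything but enforcing."""
    alerts = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "SELINUX" and value.lower() != "enforcing":
            alerts.append(("HIGH", 0, "SELINUX=%s in persistent config" % value))
    return alerts


def cmdline_alerts(cmdline):
    """Triggers 1c/1d: boot parameters that weaken SELinux (enforcing=0, selinux=0)."""
    weak = {"enforcing=0", "selinux=0"}
    return [("HIGH", 0, "kernel parameter %s" % tok) for tok in cmdline.split() if tok in weak]


def all_alerts(audit_text, config_text, cmdline):
    return audit_alerts(audit_text) + config_alerts(config_text) + cmdline_alerts(cmdline)


if __name__ == "__main__":
    for sev, serial, msg in all_alerts(SAMPLE_AUDIT, SAMPLE_SELINUX_CONFIG, SAMPLE_CMDLINE):
        print("%-4s %6s %s" % (sev, serial or "-", msg))
```

In practice the audit text would come from /var/log/audit/audit.log or from ausearch --raw output, the config text from /etc/selinux/config, and the command line from /proc/cmdline or the grub configuration. The closing point of the mail still applies: a root user who can flip the mode can also stop auditd or edit the log, so the records should be forwarded off-host as they are generated rather than only read back from local disk.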