From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 9 Jan 2017 20:31:35 -0500
Subject: [refpolicy] SELinux Monitoring
In-Reply-To: <67130EC7AFA3FE4E9290B03665B351F4084C19@SE-EX021.groupinfra.com>
References: <67130EC7AFA3FE4E9290B03665B351F4084C19@SE-EX021.groupinfra.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/21/16 09:22, Fakim, Walid via refpolicy wrote:
> In terms of monitoring any SELinux config changes on a system (to
> detect or prevent unauthorised config changes), what's the best way to
> approach that? I can think of a few triggers that would make sense for
> creating alerts:

Ideally, your SELinux policy should be preventing unauthorized changes,
but since you're including other things from before SELinux starts...

> 1) Changing from Enforcing to Permissive mode
>
> a. Monitoring changes in the config file /etc/selinux/config
>
> b. Monitoring changes in running config file /selinux/enforce or via
> the audit logs for type=MAC_STATUS msg=audit(1482328134.582:7281):
> enforcing=0 old_enforcing=1
>
> c. Monitoring changes in the grub config file for boot parameters
> /etc/grub.conf for the string enforcing=0
>
> d. Monitoring via /var/log/boot.log & dmesg for boot-level
> parameters if manually disabled at boot.
>
> e. Monitoring uid=0 activities via /var/log/messages and
> /var/log/secure for users logged in as root or executing commands as root

You can use the audit subsystem to audit execs on commands of interest.
From the SELinux perspective, it's less interesting knowing when
something runs as root vs. when it's running as unconfined_t, sysadm_t,
load_policy_t, etc.

> 2) SELinux Policy Change via audit logs and type=MAC_POLICY_LOAD
> msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187
>
> 3) Filesystem changes to SELinux-related files like file context
> definitions, creation of the /.autorelabel flag etc so monitoring of
> /etc/selinux/targeted for example for RHEL.
>
> Thoughts? Are there other things we can do to monitor "SELinux services"
> and flag any changes to the SELinux config?

* SELinux Boolean changes
* Kernel image
* Kernel modules
* Executables like load_policy, semanage, semodule, etc.
* Shared libraries (libc, libselinux, etc)

I would suggest using something like AIDE to measure your filesystem
integrity (or if you want to go full tilt, IMA). Anything that goes into
the proper functioning of SELinux needs to be kept at a high integrity.

--
Chris PeBenito
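Added example (not part of the thread): a small detector that runs the audit-log triggers discussed above (1b, 2 and the exec auditing Chris suggests) over constructed audit records modelled on the lines Walid quoted. The MAC_STATUS/MAC_POLICY_LOAD field layout follows those quotes; the auid/ses fields on MAC_STATUS and the tool paths in WATCHED_EXE are assumptions for a RHEL/Fedora layout.

```python
import re

# Constructed sample audit records, modelled on the MAC_STATUS and
# MAC_POLICY_LOAD lines quoted in the thread, plus two SYSCALL exec records.
SAMPLE_AUDIT = """\
type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1 auid=1000 ses=5
type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187
type=MAC_STATUS msg=audit(1482328400.000:7300): enforcing=1 old_enforcing=0 auid=1000 ses=5
type=SYSCALL msg=audit(1482328500.000:7310): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=5 comm="semodule" exe="/usr/sbin/semodule"
type=SYSCALL msg=audit(1482328600.000:7320): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=5 comm="ls" exe="/usr/bin/ls"
"""

# Executables the thread names as worth auditing (paths assumed: RHEL/Fedora layout).
WATCHED_EXE = {"/usr/sbin/setenforce", "/usr/sbin/load_policy",
               "/usr/sbin/semodule", "/usr/sbin/semanage"}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into a dict of its type, timestamp, serial and k=v fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group(4)))
    return rec

def alerts_for(rec):
    """Return (trigger, serial, auid) alerts for one record; empty if nothing of interest."""
    if rec is None:
        return []
    who = rec.get("auid", "?")
    if rec["type"] == "MAC_STATUS" and rec.get("enforcing") == "0" and rec.get("old_enforcing") == "1":
        return [("enforcing->permissive", rec["serial"], who)]        # trigger 1b
    if rec["type"] == "MAC_POLICY_LOAD":
        return [("policy-load", rec["serial"], who)]                  # trigger 2
    if rec["type"] == "SYSCALL" and rec.get("exe") in WATCHED_EXE:
        return [("selinux-tool-exec:" + rec["exe"], rec["serial"], who)]  # exec auditing
    return []

def scan(audit_text):
    """Run every line through the detectors and collect alerts in log order."""
    return [a for line in audit_text.splitlines() for a in alerts_for(parse_record(line))]

if __name__ == "__main__":
    for trigger, serial, auid in scan(SAMPLE_AUDIT):
        print(f"ALERT {trigger} (audit serial {serial}, auid={auid})")
```

A switch back to enforcing (third record) and an unrelated exec (last record) raise nothing, so only the three events a reviewer would want to see are reported.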