4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
Audit
On-disk configuration
Run the following command to check the on-disk rules:
# awk '/^ *-w/ \
&&(/\/etc\/apparmor/ \
||/\/etc\/apparmor.d/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
Verify the output matches:
Running configuration
Run the following command to check loaded rules:
# auditctl -l | awk '/^ *-w/ \
&&(/\/etc\/apparmor/ \
||/\/etc\/apparmor.d/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
Verify the output matches:
Remediation
Edit or create a file in the /etc/audit/rules.d/ directory, with a name ending in .rules, containing the rules that monitor events that modify the system's Mandatory Access Controls.
Example:
# printf "
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
" >> /etc/audit/rules.d/50-MAC-policy.rules
Merge and load the rules into active configuration:
Check if reboot is required.
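The audit commands above print the matching lines and leave the comparison to the reader. The following added example (not part of the benchmark text; `check_mac_watches` is a hypothetical helper name) turns that into a pass/fail check that requires both watches, and goes slightly beyond the page's pattern by accepting any `-p` set that contains both `w` and `a` and a path with or without the trailing slash.

```shell
#!/bin/sh
# Added example: reads audit rules on stdin and succeeds only if BOTH
# AppArmor watches are present. check_mac_watches is a hypothetical name.
#
#   cat /etc/audit/rules.d/*.rules | check_mac_watches   # on-disk rules
#   auditctl -l | check_mac_watches                       # loaded rules

check_mac_watches() {
    awk '
    # Only consider file-watch rules; comments and syscall rules are skipped.
    /^[ \t]*-w[ \t]/ {
        path = ""; perms = ""; key = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-w") path = $(i + 1)
            else if ($i == "-p") perms = $(i + 1)
            else if ($i == "-k") key = $(i + 1)
            else if ($i ~ /^key=/) key = substr($i, 5)
        }
        sub(/\/$/, "", path)    # normalise: tolerate a missing trailing slash
        # Require write and attribute-change access plus a non-empty key.
        if (perms ~ /w/ && perms ~ /a/ && key != "")
            seen[path] = 1
    }
    END {
        missing = 0
        if (!("/etc/apparmor" in seen))   { print "missing watch: /etc/apparmor/";   missing = 1 }
        if (!("/etc/apparmor.d" in seen)) { print "missing watch: /etc/apparmor.d/"; missing = 1 }
        exit missing
    }'
}

# Constructed sample input that mirrors the remediation example above.
SAMPLE_RULES='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy'
printf '%s\n' "$SAMPLE_RULES" | check_mac_watches && echo "both MAC watches present"
```

A non-zero exit status means at least one watch is missing, commented out, lacks a key, or does not cover both write and attribute changes.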