Add audit monitoring for SELinux policy changes in /var/lib/selinux#14367

Draft
Arden97 wants to merge 5 commits into ComplianceAsCode:master from Arden97:auditd_var_lib_selinux

Conversation

@Arden97 (Contributor) commented Feb 6, 2026

Description:

  • This PR expands CIS requirements to cover custom SELinux policies
  • Created new rule audit_rules_mac_modification_var_lib_selinux to monitor the /var/lib/selinux/ directory
  • Integrated the rule into CIS benchmarks for RHEL 8, 9, 10, and Fedora
  • Added the rule to HIPAA and CUSP compliance profiles
  • Extended OVAL checks to properly support Fedora alongside RHEL 10 and OL 10
  • Added new setup_augenrules_environment() macro to configure test environments for augenrules
  • Updated all audit_rules_watch template tests to use the new environment setup macro

Rationale:

  • Fixes OPENSCAP-4183
  • The CIS policy does not mention /var/lib/selinux
  • However, as was discussed in the linked issue, monitoring the active policy store is also important to ensure kernel policy integrity

Review Hints:

  • Use automatus to verify that the new rule functions correctly on the mentioned systems
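The check the new rule has to perform is the same shape as the existing MAC-policy watches: an audit rules file must contain a `-w` watch on `/var/lib/selinux/` whose permission set covers both writes (`w`) and attribute changes (`a`). The following shell functions, added here as an illustration and not taken from this PR or from ComplianceAsCode's own template code, show that check and an idempotent remediation against a rules file passed as an argument. The key name `MAC-policy` is assumed to follow the existing CIS convention for the `/etc/selinux/` watch; the PR does not state which key it uses.

```shell
#!/bin/sh
# Added example (not the PR's code): detect and, if missing, add an audit
# watch on the active SELinux policy store /var/lib/selinux/.
# Assumption: the key "MAC-policy" matches the key used by the existing
# CIS watches on /etc/selinux/; adjust if the profile uses another key.

# Return 0 if the rules file contains an uncommented watch on
# /var/lib/selinux (with or without trailing slash) whose -p permission
# set includes both "w" (write) and "a" (attribute change), else 1.
has_var_lib_selinux_watch() {
    rules_file="$1"
    grep -v '^[[:space:]]*#' "$rules_file" \
      | grep -E -- '^[[:space:]]*-w[[:space:]]+/var/lib/selinux/?([[:space:]]|$)' \
      | grep -E -- '-p[[:space:]]+[rwxa]*w[rwxa]*' \
      | grep -E -q -- '-p[[:space:]]+[rwxa]*a[rwxa]*'
}

# Append the watch only when it is absent, so repeated runs do not
# accumulate duplicate rules. Returns 0 in both cases.
ensure_var_lib_selinux_watch() {
    rules_file="$1"
    if has_var_lib_selinux_watch "$rules_file"; then
        return 0
    fi
    printf '%s\n' '-w /var/lib/selinux/ -p wa -k MAC-policy' >> "$rules_file"
}

# Stand-alone usage: ./check.sh /etc/audit/rules.d/30-mac-policy.rules
# (path is a constructed example; augenrules merges rules.d/*.rules).
if [ "$#" -eq 1 ]; then
    if has_var_lib_selinux_watch "$1"; then
        echo "watch on /var/lib/selinux present in $1"
    else
        echo "watch on /var/lib/selinux missing in $1"
    fi
fi
```

Note that the permission match is deliberately order-insensitive (`-p aw` and `-p wa` both pass) and that a commented-out rule does not count, which are the two false-negative/false-positive cases a template-based OVAL check for this rule also has to handle.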

@openshift-ci bot commented Feb 6, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 6, 2026
@Arden97 Arden97 added this to the 0.1.80 milestone Feb 6, 2026
@Arden97 (Contributor, Author) commented Feb 8, 2026

/packit retest-failed
