ComplianceAsCode · Arden97 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
diff --git a/components/audit.yml b/components/audit.yml
@@ -131,6 +131,7 @@ rules:
 - audit_rules_mac_modification_etc_apparmor_d
 - audit_rules_mac_modification_etc_selinux
 - audit_rules_mac_modification_usr_share
+- audit_rules_mac_modification_var_lib_selinux
 - audit_rules_media_export
 - audit_rules_networkconfig_modification
 - audit_rules_networkconfig_modification_etc_hosts

diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
@@ -2957,6 +2957,7 @@ controls:
       rules:
           - audit_rules_mac_modification_etc_selinux
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
 
     - id: 6.3.3.24
       title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)

diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
@@ -177,6 +177,7 @@ controls:
           - audit_rules_file_deletion_events_unlinkat
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_execution_chcon
           - audit_rules_execution_setfacl
           - audit_rules_execution_chacl

diff --git a/controls/hipaa.yml b/controls/hipaa.yml
@@ -124,6 +124,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp
@@ -289,6 +290,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp
@@ -484,6 +486,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp
@@ -1215,6 +1218,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp
@@ -1354,6 +1358,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp
@@ -1523,6 +1528,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp
@@ -1621,6 +1627,7 @@ controls:
           - audit_rules_immutable
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
           - audit_rules_media_export
           - audit_rules_networkconfig_modification
           - audit_rules_session_events_utmp

diff --git a/...ide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml b/...ide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux'
+
+description: |-
+    {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}}
+
+rationale: |-
+    The system's mandatory access policy (SELinux) should not be
+    arbitrarily changed by anything other than administrator action. All changes to
+    MAC policy should be audited.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86459-5
+    cce@rhel9: CCE-86461-1
+    cce@rhel10: CCE-86465-2
+    cce@sle12: CCE-92326-8
+    cce@sle15: CCE-92614-7
+    cce@sle16: CCE-95718-3
+    cce@slmicro5: CCE-93661-7
+
+references:
+    cis@sle12: 4.1.6
+    cis@sle15: 4.1.6
+    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+    cui: 3.1.8
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+    isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+    isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+    iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
+    nist: AU-2(d),AU-12(c),CM-6(a)
+    nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+    pcidss: Req-10.5.5
+
+ocil_clause: 'the system is not configured to audit attempts to change the MAC policy'
+
+ocil: |-
+    To determine if the system is configured to audit changes to its SELinux
+    configuration files, run the following command:
+    <pre>$ sudo auditctl -l | grep "dir=/var/lib/selinux"</pre>
+    If the system is configured to watch for changes to its SELinux
+    configuration, a line should be returned (including
+    <tt>perm=wa</tt> indicating permissions that are watched).
+
+template:
+    name: audit_rules_watch
+    vars:
+        path: "/var/lib/selinux/"
+        key: MAC-policy
@@ -2885,6 +2885,7 @@ controls:
       rules:
           - audit_rules_mac_modification_etc_selinux
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
 
     - id: 6.3.3.27
       title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)

@@ -2849,6 +2849,7 @@ controls:
       rules:
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
 
     - id: 6.3.3.15
       title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated)

@@ -2720,6 +2720,7 @@ controls:
       rules:
           - audit_rules_mac_modification
           - audit_rules_mac_modification_usr_share
+          - audit_rules_mac_modification_var_lib_selinux
 
     - id: 6.3.3.15
       title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)

diff --git a/shared/checks/oval/audit_rules_auditctl.xml b/shared/checks/oval/audit_rules_auditctl.xml
@@ -18,7 +18,7 @@
     <ind:object object_ref="object_audit_rules_auditctl" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_audit_rules_auditctl" version="1">
-{{% if product in ['rhel10', 'ol10'] %}}
+{{% if product in ['fedora', 'rhel10', 'ol10'] %}}
     <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
     <ind:pattern operation="pattern match">^ExecStart=\/sbin\/auditctl.*$</ind:pattern>
   {{% else %}}

diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml
@@ -18,7 +18,7 @@
     <ind:object object_ref="object_audit_rules_augenrules" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_audit_rules_augenrules" version="1">
-  {{% if product in ['rhel10', 'ol10']  %}}
+  {{% if product in ['fedora', 'rhel10', 'ol10']  %}}
     <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
     <ind:pattern operation="pattern match">^ExecStart=(\/usr|)?\/sbin\/augenrules.*$</ind:pattern>
   {{% else %}}

diff --git a/shared/macros/20-test-scenarios.jinja b/shared/macros/20-test-scenarios.jinja
@@ -15,6 +15,23 @@ This macro changes the configuration of the audit service so that it looks like
 {{%- endmacro -%}}
 
 
+{{#
+This macro changes the configuration of the audit service so that it looks like augenrules is used to load rules.
+#}}
+
+{{%- macro setup_augenrules_environment () -%}}
+  {{% if product in ["fedora", "ol10", "rhel10"] %}}
+  sed -i "s%^ExecStart=.*%ExecStart=/sbin/augenrules%" /usr/lib/systemd/system/audit-rules.service
+  {{% else %}}
+  {{% if product == "sle15" %}}
+  sed -i "s%^#ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service
+  {{% else %}}
+  sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service
+  {{% endif %}}
+  {{% endif %}}
+{{%- endmacro -%}}
+
+
 {{#
 This macro is used by pam_account_password_faillock template to initialize
 the external variable and parameter value to a desired state.

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,6 +1,3 @@
-CCE-86459-5
-CCE-86461-1
-CCE-86465-2
 CCE-86466-0
 CCE-86468-6
 CCE-86469-4

diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
@@ -1,4 +1,3 @@
-CCE-92326-8
 CCE-92327-6
 CCE-92328-4
 CCE-92329-2

diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -1,4 +1,3 @@
-CCE-92614-7
 CCE-92615-4
 CCE-92616-2
 CCE-92617-0

diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
@@ -1,4 +1,3 @@
-CCE-95718-3
 CCE-95719-1
 CCE-95720-9
 CCE-95721-7

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -1,5 +1,3 @@
-CCE-93659-1
-CCE-93661-7
 CCE-93662-5
 CCE-93668-2
 CCE-93669-0

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
+
 path={{{ PATH }}}
 style={{{ audit_watches_style }}}
 filter_type={{{ FILTER_TYPE }}}

@@ -1,6 +1,7 @@
 #!/bin/bash
 # packages = audit
 
+{{{ setup_augenrules_environment() }}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules

@@ -78,6 +78,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_mac_modification_etc_selinux
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification_etc_hosts
 audit_rules_networkconfig_modification_etc_issue

@@ -78,6 +78,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_mac_modification_etc_selinux
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification_etc_hosts
 audit_rules_networkconfig_modification_etc_issue

@@ -31,6 +31,7 @@ audit_rules_login_events_lastlog
 audit_rules_login_events_tallylog
 audit_rules_mac_modification_etc_selinux
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_privileged_commands_chage

@@ -74,6 +74,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_mac_modification
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_networkconfig_modification_network_scripts

@@ -74,6 +74,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_mac_modification
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_networkconfig_modification_network_scripts

@@ -27,6 +27,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_login_events_tallylog
 audit_rules_mac_modification
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_privileged_commands_chage

@@ -70,6 +70,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_mac_modification
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_networkconfig_modification_hostname_file

@@ -70,6 +70,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_mac_modification
 audit_rules_mac_modification_usr_share
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_networkconfig_modification_hostname_file

@@ -27,6 +27,7 @@ audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
 audit_rules_login_events_tallylog
 audit_rules_mac_modification
+audit_rules_mac_modification_var_lib_selinux
 audit_rules_media_export
 audit_rules_networkconfig_modification
 audit_rules_privileged_commands_chage

@@ -2,8 +2,10 @@
 # packages = audit
 
 if [[ "$style" == "modern" ]] ; then
+    sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules 
     echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules
     echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules
 else
+    sed -i "\#-w $path#d" /etc/audit/audit.rules
     echo "-w $path -p w -k logins" >> /etc/audit/audit.rules
 fi
@@ -2,8 +2,10 @@
 # packages = audit
 
 if [[ "$style" == "modern" ]] ; then
+    sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/audit.rules
     echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules
     echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules
 else
+    sed -i "\#-w $path#d" /etc/audit/audit.rules
     echo "-w $path -p w" >> /etc/audit/audit.rules
 fi
@@ -3,8 +3,10 @@
 
 
 if [[ "$style" == "modern" ]] ; then
+    sed -i "/$filter_type=$(echo "$path" | sed 's/\//\\\//g')/d" /etc/audit/rules.d/*.rules 2>/dev/null || true
     echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/rules.d/login.rules
     echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/rules.d/login.rules
 else
+    sed -i "\#-w $path#d" /etc/audit/rules.d/*.rules 2>/dev/null || true
     echo "-w $path -p w -k login" >> /etc/audit/rules.d/login.rules
 fi