[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: audit log for "setenforce" changes?

From: Stephen Smalley <sds tycho nsa gov>
To: Chuck Anderson <cra WPI EDU>
Cc: fedora-selinux-list redhat com
Subject: Re: audit log for "setenforce" changes?
Date: Fri, 11 Jan 2008 16:16:21 -0500

On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> Is there any way to tell from the audit log or elsewhere when 
> someone/something changed SELinux from enforcing to permissive or vice 
> versa?

Look for MAC_STATUS records in the audit log, e.g.
	/sbin/ausearch -m MAC_STATUS

These include changes to enforcing mode, with the enforcing= and
old_enforcing= values.

-- 
Stephen Smalley
National Security Agency

Follow-Ups:
- Re: audit log for "setenforce" changes?
  - From: Chuck Anderson

References:
- audit log for "setenforce" changes?
  - From: Chuck Anderson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]