diff --git a/components/audit.yml b/components/audit.yml index bd1807988a47..018ead72842e 100644 --- a/components/audit.yml +++ b/components/audit.yml @@ -131,6 +131,7 @@ rules: - audit_rules_mac_modification_etc_apparmor_d - audit_rules_mac_modification_etc_selinux - audit_rules_mac_modification_usr_share +- audit_rules_mac_modification_var_lib_selinux - audit_rules_media_export - audit_rules_networkconfig_modification - audit_rules_networkconfig_modification_etc_hosts diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml index 031e276bc3d5..3f76e1c78eb6 100644 --- a/controls/cis_fedora.yml +++ b/controls/cis_fedora.yml @@ -2957,6 +2957,7 @@ controls: rules: - audit_rules_mac_modification_etc_selinux - audit_rules_mac_modification_usr_share + - audit_rules_mac_modification_var_lib_selinux - id: 6.3.3.24 title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml new file mode 100644 index 000000000000..096b2fa83e8b --- /dev/null +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml 
@@ -0,0 +1,36 @@ +documentation_complete: true + +title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux' + +description: |- + {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}} + Note that monitoring /var/lib/selinux/ will generate a significant burst of audit events + during both selinux-policy* package upgrade and policy rebuild. + +rationale: |- + The system's mandatory access policy (SELinux) should not be + arbitrarily changed by anything other than administrator action. All changes to + MAC policy should be audited. + +severity: medium + +identifiers: + cce@rhel8: CCE-86459-5 + cce@rhel9: CCE-86461-1 + cce@rhel10: CCE-86465-2 + +ocil_clause: 'the system is not configured to audit attempts to change the MAC policy' + +ocil: |- + To determine if the system is configured to audit changes to its SELinux + configuration files, run the following command: +
$ sudo auditctl -l | grep "dir=/var/lib/selinux"
+ If the system is configured to watch for changes to its SELinux + configuration, a line should be returned (including + perm=wa indicating permissions that are watched). + +template: + name: audit_rules_watch + vars: + path: "/var/lib/selinux/" + key: MAC-policy diff --git a/shared/checks/oval/audit_rules_auditctl.xml b/shared/checks/oval/audit_rules_auditctl.xml index b08adf438882..27a4e5489599 100644 --- a/shared/checks/oval/audit_rules_auditctl.xml +++ b/shared/checks/oval/audit_rules_auditctl.xml @@ -18,7 +18,7 @@ -{{% if product in ['rhel10', 'ol10'] %}} +{{% if product in ['fedora', 'rhel10', 'ol10'] %}} /usr/lib/systemd/system/audit-rules.service ^ExecStart=\/sbin\/auditctl.*$ {{% else %}} diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml index 7d651e43a0fb..7533f88e2866 100644 --- a/shared/checks/oval/audit_rules_augenrules.xml +++ b/shared/checks/oval/audit_rules_augenrules.xml @@ -18,7 +18,7 @@ - {{% if product in ['rhel10', 'ol10'] %}} + {{% if product in ['fedora', 'rhel10', 'ol10'] %}} /usr/lib/systemd/system/audit-rules.service ^ExecStart=(\/usr|)?\/sbin\/augenrules.*$ {{% else %}} diff --git a/shared/macros/20-test-scenarios.jinja b/shared/macros/20-test-scenarios.jinja index 53bfe16e7338..87015c86b9f8 100644 --- a/shared/macros/20-test-scenarios.jinja +++ b/shared/macros/20-test-scenarios.jinja 
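Review bot: The OCIL command `$ sudo auditctl -l | grep "dir=/var/lib/selinux"` only matches a rule loaded in the `-a always,exit -F dir=... -F perm=wa` form; if the audit_rules_watch template renders the legacy `-w /var/lib/selinux/ -p wa -k MAC-policy` watch for some products (I cannot see the template here), `auditctl -l` prints no `dir=` token for it and the manual check would report the rule missing while it is in fact loaded. A pattern that accepts both forms, `$ sudo auditctl -l | grep -E '(-w |dir=)/var/lib/selinux'`, keeps the OCIL in step with whichever style is emitted. The event-burst note in the description (policy package upgrade and rebuild) is useful operational guidance for anyone tuning auditd rate limits and log rotation; it may be better surfaced as a `warnings:` `- general: |-` entry, if this rule follows the repository's warnings convention, rather than being buried in the description text.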
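Review bot: With fedora added to the audit-rules.service branch, the ExecStart pattern on the following line, `^ExecStart=\/sbin\/auditctl.*$`, is stricter than its counterpart in audit_rules_augenrules.xml, `^ExecStart=(\/usr|)?\/sbin\/augenrules.*$`: a unit that spells the binary as /usr/sbin/auditctl fails this check while the equivalent augenrules unit passes. The shipped unit text for fedora and rhel10 is not visible in this diff, so this may be harmless today, but aligning it to `^ExecStart=(\/usr|)?\/sbin\/auditctl.*$` makes the two checks behave the same and avoids a false "not configured" finding on merged-/usr systems. The product list `['fedora', 'rhel10', 'ol10']` is now maintained by hand in this file, in audit_rules_augenrules.xml and in setup_augenrules_environment in 20-test-scenarios.jinja; a single product-level property would keep the three from drifting when the next product moves to audit-rules.service.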
@@ -15,6 +15,23 @@ This macro changes the configuration of the audit service so that it looks like {{%- endmacro -%}} +{{# +This macro changes the configuration of the audit service so that it looks like augenrules is used to load rules. +#}} + +{{%- macro setup_augenrules_environment () -%}} + {{% if product in ["fedora", "ol10", "rhel10"] %}} + sed -i "s%^ExecStart=.*%ExecStart=/sbin/augenrules%" /usr/lib/systemd/system/audit-rules.service + {{% else %}} + {{% if product == "sle15" %}} + sed -i "s%^#ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service + {{% else %}} + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service + {{% endif %}} + {{% endif %}} +{{%- endmacro -%}} + + {{# This macro is used by pam_account_password_faillock template to initialize the external variable and parameter value to a desired state. diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index f1dff1792b67..06999bee9a08 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,6 +1,3 @@ -CCE-86459-5 -CCE-86461-1 -CCE-86465-2 CCE-86466-0 CCE-86468-6 CCE-86469-4 diff --git a/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh b/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh index 5b03c4d941f3..ff32b83145e7 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_correct.pass.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh b/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh index 1dbc7bfc3085..845653165303 100644 
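Review bot: The product list in setup_augenrules_environment is written as `["fedora", "ol10", "rhel10"]` while the two OVAL checks changed in this commit write the same set as `['fedora', 'rhel10', 'ol10']`; same membership, different order and quoting, which makes a grep for one spelling miss the other when the list is next extended. The substitution `sed -i "s%^ExecStart=.*%ExecStart=/sbin/augenrules%"` also discards whatever arguments the shipped unit passes; the augenrules OVAL regex ends in `.*` so the check is satisfied either way, but if the real unit invokes `augenrules --load` and any test scenario later restarts the service, the rewritten unit would merge rules without loading them into the kernel. Writing `ExecStart=/sbin/augenrules --load` in the replacement keeps the unit functional regardless — worth confirming against the unit file actually shipped for fedora and rhel10. The preceding macro's closing `{{%- endmacro -%}}` is context; this macro is complete within the hunk.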
--- a/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_correct_extra_permission.pass.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh b/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh index bdd78b2296df..6726a76bd795 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_correct_without_key.pass.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh b/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh index 3fa1b4180dd2..3b1d1a24bd70 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_remove_all_rules.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh index 6530b87af549..a0cc8870ed87 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} 
diff --git a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh index fce102beca00..5dad7131b0be 100644 --- a/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh +++ b/shared/templates/audit_rules_watch/tests/augenrules_wrong_rule_without_key.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} + path={{{ PATH }}} style={{{ audit_watches_style }}} filter_type={{{ FILTER_TYPE }}} diff --git a/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh index 46629244c959..40930c2cdd10 100644 --- a/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh +++ b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh @@ -1,6 +1,7 @@ #!/bin/bash # packages = audit +{{{ setup_augenrules_environment() }}} rm -f /etc/audit/rules.d/* > /etc/audit/audit.rules diff --git a/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh b/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh index e17d5be18d41..5151b4181df1 100644 --- a/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh +++ b/tests/shared/audit_rules_watch/auditctl_wrong_rule.fail.sh @@ -2,8 +2,11 @@ # packages = audit if [[ "$style" == "modern" ]] ; then + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/audit.rules echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/audit.rules else + sed -i "\#-w $path#d" /etc/audit/audit.rules echo "-w $path -p w -k logins" >> /etc/audit/audit.rules fi 
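Review bot: The modern branch escapes only `/` in `$path` before using it as a sed address, so `.` and any other regex metacharacters in the path are still interpreted; here that can only over-delete (the intent is to purge the correct rule before appending the weaker `perm=w` one, so the scenario genuinely fails), but it is an extra step the legacy branch already avoids by choosing `#` as the delimiter. Using the same form in both branches, `sed -i "\#$filter_type=$path#d" /etc/audit/audit.rules`, drops the `escaped_path` line and keeps the two halves symmetric; the same applies to auditctl_wrong_rule_without_key.fail.sh and to the two augenrules_wrong_rule*.fail.sh hunks, where the address would be `"\#$filter_type=$path#d" /etc/audit/rules.d/*.rules`. The if/else is complete within the hunk, but the script header that sets `path`, `filter_type` and any shell options is outside it, so whether a sed failure on a missing /etc/audit/audit.rules aborts the scenario cannot be told from here; the augenrules variants guard with `2>/dev/null || true` and the auditctl variants do not, which is another asymmetry worth settling one way.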
diff --git a/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh b/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh index 4cf6a4c52725..98b0fdbcc042 100644 --- a/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh +++ b/tests/shared/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh @@ -2,8 +2,11 @@ # packages = audit if [[ "$style" == "modern" ]] ; then + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/audit.rules echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/audit.rules else + sed -i "\#-w $path#d" /etc/audit/audit.rules echo "-w $path -p w" >> /etc/audit/audit.rules fi diff --git a/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh b/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh index ab664a4d6987..ceebf8688b9d 100644 --- a/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh +++ b/tests/shared/audit_rules_watch/augenrules_wrong_rule.fail.sh @@ -3,8 +3,11 @@ if [[ "$style" == "modern" ]] ; then + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/rules.d/login.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w -F key=logins" >> /etc/audit/rules.d/login.rules else + sed -i "\#-w $path#d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-w $path -p w -k login" >> /etc/audit/rules.d/login.rules fi diff --git a/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh b/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh index 80bd5f72cfc6..b5a1cb50b7a6 100644 --- a/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh 
+++ b/tests/shared/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh @@ -3,8 +3,11 @@ if [[ "$style" == "modern" ]] ; then + escaped_path=$(echo "$path" | sed 's/\//\\\//g') + sed -i "/$filter_type=$escaped_path/d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-a always,exit -F arch=b32 -F $filter_type=$path -F perm=w" >> /etc/audit/rules.d/login.rules echo "-a always,exit -F arch=b64 -F $filter_type=$path -F perm=w" >> /etc/audit/rules.d/login.rules else + sed -i "\#-w $path#d" /etc/audit/rules.d/*.rules 2>/dev/null || true echo "-w $path -p w" >> /etc/audit/rules.d/login.rules fi