MEDIUM M3: Audit Rules - DAC Modifications P3

Overview

This remediation configures audit rules to monitor Discretionary Access Control (DAC) modifications, specifically file permission and ownership changes.

Settings

Rule    Description
chmod   Audit file permission changes via the chmod, fchmod and fchmodat syscalls
chown   Audit file ownership changes via the chown, fchown, fchownat and lchown syscalls

Implementation

The remediation applies the audit rules via a MachineConfig that writes a rules file under /etc/audit/rules.d/; the Machine Config Operator rolls the change out to every node in the targeted pool, rebooting each one. The role label selects that pool: the manifest below targets master nodes, while the checks listed under Compliance Checks Remediated are the worker-role variants, so worker nodes need an equivalent MachineConfig labelled with role: worker. The auid filters restrict auditing to processes that belong to a real login session (auid set and at or above 1000), which keeps system daemons and kubelet-launched containers out of the perm_mod key:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-dac-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-dac-modification.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## DAC modification monitoring
              -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod

Compliance Checks Remediated

Check                                                 Profile  Description
rhcos4-e8-worker-audit-rules-dac-modification-chmod   E8       Audit chmod syscalls
rhcos4-e8-worker-audit-rules-dac-modification-chown   E8       Audit chown syscalls

Source Remediation Files

  • medium/rhcos4-e8-worker-audit-rules-dac-modification-chmod.yaml
  • medium/rhcos4-e8-worker-audit-rules-dac-modification-chown.yaml

Verification

After the MachineConfig has rolled out and the node has rebooted, verify that the rules are loaded into the running kernel rather than only present on disk (auditctl -l prints the merged, normalized rule set; all four perm_mod rules should appear):

oc debug node/<node-name> -- chroot /host auditctl -l | grep perm_mod
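The grep above only shows that some perm_mod rules are loaded; it does not show that every syscall is covered on both ABIs with the auid filters the checks expect. The following checker is an added example, not code from this page or from the Compliance Operator. It parses either the rules.d file (repeated -S, -k) or auditctl -l output (comma-joined -S, -F key=) and reports which required syscalls are missing per check and per arch. The three spellings of an unset login uid (unset, -1, 4294967295) are assumed here to cover the forms different audit versions print; the sample inputs are constructed for the example.

```python
import shlex
from typing import Dict, List, Optional, Set

# Syscalls the two compliance checks require, per check, on both ABIs.
REQUIRED: Dict[str, Set[str]] = {
    "chmod": {"chmod", "fchmod", "fchmodat"},
    "chown": {"chown", "fchown", "fchownat", "lchown"},
}
ARCHES = ("b32", "b64")
# Spellings of "unset login uid" seen in rules files and auditctl -l output (assumption).
UNSET_AUID = {"unset", "-1", "4294967295"}


class Rule:
    def __init__(self) -> None:
        self.arch: Optional[str] = None
        self.syscalls: Set[str] = set()
        self.filters: List[str] = []
        self.key: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one syscall rule; returns None for comments, blanks and non-syscall rules."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-a" or toks[1] not in ("always,exit", "exit,always"):
        return None
    rule = Rule()
    for flag, arg in zip(toks[2::2], toks[3::2]):
        if flag == "-S":
            rule.syscalls.update(arg.split(","))   # rules.d: repeated -S; auditctl -l: comma list
        elif flag == "-F" and arg.startswith("arch="):
            rule.arch = arg[len("arch="):]
        elif flag == "-F" and arg.startswith("key="):
            rule.key = arg[len("key="):]           # auditctl -l prints -k as -F key=
        elif flag == "-F":
            rule.filters.append(arg)
        elif flag == "-k":
            rule.key = arg
    return rule


def scoped_to_login_users(rule: Rule) -> bool:
    """Both checks expect the rule limited to real sessions: auid>=1000 and auid!=unset."""
    has_min = "auid>=1000" in rule.filters
    has_unset = any(f.startswith("auid!=") and f[len("auid!="):] in UNSET_AUID
                    for f in rule.filters)
    return has_min and has_unset


def missing_coverage(rules_text: str, key: str = "perm_mod") -> Dict[str, Dict[str, List[str]]]:
    """Map each check to the syscalls still unaudited on each ABI under `key`."""
    covered = {arch: set() for arch in ARCHES}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule.key == key and rule.arch in covered and scoped_to_login_users(rule):
            covered[rule.arch] |= rule.syscalls
    return {check: {arch: sorted(need - covered[arch]) for arch in ARCHES}
            for check, need in REQUIRED.items()}


def is_compliant(rules_text: str, key: str = "perm_mod") -> bool:
    return not any(gap for per_arch in missing_coverage(rules_text, key).values()
                   for gap in per_arch.values())


# Constructed input: the rules from the MachineConfig above, as written to rules.d.
RULES_D = """\
## DAC modification monitoring
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
"""

# Constructed input in auditctl -l form, with the 32-bit chown rule deliberately missing.
LOADED_PARTIAL = """\
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RULES_D
    for check, per_arch in missing_coverage(text).items():
        for arch, gap in per_arch.items():
            print(f"{check:5s} {arch}: {'OK' if not gap else 'missing ' + ','.join(gap)}")
    sys.exit(0 if is_compliant(text) else 1)
```

To run it against a node, capture the live rule set first (for example, oc debug node/<node-name> -- chroot /host auditctl -l > loaded.rules) and pass that file as the argument; a non-zero exit means at least one check would still fail.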

Security Impact

Monitoring DAC modifications helps detect:

  • Unauthorized changes to file permissions, such as a credential or configuration file made world-readable or world-writable
  • Ownership changes that hand control of a sensitive file to an unprivileged account
  • Privilege escalation attempts that prepare the ground by loosening permissions on setuid binaries, cron or service files

Because the rules filter on auid, each event is attributed to the user who logged in, even when the command ran under sudo as root. The same filter means processes without a login session (system services, containers started by kubelet) are not captured by this key; that is by design for these checks, but it should be understood when treating the perm_mod key as a complete record of permission changes on the node.
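The value of the key comes from turning raw audit records into findings. The following correlation is an added example, not part of this page or of the Compliance Operator: it groups the SYSCALL and PATH records that share an audit serial, keeps those tagged perm_mod, decodes the x86_64 syscall number (arch=c000003e; decoding only the 64-bit ABI is an assumption of this example), and reports who changed what. The log lines are constructed for the example; the third event shows the fd-based fchmod case, which carries no PATH record.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for the calls the perm_mod rules audit.
# Assumption: only the 64-bit ABI is decoded; i386 (arch=40000003) numbers differ.
X86_64_DAC_SYSCALLS = {
    90: "chmod", 91: "fchmod", 268: "fchmodat",
    92: "chown", 93: "fchown", 260: "fchownat", 94: "lchown",
}
MODE_CALLS = {"chmod", "fchmod", "fchmodat"}

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, timestamp, serial, {field: value})."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, float(ts), int(serial), fields


def group_events(lines):
    """Collect the SYSCALL and PATH records that share an audit serial into one event."""
    events = defaultdict(lambda: {"ts": 0.0, "syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events


def target_of(paths):
    """The object acted on is the PATH item with nametype=NORMAL (PARENT entries precede
    it for the *at variants); fd-based calls such as fchmod emit no PATH at all."""
    for p in reversed(paths):
        if p.get("nametype", "NORMAL") == "NORMAL":
            return p.get("name")
    return None


def dac_findings(lines, key="perm_mod"):
    """Turn raw audit records into one finding per DAC change tagged with `key`."""
    findings = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        num = int(sc["syscall"])
        name = X86_64_DAC_SYSCALLS.get(num, f"syscall#{num}") if sc.get("arch") == "c000003e" else f"syscall#{num}"
        finding = {
            "serial": serial,
            "auid": int(sc["auid"]),      # the login user, even when euid is 0 via sudo
            "euid": int(sc["euid"]),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "syscall": name,
            "target": target_of(ev["paths"]),
            "success": sc.get("success") == "yes",
        }
        if name in MODE_CALLS:
            # a1 is the mode argument of chmod/fchmod/fchmodat; audit logs args in hex.
            finding["new_mode"] = f"{int(sc['a1'], 16):04o}"
        findings.append(finding)
    return findings


# Constructed sample records (field set trimmed); not captured from a real node.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd1 a1=1ff a2=0 a3=0 items=1 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=63686D6F64
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=260 success=yes exit=0 a0=ffffff9c a1=7ffd2 a2=3e8 a3=3e8 items=2 ppid=4100 pid=4102 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="chown" exe="/usr/bin/chown" key="perm_mod"
type=CWD msg=audit(1700000000.250:202): cwd="/root"
type=PATH msg=audit(1700000000.250:202): item=0 name="/etc/kubernetes/" inode=200 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.250:202): item=1 name="/etc/kubernetes/kubelet.conf" inode=201 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=180 a2=0 a3=0 items=0 ppid=4100 pid=4103 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="python3" exe="/usr/bin/python3.9" key="perm_mod"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3 a2=0 a3=0 items=1 ppid=4100 pid=4104 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"
"""

if __name__ == "__main__":
    for f in dac_findings(SAMPLE_LOG.splitlines()):
        print(f"{f['serial']}: auid={f['auid']} euid={f['euid']} {f['comm']} {f['syscall']} "
              f"target={f['target'] or '(fd-based, no path)'} mode={f.get('new_mode', '-')}")
```

On a node the same records come from ausearch -k perm_mod (or from a SIEM that ingests /var/log/audit/audit.log); the serial-based grouping is what lets the chown of kubelet.conf be reported as one event even though the kernel emits it as four records.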