MEDIUM RHCOS (Node) M3: Audit Rules - DAC Modifications P3

Overview

This remediation configures audit rules to monitor Discretionary Access Control (DAC) modifications, specifically file permission and ownership changes.

Settings

Rule    Description
chmod   Audit file permission changes via chmod
chown   Audit file ownership changes via chown

Implementation

The remediation applies audit rules via MachineConfig:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-dac-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-dac-modification.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## DAC modification monitoring
              -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod

Compliance Checks Remediated

Check                                                 Profile  Description
rhcos4-e8-worker-audit-rules-dac-modification-chmod   E8       Audit chmod syscalls
rhcos4-e8-worker-audit-rules-dac-modification-chown   E8       Audit chown syscalls

Source Remediation Files

  • medium/rhcos4-e8-worker-audit-rules-dac-modification-chmod.yaml
  • medium/rhcos4-e8-worker-audit-rules-dac-modification-chown.yaml

Verification

After the MachineConfig has been applied, verify on the node that the audit rules are loaded:

oc debug node/<node-name> -- chroot /host auditctl -l | grep perm_mod
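The grep above only confirms that some rule carrying the perm_mod key is loaded, not that every arch/syscall pair from the rules file made it in. As an added check (example code, not part of this remediation), the following Python parses `auditctl -l` output, which may print loaded rules in normalized form (syscalls joined with commas, `auid!=unset` shown as `auid!=-1`, the key as `-F key=...`), and reports any required pair that is missing; the sample output below is constructed, with the b32 chown rule deliberately left out.

```python
# Syscalls each arch must cover under key perm_mod, taken from 75-dac-modification.rules.
DAC_SYSCALLS = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat", "lchown"}
REQUIRED = {"perm_mod": {"b64": DAC_SYSCALLS, "b32": DAC_SYSCALLS}}

# Constructed sample of `auditctl -l` output (not captured from a real node):
# the b32 chown rule is missing, so the check below must flag it.
SAMPLE_AUDITCTL_L = """\
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
"""


def parse_rule(line):
    """Return (key, arch, syscalls) for an `-a always,exit` rule line, else None.
    Accepts both the rules-file form (-S a -S b ... -k key) and the loaded
    form auditctl -l prints (-S a,b ... -F key=key)."""
    toks = line.split()
    if toks[:2] != ["-a", "always,exit"]:
        return None  # comment, blank line, or a non-syscall rule
    arch, key, syscalls = None, None, set()
    for flag, val in zip(toks[2::2], toks[3::2]):  # flag/value pairs after -a
        if flag == "-F" and val.startswith("arch="):
            arch = val[len("arch="):]
        elif flag == "-F" and val.startswith("key="):
            key = val[len("key="):]
        elif flag == "-k":
            key = val
        elif flag == "-S":
            syscalls |= set(val.split(","))
    return key, arch, syscalls


def missing_coverage(auditctl_output, required=REQUIRED):
    """Map (key, arch) -> sorted syscalls that are required but not loaded."""
    loaded = {}
    for line in auditctl_output.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] and parsed[1]:
            loaded.setdefault((parsed[0], parsed[1]), set()).update(parsed[2])
    gaps = {}
    for key, arches in required.items():
        for arch, calls in arches.items():
            missing = calls - loaded.get((key, arch), set())
            if missing:
                gaps[(key, arch)] = sorted(missing)
    return gaps


if __name__ == "__main__":
    print(missing_coverage(SAMPLE_AUDITCTL_L) or "all DAC syscalls covered")
```

Feed it the real output of `oc debug node/<node-name> -- chroot /host auditctl -l` instead of the sample; an empty result means both arches are fully covered.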

Security Impact

Monitoring DAC modifications helps detect:

  • Unauthorized permission escalations
  • Attempts to modify critical file permissions
  • Potential privilege escalation attempts

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

chmod/chown DAC audit rules (RAN, Low)
Target: openshift/os, file /etc/audit/rules.d/50-dac-modification.rules
Rationale: Standard CIS/STIG audit requirement. Tracks permission changes for forensic analysis.
Scope: Audit rules add overhead. Not all clusters need DAC modification forensic logging.

PR History

chmod/chown DAC audit rules: Not Filed (blocked)
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.