MEDIUM M4: Audit Rules - SELinux P2

Overview

This remediation adds audit rules that log every execution of the SELinux management commands listed below by a logged-in user (auid >= 1000, auid not unset), so that security context and policy changes made through those tools leave an audit trail under the key privileged-priv_change.

Settings

Rule         Description
chcon        Audit SELinux context changes
restorecon   Audit SELinux context restoration
semanage     Audit SELinux management commands
setfiles     Audit SELinux file labeling
setsebool    Audit SELinux boolean changes
seunshare    Audit SELinux unshare operations

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-privilege-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-selinux-audit.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## SELinux command monitoring
              -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
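Two checks a practitioner typically wants around this rule file, written as an added example rather than code from the remediation itself: one verifies that a rules file carries a complete execution rule (path, perm=x, both auid filters and the key) for each of the six binaries, the other reads raw auditd SYSCALL records tagged with privileged-priv_change and reports which login uid ran which binary. The log records below are constructed samples, not captured output.

```python
"""Verify SELinux command-monitoring audit rules and parse the records they produce."""
import re
from collections import Counter

AUDIT_KEY = "privileged-priv_change"
UNSET_AUID = 4294967295  # how "auid=unset" appears numerically in raw audit records
REQUIRED_FILTERS = ("-F perm=x", "-F auid>=1000", "-F auid!=unset", f"-k {AUDIT_KEY}")
SELINUX_BINARIES = (
    "/usr/bin/chcon", "/usr/sbin/restorecon", "/usr/sbin/semanage",
    "/usr/sbin/setfiles", "/usr/sbin/setsebool", "/usr/sbin/seunshare",
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def missing_rules(rules_text):
    """Return the SELinux binaries that lack a complete execution rule in rules_text."""
    covered = set()
    for line in rules_text.splitlines():
        line = line.strip()
        path = re.search(r"-F path=(\S+)", line)
        if line.startswith("-a always,exit") and path and all(f in line for f in REQUIRED_FILTERS):
            covered.add(path.group(1))
    return [b for b in SELINUX_BINARIES if b not in covered]

def parse_record(line):
    """Split one raw auditd record into a dict of field=value pairs (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def selinux_exec_events(lines):
    """Return (auid, exe) for SYSCALL records carrying the rule key from a real login session."""
    events = []
    for rec in map(parse_record, lines):
        if rec.get("type") != "SYSCALL" or rec.get("key") != AUDIT_KEY:
            continue  # EXECVE/CWD/PATH records of the same event carry no key field
        auid = int(rec["auid"])
        if auid == UNSET_AUID or auid < 1000:
            continue  # re-apply the auid filters in case another rule file reuses the key
        events.append((auid, rec["exe"]))
    return events

# Constructed sample records: two matching events, one EXECVE companion record and one
# record from an unset login uid; the last two must be ignored.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 '
    'auid=1000 uid=0 gid=0 comm="chcon" exe="/usr/bin/chcon" key="privileged-priv_change"',
    'type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="chcon" a1="-t" a2="httpd_sys_content_t"',
    'type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=59 success=yes exit=0 '
    'auid=1000 uid=0 gid=0 comm="setsebool" exe="/usr/sbin/setsebool" key="privileged-priv_change"',
    'type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=59 success=yes exit=0 '
    'auid=4294967295 uid=0 gid=0 comm="restorecon" exe="/usr/sbin/restorecon" key="privileged-priv_change"',
]

if __name__ == "__main__":
    print(Counter(exe for _, exe in selinux_exec_events(SAMPLE_LOG)))
```

On a live node the same parser can be fed the raw output of ausearch -k privileged-priv_change --raw instead of SAMPLE_LOG.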

Compliance Checks Remediated

Check                                                  Profile
rhcos4-e8-worker-audit-rules-execution-chcon           E8
rhcos4-e8-worker-audit-rules-execution-restorecon      E8
rhcos4-e8-worker-audit-rules-execution-semanage        E8
rhcos4-e8-worker-audit-rules-execution-setfiles        E8
rhcos4-e8-worker-audit-rules-execution-setsebool       E8
rhcos4-e8-worker-audit-rules-execution-seunshare       E8

Source Remediation Files (6)

  • medium/rhcos4-e8-worker-audit-rules-execution-chcon.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-restorecon.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-semanage.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-setfiles.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-setsebool.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-seunshare.yaml

Security Impact

Monitoring SELinux operations is critical because:

  • SELinux provides mandatory access control enforcement
  • Unauthorized changes to contexts, booleans or policy could weaken those security boundaries
  • An audit trail of who ran these commands helps detect policy bypass attempts