MEDIUM RHCOS (Node) M4: Audit Rules - SELinux P2

Verified CNF-22621 (In Progress) Compare Branch Synced: 2026-05-04

Overview

This remediation configures audit rules to monitor SELinux-related operations, ensuring all security context modifications are logged.

Settings

Rule Description
chcon Audit SELinux context changes
restorecon Audit SELinux context restoration
semanage Audit SELinux management commands
setfiles Audit SELinux file labeling
setsebool Audit SELinux boolean changes
seunshare Audit SELinux unshare operations

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-privilege-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-selinux-audit.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## SELinux command monitoring
              -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change

Compliance Checks Remediated

Check Profile Docs
rhcos4-e8-worker-audit-rules-execution-chcon E8 📖
rhcos4-e8-worker-audit-rules-execution-restorecon E8 📖
rhcos4-e8-worker-audit-rules-execution-semanage E8 📖
rhcos4-e8-worker-audit-rules-execution-setfiles E8 📖
rhcos4-e8-worker-audit-rules-execution-setsebool E8 📖
rhcos4-e8-worker-audit-rules-execution-seunshare E8 📖

Source Remediation Files (6)

  • medium/rhcos4-e8-worker-audit-rules-execution-chcon.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-restorecon.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-semanage.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-setfiles.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-setsebool.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-seunshare.yaml

Security Impact

Monitoring SELinux operations is critical because:

  • SELinux provides mandatory access control enforcement
  • Unauthorized changes could weaken security boundaries
  • Audit trail helps detect policy bypass attempts

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

SELinux command audit rules (6 commands) RAN Low
openshift/os /etc/audit/rules.d/50-selinux-commands.rules
Tracks SELinux policy modifications. Critical for security audit trail on hardened systems.
Scope: SELinux command auditing is valuable for hardened environments but adds audit log volume.

PR History

SELinux command audit rules (6 commands) Not Filed blocked
coreos/rhel-coreos-config
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.
coreos/fedora-coreos-tracker/issues/461 coreos/fedora-coreos-tracker/issues/220 coreos/bugs/issues/140 docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/auditing-the-system_security-hardening
← M3 All Groups M5 →
Legend
Status
🔵 In Progress
🟡 Pending
⚪ On Hold
🟢 Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only