MEDIUM RHCOS (Node) M5: Audit Rules - Kernel Modules P3

Overview

This remediation configures audit rules to monitor kernel module loading and unloading operations, which are critical for detecting rootkit installation attempts.

Settings

Rule            Description
delete_module   Audit kernel module unloading (rmmod)
finit_module    Audit kernel module loading (finit)
init_module     Audit kernel module loading (init)

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-modules-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-kernel-modules.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Kernel module monitoring
              -a always,exit -F arch=b64 -S init_module -S finit_module -k module_load
              -a always,exit -F arch=b32 -S init_module -S finit_module -k module_load
              -a always,exit -F arch=b64 -S delete_module -k module_unload
              -a always,exit -F arch=b32 -S delete_module -k module_unload
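The three checks listed below each look for an always,exit rule on one of these syscalls, for both the b64 and b32 arch. The following added example (not part of the Compliance Operator or of this remediation) parses a rules.d file in the format above and reports which (syscall, arch) pairs are still unwatched; the rules text is a constructed copy of the MachineConfig contents.

```python
"""Verify that an audit rules file covers the kernel-module syscalls the
rhcos4-e8 checks on this page look for, on both b64 and b32 (added example)."""

# Constructed copy of the rules deployed by the MachineConfig on this page.
RULES_TEXT = """\
## Kernel module monitoring
-a always,exit -F arch=b64 -S init_module -S finit_module -k module_load
-a always,exit -F arch=b32 -S init_module -S finit_module -k module_load
-a always,exit -F arch=b64 -S delete_module -k module_unload
-a always,exit -F arch=b32 -S delete_module -k module_unload
"""

REQUIRED_SYSCALLS = ("init_module", "finit_module", "delete_module")
REQUIRED_ARCHES = ("b64", "b32")


def parse_rules(text):
    """Return (arches, syscalls, key) for each '-a always,exit' rule line.

    Comments and blank lines are skipped. auditctl accepts both the repeated
    '-S a -S b' form used on this page and '-S a,b'; both are merged.
    """
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#") or tokens[:2] != ["-a", "always,exit"]:
            continue
        arches, syscalls, key = set(), set(), None
        # The rest of the line is flag/value pairs: -F arch=b64, -S name, -k key.
        for flag, value in zip(tokens[2::2], tokens[3::2]):
            if flag == "-F" and value.startswith("arch="):
                arches.add(value.split("=", 1)[1])
            elif flag == "-S":
                syscalls.update(value.split(","))
            elif flag == "-k":
                key = value
        rules.append((frozenset(arches), frozenset(syscalls), key))
    return rules


def missing_coverage(text):
    """Return (syscall, arch) pairs no always,exit rule watches; [] means all
    three module checks are satisfied."""
    rules = parse_rules(text)
    return [(sc, arch) for sc in REQUIRED_SYSCALLS for arch in REQUIRED_ARCHES
            if not any(sc in s and arch in a for a, s, _ in rules)]


def unkeyed_rules(text):
    """Rules without -k: their events exist but 'ausearch -k' cannot select them."""
    return [r for r in parse_rules(text) if r[2] is None]
```

This only inspects the file; on a node, `augenrules --check` reports whether the rules.d contents have actually been compiled into /etc/audit/audit.rules, and `auditctl -l` shows what the kernel has loaded.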

Compliance Checks Remediated

Check                                                       Profile
rhcos4-e8-worker-audit-rules-kernel-module-loading-delete   E8
rhcos4-e8-worker-audit-rules-kernel-module-loading-finit    E8
rhcos4-e8-worker-audit-rules-kernel-module-loading-init     E8

Source Remediation Files

  • medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-delete.yaml
  • medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-finit.yaml
  • medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-init.yaml

Security Impact

Kernel module auditing is essential because:

  • Rootkits often install via kernel modules
  • Unauthorized modules can bypass security controls
  • Module loading should be rare on production systems

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Kernel module load/unload audit rules   RAN   Low
Repository: openshift/os
File: /etc/audit/rules.d/50-kernel-modules.rules
Tracks kernel module operations (init_module, delete_module). Essential for detecting rootkit installation.
Scope: Module loading auditing is critical for security-sensitive deployments but unnecessary for general workloads.

PR History

Kernel module load/unload audit rules   Status: Not Filed (blocked)
Reason: Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default; it ships only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood the console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.