# MEDIUM M8: Audit Rules - Network Config P3

## Overview
This remediation configures audit rules to monitor network configuration changes, including hostname and domain modifications.
## Settings

| Rule | Description |
|---|---|
| network_modification | Audit sethostname, setdomainname syscalls |
## Implementation

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-network-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-network-config.rules
          mode: 0644  # YAML 1.1 octal literal, i.e. decimal 420 as Ignition expects
          overwrite: true
          contents:
            inline: |
              ## Network configuration monitoring
              -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
              -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
              -w /etc/issue -p wa -k system-locale
              -w /etc/issue.net -p wa -k system-locale
              -w /etc/hosts -p wa -k system-locale
              -w /etc/hostname -p wa -k system-locale
              -w /etc/sysconfig/network -p wa -k system-locale
```
## Compliance Checks Remediated

| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-audit-rules-networkconfig-modification | E8 | 📖 |
## Source Remediation Files
- medium/rhcos4-e8-worker-audit-rules-networkconfig-modification.yaml
## Security Impact
Network configuration monitoring detects:
- Unauthorized hostname changes (often used to hide identity)
- DNS hijacking attempts via /etc/hosts modification
- Network configuration tampering
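A way to review what these rules actually record, as an added example that is not part of the remediation or the compliance operator: the function below reads raw audit records from stdin, keeps the events tagged with the `system-locale` key, and reports the process together with either the syscall name or the watched file that was touched. The sample records are constructed, and the syscall-number mapping assumes x86_64 (`arch=c000003e`); other architectures fall back to the raw number.

```shell
#!/bin/sh
# Summarise audit events produced by the system-locale rules. On a node the input
# would come from: ausearch -k system-locale --raw | summarize_network_config_events
summarize_network_config_events() {
  awk '
    # Return the value of field "name" in an audit record, quoted or bare.
    function field(rec, name,   n) {
      n = length(name) + 2                       # leading space + name + "="
      if (match(rec, " " name "=\"[^\"]*\"")) return substr(rec, RSTART + n + 1, RLENGTH - n - 2)
      if (match(rec, " " name "=[^ ]+"))      return substr(rec, RSTART + n, RLENGTH - n)
      return ""
    }
    {
      # Event id is the serial inside msg=audit(<timestamp>:<serial>):
      id = $2; sub(/^msg=audit\([0-9.]+:/, "", id); sub(/\):$/, "", id)
      if ($1 == "type=SYSCALL" && field($0, "key") == "system-locale") {
        comm[id] = field($0, "comm"); sc = field($0, "syscall"); arch = field($0, "arch")
        # Syscall numbers are per-architecture; only the x86_64 ones are named here.
        if (arch == "c000003e" && sc == "170")      { what[id] = "sethostname" }
        else if (arch == "c000003e" && sc == "171") { what[id] = "setdomainname" }
        else                                        { what[id] = "syscall=" sc }
        order[++cnt] = id
      } else if ($1 == "type=PATH" && field($0, "nametype") != "PARENT") {
        # Remember the non-directory path of each event; resolved in END so the
        # record order within an event does not matter.
        path[id] = field($0, "name")
      }
    }
    END {
      for (i = 1; i <= cnt; i++) {
        id = order[i]; w = (id in path) ? path[id] : what[id]
        print id, comm[id], w
      }
    }
  '
}

# Constructed sample records modelled on auditd output (not captured from a real node):
# a hostname change, an edit of /etc/hosts, and an unrelated event that must be ignored.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=170 success=yes exit=0 ppid=1 pid=2201 auid=1000 uid=0 comm="hostname" exe="/usr/bin/hostname" key="system-locale"
type=SYSCALL msg=audit(1700000001.456:4568): arch=c000003e syscall=257 success=yes exit=3 ppid=2300 pid=2311 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="system-locale"
type=PATH msg=audit(1700000001.456:4568): item=0 name="/etc/" inode=128 dev=fd:00 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000001.456:4568): item=1 name="/etc/hosts" inode=131 dev=fd:00 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.789:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2320 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="privileged"'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_network_config_events
```

The two reported lines (`4567 hostname sethostname` and `4568 vi /etc/hosts`) are exactly the events the Security Impact list describes; the `ls` event carries a different key and is dropped.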