MEDIUM M8: Audit Rules - Network Config P3

Overview

This remediation configures audit rules to monitor network configuration changes, including hostname and domain modifications.

Settings

Rule                  Description
network_modification  Audit sethostname, setdomainname syscalls

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-network-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-network-config.rules
          mode: 0644
          overwrite: true
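          contents:
            # Ignition spec 3.2.0 takes file contents as a data URL in `source`;
            # `inline` is Butane syntax, not an Ignition field. Decoded rules:
            #   ## Network configuration monitoring
            #   -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
            #   -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
            #   -w /etc/issue -p wa -k system-locale
            #   -w /etc/issue.net -p wa -k system-locale
            #   -w /etc/hosts -p wa -k system-locale
            #   -w /etc/hostname -p wa -k system-locale
            #   -w /etc/sysconfig/network -p wa -k system-locale
            source: data:,%23%23%20Network%20configuration%20monitoring%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20sethostname%20-S%20setdomainname%20-k%20system-locale%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20sethostname%20-S%20setdomainname%20-k%20system-locale%0A-w%20%2Fetc%2Fissue%20-p%20wa%20-k%20system-locale%0A-w%20%2Fetc%2Fissue.net%20-p%20wa%20-k%20system-locale%0A-w%20%2Fetc%2Fhosts%20-p%20wa%20-k%20system-locale%0A-w%20%2Fetc%2Fhostname%20-p%20wa%20-k%20system-locale%0A-w%20%2Fetc%2Fsysconfig%2Fnetwork%20-p%20wa%20-k%20system-locale%0A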

Compliance Checks Remediated

Check                                                    Profile
rhcos4-e8-worker-audit-rules-networkconfig-modification  E8

Source Remediation Files

  • medium/rhcos4-e8-worker-audit-rules-networkconfig-modification.yaml

Security Impact

Network configuration monitoring detects:

  • Unauthorized hostname changes (often used to hide identity)
  • DNS hijacking attempts via /etc/hosts modification
  • Network configuration tampering
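
One way to triage the records these rules produce, as an added example that is not part of the original remediation: the script groups raw audit.log records by event serial and reports which audited syscall or watched file triggered each system-locale event, including failed attempts. The sample records are constructed, the function and variable names are illustrative, and the syscall numbers are the x86_64 and i386 values for sethostname and setdomainname.

```python
import re
from collections import defaultdict

KEY = "system-locale"  # key the rules on this page attach to every record
# Syscall numbers of the two audited calls, indexed by audit arch value.
SYSCALLS = {
    "c000003e": {"170": "sethostname", "171": "setdomainname"},  # x86_64 (b64)
    "40000003": {"74": "sethostname", "121": "setdomainname"},   # i386 (b32)
}
WATCHED = {"/etc/issue", "/etc/issue.net", "/etc/hosts",
           "/etc/hostname", "/etc/sysconfig/network"}
EVENT = re.compile(r"msg=audit\([\d.]+:(\d+)\)")  # captures the event serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def findings(lines):
    """Group raw audit records by event serial and report system-locale events."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT.search(line)
        if m:
            rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(1)].append(rec)
    out = []
    for serial, recs in events.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sc or sc.get("key") != KEY:
            continue  # event was not produced by these rules
        name = SYSCALLS.get(sc.get("arch"), {}).get(sc.get("syscall"))
        paths = sorted(r["name"] for r in recs
                       if r.get("type") == "PATH" and r.get("name") in WATCHED)
        what = name or (", ".join(paths) if paths else "unresolved")
        out.append({"serial": serial, "what": what, "exe": sc.get("exe"),
                    "auid": sc.get("auid"), "success": sc.get("success")})
    return out

# Constructed sample records in raw audit.log style (not taken from a real host).
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=170 success=yes exit=0 auid=1000 uid=0 comm="hostname" exe="/usr/bin/hostname" key="system-locale"
type=SYSCALL msg=audit(1700000005.220:502): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="system-locale"
type=PATH msg=audit(1700000005.220:502): item=0 name="/etc/" nametype=PARENT
type=PATH msg=audit(1700000005.220:502): item=1 name="/etc/hosts" nametype=NORMAL
type=SYSCALL msg=audit(1700000009.000:503): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=SYSCALL msg=audit(1700000012.400:504): arch=c000003e syscall=170 success=no exit=-1 auid=1001 uid=1001 comm="hostname" exe="/usr/bin/hostname" key="system-locale"
""".splitlines()

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```

The auid field carries the login identity that started the session, so it stays attributable even when the change itself runs as root.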