MEDIUM RHCOS (Node) M8: Audit Rules - Network Config P3

Overview

This remediation installs audit rules that record hostname and domain-name changes made through the sethostname and setdomainname syscalls, together with writes to the files that define a node's network identity and login banners: /etc/hostname, /etc/hosts, /etc/issue, /etc/issue.net and /etc/sysconfig/network. Every event is tagged with the key system-locale, so ausearch -k system-locale pulls them out on a node and a log forwarder can filter on that key.

Settings

Rule: network_modification
Description: Audit the sethostname and setdomainname syscalls (64-bit and 32-bit ABIs) and writes to /etc/issue, /etc/issue.net, /etc/hosts, /etc/hostname and /etc/sysconfig/network

Implementation

The MachineConfig below is labelled for the master pool, while the check it remediates is the worker variant. The Machine Config Operator only applies a MachineConfig to the pool named in its role label, so to cover worker nodes apply an equivalent object with machineconfiguration.openshift.io/role: worker (one MachineConfig per pool). The operator writes the rules file and reboots each node; augenrules then merges everything in /etc/audit/rules.d when auditd starts. To confirm the rules are loaded on a node, run: oc debug node/<node-name> -- chroot /host auditctl -l | grep system-locale

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-network-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-network-config.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Network configuration monitoring
              -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
              -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
              -w /etc/issue -p wa -k system-locale
              -w /etc/issue.net -p wa -k system-locale
              -w /etc/hosts -p wa -k system-locale
              -w /etc/hostname -p wa -k system-locale
              -w /etc/sysconfig/network -p wa -k system-locale

Compliance Checks Remediated

Check: rhcos4-e8-worker-audit-rules-networkconfig-modification
Profile: E8 (Essential Eight)

Source Remediation Files

  • medium/rhcos4-e8-worker-audit-rules-networkconfig-modification.yaml

Security Impact

Network configuration monitoring detects:

  • Hostname or domain-name changes, whether made through the sethostname/setdomainname syscalls or by editing /etc/hostname. The hostname is stamped on every syslog message the node emits afterwards, so an unexpected change breaks host-based correlation and can make a compromised node's activity show up under another host's name.
  • Name-resolution overrides via /etc/hosts. With the default nsswitch order (files before dns) an entry there wins over DNS, so a single line can silently redirect a node's traffic for a chosen name.
  • Tampering with the login banners (/etc/issue, /etc/issue.net) and with legacy network settings in /etc/sysconfig/network.
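Detection logic for the events these rules produce, as an added example that is not part of the remediation or the Compliance Operator: it groups raw auditd records by event serial the way ausearch does, keeps the events keyed system-locale, and reports who changed what. The SAMPLE_LOG lines are constructed in auditd's raw format with hypothetical timestamps, PIDs, inodes and addresses; the syscall-number tables are the x86_64 and i386 ones that the arch=b64 and arch=b32 rules select, which is why the example also handles the 32-bit ABI the page's rules cover.

```python
"""Triage auditd events produced by the network-config rules (key "system-locale").

Added example, not part of the remediation or the Compliance Operator. SAMPLE_LOG
is constructed in auditd's raw log format with hypothetical timestamps, PIDs,
inodes and addresses."""
import re
from collections import defaultdict

KEY = "system-locale"  # the -k value used by every rule in the MachineConfig above

# Syscall numbers are per ABI; these are the x86 tables selected by arch=b64 / arch=b32.
SYSCALL_NAMES = {
    "c000003e": {170: "sethostname", 171: "setdomainname"},  # x86_64
    "40000003": {74: "sethostname", 121: "setdomainname"},   # i386
}
AUID_UNSET = 4294967295  # how auditd prints auid=-1: no login session, e.g. a boot-time daemon

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a boot-time hostname set by a system daemon, an interactive
# hostname change by login uid 1000 after becoming root, an editor rewriting
# /etc/hosts, and an unrelated event with a different key that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.050:2000): arch=c000003e syscall=170 success=yes exit=0 a0=55d1c2a0b3c0 a1=c a2=0 a3=0 items=0 ppid=1 pid=1180 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" key="system-locale"
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=170 success=yes exit=0 a0=7ffd3a1b2c40 a1=6 a2=0 a3=0 items=0 ppid=4010 pid=4011 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="hostname" exe="/usr/bin/hostname" key="system-locale"
type=PROCTITLE msg=audit(1700000000.101:2001): proctitle=686F73746E616D6500726F677565
type=SYSCALL msg=audit(1700000000.250:2002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f2a4c001d10 a2=241 a3=1a4 items=2 ppid=4010 pid=4020 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="system-locale"
type=CWD msg=audit(1700000000.250:2002): cwd="/root"
type=PATH msg=audit(1700000000.250:2002): item=0 name="/etc/" inode=262145 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.250:2002): item=1 name="/etc/hosts" inode=262401 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:2003): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f2a4c002000 a2=241 a3=1a4 items=2 ppid=4010 pid=4021 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="other-key"
"""


def parse_records(text):
    """Yield (type, serial, fields) for each raw auditd line; quoted values are unquoted."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["_ts"] = ts
        yield rtype, int(serial), fields


def group_events(text):
    """Group records by serial into {serial: [(type, fields), ...]}, as ausearch does."""
    events = defaultdict(list)
    for rtype, serial, fields in parse_records(text):
        events[serial].append((rtype, fields))
    return events


def network_config_alerts(text, key=KEY):
    """Return one alert dict per event tagged with `key`, naming the actor and the action."""
    alerts = []
    for serial, records in sorted(group_events(text).items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        # -S rules: the syscall number (decimal in raw logs) identifies the action.
        name = SYSCALL_NAMES.get(syscall.get("arch", ""), {}).get(int(syscall.get("syscall", -1)))
        if name is None:
            # -w rules: the written file is the PATH item that is not the parent directory.
            paths = [f.get("name", "?") for t, f in records
                     if t == "PATH" and f.get("nametype") != "PARENT"]
            name = "write " + (paths[-1] if paths else "<unknown path>")
        auid = int(syscall.get("auid", AUID_UNSET))
        alerts.append({
            "serial": serial,
            "ts": syscall["_ts"],
            "action": name,
            "success": syscall.get("success") == "yes",
            "auid": None if auid == AUID_UNSET else auid,  # None: no login session behind it
            "uid": int(syscall.get("uid", -1)),
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
        })
    return alerts


if __name__ == "__main__":
    for a in network_config_alerts(SAMPLE_LOG):
        who = "auid=unset" if a["auid"] is None else f"auid={a['auid']}"
        print(f"{a['ts']} serial={a['serial']} {a['action']:<18} {who} uid={a['uid']} exe={a['exe']}")
```

The auid field is the login uid, which survives su and sudo, so an alert with auid=unset comes from a process that never went through a login (a boot-time daemon setting the hostname is expected and can be baselined), while a human auid acting as uid 0 is the case worth paging on. Grouping by serial matters for the file watches: the PATH record that names the written file is a separate line from the SYSCALL record that carries the key, so a forwarder that filters single lines on key="system-locale" loses the path.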

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Network config audit rules (RAN, Low)
  Target: openshift/os, /etc/audit/rules.d/50-network-config.rules
  Tracks hostname/domainname changes and network environment modifications.
  Scope: Network config auditing is important for hardened deployments but not universally needed.

PR History

Network config audit rules: Not Filed (blocked)

Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default; only samples in /usr/share/audit/sample-rules/, which Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood the console on a fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.