MEDIUM M9: Auditd Configuration P3
Overview
This remediation configures auditd to include hostname information in audit records, improving log correlation in multi-node environments.
Settings
| Setting | Value | Description |
|---|---|---|
| name_format | hostname | Log hostname in audit records |
Implementation
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-auditd-config-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/auditd.conf
          mode: 0640
          overwrite: true
          contents:
            inline: |
              # Auditd configuration
              log_file = /var/log/audit/audit.log
              log_format = ENRICHED
              log_group = root
              priority_boost = 4
              flush = INCREMENTAL_ASYNC
              freq = 50
              max_log_file = 8
              num_logs = 5
              name_format = hostname
              max_log_file_action = ROTATE
              space_left = 75
              space_left_action = SYSLOG
              admin_space_left = 50
              admin_space_left_action = SUSPEND
              disk_full_action = SUSPEND
              disk_error_action = SUSPEND
```
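As an added verification helper (not part of the remediation files or of the Compliance Operator), the following Python parses an `auditd.conf`, reports which of the settings above are missing or differ, and checks audit records for the leading `node=<hostname>` field that `name_format = hostname` produces. The sample config texts and log lines are constructed for the example; the hostname `worker-0.example.internal` is a placeholder.

```python
"""Check an auditd.conf against the remediation's values and confirm that
audit records carry the node= hostname field the setting adds."""
import re

# Settings taken from the MachineConfig above that matter for this check.
EXPECTED = {
    "log_format": "ENRICHED",
    "name_format": "hostname",
    "space_left_action": "SYSLOG",
    "admin_space_left_action": "SUSPEND",
}

def parse_auditd_conf(text):
    """Parse 'key = value' lines; blank lines and # comments are ignored.
    Keys are lower-cased because auditd treats them case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings

def check_settings(conf_text, expected=EXPECTED):
    """Return {key: (expected, actual)} for each missing or mismatching key;
    an empty dict means the file is compliant with the expected values."""
    actual = parse_auditd_conf(conf_text)
    findings = {}
    for key, want in expected.items():
        got = actual.get(key)
        if got is None or got.lower() != want.lower():
            findings[key] = (want, got)
    return findings

# With name_format = hostname every record begins with "node=<hostname> type=".
NODE_RE = re.compile(r"^node=(?P<node>\S+) type=(?P<type>\w+) ")

def records_missing_node(log_text):
    """Return the audit records that lack the leading node=<hostname> field."""
    return [ln for ln in log_text.splitlines() if ln and not NODE_RE.match(ln)]

# Constructed samples: a default-style file (name_format = none) beside the
# remediated one, and two records of which only the first carries node=.
BEFORE = "log_format = RAW\nname_format = none\nspace_left_action = SYSLOG\n"
AFTER = ("log_format = ENRICHED\nname_format = hostname\n"
         "space_left_action = SYSLOG\nadmin_space_left_action = SUSPEND\n")
SAMPLE_LOG = (
    "node=worker-0.example.internal type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes\n"
    "type=SYSCALL msg=audit(1700000000.456:43): arch=c000003e syscall=59 success=yes\n"
)
```

Run `check_settings` over the file fetched from a node (for example via `oc debug` and `chroot /host`) to confirm the MachineConfig was applied, and `records_missing_node` over a slice of `/var/log/audit/audit.log` to confirm the hostname is actually being recorded.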
Compliance Checks Remediated
| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-auditd-name-format | E8 | 📖 |
Source Remediation Files
- medium/rhcos4-e8-worker-auditd-name-format.yaml
Security Impact
Including hostname in audit records:
- Enables log aggregation across multiple nodes
- Simplifies SIEM correlation
- Essential for OpenShift multi-node forensics