MEDIUM RHCOS (Node) M13: Extended DAC Audit P3
Remediation required. This group (11 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Extends the basic DAC (Discretionary Access Control) audit rules from M3 to cover additional syscalls for file permission and ownership changes. While M3 covers chmod and chown, this group adds variants like fchmod, fchown, setxattr, and their ālā (symlink-aware) counterparts.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
fchmod |
Audit file permission changes via fchmod |
fchmodat |
Audit file permission changes via fchmodat |
fchown |
Audit file ownership changes via fchown |
fchownat |
Audit file ownership changes via fchownat |
fremovexattr |
Audit extended attribute removal via fremovexattr |
fsetxattr |
Audit extended attribute setting via fsetxattr |
lchown |
Audit symlink ownership changes via lchown |
lremovexattr |
Audit symlink extended attribute removal |
lsetxattr |
Audit symlink extended attribute setting |
removexattr |
Audit extended attribute removal via removexattr |
setxattr |
Audit extended attribute setting via setxattr |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'fchmod|fchown|xattr'
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
Extended DAC audit rules (11 syscalls) |
RAN | openshift/os | /etc/audit/rules.d/50-dac-extended.rules |
Covers fchmod, fchown, xattr operations. Completes the DAC audit trail started by M3.
Scope: Extended DAC auditing adds significant log volume. Needed for compliance, not general use. |
Low |