MEDIUM M13: Extended DAC Audit P3

Verified Compare Branch

Overview

Extends the basic DAC (Discretionary Access Control) audit rules from M3 to cover additional syscalls for file permission and ownership changes. While M3 covers chmod and chown, this group adds variants like fchmod, fchown, setxattr, and their ā€˜lā€™ (symlink-aware) counterparts.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check Description
fchmod Audit file permission changes via fchmod
fchmodat Audit file permission changes via fchmodat
fchown Audit file ownership changes via fchown
fchownat Audit file ownership changes via fchownat
fremovexattr Audit extended attribute removal via fremovexattr
fsetxattr Audit extended attribute setting via fsetxattr
lchown Audit symlink ownership changes via lchown
lremovexattr Audit symlink extended attribute removal
lsetxattr Audit symlink extended attribute setting
removexattr Audit extended attribute removal via removexattr
setxattr Audit extended attribute setting via setxattr

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -E 'fchmod|fchown|xattr'
← M12 All Groups M14 →
Legend
Status
šŸ”µ In Progress
šŸŸ” Pending
āšŖ On Hold
šŸŸ¢ Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only