MEDIUM RHCOS (Node) M14: Identity File Access Audit P3
Remediation required. This group (12 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Monitors access to critical identity files (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow) by auditing open, openat, and open_by_handle_at syscalls. Detects unauthorized reads of password hashes and user account data.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| etc-group-open | Audit open() on /etc/group |
| etc-group-openat | Audit openat() on /etc/group |
| etc-group-open-by-handle-at | Audit open_by_handle_at() on /etc/group |
| etc-gshadow-open | Audit open() on /etc/gshadow |
| etc-gshadow-openat | Audit openat() on /etc/gshadow |
| etc-gshadow-open-by-handle-at | Audit open_by_handle_at() on /etc/gshadow |
| etc-passwd-open | Audit open() on /etc/passwd |
| etc-passwd-openat | Audit openat() on /etc/passwd |
| etc-passwd-open-by-handle-at | Audit open_by_handle_at() on /etc/passwd |
| etc-shadow-open | Audit open() on /etc/shadow |
| etc-shadow-openat | Audit openat() on /etc/shadow |
| etc-shadow-open-by-handle-at | Audit open_by_handle_at() on /etc/shadow |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'passwd|shadow|group|gshadow'
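The grep above only shows which rules exist; the following POSIX shell function is an added verification helper (not part of this check group or of compliance-operator) that parses `auditctl -l` output and reports which of the 12 (file, syscall) pairs have no syscall rule. The rules text is a constructed sample, and the function assumes rules are expressed with `-S <syscall list>` and `-F path=/etc/<file>`; watch-style `-w` rules are not recognised.

```shell
#!/bin/sh
# Added example: verify that loaded audit rules cover every (file, syscall)
# pair in this check group. Only syscall rules of the form
# "-a always,exit ... -S <list> -F path=/etc/<file> ..." are recognised.

# Constructed sample of `auditctl -l` output (not from a real node):
# passwd and group fully covered, shadow lacks open_by_handle_at,
# gshadow has no rule at all -> 4 of 12 pairs missing.
SAMPLE_RULES='-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F path=/etc/passwd -F auid>=1000 -F auid!=-1 -F key=identity
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F path=/etc/group -F auid>=1000 -F auid!=-1 -F key=identity
-a always,exit -F arch=b64 -S open,openat -F path=/etc/shadow -F auid>=1000 -F auid!=-1 -F key=identity'

# check_identity_audit_rules <rules-text>
# Prints one "MISSING: <syscall> on /etc/<file>" line per uncovered pair.
# Returns 0 when all 12 pairs are audited, 1 otherwise.
check_identity_audit_rules() {
    rules=$1
    missing=0
    for f in passwd shadow group gshadow; do
        for sc in open openat open_by_handle_at; do
            # First grep keeps rules naming this path; second checks that the
            # syscall appears as a whole item of the comma-separated -S list
            # (so "open" does not match "openat").
            if ! printf '%s\n' "$rules" \
                | grep -E -- "-F path=/etc/$f( |\$)" \
                | grep -Eq -- "-S ([a-z_]+,)*$sc(,[a-z_]+)*( |\$)"; then
                echo "MISSING: $sc on /etc/$f"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# count_missing <rules-text>: number of uncovered pairs (0 means compliant).
count_missing() {
    check_identity_audit_rules "$1" | grep -c '^MISSING' || true
}

# On a node: check_identity_audit_rules "$(auditctl -l)"
if check_identity_audit_rules "$SAMPLE_RULES"; then
    echo "all 12 identity-file audit pairs present"
else
    echo "MachineConfig remediation required"
fi
```

Run it against the real node with `oc debug node/<node> -- chroot /host auditctl -l` captured into a variable; a non-zero exit means the group still fails.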
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| Identity file access audit rules (12 checks) | RAN | openshift/os | /etc/audit/rules.d/50-identity-files.rules | Tracks open/openat/open_by_handle_at on /etc/passwd, shadow, group, gshadow. Detects credential harvesting. Scope: Identity file access auditing is compliance-driven. Significant audit overhead for general clusters. | Low |