MEDIUM RHCOS (Node) M15: File Deletion Audit P3

Verified CNF-23517 Compare Branch Synced: 2026-05-04

Remediation required. This group (5 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.

Overview

Audits file deletion operations to track when files are removed from the system. Covers rename, renameat, rmdir, unlink, and unlinkat syscalls.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                           Description
file-deletion-events-rename     Audit file rename operations
file-deletion-events-renameat   Audit file renameat operations
file-deletion-events-rmdir      Audit directory removal
file-deletion-events-unlink     Audit file unlink (delete)
file-deletion-events-unlinkat   Audit file unlinkat operations

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -E 'rename|rmdir|unlink'
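
The grep above matches substrings, so a rule that names only renameat or unlinkat also satisfies the rename and unlink patterns. The script below is an added example, not part of the original page or of the compliance-operator content; it checks each of the five syscalls by exact name. The sample rules, including the key name and auid filters, are constructed, and the b32/b64 arch filter is not distinguished.

```shell
#!/bin/sh
# Added example: list the syscalls from this check group that no loaded
# audit rule names. Reads `auditctl -l` output on stdin.
REQUIRED="rename renameat rmdir unlink unlinkat"

missing_deletion_syscalls() {
    # Collect every syscall named in the -S list of an always,exit rule.
    # auditctl -l joins multiple syscalls with commas (-S rename,unlink).
    covered=$(awk '
        /^-a always,exit/ {
            for (i = 1; i < NF; i++)
                if ($i == "-S") {
                    n = split($(i + 1), names, ",")
                    for (j = 1; j <= n; j++) print names[j]
                }
        }')
    missing=""
    for sc in $REQUIRED; do
        # -x matches the whole line, so "renameat" does not count as "rename".
        printf '%s\n' "$covered" | grep -qx "$sc" || missing="$missing $sc"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample (not captured from a node): two of the five are absent.
sample_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S renameat,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete
-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=-1 -F key=delete
-w /etc/passwd -p wa -k identity
EOF
}

# On a cluster: oc debug node/<node> -- chroot /host auditctl -l | missing_deletion_syscalls
sample_rules | missing_deletion_syscalls   # prints: rename unlink
```

An empty result means every syscall in the group is named by at least one loaded rule.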

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Setting: File deletion audit rules (5 syscalls)
Scope: RAN
Target Repo: openshift/os
Target File: /etc/audit/rules.d/50-file-deletion.rules
Rationale: Tracks rename, unlink, rmdir. Detects evidence tampering and unauthorized file removal. Scope: File deletion auditing is compliance-driven forensic logging.
Risk: Low