MEDIUM RHCOS (Node) M16: Unsuccessful File Modification Audit P3
Remediation required. This group (32 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Audits failed file modification attempts, catching permission-denied errors for chmod, chown, open, truncate, rename, unlink, and extended attribute operations. Critical for detecting unauthorized access attempts.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| chmod | Audit failed chmod operations |
| chown | Audit failed chown operations |
| creat | Audit failed creat operations |
| fchmod | Audit failed fchmod operations |
| fchmodat | Audit failed fchmodat operations |
| fchown | Audit failed fchown operations |
| fchownat | Audit failed fchownat operations |
| fremovexattr | Audit failed fremovexattr operations |
| fsetxattr | Audit failed fsetxattr operations |
| ftruncate | Audit failed ftruncate operations |
| lchown | Audit failed lchown operations |
| lremovexattr | Audit failed lremovexattr operations |
| lsetxattr | Audit failed lsetxattr operations |
| open | Audit failed open operations |
| open-by-handle-at | Audit failed open-by-handle-at operations |
| open-by-handle-at-o-creat | Audit failed open-by-handle-at-o-creat operations |
| open-by-handle-at-o-trunc-write | Audit failed open-by-handle-at-o-trunc-write operations |
| open-o-creat | Audit failed open-o-creat operations |
| open-o-trunc-write | Audit failed open-o-trunc-write operations |
| openat | Audit failed openat operations |
| openat-o-creat | Audit failed openat-o-creat operations |
| openat-o-trunc-write | Audit failed openat-o-trunc-write operations |
| removexattr | Audit failed removexattr operations |
| rename | Audit failed rename operations |
| renameat | Audit failed renameat operations |
| setxattr | Audit failed setxattr operations |
| truncate | Audit failed truncate operations |
| unlink | Audit failed unlink operations |
| unlinkat | Audit failed unlinkat operations |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -c EACCES
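The count from `grep -c EACCES` does not show which syscalls are uncovered or whether EPERM rules are loaded. The following is an added example, not part of the original page or the compliance-operator: it reads `auditctl -l` output and lists every syscall/errno pair with no matching rule. The syscall names are an assumption derived from the check names above (hyphens mapped to underscores), the flag-filtered o-creat and o-trunc-write variants and the arch field are not checked, and the sample rules are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): per-syscall coverage check.
# Reads `auditctl -l` output on stdin and prints "<syscall> <errno>" for each
# pair that no loaded always,exit rule covers. Empty output = full coverage.

# Assumption: syscall names derived from the check names in the table above.
SYSCALLS="chmod chown creat fchmod fchmodat fchown fchownat fremovexattr \
fsetxattr ftruncate lchown lremovexattr lsetxattr open open_by_handle_at \
openat removexattr rename renameat setxattr truncate unlink unlinkat"

missing_unsuccessful_rules() {
  awk -v want="$SYSCALLS" '
    BEGIN { n = split(want, sc, " ") }
    $1 != "-a" || $2 != "always,exit" { next }   # skip never rules and watches
    {
      errno = ""; calls = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-S") calls = calls "," $(i + 1)
        if ($i == "-F" && $(i + 1) ~ /^exit=-(EACCES|EPERM)$/)
          errno = substr($(i + 1), 7)            # text after "exit=-"
      }
      if (errno == "") next                      # rule has no failure filter
      m = split(calls, c, ",")
      for (j = 1; j <= m; j++) if (c[j] != "") seen[c[j] " " errno] = 1
    }
    END {
      for (k = 1; k <= n; k++) {
        if (!((sc[k] " EACCES") in seen)) print sc[k], "EACCES"
        if (!((sc[k] " EPERM") in seen)) print sc[k], "EPERM"
      }
    }'
}

# Constructed sample of `auditctl -l` output (partial rule set, for illustration).
sample_rules() {
  cat <<'EOF'
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_mod
EOF
}

echo "uncovered pairs in sample: $(sample_rules | missing_unsuccessful_rules | wc -l)"
```

On a node, pipe the output of the verification command above into `missing_unsuccessful_rules` instead of `grep -c EACCES`.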
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| Unsuccessful file access audit rules (32 checks) | RAN | openshift/os | /etc/audit/rules.d/50-unsuccessful-access.rules | Tracks failed access attempts (EACCES/EPERM). Detects privilege escalation and unauthorized access probing. Scope: 32 unsuccessful access rules generate substantial audit volume. Compliance-specific. | Low |