MEDIUM RHCOS (Node) M17: Privileged Commands Audit P3
Remediation required. This group (22 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Audits execution of privileged commands (setuid/setgid binaries) including su, sudo, mount, passwd, and other security-sensitive executables. Tracks privilege escalation and administrative actions.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| at | Audit at command execution |
| chage | Audit password aging changes |
| chsh | Audit shell changes |
| crontab | Audit crontab modifications |
| gpasswd | Audit group password changes |
| mount | Audit mount operations |
| newgidmap | Audit GID map changes |
| newgrp | Audit group membership changes |
| newuidmap | Audit UID map changes |
| pam-timestamp-check | Audit PAM timestamp checks |
| passwd | Audit password changes |
| postdrop | Audit postfix mail drop |
| postqueue | Audit postfix mail queue |
| pt-chown | Audit pseudo-terminal ownership |
| ssh-keysign | Audit SSH key signing |
| su | Audit su command execution |
| sudo | Audit sudo command execution |
| sudoedit | Audit sudoedit execution |
| umount | Audit unmount operations |
| unix-chkpwd | Audit password verification |
| userhelper | Audit userhelper execution |
| usernetctl | Audit network control changes |
Verification
```shell
oc debug node/<node> -- chroot /host auditctl -l | grep -c privileged
```
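The count above only shows how many loaded rules carry the `privileged` key, not which of the 22 commands are covered. As an added example (not part of the compliance profile, compliance-operator or openshift/os), this POSIX shell script generates rules in the form the group expects and reports which expected binaries have no loaded rule; the binary paths under /usr/bin and /usr/sbin and the sample `auditctl -l` listing are constructed assumptions, not captured from a node.

```shell
#!/bin/sh
# Added example: generate privileged-command audit rules and find coverage gaps.
# Binary paths and the sample auditctl -l listing below are constructed.

# One rule per binary: audit any execution by a logged-in user (auid >= 1000),
# tagged with the "privileged" key the verification command counts.
gen_privileged_rules() {
  # Input: one absolute path per line on stdin. Output: one rule per line.
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
  done
}

# Compare the expected paths ($1) against a saved `auditctl -l` listing ($2) and
# print every path with no loaded rule. Returns 1 if anything is missing.
missing_privileged_rules() {
  status=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    # auditctl -l prints "-F path=<binary> " followed by the next field, so the
    # trailing space keeps /usr/bin/su from matching /usr/bin/sudo.
    if ! grep -qF -- "-F path=$path " "$2"; then
      echo "$path"
      status=1
    fi
  done < "$1"
  return $status
}

# Constructed sample input: a subset of the 22 commands, and a listing in which
# only four of them have a loaded rule (auditctl normalises auid!=unset to -1).
EXPECTED_PATHS="${TMPDIR:-/tmp}/priv-expected.$$"
LOADED_RULES="${TMPDIR:-/tmp}/priv-loaded.$$"
trap 'rm -f "$EXPECTED_PATHS" "$LOADED_RULES"' EXIT
cat > "$EXPECTED_PATHS" <<'EOF'
/usr/bin/su
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
/usr/sbin/unix_chkpwd
EOF
cat > "$LOADED_RULES" <<'EOF'
-a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
EOF

# Emit the rules still needed, ready to drop into the rules.d file via MachineConfig.
missing_privileged_rules "$EXPECTED_PATHS" "$LOADED_RULES" | gen_privileged_rules
```

On a real node, replace the sample listing with the output of `oc debug node/<node> -- chroot /host auditctl -l` saved to a file.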
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| Privileged command audit rules (22 commands) | RAN | openshift/os | /etc/audit/rules.d/50-privileged-commands.rules | Tracks execution of setuid/setgid binaries (su, sudo, mount, passwd, etc.). Required by CIS and STIG. Scope: Privileged command auditing is compliance-driven. 22 rules add audit overhead. | Low |