MEDIUM RHCOS (Node) M18: Session & MAC Audit P3
Remediation required. This group (4 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Audits session lifecycle events, Mandatory Access Control (MAC) policy modifications, media export operations, and makes audit rules immutable after loading to prevent tampering.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| session-events | Audit user session open/close events |
| mac-modification | Audit SELinux/MAC policy changes |
| media-export | Audit removable media mount operations |
| immutable | Make audit rules immutable (requires reboot to change) |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'session|MAC|mount|immutable'
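A per-check version of this verification, as an added example that is not part of the original page or of compliance-operator. It reports each of the four checks separately and reads the immutable flag from the `auditctl -s` status (`enabled 2`), since that flag is kernel audit state and not a line in the `auditctl -l` rule list. The function name, the rule patterns it matches and the sample text are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-check verdicts for the four M18 checks.
# $1 = text of `auditctl -l`, $2 = text of `auditctl -s`.
# The patterns below are assumed rule forms, not copied from this page.

check_m18() {
  local rules="$1" status="$2" f

  # session-events: write/attribute watches on all three login record files
  local session=PASS
  for f in utmp btmp wtmp; do
    printf '%s\n' "$rules" | grep -Eq -- "^-w /var/(run|log)/$f .*-p wa" || session=FAIL
  done

  # mac-modification: watch on the SELinux policy directory
  local mac=FAIL
  printf '%s\n' "$rules" | grep -Eq -- '^-w /etc/selinux/? .*-p wa' && mac=PASS

  # media-export: syscall rule on mount(2)
  local media=FAIL
  printf '%s\n' "$rules" | grep -Eq -- '^-a always,exit .*-S mount( |$)' && media=PASS

  # immutable: kernel audit status, never a line in the rule list
  local immutable=FAIL
  printf '%s\n' "$status" | grep -Eq '^enabled 2$' && immutable=PASS

  printf 'session-events=%s mac-modification=%s media-export=%s immutable=%s\n' \
    "$session" "$mac" "$media" "$immutable"
  case "$session$mac$media$immutable" in
    PASSPASSPASSPASS) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample output (not captured from a real node): the three
# rule-based checks are in place, but the audit config is still mutable.
SAMPLE_RULES='-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /etc/selinux -p wa -k MAC-policy
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=export'
SAMPLE_STATUS='enabled 1
failure 1'

check_m18 "$SAMPLE_RULES" "$SAMPLE_STATUS" || echo "M18 not fully remediated"
```

On a node, pass it the output of `auditctl -l` and `auditctl -s`, both collected through the same `oc debug node/<node> -- chroot /host` invocation used above.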
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| Session, MAC, and media export audit rules | RAN | openshift/os | /etc/audit/rules.d/50-session-mac.rules | Tracks session initiation, SELinux policy changes, media export, and makes audit config immutable. Scope: Session/MAC auditing and audit immutability are compliance-specific hardening. | Low |