MEDIUM RHCOS (Node) M19: Usergroup Modification Audit P3
Remediation required. This group (5 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Monitors individual identity files for modifications. Extends M7’s general usergroup monitoring with per-file watch rules for /etc/group, /etc/gshadow, /etc/opasswd, /etc/passwd, and /etc/shadow.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| usergroup-modification-group | Watch /etc/group for changes |
| usergroup-modification-gshadow | Watch /etc/gshadow for changes |
| usergroup-modification-opasswd | Watch /etc/opasswd for changes |
| usergroup-modification-passwd | Watch /etc/passwd for changes |
| usergroup-modification-shadow | Watch /etc/shadow for changes |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'group|gshadow|opasswd|passwd|shadow'
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| Usergroup modification file watches (5 files) | RAN | openshift/os | /etc/audit/rules.d/50-usergroup-modification.rules | Watches /etc/passwd, group, shadow, gshadow, opasswd for modifications. Detects unauthorized account changes. Scope: usergroup file watches are compliance-driven forensic logging. | Low |
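Added example, not code from this page, the compliance-operator, or openshift/os: a POSIX shell script that generates the five watch rules for the rule file named above, wraps them in a MachineConfig for delivery to a node pool, and counts the matching watches in saved auditctl -l output (the verification step). Assumptions: the audit key name, the 0640 file mode, the MachineConfig name and the worker role are illustrative choices; the opasswd path is written as /etc/security/opasswd, which is where pam_unix and pam_pwhistory keep the old-password history on RHEL-family systems (the check list above abbreviates it to /etc/opasswd).

```shell
#!/bin/sh
# Added example (not from the page, compliance-operator or openshift/os).
# Builds the audit watch rules for the M19 group and a MachineConfig that
# installs them as /etc/audit/rules.d/50-usergroup-modification.rules.
# Assumptions: key name, mode 0640, MachineConfig name and role are illustrative;
# opasswd is watched at /etc/security/opasswd (the page abbreviates it).

AUDIT_KEY="audit_rules_usergroup_modification"   # assumed key, used for searching
RULES_PATH="/etc/audit/rules.d/50-usergroup-modification.rules"

# Emit one "-w" watch per identity file. "-p wa" records writes and
# attribute (owner/mode) changes; reads of these files are not logged.
usergroup_rules() {
    for f in /etc/group /etc/gshadow /etc/security/opasswd /etc/passwd /etc/shadow; do
        printf -- '-w %s -p wa -k %s\n' "$f" "$AUDIT_KEY"
    done
}

# Wrap the rule file in a MachineConfig (Ignition storage.files entry with a
# base64 data URL). $1 selects the pool; defaults to "worker" (assumed role).
usergroup_machineconfig() {
    role="${1:-worker}"
    b64=$(usergroup_rules | base64 | tr -d '\n')
    cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: 75-${role}-usergroup-modification-audit
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: ${RULES_PATH}
        mode: 0640
        overwrite: true
        contents:
          source: data:text/plain;charset=utf-8;base64,${b64}
EOF
}

# Verification helper: reads "auditctl -l" output on stdin and returns the
# number of loaded watches for the five identity files. Expect 5 on a
# remediated node; anything less means a rule failed to load.
count_loaded_watches() {
    n=$(grep -cE '^-w /etc/(group|gshadow|security/opasswd|passwd|shadow) ' || true)
    echo "${n:-0}"
}

# Stand-alone use: ./usergroup-audit.sh --print | oc apply -f -
if [ "${1:-}" = "--print" ]; then
    usergroup_machineconfig worker
fi
```

After the MachineConfig rolls out (nodes reboot under the Machine Config Operator), pipe the verification command from above into count_loaded_watches, for example oc debug node/<node> -- chroot /host auditctl -l | sh -c '. ./usergroup-audit.sh; count_loaded_watches'. Filtering on the leading "-w /etc/" is stricter than the plain grep in the Verification section, which also matches unrelated rules whose key or path merely contains "passwd".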