MEDIUM RHCOS (Node) M20: Auditd Data Retention P3
Remediation required. This group (4 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Configures auditd behavior when disk space runs low, ensuring audit data is not silently lost. Sets actions for disk errors, disk full conditions, and low space warnings.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| auditd-data-disk-error-action | Set action on disk write errors (syslog) |
| auditd-data-disk-full-action | Set action when disk is full (halt) |
| auditd-data-retention-admin-space-left-action | Set admin space-left action (single) |
| auditd-data-retention-space-left | Configure space-left threshold |
Verification
oc debug node/<node> -- chroot /host grep -E 'disk_error_action|disk_full_action|admin_space_left_action|space_left ' /etc/audit/auditd.conf
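An added example (not from this page or the compliance-operator project): an offline check of a copied auditd.conf against the four settings. The expected values syslog, halt and single are the ones listed in the check table; the function names are hypothetical, and because the page states no threshold, space_left is only required to be set.

```shell
#!/bin/sh
# Added example: check a copy of auditd.conf for the four data-retention settings.
# Function names are hypothetical; expected values come from the check table above.

# Print the last value assigned to an exact key; comment lines are skipped.
# Exact matching keeps space_left apart from space_left_action and admin_space_left.
auditd_get() {  # $1 = file, $2 = key (lower case)
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (tolower(k) == key) val = tolower(v)   # compared case-insensitively here
        }
        END { print val }' "$1"
}

# Print PASS/FAIL per setting; the return code is the number of failing checks.
check_auditd_retention() {  # $1 = path to auditd.conf
    fails=0
    for pair in disk_error_action:syslog disk_full_action:halt \
                admin_space_left_action:single; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(auditd_get "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key = '$got' (expected $want)"
            fails=$((fails + 1))
        fi
    done
    # Assumption: no threshold is given on the page, so any number or percentage passes.
    got=$(auditd_get "$1" space_left)
    case "$got" in
        ''|*[!0-9%]*) echo "FAIL space_left = '$got' (not set)"; fails=$((fails + 1)) ;;
        *)            echo "PASS space_left = $got" ;;
    esac
    return "$fails"
}

# Stand-alone use: pass the path of a saved auditd.conf as the first argument.
if [ -n "${1:-}" ]; then check_auditd_retention "$1"; fi
```

Save a node's /etc/audit/auditd.conf to a local file (for example through the same oc debug session) and pass its path as the first argument.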
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| auditd data retention settings | All OCP | openshift/os | /etc/audit/auditd.conf | Configures disk error/full actions and space_left thresholds. Ensures audit logs are preserved even under disk pressure. Scope: All clusters should handle audit log disk pressure gracefully rather than silently dropping events. | Low |