MEDIUM RHCOS (Node) M23: Kernel Sysctl Extended P3
Remediation required. This group (3 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Additional kernel hardening parameters beyond M2. Disables kexec (prevents kernel replacement at runtime), restricts perf_event access, and controls core dump file naming.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| kernel.kexec_load_disabled=1 | Disable kexec kernel loading |
| kernel.perf_event_paranoid=2 | Restrict perf_event to root only |
| kernel.core_pattern=\|/bin/false | Disable core dump processing |
Verification
oc debug node/<node> -- chroot /host sysctl kernel.kexec_load_disabled kernel.perf_event_paranoid kernel.core_pattern
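One way to evaluate the output of that verification command against the three expected values, as an added example that is not from the page or from the compliance-operator. It assumes POSIX sh and that sysctl prints one `key = value` line per setting; the `check_m23` function name and the sample output are constructed.

```shell
# Usage: oc debug node/<node> -- chroot /host sysctl kernel.kexec_load_disabled \
#          kernel.perf_event_paranoid kernel.core_pattern | { . ./m23-check.sh; }
# Lines that are not "key = value" (e.g. oc debug pod status messages) are ignored.

# Expected values for the M23 group, one key=value per line.
M23_EXPECTED='kernel.kexec_load_disabled=1
kernel.perf_event_paranoid=2
kernel.core_pattern=|/bin/false'

# check_m23: read sysctl output from stdin, print PASS/FAIL per M23 key.
# Returns 1 if any key drifts from the expected value or is missing entirely.
check_m23() {
    rc=0
    seen=""
    while IFS= read -r line; do
        case "$line" in *" = "*) ;; *) continue ;; esac   # skip non-sysctl lines
        key=${line%% = *}          # text before the first " = "
        actual=${line#* = }        # everything after it, so "|/bin/false" survives intact
        want=$(printf '%s\n' "$M23_EXPECTED" | grep -F "${key}=" | cut -d= -f2-)
        [ -n "$want" ] || continue # not one of the M23 keys
        seen="$seen $key"
        if [ "$actual" = "$want" ]; then
            printf 'PASS %s = %s\n' "$key" "$actual"
        else
            printf 'FAIL %s = %s (expected %s)\n' "$key" "$actual" "$want"
            rc=1
        fi
    done
    # A key that never appeared (sysctl error, wrong node) is also a failure.
    for k in kernel.kexec_load_disabled kernel.perf_event_paranoid kernel.core_pattern; do
        case "$seen" in *" $k"*) ;; *) printf 'FAIL %s missing from output\n' "$k"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample output in which only kexec_load_disabled drifts.
M23_SAMPLE='kernel.kexec_load_disabled = 0
kernel.perf_event_paranoid = 2
kernel.core_pattern = |/bin/false'
printf '%s\n' "$M23_SAMPLE" | check_m23 || echo "M23: remediation required"
```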
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| kernel.core_pattern, kexec_load_disabled, perf_event_paranoid | RAN | openshift/os | /usr/lib/sysctl.d/50-security-hardening.conf | Disables core dumps (data leakage), kexec (rootkit persistence), restricts perf_event (info disclosure). Standard KSPP hardening. Scope: kexec_load_disabled is safe for upstream (RHCOS doesn't use kexec), but core_pattern and perf_event_paranoid break debugging and profiling tools needed by platform teams. | Med |