MEDIUM RHCOS (Node) M3: Audit Rules - DAC Modifications P3
Remediation required. This group (2 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
This remediation installs audit rules that monitor Discretionary Access Control (DAC) modifications, i.e. the chmod and chown syscall families that change file permission bits and ownership. The rules are scoped with `auid>=1000` and `auid!=unset`, so they record actions by logged-in interactive users (including anything they run through sudo, since the login UID is inherited) but not system daemons or processes that never had a login session.
Settings
| Rule | Description |
|---|---|
| chmod | Audit file permission changes via chmod, fchmod and fchmodat |
| chown | Audit file ownership changes via chown, fchown, fchownat and lchown |
Implementation
The remediation writes the rules file into /etc/audit/rules.d/ via a MachineConfig; auditd compiles that directory with augenrules at service start, and the Machine Config Operator reboots each node in the targeted pool to apply the change. The `role` label selects the pool. The example below targets `master`; the checks listed further down are the worker-role variants, so on a cluster with a dedicated worker pool add an identical MachineConfig labelled `machineconfiguration.openshift.io/role: worker`.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-dac-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-dac-modification.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## DAC modification monitoring
              -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
              -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
Compliance Checks Remediated
| Check | Profile | Description | Docs |
|---|---|---|---|
| rhcos4-e8-worker-audit-rules-dac-modification-chmod | E8 | Audit chmod syscalls | 📖 |
| rhcos4-e8-worker-audit-rules-dac-modification-chown | E8 | Audit chown syscalls | 📖 |
Source Remediation Files
- medium/rhcos4-e8-worker-audit-rules-dac-modification-chmod.yaml
- medium/rhcos4-e8-worker-audit-rules-dac-modification-chown.yaml
Verification
After the MachineConfig has rolled out and the nodes in the pool have rebooted, confirm on each node that the rules are actually loaded into the kernel (a file in rules.d that augenrules failed to compile will not show up here):
oc debug node/<node-name> -- chroot /host auditctl -l | grep perm_mod
Expect four rules, one each for b64 and b32 times the chmod and chown families, all ending in `-F key=perm_mod`. Then re-run the scan so the compliance-operator records the checks as passing:
oc -n openshift-compliance annotate compliancescans/<scan-name> compliance.openshift.io/rescan=
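Eyeballing `grep perm_mod` is easy to get wrong when one arch or one syscall is missing, so the following added script (not part of the page or the compliance-operator project) checks the `auditctl -l` listing for every arch/syscall pair the MachineConfig installs. It assumes the normalised output format `auditctl -l` prints (syscalls merged into one comma-separated `-S` list, `-k` shown as `-F key=`, and "unset" rendered as `-1`, `unset` or `4294967295` depending on the audit version); the sample listing embedded in it is constructed, not captured from a node.

```shell
#!/bin/sh
# Added example: verify that the live audit ruleset covers every arch/syscall
# pair from 75-dac-modification.rules. Not code from the page or the project.
#
# Assumed `auditctl -l` line shape (normalised by auditctl):
#   -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod

# Constructed sample of `auditctl -l | grep perm_mod` on a remediated node.
SAMPLE_LISTING='-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod'

# Reads an auditctl -l listing on stdin. Returns 0 only if every arch/syscall
# pair is present together with both auid filters and the perm_mod key;
# each missing pair is reported on stderr.
check_perm_mod_rules() {
    listing=$(cat)
    missing=0
    for arch in b64 b32; do
        for sc in chmod fchmod fchmodat chown fchown fchownat lchown; do
            # The syscall may sit anywhere inside the merged comma list.
            pattern="-F arch=$arch .*-S ([a-z0-9_]+,)*$sc(,[a-z0-9_]+)* .*-F auid>=1000 .*-F auid!=(-1|unset|4294967295) .*-F key=perm_mod\$"
            if ! printf '%s\n' "$listing" | grep -E -q -- "$pattern"; then
                echo "MISSING: arch=$arch syscall=$sc key=perm_mod" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Generates a real perm_mod event and looks it up. Run this on the node from
# an SSH login as the core user (uid 1000) with sudo, NOT from `oc debug`:
# a debug pod's processes have no login session (auid unset), so the auid
# filters deliberately ignore them and nothing would be recorded.
trigger_and_find_perm_mod_event() {
    f=$(mktemp /tmp/perm_mod_probe.XXXXXX)
    chmod 0600 "$f"            # chmod syscall  -> perm_mod
    chown "$(id -u)" "$f"      # chown syscall  -> perm_mod
    rm -f "$f"
    ausearch -k perm_mod -ts recent -i | grep -F "$f"
}

# Stand-alone demo against the constructed sample. On a node, pipe the real
# listing instead:  auditctl -l | check_perm_mod_rules
if printf '%s\n' "$SAMPLE_LISTING" | check_perm_mod_rules; then
    echo "sample listing: all perm_mod rules present"
fi
```

From a workstation the check can be driven through the debug pod, `oc debug node/<node-name> -- chroot /host auditctl -l | check_perm_mod_rules`, since listing rules does not depend on the caller's auid; only the event-generation function needs a real login session.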
Security Impact
Monitoring DAC modifications helps detect:
- setuid/setgid or world-writable bits being added to binaries and configuration files (chmod family)
- files being handed to another owner, for example to get around a DAC restriction before editing them (chown family)
- who made a change: the login UID survives sudo, and the perm_mod key lets ausearch pull the events out for forensic review
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| chmod/chown DAC audit rules | RAN | openshift/os | /etc/audit/rules.d/50-dac-modification.rules | Standard CIS/STIG audit requirement. Tracks permission changes for forensic analysis. Scope: audit rules add overhead, and not all clusters need DAC modification forensic logging. | Low |