MEDIUM RHCOS (Node) M4: Audit Rules - SELinux P2

Verified CNF-22621 Compare Branch Synced: 2026-05-04

Remediation required. This group (6 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.

Overview

This remediation configures audit rules to monitor SELinux-related operations, ensuring all security context modifications are logged.

Settings

Rule         Description
chcon        Audit SELinux context changes
restorecon   Audit SELinux context restoration
semanage     Audit SELinux management commands
setfiles     Audit SELinux file labeling
setsebool    Audit SELinux boolean changes
seunshare    Audit SELinux unshare operations

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-privilege-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-selinux-audit.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## SELinux command monitoring
              -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
              -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
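
To confirm the remediation actually took effect on a node, the following added check script (not part of this remediation or of compliance-operator) reads either the rules.d file the MachineConfig writes or the live rule set piped in from auditctl -l, and reports any of the six commands that lacks a matching execution rule. It allows for the normalized spellings auditctl prints for the key and the unset auid, which is the usual reason a hand-rolled grep against auditctl -l fails even though the rules are loaded.

```shell
# Added verifier (not part of the remediation page or compliance-operator):
# checks that each of the six SELinux commands from the MachineConfig above is
# covered by an always,exit execution rule with both auid filters and the key.
# Input is a rules.d file, or "-" to read stdin, e.g. "auditctl -l | ... -".
# Caveat: auditctl -l prints rules in normalized form, "-k KEY" becomes
# "-F key=KEY" and "auid!=unset" becomes "auid!=-1" (or 4294967295), so the
# match accepts all of those spellings.

SELINUX_CMDS="/usr/bin/chcon /usr/sbin/restorecon /usr/sbin/semanage
/usr/sbin/setfiles /usr/sbin/setsebool /usr/sbin/seunshare"
AUDIT_KEY="privileged-priv_change"

# Usage: check_selinux_audit_rules FILE|-
# Returns 0 when every command is covered; otherwise lists the gaps and returns 1.
check_selinux_audit_rules() {
  csar_rc=0
  # Drop comment lines; input with no rules at all is reported as gaps, not as an error.
  csar_rules=$(grep -v '^[[:space:]]*#' "$1") || true
  for csar_cmd in $SELINUX_CMDS; do
    csar_pat="^-a[[:space:]]+always,exit[[:space:]].*-F[[:space:]]+path=$csar_cmd[[:space:]]"
    csar_pat="$csar_pat.*-F[[:space:]]+perm=x[[:space:]].*-F[[:space:]]+auid>=1000[[:space:]]"
    csar_pat="$csar_pat.*-F[[:space:]]+auid!=(unset|-1|4294967295)[[:space:]]"
    csar_pat="$csar_pat.*(-k[[:space:]]+|-F[[:space:]]+key=)$AUDIT_KEY([[:space:]]|\$)"
    if ! printf '%s\n' "$csar_rules" | grep -Eq "$csar_pat"; then
      echo "MISSING: no execution audit rule for $csar_cmd (key $AUDIT_KEY)" >&2
      csar_rc=1
    fi
  done
  return $csar_rc
}

# Stand-alone demo on constructed input in the normalized form auditctl -l prints.
demo_loaded=$(for c in $SELINUX_CMDS; do
  printf '%s -S all -F path=%s -F perm=x -F auid>=1000 -F auid!=-1 -F key=%s\n' \
    '-a always,exit' "$c" "$AUDIT_KEY"
done)
printf '%s\n' "$demo_loaded" | check_selinux_audit_rules - \
  && echo "all six SELinux commands are audited"
```

On a cluster node the live form is reached with oc debug node/NAME, then chroot /host and auditctl -l, piped into the function with "-" as the argument.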

Compliance Checks Remediated

Check                                              Profile
rhcos4-e8-worker-audit-rules-execution-chcon       E8
rhcos4-e8-worker-audit-rules-execution-restorecon  E8
rhcos4-e8-worker-audit-rules-execution-semanage    E8
rhcos4-e8-worker-audit-rules-execution-setfiles    E8
rhcos4-e8-worker-audit-rules-execution-setsebool   E8
rhcos4-e8-worker-audit-rules-execution-seunshare   E8

Source Remediation Files (6)

  • medium/rhcos4-e8-worker-audit-rules-execution-chcon.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-restorecon.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-semanage.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-setfiles.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-setsebool.yaml
  • medium/rhcos4-e8-worker-audit-rules-execution-seunshare.yaml

Security Impact

Monitoring SELinux operations is critical because:

  • SELinux provides mandatory access control enforcement
  • Unauthorized changes could weaken security boundaries
  • Audit trail helps detect policy bypass attempts

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Setting:     SELinux command audit rules (6 commands)
Scope:       RAN
Target Repo: openshift/os
Target File: /etc/audit/rules.d/50-selinux-commands.rules
Rationale:   Tracks SELinux policy modifications. Critical for the security audit trail on hardened systems. Scope: SELinux command auditing is valuable for hardened environments but adds audit log volume.
Risk:        Low