MEDIUM RHCOS (Node) M7: Audit Rules - Login Monitoring P2

Verified CNF-22623 Compare Branch Synced: 2026-05-04

Remediation required. This group (6 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.

Overview

This remediation configures audit rules to monitor login events and authentication-related file modifications.

Settings

Rule Description
faillock Monitor failed login attempts
lastlog Monitor last login records
tallylog Monitor login attempt tallies
sudoers Monitor sudo configuration changes
usergroup Monitor /etc/passwd, /etc/group, /etc/shadow changes

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-auth-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-login-events.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Login and authentication monitoring
              -w /var/log/faillock -p wa -k logins
              -w /var/log/lastlog -p wa -k logins
              -w /var/log/tallylog -p wa -k logins

              ## Sudo configuration
              -w /etc/sudoers -p wa -k actions
              -w /etc/sudoers.d/ -p wa -k actions

              ## User/group modification
              -w /etc/passwd -p wa -k identity
              -w /etc/group -p wa -k identity
              -w /etc/shadow -p wa -k identity
              -w /etc/gshadow -p wa -k identity

Compliance Checks Remediated

Check Profile Docs
rhcos4-e8-worker-audit-rules-login-events-faillock E8 📖
rhcos4-e8-worker-audit-rules-login-events-lastlog E8 📖
rhcos4-e8-worker-audit-rules-login-events-tallylog E8 📖
rhcos4-e8-worker-audit-rules-sysadmin-actions E8 📖
rhcos4-e8-worker-audit-rules-usergroup-modification E8 📖

Source Remediation Files (5)

  • medium/rhcos4-e8-worker-audit-rules-login-events-faillock.yaml
  • medium/rhcos4-e8-worker-audit-rules-login-events-lastlog.yaml
  • medium/rhcos4-e8-worker-audit-rules-login-events-tallylog.yaml
  • medium/rhcos4-e8-worker-audit-rules-sysadmin-actions.yaml
  • medium/rhcos4-e8-worker-audit-rules-usergroup-modification.yaml

Security Impact

Login monitoring helps detect:

  • Brute force authentication attempts
  • Unauthorized user account modifications
  • Privilege escalation via sudo changes
  • Account enumeration attacks

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Setting Scope Target Repo Target File Rationale Risk
Login/authentication audit rules RAN openshift/os /etc/audit/rules.d/50-login-events.rules Tracks failed logins, sudo usage, and user/group modifications. Core authentication audit trail.
Scope: Login auditing is standard for compliance but may be excessive for dev/test clusters. 		Low
← M6 All Groups M8 →
Legend
Status
🔵 In Progress
🟡 Pending
⚪ On Hold
🟢 Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only