MEDIUM RHCOS (Node) M9: Auditd Configuration P3

Verified | CNF-23514 | Synced: 2026-05-04

Remediation required. This group (1 check) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.

Overview

This remediation configures auditd to include hostname information in audit records, improving log correlation in multi-node environments.

Settings

Setting      Value     Description
name_format  hostname  Log hostname in audit records

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-auditd-config-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/auditd.conf
          mode: 0640
          overwrite: true
          contents:
            inline: |
              # Auditd configuration
              log_file = /var/log/audit/audit.log
              log_format = ENRICHED
              log_group = root
              priority_boost = 4
              flush = INCREMENTAL_ASYNC
              freq = 50
              max_log_file = 8
              num_logs = 5
              name_format = hostname
              max_log_file_action = ROTATE
              space_left = 75
              space_left_action = SYSLOG
              admin_space_left = 50
              admin_space_left_action = SUSPEND
              disk_full_action = SUSPEND
              disk_error_action = SUSPEND
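Before and after rolling out the MachineConfig above, it is worth confirming on a node that the rendered /etc/audit/auditd.conf actually carries the setting the check looks for. The following is an added example, not part of this page or of the compliance-operator; it reads an auditd.conf, takes the last uncommented name_format line (later occurrences override earlier ones) and reports PASS or FAIL. The file paths and the two sample configs are constructed for the demonstration; on a real node you would point it at /etc/audit/auditd.conf.

```shell
#!/bin/sh
# Added example (not from the page or the compliance-operator): check that an
# auditd.conf sets name_format = hostname. Sample configs below are constructed.

# check_name_format FILE
#   returns 0 when the effective name_format value is "hostname" (either case),
#   1 when it is unset or something else, 2 when the file cannot be read.
check_name_format() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Keep only uncommented "name_format = VALUE" lines, strip trailing
    # comments, take the last match (auditd honours the last definition),
    # and normalise case.
    value=$(sed -n 's/^[[:space:]]*name_format[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$value" = "hostname" ]; then
        echo "PASS: $conf sets name_format = hostname"
        return 0
    fi
    echo "FAIL: $conf has name_format '${value:-<unset>}' (expected hostname)" >&2
    return 1
}

# Constructed sample configs: one resembling the unremediated default,
# one resembling the MachineConfig payload above.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/vanilla.conf" <<'EOF'
# constructed stand-in for a default config
log_file = /var/log/audit/audit.log
name_format = NONE
EOF

cat > "$tmpdir/remediated.conf" <<'EOF'
log_format = ENRICHED
name_format = hostname   # constructed stand-in for the remediated config
EOF

# Demonstration run; the function's exit status is what an automated
# check would consume.
check_name_format "$tmpdir/vanilla.conf" || :
check_name_format "$tmpdir/remediated.conf" || :
```

On a cluster node the same function can be run from a debug shell against the real file, and its exit status wired into whatever pre- and post-remediation verification you already use.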

Compliance Checks Remediated

Check                                Profile
rhcos4-e8-worker-auditd-name-format  E8

Source Remediation Files

  • medium/rhcos4-e8-worker-auditd-name-format.yaml

Security Impact

Including hostname in audit records:

  • Enables log aggregation across multiple nodes
  • Simplifies SIEM correlation
  • Essential for OpenShift multi-node forensics

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Setting:     auditd name_format=hostname
Scope:       All OCP
Target Repo: openshift/os
Target File: /etc/audit/auditd.conf
Rationale:   Identifies the audit log source by hostname. Critical for centralized log aggregation across multi-node clusters. Scope: all multi-node clusters benefit from hostname identification in audit logs for centralized aggregation.
Risk:        Low