MEDIUM RHCOS (Node) M13: Extended DAC Audit P3

Pending Compare Branch

Remediation required. This group (11 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Extends the basic DAC (Discretionary Access Control) audit rules from M3 to cover additional syscalls for file permission and ownership changes. While M3 covers chmod and chown, this group adds variants like fchmod, fchown, setxattr, and their ā€˜lā€™ (symlink-aware) counterparts.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check Description
fchmod Audit file permission changes via fchmod
fchmodat Audit file permission changes via fchmodat
fchown Audit file ownership changes via fchown
fchownat Audit file ownership changes via fchownat
fremovexattr Audit extended attribute removal via fremovexattr
fsetxattr Audit extended attribute setting via fsetxattr
lchown Audit symlink ownership changes via lchown
lremovexattr Audit symlink extended attribute removal
lsetxattr Audit symlink extended attribute setting
removexattr Audit extended attribute removal via removexattr
setxattr Audit extended attribute setting via setxattr

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -E 'fchmod|fchown|xattr'

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Extended DAC audit rules (11 syscalls) RAN Low
openshift/os /etc/audit/rules.d/50-dac-extended.rules
Covers fchmod, fchown, xattr operations. Completes the DAC audit trail started by M3.
Scope: Extended DAC auditing adds significant log volume. Needed for compliance, not general use.

PR History

Extended DAC audit rules (11 syscalls) Not Filed blocked
coreos/rhel-coreos-config
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default ā€” only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.
coreos/fedora-coreos-tracker/issues/461 coreos/fedora-coreos-tracker/issues/220 coreos/bugs/issues/140 docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/auditing-the-system_security-hardening
← M12 All Groups M14 →
Legend
Status
šŸ”µ In Progress
šŸŸ” Pending
āšŖ On Hold
šŸŸ¢ Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only