RHCOS (Node) M14: Identity File Access Audit (severity: MEDIUM, P3)

Remediation required. This group (12 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Monitors access to the critical identity files /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow by auditing the open, openat and open_by_handle_at syscalls against those paths. In the ComplianceAsCode rule content these checks derive from, each rule also filters on the open flags (-F a1&03 for open, -F a2&03 for the *at variants, i.e. O_WRONLY or O_RDWR) and on auid>=1000 with auid!=unset, and tags events with key user-modify. What gets recorded is therefore an open for writing by a real user, i.e. account or credential tampering, not the read-only lookups that every process resolving a user name performs.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                            Description
etc-group-open                   Audit open() on /etc/group
etc-group-openat                 Audit openat() on /etc/group
etc-group-open-by-handle-at      Audit open_by_handle_at() on /etc/group
etc-gshadow-open                 Audit open() on /etc/gshadow
etc-gshadow-openat               Audit openat() on /etc/gshadow
etc-gshadow-open-by-handle-at    Audit open_by_handle_at() on /etc/gshadow
etc-passwd-open                  Audit open() on /etc/passwd
etc-passwd-openat                Audit openat() on /etc/passwd
etc-passwd-open-by-handle-at     Audit open_by_handle_at() on /etc/passwd
etc-shadow-open                  Audit open() on /etc/shadow
etc-shadow-openat                Audit openat() on /etc/shadow
etc-shadow-open-by-handle-at     Audit open_by_handle_at() on /etc/shadow

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -E 'path=/etc/(passwd|shadow|group|gshadow)'

Matching on the path field avoids picking up unrelated rules whose key happens to contain "group". On a remediated node expect one line per check and architecture (arch=b32 and arch=b64 on x86_64, 24 lines for the full group); auditctl prints auid!=unset back as auid!=-1. No output means the rules file was never loaded, not just that a check failed.
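The rules behind these 12 checks, the MachineConfig that delivers them (the remediation path this page requires), and a checker for the verification step above, as an added example that is not code from the page, RHCOS or the Compliance Operator. The rule text follows the ComplianceAsCode audit_rules_etc_*_open* content; the file name 50-identity-files.rules is taken from the upstream proposal on this page, while the MachineConfig name, the worker role label and the sample `auditctl -l` output are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example; not code from the page, RHCOS or the Compliance Operator.
# Generates the audit rules behind these 12 checks, wraps them in a
# MachineConfig, and reports gaps in a loaded rule set (auditctl -l output).
# Rule text follows the ComplianceAsCode audit_rules_etc_*_open* content.
# Assumptions: the rules file name (from the page's upstream proposal), the
# MachineConfig name and the role label.

FILES="passwd shadow group gshadow"
SYSCALLS="open openat open_by_handle_at"
RULES_PATH=/etc/audit/rules.d/50-identity-files.rules

# One rule per (file, syscall, arch). The flags filter (a1&03 for open,
# a2&03 for the *at variants: O_WRONLY|O_RDWR) plus auid>=1000 restricts
# events to write-mode opens by real users; read-only lookups are not logged.
gen_rules() {
    local f sc arch argf
    for f in $FILES; do
        for sc in $SYSCALLS; do
            case $sc in open) argf=a1 ;; *) argf=a2 ;; esac
            for arch in b32 b64; do
                printf -- '-a always,exit -F arch=%s -S %s -F %s&03 -F path=/etc/%s -F auid>=1000 -F auid!=unset -F key=user-modify\n' \
                    "$arch" "$sc" "$argf" "$f"
            done
        done
    done
}

# Wrap the rules in a MachineConfig for one pool. The MCO writes the file and
# reboots the pool on apply; augenrules loads it at boot.
# Usage: gen_machineconfig worker | oc apply -f -
gen_machineconfig() {
    local role=${1:-worker} b64
    b64=$(gen_rules | base64 | tr -d '\n')
    cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-${role}-identity-file-audit
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: ${RULES_PATH}
        mode: 416  # 0640 octal; Ignition takes the decimal value
        overwrite: true
        contents:
          source: data:text/plain;charset=utf-8;base64,${b64}
EOF
}

# Read loaded rules on stdin and print every (arch, syscall, path) combination
# with no matching rule. Returns 0 when all 24 are present, 1 otherwise.
# On a node: oc debug node/<node> -- chroot /host auditctl -l | missing_rules
missing_rules() {
    local loaded f sc arch n=0
    loaded=$(cat)
    for f in $FILES; do
        for sc in $SYSCALLS; do
            for arch in b32 b64; do
                # The " -F" after the syscall and after the path keeps "open"
                # from matching "openat" and /etc/group from matching /etc/gshadow.
                if ! printf '%s\n' "$loaded" | grep -q -- "-F arch=$arch -S $sc -F .*-F path=/etc/$f -F"; then
                    echo "missing: arch=$arch syscall=$sc path=/etc/$f"
                    n=$((n + 1))
                fi
            done
        done
    done
    [ "$n" -eq 0 ]
}

# Constructed sample of `auditctl -l` output from a partially remediated node
# (auditctl prints auid!=unset back as auid!=-1); the /etc/shadow rules are absent.
SAMPLE_LOADED=$(gen_rules | grep -v -- '-F path=/etc/shadow -F' | sed 's/auid!=unset/auid!=-1/')

# Stand-alone run: list the gaps, then point at the MachineConfig that closes them.
printf '%s\n' "$SAMPLE_LOADED" | missing_rules || echo "remediation required: apply gen_machineconfig output"
```

The checker matches on arch, syscall and path only, so it accepts both the `auid!=unset` spelling in the rules file and the `auid!=-1` form that auditctl prints back; it deliberately does not look at the flags filter, since a rule without it still satisfies the check but logs far more.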

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Identity file access audit rules (12 checks)  [RAN, Low]
  Target: openshift/os, /etc/audit/rules.d/50-identity-files.rules
  Tracks open/openat/open_by_handle_at on /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, flagging writes to account and credential files.
  Scope: Identity file access auditing is compliance-driven. Significant audit overhead for general clusters.

PR History

Identity file access audit rules (12 checks): Not Filed (blocked)
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default, only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date'. CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood the console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.