MEDIUM RHCOS (Node) M15: File Deletion Audit P3
Remediation required. This group (5 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Audits file deletion operations to track when files are removed from the system. Covers rename, renameat, rmdir, unlink, and unlinkat syscalls.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| file-deletion-events-rename | Audit file rename operations |
| file-deletion-events-renameat | Audit file renameat operations |
| file-deletion-events-rmdir | Audit directory removal |
| file-deletion-events-unlink | Audit file unlink (delete) |
| file-deletion-events-unlinkat | Audit file unlinkat operations |
Verification
```shell
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'rename|rmdir|unlink'
```
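As an added example (not part of this page or of the compliance-operator project), the script below renders a MachineConfig that places the rules file at the path named in the Upstream Proposal and checks `auditctl -l` output for all five syscalls on both syscall ABIs. The rule text, the audit key `delete`, the `auid>=1000`/`auid!=unset` filter and the MachineConfig name `75-<role>-file-deletion-audit` are assumptions modelled on common auditd deletion rules, not values taken from this page.

```shell
#!/bin/sh
# Added example: build a MachineConfig that ships file-deletion audit rules and
# verify that the rules loaded on a node cover all five syscalls.

# Rules text (assumed, modelled on typical auditd deletion rules): one rule per
# ABI so 32-bit and 64-bit callers are both audited; the auid filter drops
# system accounts and unset-login-uid daemons, which is the usual way to limit
# volume on a host where services delete files constantly.
file_deletion_rules() {
  cat <<'EOF'
## File deletion events (rhcos4-moderate file-deletion-events-*)
-a always,exit -F arch=b32 -S rename,renameat,rmdir,unlink,unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S rename,renameat,rmdir,unlink,unlinkat -F auid>=1000 -F auid!=unset -F key=delete
EOF
}

# Ignition wants file contents as a data: URL, so base64-encode without line breaks.
rules_b64() { file_deletion_rules | base64 | tr -d '\n'; }

# Render a MachineConfig for the given role (default: worker). The name prefix
# "75-" is an assumption chosen so it sorts after the cluster's own configs.
render_machineconfig() {
  role="${1:-worker}"
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: 75-${role}-file-deletion-audit
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: /etc/audit/rules.d/50-file-deletion.rules
        mode: 416  # decimal for 0640
        overwrite: true
        contents:
          source: data:text/plain;base64,$(rules_b64)
EOF
}

# Take the text of `auditctl -l` (as printed by the Verification command) and
# confirm every deletion syscall is present for both b32 and b64. Returns 0 when
# complete; otherwise prints the missing arch:syscall pairs and returns 1.
check_loaded_rules() {
  missing=""
  for arch in b32 b64; do
    # Pull the -S list from each rule for this arch and split it one syscall per line.
    have=$(printf '%s\n' "$1" | grep -- "-F arch=${arch} " \
           | sed -n 's/.*-S \([^ ]*\).*/\1/p' | tr ',' '\n')
    for sc in rename renameat rmdir unlink unlinkat; do
      printf '%s\n' "$have" | grep -qx "$sc" || missing="${missing} ${arch}:${sc}"
    done
  done
  [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
}

# Typical use:
#   render_machineconfig worker > 75-worker-file-deletion-audit.yaml && oc apply -f 75-worker-file-deletion-audit.yaml
#   check_loaded_rules "$(oc debug node/<node> -- chroot /host auditctl -l 2>/dev/null)"
```

The verifier deliberately checks syscall names as whole tokens, so a rule that only lists `rename` and `unlink` is reported as missing `renameat` and `unlinkat` rather than silently passing a substring grep, which is the failure mode of the one-line `grep -E 'rename|rmdir|unlink'` check when a partial rule set is loaded.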
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Item | Scope | Priority | Repository | Path | Rationale |
|---|---|---|---|---|---|
| File deletion audit rules (5 syscalls) | RAN | Low | openshift/os | /etc/audit/rules.d/50-file-deletion.rules | Tracks rename, unlink, rmdir. Detects evidence tampering and unauthorized file removal. |

Scope: File deletion auditing is compliance-driven forensic logging.
PR History
File deletion audit rules (5 syscalls)
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.