M16: Unsuccessful File Modification Audit (RHCOS Node) [MEDIUM, P3]

Remediation required. This group (32 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Audits failed file modification attempts by recording permission-denied (EACCES/EPERM) failures of chmod, chown, open, truncate, rename, unlink, and extended attribute system calls. Critical for detecting unauthorized access attempts.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                            Description
-----                            -----------
chmod                            Audit failed chmod operations
chown                            Audit failed chown operations
creat                            Audit failed creat operations
fchmod                           Audit failed fchmod operations
fchmodat                         Audit failed fchmodat operations
fchown                           Audit failed fchown operations
fchownat                         Audit failed fchownat operations
fremovexattr                     Audit failed fremovexattr operations
fsetxattr                        Audit failed fsetxattr operations
ftruncate                        Audit failed ftruncate operations
lchown                           Audit failed lchown operations
lremovexattr                     Audit failed lremovexattr operations
lsetxattr                        Audit failed lsetxattr operations
open                             Audit failed open operations
open-by-handle-at                Audit failed open-by-handle-at operations
open-by-handle-at-o-creat        Audit failed open-by-handle-at-o-creat operations
open-by-handle-at-o-trunc-write  Audit failed open-by-handle-at-o-trunc-write operations
open-o-creat                     Audit failed open-o-creat operations
open-o-trunc-write               Audit failed open-o-trunc-write operations
openat                           Audit failed openat operations
openat-o-creat                   Audit failed openat-o-creat operations
openat-o-trunc-write             Audit failed openat-o-trunc-write operations
removexattr                      Audit failed removexattr operations
rename                           Audit failed rename operations
renameat                         Audit failed renameat operations
setxattr                         Audit failed setxattr operations
truncate                         Audit failed truncate operations
unlink                           Audit failed unlink operations
unlinkat                         Audit failed unlinkat operations

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -c EACCES
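The count above only shows that some EACCES rules are loaded. As an added example (not from the page, the Compliance Operator, or openshift/os), the following shell check reads a saved `auditctl -l` listing and reports which of this group's syscalls lack a 64-bit rule for -EACCES or for -EPERM. The syscall list is an assumed mapping from the check names, the sample listing is constructed, and the open*-o-creat / *-o-trunc-write flag variants are not checked separately.

```shell
#!/bin/sh
# Added example (not from the page or the Compliance Operator): per-syscall
# coverage check over a saved `auditctl -l` listing. Only 64-bit (arch=b64)
# rules are checked, and the open*-o-creat / *-o-trunc-write flag variants are
# assumed to be covered by their base open/openat/open_by_handle_at rules.

# Syscalls behind this group's checks (assumed mapping from the check names).
REQUIRED_SYSCALLS="chmod chown creat fchmod fchmodat fchown fchownat \
fremovexattr fsetxattr ftruncate lchown lremovexattr lsetxattr open \
open_by_handle_at openat removexattr rename renameat setxattr truncate \
unlink unlinkat"

# check_unsuccessful_rules FILE
# Prints one "missing: <syscall> exit=-<code>" line per gap and returns 1 if
# any syscall lacks a b64 rule for either -EACCES or -EPERM, else returns 0.
check_unsuccessful_rules() {
    rules_file="$1"
    missing=0
    for sc in $REQUIRED_SYSCALLS; do
        for code in EACCES EPERM; do
            # auditctl -l joins syscalls with commas after -S; match the name
            # as a whole token and require the exit filter on the same line.
            if ! grep -E -- "-F arch=b64 .*-S ([a-z_0-9]+,)*${sc}(,[a-z_0-9]+)* .*-F exit=-${code}" \
                    "$rules_file" >/dev/null; then
                echo "missing: ${sc} exit=-${code}"
                missing=1
            fi
        done
    done
    return "$missing"
}

# write_sample_rules FILE
# Constructed sample listing: complete except that the rename/unlink group
# has no -EPERM rule, so `grep -c EACCES` alone (4 hits) would not reveal it.
write_sample_rules() {
    cat > "$1" <<'EOF'
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S rename,renameat,unlink,unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=delete
EOF
}
# On a node: save `oc debug node/<node> -- chroot /host auditctl -l` to a file
# and pass its path to check_unsuccessful_rules.
```

On the constructed listing the check reports four gaps (rename, renameat, unlink and unlinkat for -EPERM) while the page's `grep -c EACCES` would report 4 hits and look healthy.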

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Unsuccessful file access audit rules (32 checks) [RAN, Low]
Target: openshift/os
File: /etc/audit/rules.d/50-unsuccessful-access.rules
Rationale: Tracks failed access attempts (EACCES/EPERM). Detects privilege escalation and unauthorized access probing.
Scope: 32 unsuccessful access rules generate substantial audit volume. Compliance-specific.

PR History

Unsuccessful file access audit rules (32 checks)
Status: Not Filed (blocked)
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default, only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood the console on a fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.