MEDIUM RHCOS (Node) M17: Privileged Commands Audit P3

Remediation required. This group (22 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Audits execution of privileged commands (setuid/setgid binaries) including su, sudo, mount, passwd, and other security-sensitive executables. Tracks privilege escalation and administrative actions.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                 Description
at                    Audit at command execution
chage                 Audit password aging changes
chsh                  Audit shell changes
crontab               Audit crontab modifications
gpasswd               Audit group password changes
mount                 Audit mount operations
newgidmap             Audit GID map changes
newgrp                Audit group membership changes
newuidmap             Audit UID map changes
pam-timestamp-check   Audit PAM timestamp checks
passwd                Audit password changes
postdrop              Audit postfix mail drop
postqueue             Audit postfix mail queue
pt-chown              Audit pseudo-terminal ownership
ssh-keysign           Audit SSH key signing
su                    Audit su command execution
sudo                  Audit sudo command execution
sudoedit              Audit sudoedit execution
umount                Audit unmount operations
unix-chkpwd           Audit password verification
userhelper            Audit userhelper execution
usernetctl            Audit network control changes
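As an added example (not part of this page or of the Compliance Operator's own remediation content), the script below emits one audit rule per check in the table above, in the shape the ComplianceAsCode privileged-command rules use. The binary paths are the usual RHEL/RHCOS locations and are an assumption; the check IDs with hyphens (pam-timestamp-check, pt-chown, unix-chkpwd) are assumed to map to the underscore-named binaries. Confirm each path on the node before shipping the file, for example with the setuid/setgid search included at the end.

```shell
#!/bin/sh
# Added example: generate /etc/audit/rules.d/50-privileged-commands.rules
# for the 22 privileged-command checks. Paths are assumed typical locations.

# Binaries covered by this check group, one per line (assumed paths).
PRIVILEGED_BINS='/usr/bin/at
/usr/bin/chage
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/sbin/pam_timestamp_check
/usr/bin/passwd
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/libexec/pt_chown
/usr/libexec/openssh/ssh-keysign
/usr/bin/su
/usr/bin/sudo
/usr/bin/sudoedit
/usr/bin/umount
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/usernetctl'

# rule_for PATH: one audit rule. perm=x fires on execution of the file;
# auid>=1000 and auid!=unset restrict events to real login sessions
# (daemons and system accounts are skipped); key=privileged is the tag
# that `auditctl -l | grep -c privileged` counts during verification.
rule_for() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
}

# gen_privileged_rules: the complete rules file body for the list above.
gen_privileged_rules() {
    printf '%s\n' "$PRIVILEGED_BINS" | while IFS= read -r bin; do
        [ -n "$bin" ] && rule_for "$bin"
    done
}

# count_rules: number of generated rules; should equal the number of checks (22).
count_rules() {
    gen_privileged_rules | grep -c 'key=privileged'
}

# discover_setuid_bins: on a live node, list setuid/setgid files on the root
# filesystem so PRIVILEGED_BINS can be checked against what is actually
# installed (requires a real host; not exercised offline).
discover_setuid_bins() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Usage on a workstation:
#   gen_privileged_rules > 50-privileged-commands.rules
# then deliver the file to /etc/audit/rules.d/ via MachineConfig and run
# `augenrules --load` (or reboot) on the node.
```

Running `discover_setuid_bins` under `oc debug node/<node> -- chroot /host` and diffing it against PRIVILEGED_BINS is the quickest way to catch a path that differs on your RHCOS build; a rule whose path does not exist still loads but never fires.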

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -c privileged
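The verification above only proves the rules are loaded. As an added example (not from this page or the Compliance Operator), the following shell/awk summarizer shows what the rules produce once loaded: each execution generates a SYSCALL record tagged key="privileged", and the summary groups them by login user (auid), executable and outcome, so a failed su attempt stands out from routine sudo use. The records in SAMPLE_AUDIT_LOG are constructed, not captured from a node; field names match the auditd SYSCALL record format, values are made up.

```shell
#!/bin/sh
# Added example: summarize privileged-command audit events by auid, exe and
# success. Sample records below are constructed for illustration.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000001.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=SYSCALL msg=audit(1700000002.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=SYSCALL msg=audit(1700000003.300:103): arch=c000003e syscall=59 success=no exit=-13 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=0 fsgid=0 tty=pts1 ses=5 comm="su" exe="/usr/bin/su" key="privileged"
type=SYSCALL msg=audit(1700000004.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2004 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" key="exec"'

# summarize_privileged: read raw audit records on stdin, keep SYSCALL records
# tagged key="privileged", and print "<auid> <exe> <success> <count>" lines.
# Records with other keys (the constructed "exec" line) are ignored.
summarize_privileged() {
    awk '
    /^type=SYSCALL / && / key="privileged"/ {
        auid = ""; exe = ""; ok = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid") auid = kv[2]
            else if (kv[1] == "exe") exe = kv[2]
            else if (kv[1] == "success") ok = kv[2]
        }
        gsub(/"/, "", exe)
        n[auid " " exe " " ok]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# failed_privileged: only the entries whose syscall did not succeed, the
# lines worth triaging first (denied su/sudo, wrong password, etc.).
failed_privileged() {
    summarize_privileged | awk '$3 == "no"'
}

# Usage on a node (after the rules are loaded):
#   ausearch -k privileged --raw | summarize_privileged
# Offline demo with the constructed records:
#   printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_privileged
```

On a node with these rules loaded, a single interactive `sudo` produces one record per setuid execution, which is the per-command overhead the upstream scope note refers to; aggregating by auid and exe as above keeps the volume reviewable.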

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Privileged command audit rules (22 commands) RAN Low
openshift/os /etc/audit/rules.d/50-privileged-commands.rules
Tracks execution of setuid/setgid binaries (su, sudo, mount, passwd, etc.). Required by CIS and STIG.
Scope: Privileged command auditing is compliance-driven. 22 rules add audit overhead.

PR History

Privileged command audit rules (22 commands) Not Filed blocked
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.