MEDIUM RHCOS (Node) M18: Session & MAC Audit P3
Remediation required. This group (4 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Audits session lifecycle events, Mandatory Access Control (MAC) policy modifications, media export operations, and makes audit rules immutable after loading to prevent tampering.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| session-events | Audit user session open/close events |
| mac-modification | Audit SELinux/MAC policy changes |
| media-export | Audit removable media mount operations |
| immutable | Make audit rules immutable (requires reboot to change) |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'session|MAC|mount'
oc debug node/<node> -- chroot /host auditctl -s | grep -E '^enabled 2'
The first command lists the loaded rules for the session, MAC and mount checks. The immutable flag (-e 2) is not part of the rule listing, so read it from auditctl -s, which reports "enabled 2" once the rules are locked.
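The following script is an added example, not part of this page or of the compliance-operator: it evaluates captured auditctl -l and auditctl -s output against the four checks in this group, so the result can be scripted instead of eyeballed. The rule keys it matches (session, MAC-policy, export) and the sample output are assumptions about how the remediation names its rules; adjust the patterns if your rules file uses different keys.

```shell
#!/bin/sh
# Added example (not from the page or the compliance-operator): evaluate
# captured `auditctl -l` and `auditctl -s` output against the four M18 controls.
# The keys session / MAC-policy / export are ASSUMED names for the remediation
# rules; change the patterns below if your rules file uses different keys.

# Constructed sample: what `auditctl -l` prints on a remediated node.
SAMPLE_RULES='-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=export'

# Constructed sample: what `auditctl -s` prints once the rules are locked (-e 2).
SAMPLE_STATUS='enabled 2
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# has_line TEXT REGEX -> exit 0 if any line of TEXT matches REGEX
has_line() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# check_control NAME TEXT REGEX -> PASS/FAIL line on stderr, exit status mirrors result
check_control() {
    if has_line "$2" "$3"; then
        printf 'PASS %s\n' "$1" >&2
        return 0
    fi
    printf 'FAIL %s\n' "$1" >&2
    return 1
}

# count_failures RULES STATUS -> prints how many of the controls fail (0 = compliant)
count_failures() {
    rules="$1" status="$2" fails=0
    # session-events: each login accounting file must be watched for writes
    for f in /var/run/utmp /var/log/btmp /var/log/wtmp; do
        check_control "session-events $f" "$rules" "^-w $f -p wa -k session$" || fails=$((fails + 1))
    done
    # mac-modification: SELinux policy directory watched for writes and attribute changes
    check_control mac-modification "$rules" '^-w /etc/selinux/ -p wa -k MAC-policy$' || fails=$((fails + 1))
    # media-export: mount syscall audited for real users on both syscall ABIs
    for arch in b64 b32; do
        check_control "media-export $arch" "$rules" \
            "^-a always,exit -F arch=$arch -S mount .*(-k |-F key=)export$" || fails=$((fails + 1))
    done
    # immutable: only `auditctl -s` shows the lock; `auditctl -l` never lists -e 2
    check_control immutable "$status" '^enabled 2$' || fails=$((fails + 1))
    printf '%s\n' "$fails"
}

# Stand-alone run against the constructed samples. On a real cluster, feed it:
#   oc debug node/<node> -- chroot /host auditctl -l   and   ... auditctl -s
count_failures "$SAMPLE_RULES" "$SAMPLE_STATUS"
```

The per-control PASS/FAIL lines go to stderr and the failure count to stdout, so the script can be used both interactively and as a gate in a pipeline (a non-zero count means the node is not remediated).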
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
Session, MAC, and media export audit rules
RAN
Low
openshift/os
/etc/audit/rules.d/50-session-mac.rules
Tracks session initiation, SELinux policy changes, media export, and makes audit config immutable.
Scope: Session/MAC auditing and audit immutability are compliance-specific hardening.
PR History
Session, MAC, and media export audit rules
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.