MEDIUM RHCOS (Node) M19: Usergroup Modification Audit P3
Remediation required. This group (5 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Monitors individual identity files for modifications. Extends M7’s general usergroup monitoring with per-file watch rules for /etc/group, /etc/gshadow, /etc/opasswd, /etc/passwd, and /etc/shadow.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
usergroup-modification-group |
Watch /etc/group for changes |
usergroup-modification-gshadow |
Watch /etc/gshadow for changes |
usergroup-modification-opasswd |
Watch /etc/opasswd for changes |
usergroup-modification-passwd |
Watch /etc/passwd for changes |
usergroup-modification-shadow |
Watch /etc/shadow for changes |
Verification
oc debug node/<node> -- chroot /host auditctl -l | grep -E 'group|gshadow|opasswd|passwd|shadow'
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
Usergroup modification file watches (5 files)
RAN
Low
openshift/os
/etc/audit/rules.d/50-usergroup-modification.rules
Watches /etc/passwd, group, shadow, gshadow, opasswd for modifications. Detects unauthorized account changes.
Scope: Usergroup file watches are compliance-driven forensic logging.
Scope: Usergroup file watches are compliance-driven forensic logging.
PR History
Usergroup modification file watches (5 files)
Audit rules are compliance monitoring policies, not security defaults. RHCOS ships no audit rules in rules.d by default — only samples in /usr/share/audit/sample-rules/ that Red Hat explicitly warns are 'not exhaustive nor up to date.' CoreOS maintainers debated whether to include the audit RPM at all (fedora-coreos-tracker#461) and called it 'an odd fit' (coreos/bugs#140). Audit messages already flood console on fresh boot (fedora-coreos-tracker#220). Deploying rules in the base image would substantially increase audit volume for all RHCOS deployments. The Compliance Operator's MachineConfig remediation model is the intended deployment path.