MEDIUM RHCOS (Node) M20: Auditd Data Retention P3
Remediation required. This group (4 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Configures how auditd behaves when the partition holding the audit log runs short of space, so that audit data is not silently lost. The four settings live in /etc/audit/auditd.conf and set the action on disk write errors, the action when the disk is full, the admin-level action taken when free space falls below the admin threshold, and the space_left warning threshold itself. The required values are intentionally drastic: halt shuts the node down and single drops it to single-user mode, so a node that exhausts its audit partition leaves service rather than continuing to run unaudited.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| auditd-data-disk-error-action | Set the action on disk write errors: disk_error_action = syslog |
| auditd-data-disk-full-action | Set the action when the disk is full: disk_full_action = halt |
| auditd-data-retention-admin-space-left-action | Set the admin space-left action: admin_space_left_action = single |
| auditd-data-retention-space-left | Configure the space_left warning threshold (value is deployment-specific) |
Verification
oc debug node/<node> -- chroot /host grep -E 'disk_error_action|disk_full_action|admin_space_left_action|space_left ' /etc/audit/auditd.conf
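Expanding the one-line grep above, the following is an added example (not from this page and not compliance-operator code) that parses an auditd.conf and checks the four M20 values, with constructed sample files standing in for a node's real config. The function names, the sample contents and the rule that the last occurrence of a key wins are assumptions of the example; the node-side wrapper uses the same oc debug invocation as the Verification step and is defined but not run here.

```shell
#!/bin/sh
# Added example, not code from the page or from compliance-operator.
# Checks an auditd.conf against the four M20 settings:
#   disk_error_action = syslog, disk_full_action = halt,
#   admin_space_left_action = single, space_left = <positive threshold>.
# Function names, sample files and the "last occurrence wins" rule are
# assumptions of this example.

# auditd_conf_get FILE KEY: print KEY's value from an auditd.conf in lower
# case, ignoring comments and whitespace; empty output means KEY is unset.
# "^KEY[space]*=" anchors on the whole key, so asking for space_left does
# not match space_left_action or admin_space_left.
auditd_conf_get() {
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# auditd_conf_check FILE: print one FAIL line per non-compliant setting and
# return 1; return 0 (printing nothing) when all four settings comply.
auditd_conf_check() {
    m20_rc=0
    for m20_pair in disk_error_action=syslog disk_full_action=halt \
                    admin_space_left_action=single; do
        m20_key=${m20_pair%%=*}
        m20_want=${m20_pair#*=}
        m20_got=$(auditd_conf_get "$1" "$m20_key")
        if [ "$m20_got" != "$m20_want" ]; then
            echo "FAIL $m20_key: expected '$m20_want', found '${m20_got:-<unset>}'"
            m20_rc=1
        fi
    done
    # space_left has no fixed value in the check; require a threshold that
    # is set and non-zero. Both "100" (MB) and "25%" forms are accepted.
    m20_got=$(auditd_conf_get "$1" space_left)
    m20_num=${m20_got%\%}
    case $m20_num in
        ''|*[!0-9]*)
            echo "FAIL space_left: expected a positive threshold, found '${m20_got:-<unset>}'"
            m20_rc=1 ;;
        *)
            if [ "$m20_num" -eq 0 ]; then
                echo "FAIL space_left: expected a positive threshold, found '0'"
                m20_rc=1
            fi ;;
    esac
    return $m20_rc
}

# auditd_conf_check_node NODE: the same check against a live OCP node,
# pulling the file through a debug pod exactly as in the Verification step.
# Not run here (needs a cluster); NODE is a name from 'oc get nodes'.
auditd_conf_check_node() {
    m20_tmp=$(mktemp)
    oc debug "node/$1" -- chroot /host cat /etc/audit/auditd.conf >"$m20_tmp" \
        && auditd_conf_check "$m20_tmp"
    m20_status=$?
    rm -f "$m20_tmp"
    return $m20_status
}

# Constructed sample configs, not captures from a real node. The first is
# loosely modelled on the upstream auditd defaults; the second has the M20
# values applied.
M20_VANILLA=$(mktemp)
cat >"$M20_VANILLA" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND   # trailing comment, stripped by the parser
EOF

M20_REMEDIATED=$(mktemp)
cat >"$M20_REMEDIATED" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 100
space_left_action = email
admin_space_left = 50
admin_space_left_action = single
disk_full_action = halt
disk_error_action = syslog
EOF

echo "== vanilla (expect three FAIL lines)"
auditd_conf_check "$M20_VANILLA"
echo "== remediated"
auditd_conf_check "$M20_REMEDIATED" && echo "compliant"
```

On a cluster, auditd_conf_check_node <node> reproduces the Verification step for all four keys at once; a non-zero return means the node still needs the MachineConfig remediation described above.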
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
auditd data retention settings (All OCP, Low): Configures disk error/full actions and space_left thresholds. Ensures audit logs are preserved even under disk pressure.
Scope: All clusters should handle audit log disk pressure gracefully rather than silently dropping events.
PR History
auditd data retention settings
Same rationale as M9 — auditd data retention (space_left, disk_full_action, disk_error_action) is operational policy, not a security default. CoreOS maintainers are ambivalent about the audit subsystem (fedora-coreos-tracker#461). Retention thresholds are deployment-specific and depend on disk sizing.