MEDIUM RHCOS (Node) M23: Kernel Sysctl Extended P3
Remediation required. This group (3 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Additional kernel hardening parameters beyond M2. Disables kexec (prevents kernel replacement at runtime), restricts perf_event access, and controls core dump file naming.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| kernel.kexec_load_disabled=1 | Disable kexec kernel loading |
| kernel.perf_event_paranoid=2 | Restrict perf_event to root only |
| kernel.core_pattern=\|/bin/false | Disable core dump processing |
Verification
oc debug node/<node> -- chroot /host sysctl kernel.kexec_load_disabled kernel.perf_event_paranoid kernel.core_pattern
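A MachineConfig that applies the three settings through a sysctl.d drop-in, added here as an example (it is not from this page or from the compliance-operator content); the object name, the drop-in file name and the worker role label are assumptions. As the PR History notes, kexec_load_disabled=1 is a one-way toggle that disables kdump until reboot, so roll it out only to pools where kdump crash recovery is not relied on.

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  # Assumed name; the numeric prefix only orders this object among other MachineConfigs.
  name: 75-m23-kernel-sysctl-extended-worker
  labels:
    # Targets the worker pool; control-plane nodes need a second copy with role: master.
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/sysctl.d/75-m23-kernel-sysctl-extended.conf   # assumed file name
          mode: 420          # decimal for 0644
          overwrite: true
          contents:
            # Ignition takes file contents as a percent-encoded data URL.
            # Decoded, the file reads:
            #   kernel.kexec_load_disabled=1
            #   kernel.perf_event_paranoid=2
            #   kernel.core_pattern=|/bin/false
            # (%3D is "=", %7C is "|", %0A is a newline)
            source: data:,kernel.kexec_load_disabled%3D1%0Akernel.perf_event_paranoid%3D2%0Akernel.core_pattern%3D%7C/bin/false%0A
```

Apply with oc apply -f, wait for the targeted MachineConfigPool to finish rolling the nodes, then confirm the live values with the sysctl verification command above.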
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

| Change | Scope | Priority | Repo | File | Rationale | Notes |
|---|---|---|---|---|---|---|
| kernel.core_pattern, kexec_load_disabled, perf_event_paranoid | RAN | Med | openshift/os | /usr/lib/sysctl.d/50-security-hardening.conf | Disables core dumps (data leakage), kexec (rootkit persistence), restricts perf_event (info disclosure). Standard KSPP hardening. | Scope: kexec_load_disabled is safe for upstream (RHCOS doesn't use kexec), but core_pattern and perf_event_paranoid break debugging and profiling tools needed by platform teams. |
PR History
| Change | Outcome |
|---|---|
| kernel.core_pattern, kexec_load_disabled, perf_event_paranoid | perf_event_paranoid=2 is already the RHEL default since RHEL 7.3. kexec_load_disabled=1 is a one-way toggle that cannot be reverted without a reboot, and it breaks kdump/kexec crash recovery, which is a supported RHCOS feature. core_pattern modification is operational policy already covered by the M26 coredump disable. All three settings defer to RHEL defaults per maintainer preference (PR #264 pattern). |