Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257519	CNTR-OS-000170	SV-257519r921500_rule		High

Description
Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is powered on. Audit logs capture information about login attempts, commands executed, file access, and other system activities. By starting session audits at system startup, RHCOS ensures that all relevant events are recorded, providing a complete security monitoring solution. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. By initiating session audits at system startup, RHCOS enhances security monitoring, aids in timely incident detection and response, meets compliance requirements, facilitates forensic analysis, and promotes accountability and governance.

Description

Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is powered on. Audit logs capture information about login attempts, commands executed, file access, and other system activities. By starting session audits at system startup, RHCOS ensures that all relevant events are recorded, providing a complete security monitoring solution. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. By initiating session audits at system startup, RHCOS enhances security monitoring, aids in timely incident detection and response, meets compliance requirements, facilitates forensic analysis, and promotes accountability and governance.

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61254r921498_chk )
Verify the RHCOS boot loader configuration has audit enabled, including backlog: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep audit /boot/loader/entries/*.conf \|\| echo "not found"' 2>/dev/null; done If "audit" is not set to "1" or returns "not found", this is a finding. If "audit_backlog" is not set to 8192 or returns "not found", this is a finding.

Check Text ( C-61254r921498_chk )

Verify the RHCOS boot loader configuration has audit enabled, including backlog:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep audit /boot/loader/entries/*.conf || echo "not found"' 2>/dev/null; done

If "audit" is not set to "1" or returns "not found", this is a finding.

If "audit_backlog" is not set to 8192 or returns "not found", this is a finding.

Fix Text (F-61178r921499_fix)
Apply the machine config by executing the following: for mcpool in $(oc get mcp -oname \| sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: name: 05-kernelarg-audit-enabled-$mcpool labels: machineconfiguration.openshift.io/role: $mcpool spec: config: ignition: version: 3.1.0 kernelArguments: - audit=1 - audit_backlog_limit=8192 " \| oc create -f - done

Fix Text (F-61178r921499_fix)

Apply the machine config by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 05-kernelarg-audit-enabled-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
kernelArguments:
- audit=1
- audit_backlog_limit=8192
" | oc create -f -
done