CNF-23448: RAN Hardening (5.0) - Audit Kernel Modules (M5)#738
CNF-23448: RAN Hardening (5.0) - Audit Kernel Modules (M5)#738sebrandon1 wants to merge 1 commit into
Conversation
|
@sebrandon1: This pull request references CNF-23448 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sebrandon1 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Warning Review limit reached
More reviews will be available in 59 minutes and 57 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Verification Test ResultsTested on cnfdt16 (OCP 4.22, RHCOS 9.8.20260403-0, 3 masters + 2 workers). Apply: Applied Result: PASS — Audit rules for kernel module loading/unloading deployed and compiled into |
0c9fa45 to
29a023f
Compare
5d5c5f6 to
5f2f7c7
Compare
d2b801b to
6f1da95
Compare
Verification Test ResultsTested on cnfdt16 (OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2.20260617-0, Kubernetes v1.35.3, 3 masters + 2 workers). Apply: Applied Verify: The audit rules ARE correctly loaded on the nodes: Finding: Despite the rules being functionally loaded, the scanner still reports FAIL on all 12 The audit daemon v4.x in RHEL 10 uses a different rule-loading mechanism that the ComplianceAsCode content doesn't yet support for the Result: FAIL on OCP 5.0 / RHCOS 10 - upstream ComplianceAsCode scanner content bug. The audit rules are functionally correct and active on the nodes. The MachineConfig works correctly for OCP 4.x (RHCOS 9) and needs an upstream OVAL fix for OCP 5.0. |
Update: Scanner FAIL is a content image version gap (upstream fix exists)After further investigation, this MachineConfig is correct and still needed for both OCP 4.x and 5.0. The scanner FAIL is a known content image version gap, not a problem with the MachineConfig. Root cause: RHCOS 10 uses Upstream fix already exists in ComplianceAsCode/content:
Fix path: Rebuild our compliance content image from latest ComplianceAsCode master (post-v0.1.81) which includes these OVAL fixes. The content image at Verification on cnfdt16: The audit rules ARE correctly loaded and active: This PR should remain open and be merged. The scanner will report PASS once the content image is updated. |
6f1da95 to
ede6218
Compare
|
Superseded by #823 — migrated to |
Summary
Adds MachineConfig to deploy audit rules for kernel module loading and unloading events on both master and worker nodes.
This addresses MEDIUM severity E8 compliance checks for auditing
init_module,finit_module, anddelete_modulesyscalls, ensuring all kernel module operations are recorded.Files
75-audit-kernel-modules-master.yaml75-audit-kernel-modules-worker.yamlVerification
After applying to a cluster, verify with:
Compliance scan verification:
Jira