
yuumasato
Member

Description:

  • Restrict current SSHD Kubernetes remediations to OCP <= 4.12
  • Add new macro to create drop-in SSHD MachineConfigs
  • Add new drop-in Kubernetes remediations in template and rules with explicit remediation

Rationale:

  • The current Kubernetes SSHD remediations create a fixed sshd_config file
    • This does not allow rule level granularity
    • The RHEL8 RHCOS4 remediations break RHEL9 based nodes.
  • Fixes CMP-3553 by adding support for SSHD drop-in files and not laying down a generic hardened SSHD configuration.
  • Fixes CMP-3617 by adding drop-in support for OCP >=4.13 in sshd_lineinfile template. These rules will still fail on OCP 4.12.
  • Fixes CMP-3624 by removing the Include directive from the static sshd_config.

Review Hints:

  • Check that SSHD rules create a single sshd_config file on el8 based nodes
  • Check that SSHD rules create multiple drop-in config files on el9 based nodes

This limits applicability of the currently existing Kubernetes remediations to
OCP 4.12.
OCP 4.12 has RHEL8 based RHCOS nodes, which don't support drop-in
directories and are thus remediated by a single file.
This leads to poor granularity, with multiple rules being fixed by a
single remediation.
Limit applicability of this remediation to OCP 4.12 or older.

Remove the Include sshd_config.d directive from the sshd_config_source() macro.
RHEL8 nodes don't support a .d config directory for the daemon.

Add a macro that renders a MachineConfig for SSHD rules, applicable
from OCP 4.13 and newer.
They leverage the SSHD drop-in config directory.

Leverage the drop-in macro to create SSHD drop-in MachineConfigs.
@yuumasato yuumasato added this to the 0.1.79 milestone Sep 29, 2025
@yuumasato yuumasato added the OpenShift OpenShift product related. label Sep 29, 2025
@yuumasato
Member Author

Example of how remediations not matching the ocp-version can be found:

$ oc get events | grep SkippingRemediation
116m        Warning   SkippingRemediation                compliancescan/upstream-rhcos4-high-master                                     Skipping ComplianceRemediation 'openshift-compliance/upstream-rhcos4-high-master-sshd-disable-rhosts'. Cluster doesn't match version range <=4.13.0
117m        Warning   SkippingRemediation                compliancescan/upstream-rhcos4-high-worker                                     Skipping ComplianceRemediation 'openshift-compliance/upstream-rhcos4-high-worker-sshd-disable-rhosts'. Cluster doesn't match version range <=4.13.0

And then the second yaml file is applied:

$ oc get rems -oyaml upstream-rhcos4-high-master-sshd-disable-rhosts-1
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  annotations:
    compliance.openshift.io/ocp-version: '>=4.13.0'
    compliance.openshift.io/xccdf-value-used: var-rekey-limit-size,var-rekey-limit-time,var-sshd-set-login-grace-time,var-sshd-disable-compression,sshd-idle-timeout-value,var-sshd-set-keepalive,var-sshd-priv-separation
  creationTimestamp: "2025-09-29T19:21:59Z"
  generation: 2
  labels:
    compliance.openshift.io/scan-name: upstream-rhcos4-high-master
    compliance.openshift.io/suite: rhcos4-high
  name: upstream-rhcos4-high-master-sshd-disable-rhosts-1
  namespace: openshift-compliance
spec:
  apply: true
  current:
    object:
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata: {}
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
            - contents:
                source: data:,IgnoreRhosts%20yes
              mode: 384
              overwrite: true
              path: /etc/ssh/sshd_config.d/00-complianceascode-IgnoreRhosts.conf
  outdated: {}
  type: Configuration
status:
  applicationState: Applied
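The remediation above packs one SSHD directive into an Ignition data: URL, writes it to a 0600 file under /etc/ssh/sshd_config.d/, and relies on the compliance.openshift.io/ocp-version annotation to decide whether the cluster gets the legacy single-file remediation or the drop-in one. The following is an added example, not the project's Jinja macro or the compliance-operator's own code: it renders a drop-in MachineConfig of the same shape in plain Python, decodes it back, lints it the way the review hints ask (drop-in path, owner-only mode, one directive per file), and evaluates the ocp-version annotation under the simplifying assumption that it is a comma-separated list of semver constraints which must all hold. The sample remediation names and ranges are constructed from the events and YAML shown in this comment.

```python
"""Render and sanity-check SSHD drop-in MachineConfig remediations.

Added example; not ComplianceAsCode's macro or compliance-operator code.
It reproduces the shape of the ComplianceRemediation shown above and assumes
a simplified reading of the ocp-version annotation (comma-separated semver
constraints that must all hold).
"""
import re
from urllib.parse import quote, unquote

DROPIN_DIR = "/etc/ssh/sshd_config.d"
DROPIN_PREFIX = "00-complianceascode-"  # prefix used by the remediation above
FILE_MODE = 0o600                       # "mode: 384" in the MachineConfig


def _files(mc):
    return mc["spec"]["config"]["storage"]["files"]


def dropin_machineconfig(option, value):
    """Build a MachineConfig that lays down one SSHD drop-in file.

    One directive per file keeps remediations rule-granular: a rule owns its
    own drop-in instead of sharing a single rendered sshd_config.
    """
    line = f"{option} {value}"
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {},
        "spec": {"config": {
            "ignition": {"version": "3.1.0"},
            "storage": {"files": [{
                # Ignition data URL; quote() turns the space into %20
                "contents": {"source": "data:," + quote(line, safe="")},
                "mode": FILE_MODE,
                "overwrite": True,
                "path": f"{DROPIN_DIR}/{DROPIN_PREFIX}{option}.conf",
            }]},
        }},
    }


def decode_files(mc):
    """Return {path: decoded contents} for every data: URL file in the MachineConfig."""
    out = {}
    for f in _files(mc):
        src = f["contents"]["source"]
        if not src.startswith("data:,"):
            raise ValueError(f"unsupported source for {f['path']}: {src!r}")
        out[f["path"]] = unquote(src[len("data:,"):])
    return out


def check_dropin(mc):
    """Lint a drop-in remediation: drop-in path, 0600 mode, exactly one directive."""
    problems = []
    for f in _files(mc):
        if not f["path"].startswith(DROPIN_DIR + "/"):
            problems.append(f"{f['path']}: not under {DROPIN_DIR}")
        if f["mode"] != FILE_MODE:
            problems.append(f"{f['path']}: mode {f['mode']:o} != {FILE_MODE:o}")
    for path, text in decode_files(mc).items():
        directives = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
        if len(directives) != 1:
            problems.append(f"{path}: expected one directive, got {len(directives)}")
    return problems


_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)$")


def _parse_version(v):
    # "4.13.0-rc.1" -> (4, 13, 0); pre-release tags are ignored here
    return tuple(int(x) for x in v.split("-")[0].split("."))


def version_in_range(cluster_version, annotation):
    """Evaluate a compliance.openshift.io/ocp-version annotation (assumed syntax)."""
    cv = _parse_version(cluster_version)
    for part in annotation.split(","):
        m = _CONSTRAINT.match(part.replace(" ", ""))
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        op, target = m.group(1) or "=", tuple(int(m.group(i)) for i in (2, 3, 4))
        ok = {">=": cv >= target, "<=": cv <= target, ">": cv > target,
              "<": cv < target, "=": cv == target}[op]
        if not ok:
            return False
    return True


# Constructed from the events and YAML above: legacy single-file remediation
# vs. the "-1" drop-in remediation for the same rule.
SAMPLE_REMEDIATIONS = {
    "upstream-rhcos4-high-master-sshd-disable-rhosts": "<=4.13.0",
    "upstream-rhcos4-high-master-sshd-disable-rhosts-1": ">=4.13.0",
}


def applicable_remediations(rems, cluster_version):
    """Names of remediations whose ocp-version annotation matches the cluster."""
    return sorted(n for n, rng in rems.items() if version_in_range(cluster_version, rng))


if __name__ == "__main__":
    mc = dropin_machineconfig("IgnoreRhosts", "yes")
    print(decode_files(mc), check_dropin(mc))
    for ver in ("4.12.5", "4.14.0"):
        print(ver, applicable_remediations(SAMPLE_REMEDIATIONS, ver))
```

Running it reproduces the data:,IgnoreRhosts%20yes source and the 00-complianceascode-IgnoreRhosts.conf path from the YAML above, reports an empty problem list, and selects only the legacy remediation on a 4.12 cluster and only the -1 drop-in remediation on 4.14, matching the SkippingRemediation events.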


openshift-ci bot commented Sep 29, 2025

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-platform-compliance c869d6a link true /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-openshift-node-compliance c869d6a link true /test e2e-aws-openshift-node-compliance


