ocp4: Enable sshd distributed config to check sshd_config.d drop-ins#14603
ocp4: Enable sshd distributed config to check sshd_config.d drop-ins#14603sebrandon1 wants to merge 1 commit intoComplianceAsCode:masterfrom
Conversation
OCP4 runs on RHCOS4, which already has sshd_distributed_config set to true. However, OCP4 product definition had it set to false, causing SSHD compliance checks to only scan /etc/ssh/sshd_config and miss settings in /etc/ssh/sshd_config.d/*.conf drop-in files. Since RHCOS 9 uses the drop-in config model, SSHD hardening settings in sshd_config.d/ are functionally correct but invisible to the scanner. This causes false FAIL results for checks like sshd_set_idle_timeout, sshd_disable_gssapi_auth, and sshd_set_loglevel_info when remediations use drop-in files. Enable sshd_distributed_config for OCP4 to match the underlying RHCOS4 behavior, allowing the scanner to check both the main sshd_config and drop-in files in sshd_config.d/.
|
Hi @sebrandon1. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Mab879
left a comment
There was a problem hiding this comment.
@yuumasato please take look as well.
|
@sebrandon1 Why do we need this change? The OCP4 data stream doesn't include any sshd rules. |
|
I double checked and I believe you are correct @yuumasato. I was originally debugging some sshd rules and failures on my cluster. Would it be worth still keeping this around incase there are potential sshd rules added to ocp4 in the future? Or should it just be closed for now? Thanks! |
|
@sebrandon1 I don't see sshd rules being added to OCP4 profiles. AFAIK all the SSHD configurations are done on the nodes. |
|
Are the issues related to https://redhat.atlassian.net/browse/CMP-3916? |
|
That issue sounds similar to what I was seeing when I was creating drop in files for sshd.d and it was still flagging my cluster as non-compliant. |
|
Closing this as I was able to verify that I didn't see any sshd drop-in failures in v1.8.2. Thanks @yuumasato |
Summary
sshd_distributed_configfor the OCP4 product to match the underlying RHCOS4 behaviortruein its product definitionfalse, causing SSHD compliance checks to only scan/etc/ssh/sshd_configand miss settings placed in/etc/ssh/sshd_config.d/*.confdrop-in filesProblem
RHCOS 9 uses the drop-in config model —
sshd_configcontains anInclude /etc/ssh/sshd_config.d/*.confdirective that loads drop-in files. When SSHD hardening remediations write settings to drop-in files (which is the standard approach for RHCOS), the settings are functionally correct (sshd -Tconfirms the effective config) but the scanner only checks the mainsshd_configand reports false FAILs.Affected checks include:
sshd_set_idle_timeoutsshd_set_keepalivesshd_disable_gssapi_authsshd_set_loglevel_infosshd_disable_root_loginsshd_enable_strictmodessshd_lineinfiletemplate checksFix
The
sshd_lineinfiletemplate and OVAL macros already fully support distributed config checking — whensshd_distributed_configistrue, the generated OVAL automatically scans both/etc/ssh/sshd_configAND/etc/ssh/sshd_config.d/*.conf. This is already enabled forrhcos4,rhel9,rhel10,fedora, and others.This PR simply enables the same behavior for
ocp4.Changes
products/ocp4/product.yml: Addsshd_distributed_config: "true"tests/data/product_stability/ocp4.yml: Changesshd_distributed_configfromfalsetotrueTesting
Verified on OCP 4.22 (cnfdt16 cluster) and OCP 4.21 (CRC):
sshd -T)sshd_distributed_configisfalse(current behavior)rhcos4product withsshd_distributed_config: "true"correctly detects drop-in settings