MEDIUM M1: SSHD Configuration P2

🟡 Pending

Overview

This remediation applies comprehensive SSH daemon hardening settings to improve security posture.

Settings

Setting                 Value  Description
PermitRootLogin         no     Disable direct root SSH access
GSSAPIAuthentication    no     Disable GSSAPI authentication
IgnoreRhosts            yes    Disable rhosts authentication
IgnoreUserKnownHosts    yes    Ignore user's known_hosts file
PermitUserEnvironment   no     Block user environment variable passing
StrictModes             yes    Enable strict mode checking
PrintLastLog            yes    Display last login information

Implementation

The remediation applies a MachineConfig with SSHD hardening:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sshd-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/ssh/sshd_config.d/75-medium-hardening.conf
          mode: 0600
          overwrite: true
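          contents:
            # Ignition spec 3.x has no "inline" key; file contents are passed
            # as a URL-encoded data URL in "source". Decoded contents:
            #   # MEDIUM severity SSHD settings
            #   PermitRootLogin no
            #   GSSAPIAuthentication no
            #   IgnoreRhosts yes
            #   IgnoreUserKnownHosts yes
            #   PermitUserEnvironment no
            #   StrictModes yes
            #   PrintLastLog yes
            source: data:,%23%20MEDIUM%20severity%20SSHD%20settings%0APermitRootLogin%20no%0AGSSAPIAuthentication%20no%0AIgnoreRhosts%20yes%0AIgnoreUserKnownHosts%20yes%0APermitUserEnvironment%20no%0AStrictModes%20yes%0APrintLastLog%20yes%0A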

Compliance Checks Remediated

This group addresses 7 compliance checks:

Check                                           Profile  Description
rhcos4-e8-worker-sshd-disable-root-login        E8       Disable root SSH login
rhcos4-e8-worker-sshd-disable-gssapi-auth       E8       Disable GSSAPI authentication
rhcos4-e8-worker-sshd-disable-rhosts            E8       Disable rhosts authentication
rhcos4-e8-worker-sshd-disable-user-known-hosts  E8       Ignore user known_hosts
rhcos4-e8-worker-sshd-do-not-permit-user-env    E8       Block user environment
rhcos4-e8-worker-sshd-enable-strictmodes        E8       Enable strict modes
rhcos4-e8-worker-sshd-print-last-log            E8       Print last login

Source Remediation Files

  • medium/rhcos4-e8-worker-sshd-disable-root-login.yaml
  • medium/rhcos4-e8-worker-sshd-disable-gssapi-auth.yaml
  • medium/rhcos4-e8-worker-sshd-disable-rhosts.yaml
  • medium/rhcos4-e8-worker-sshd-disable-user-known-hosts.yaml
  • medium/rhcos4-e8-worker-sshd-do-not-permit-user-env.yaml
  • medium/rhcos4-e8-worker-sshd-enable-strictmodes.yaml
  • medium/rhcos4-e8-worker-sshd-print-last-log.yaml

Verification

After applying the MachineConfig, verify SSHD settings:

oc debug node/<node-name> -- chroot /host sshd -T | grep -E "permitrootlogin|gssapiauthentication|ignorerhosts"
# Expected output:
# permitrootlogin no
# gssapiauthentication no
# ignorerhosts yes
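
The command above checks three of the seven settings. The following is an added example, not part of the original remediation, that checks all seven against the effective configuration printed by `sshd -T`; sshd uses the first value it obtains for each keyword, so the effective output is what matters, not the drop-in file alone. The names `check_sshd_effective` and `sample_sshd_T` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with this group's expected values.
# Keywords are lowercase because that is how `sshd -T` prints them.
EXPECTED='permitrootlogin no
gssapiauthentication no
ignorerhosts yes
ignoreuserknownhosts yes
permituserenvironment no
strictmodes yes
printlastlog yes'

# Reads `sshd -T` output on stdin, prints OK/FAIL/MISSING per setting,
# and returns 0 only when all seven settings match.
check_sshd_effective() {
    actual=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key is $got (expected $want)"; rc=1
        else
            echo "OK $key $got"
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample of `sshd -T` output from a node where the drop-in did not
# fully take effect: GSSAPI is still on and printlastlog is absent.
sample_sshd_T() {
    cat <<'EOF'
port 22
permitrootlogin no
gssapiauthentication yes
ignorerhosts yes
ignoreuserknownhosts yes
permituserenvironment no
strictmodes yes
EOF
}

# Live use (node name is a placeholder):
#   oc debug node/<node-name> -- chroot /host sshd -T | check_sshd_effective
sample_sshd_T | check_sshd_effective || echo "drift detected"
```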
