OCP 4.21 Remediation Groupings

This document catalogs all compliance remediations for OCP 4.21, collected from the OpenShift Compliance Operator and organized by severity (HIGH, MEDIUM, LOW).

Tip: Each group has a dedicated page with detailed implementation examples that you can link directly from PRs.

Quick Summary

From E8 (Essential Eight) and CIS benchmark scans: 82 total remediations

Severity  Groups     Settings   Status
HIGH      3 groups   3 unique   3 In Progress
MEDIUM    12 groups  36 unique  1 On Hold, 11 Pending
LOW       2 groups   2 unique   2 Pending

Remediation Status

Group  Category            Severity  Count  Status          Compare  Jira       PR
H1     Crypto Policy       HIGH      1      🔵 In Progress  -        CNF-21212  #529
H2     PAM Empty Passwords HIGH      1      🔵 In Progress  -        CNF-21212  #529
H3     SSHD Empty Passwords HIGH     1      🔵 In Progress  -        CNF-21326  #466
M1     SSHD Configuration  MEDIUM    7      🟡 Pending      📦       -          -
M2     Kernel Sysctl       MEDIUM    4      ⚪ On Hold      📦       CNF-21196  -
M3     Audit DAC           MEDIUM    2      🟡 Pending      📦       -          -
M4     Audit SELinux       MEDIUM    6      🟡 Pending      📦       -          -
M5     Audit Modules       MEDIUM    3      🟡 Pending      📦       -          -
M6     Audit Time          MEDIUM    5      🟡 Pending      📦       -          -
M7     Audit Auth          MEDIUM    5      🟡 Pending      📦       -          -
M8     Audit Network       MEDIUM    1      🟡 Pending      📦       -          -
M9     Auditd Config       MEDIUM    1      🟡 Pending      📦       -          -
M10    API Encryption      MEDIUM    2      🟡 Pending      📦       -          -
M11    Ingress TLS         MEDIUM    1      🟡 Pending      📦       -          -
M12    Audit Profile       MEDIUM    1      🟡 Pending      📦       -          -
L1     SSHD LogLevel       LOW       1      🟡 Pending      📦       -          -
L2     Sysctl dmesg        LOW       1      🟡 Pending      📦       -          -

Legend: 🔵 In Progress  🟡 Pending  ⚪ On Hold  🟢 Complete

Group IDs: Groups are labeled by severity and sequence number:


HIGH Severity Remediations

H1: Crypto Policy — 🔵 In Progress — PR #529

File: 75-crypto-policy-high.yaml Jira: CNF-21212

Setting        Value            Description
crypto-policy  DEFAULT:NO-SHA1  System-wide crypto policy without SHA1

H2: PAM Empty Passwords — 🔵 In Progress — PR #529

File: 75-pam-auth-high.yaml Jira: CNF-21212

Setting             Description
no-empty-passwords  Disable nullok in PAM system-auth and password-auth

H3: SSHD Empty Passwords — 🔵 In Progress — PR #466

File: 75-sshd-hardening.yaml (consolidated with M1, L1) Jira: CNF-21326

Setting               Value  Description
PermitEmptyPasswords  no     Prevent SSH login with empty passwords

Note: This HIGH severity SSHD setting is consolidated into PR #466 along with MEDIUM (M1) and LOW (L1) SSHD settings.

Manual HIGH Checks — No auto-remediation available

These HIGH severity checks require manual intervention:

Check                                           Type  Description
ocp4-cis-configure-network-policies-namespaces  CIS   Ensure all application namespaces have NetworkPolicy defined
ocp4-cis-rbac-least-privilege                   CIS   Review RBAC permissions for least privilege

MEDIUM Severity Remediations

M1: SSHD Configuration — 🔵 In Progress — PR #466

File: 75-sshd-hardening.yaml (consolidated with H3, L1) Jira: CNF-19031 Count: 7 settings

Setting                 Value  Description
PermitRootLogin         no     Disable direct root SSH access
GSSAPIAuthentication    no     Disable GSSAPI authentication
IgnoreRhosts            yes    Disable rhost authentication
IgnoreUserKnownHosts    yes    Ignore user’s known_hosts file
PermitUserEnvironment   no     Block user environment variable passing
StrictModes             yes    Enable strict mode checking
PrintLastLog            yes    Display last login information

M2: Kernel Hardening (Sysctl) — ⚪ On Hold — PR #528 closed

File: 75-sysctl-medium.yaml Jira: CNF-21196 Count: 4 settings

Setting                           Value  Description
kernel.randomize_va_space         2      Full ASLR - randomizes memory layout
kernel.unprivileged_bpf_disabled  1      Prevent BPF-based privilege escalation
kernel.yama.ptrace_scope          1      Restrict ptrace to parent-child processes
net.core.bpf_jit_harden           2      Harden BPF JIT against spraying attacks

M3: Audit Rules - DAC Modifications — 🟡 Pending

File: 75-audit-dac-medium.yaml Count: 2 settings

Rule   Description
chmod  Audit file permission changes via chmod
chown  Audit file ownership changes via chown

M4: Audit Rules - SELinux — 🟡 Pending

File: 75-audit-privilege-medium.yaml Count: 6 settings

Rule        Description
chcon       Audit SELinux context changes
restorecon  Audit SELinux context restoration
semanage    Audit SELinux management commands
setfiles    Audit SELinux file labeling
setsebool   Audit SELinux boolean changes
seunshare   Audit SELinux unshare operations

M5: Audit Rules - Kernel Modules — 🟡 Pending

File: 75-audit-modules-medium.yaml Count: 3 settings

Rule           Description
delete_module  Audit kernel module unloading (rmmod)
finit_module   Audit kernel module loading (finit)
init_module    Audit kernel module loading (init)

M6: Audit Rules - Time Modifications — 🟡 Pending

File: 75-audit-time-medium.yaml Count: 5 settings

Rule            Description
adjtimex        Audit fine-grained time adjustments
clock_settime   Audit clock setting operations
settimeofday    Audit time-of-day changes
stime           Audit legacy time setting
/etc/localtime  Watch for localtime file changes

M7: Audit Rules - Login Monitoring — 🟡 Pending

File: 75-audit-auth-medium.yaml Count: 5 settings

Rule       Description
faillock   Monitor failed login attempts
lastlog    Monitor last login records
tallylog   Monitor login attempt tallies
sudoers    Monitor sudo configuration changes
usergroup  Monitor /etc/passwd, /etc/group, /etc/shadow changes

M8: Audit Rules - Network Config — 🟡 Pending

File: 75-audit-network-medium.yaml Count: 1 setting

Rule                  Description
network_modification  Audit sethostname, setdomainname syscalls

M9: Auditd Configuration — 🟡 Pending

File: 75-auditd-config-medium.yaml Count: 1 setting

Setting      Value     Description
name_format  hostname  Log hostname in audit records

M10: API Server Encryption — 🟡 Pending

Type: APIServer CRD File: 75-api-server-encryption-medium.yaml Count: 2 remediations

Setting          Value   Description
encryption.type  aescbc  Enable AES-CBC encryption at rest

M11: Ingress TLS Ciphers — 🟡 Pending

Type: IngressController CRD File: 75-ingress-tls-medium.yaml Count: 1 remediation

Setting             Description
tlsSecurityProfile  Custom TLS profile with specific cipher suites

M12: Audit Profile — 🟡 Pending

Type: APIServer CRD File: 75-audit-profile-medium.yaml Count: 1 remediation

Setting        Value               Description
audit.profile  WriteRequestBodies  Enhanced audit logging


LOW Severity Remediations

L1: SSHD LogLevel — 🔵 In Progress — PR #466

File: 75-sshd-hardening.yaml (consolidated with H3, M1) Jira: CNF-19031

Setting   Value  Description
LogLevel  INFO   Set SSH logging to INFO level

L2: Sysctl dmesg_restrict — 🟡 Pending

File: 75-sysctl-low.yaml

Setting                Value  Description
kernel.dmesg_restrict  1      Restrict kernel log access to privileged users
