MEDIUM RHCOS (Node) M26: Systemd Hardening P3
Remediation required. This group (6 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Disables dangerous systemd behaviors: prevents Ctrl-Alt-Del from rebooting nodes (both single-press and burst), disables core dump generation and storage to prevent information leakage.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
Ctrl-Alt-Del burst action |
Disable CtrlAltDelBurstAction |
Ctrl-Alt-Del reboot |
Disable Ctrl-Alt-Del reboot target |
Coredump backtraces |
Disable coredump backtrace generation |
Coredump storage |
Disable coredump storage |
User coredumps |
Disable user coredumps via limits.conf |
Verification
oc debug node/<node> -- chroot /host systemctl status ctrl-alt-del.target
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
Disable coredumps (Storage=none, ProcessSizeMax=0) |
RAN | openshift/os | /etc/systemd/coredump.conf.d/50-no-coredumps.conf |
Container hosts shouldn't store core dumps. Prevents sensitive data leakage and disk exhaustion from crashed processes.
Scope: Disabling core dumps prevents crash debugging for node-level issues. Appropriate for hardened production but not dev/QE clusters. |
Med |
Mask ctrl-alt-del.target, CtrlAltDelBurstAction=none |
RAN | openshift/os | systemd preset + /etc/systemd/system.conf.d/ |
Prevents accidental or malicious reboot via keyboard. RHCOS nodes are headless servers, not interactive workstations.
Scope: Bare-metal operators use Ctrl-Alt-Del via BMC console to recover hung nodes when SSH is unavailable. Masking it removes a useful recovery tool. Appropriate for hardened RAN production nodes where accidental reboots are catastrophic. |
Low |