MEDIUM RHCOS (Node) M27: SSHD Moderate Extensions P3
Remediation required. This group (2 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Additional SSHD hardening beyond M1 (E8). Sets idle session timeout, keepalive settings, and restricts SSH access to authorized users only.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| ClientAliveInterval | Set SSH idle timeout interval |
| ClientAliveCountMax | Set SSH keepalive count before disconnect |
| AllowUsers core | Restrict SSH access to the core user only |
Implementation Note: AllowUsers
The sshd-limit-user-access check is not detected by the compliance operator scan (returns notapplicable on RHCOS because the OVAL check can’t find the expected config pattern). However, the remediation is valid and recommended by NIST 800-53 Moderate.
The MachineConfig uses a systemd unit that checks if AllowUsers or AllowGroups is already set, and if not, creates a drop-in restricting SSH to the core user only.
Reference: cnf-features-deploy PR #2147 (closed but approach is valid)
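The check-then-create logic described above, sketched as an added example (not the MachineConfig from the referenced PR). The function names and the drop-in file name `40-allow-core.conf` are assumptions, and the sketch assumes the main `sshd_config` includes `sshd_config.d/*.conf`.

```shell
#!/bin/bash
# Added example: logic a oneshot systemd unit could run before sshd starts.
# Function names and the drop-in file name are assumptions for this sketch.
# A unit's ExecStart would call: ensure_core_only /etc/ssh

# Return 0 if any sshd config file under $1 already sets AllowUsers/AllowGroups.
has_access_restriction() {
    local root="$1" f
    for f in "$root/sshd_config" "$root"/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue
        # sshd keywords are case-insensitive; commented-out lines do not count.
        if grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]=]' "$f"; then
            return 0
        fi
    done
    return 1
}

# Create the drop-in only when no restriction exists. Echoes what it did.
ensure_core_only() {
    local root="${1:-/etc/ssh}"
    local dropin="$root/sshd_config.d/40-allow-core.conf"   # hypothetical name
    local tmp
    if has_access_restriction "$root"; then
        # An existing AllowUsers/AllowGroups policy is left untouched.
        echo "unchanged"
        return 0
    fi
    mkdir -p "$root/sshd_config.d"
    # Write to a temp file and rename so sshd never reads a partial drop-in.
    tmp="$(mktemp "$root/sshd_config.d/.allow-core.XXXXXX")"
    printf 'AllowUsers core\n' > "$tmp"
    chmod 0600 "$tmp"
    mv "$tmp" "$dropin"
    echo "created"
}
```

Running it a second time reports `unchanged`, because the drop-in it wrote now satisfies the check.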
Verification
oc debug node/<node> -- chroot /host bash -c '
sshd -T | grep -E "clientaliveinterval|clientalivecountmax|allowusers"
'
Expected output:
clientaliveinterval 600
clientalivecountmax 0
allowusers core
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| ClientAliveInterval=300, ClientAliveCountMax=0 | RAN | openshift/os | /etc/ssh/sshd_config.d/50-hardening.conf | Automatically disconnects idle SSH sessions after 5 minutes. Prevents abandoned sessions from being hijacked. Scope: 5-minute idle timeout is aggressive. Platform teams may need longer SSH sessions for debugging. Appropriate for hardened production deployments. | Low |