MEDIUM M27: SSHD Moderate Extensions P3

Overview

Additional SSHD hardening beyond M1 (E8). Sets idle session timeout, keepalive settings, and restricts SSH access to authorized users only.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                  Description
ClientAliveInterval    Set SSH idle timeout interval
ClientAliveCountMax    Set SSH keepalive count before disconnect
AllowUsers core        Restrict SSH access to the core user only

Implementation Note: AllowUsers

The sshd-limit-user-access check is not detected by the compliance operator scan (returns notapplicable on RHCOS because the OVAL check can’t find the expected config pattern). However, the remediation is valid and recommended by NIST 800-53 Moderate.

The MachineConfig uses a systemd unit that checks if AllowUsers or AllowGroups is already set, and if not, creates a drop-in restricting SSH to the core user only.

Reference: cnf-features-deploy PR #2147 (closed but approach is valid)
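
One way to implement the check-then-create logic described above, as an added shell example rather than the MachineConfig's or the referenced PR's own script. The function names and the drop-in file name are hypothetical, and it assumes sshd_config includes sshd_config.d/*.conf.

```shell
#!/bin/sh
# Added example: idempotent AllowUsers guard (not the MachineConfig's own script).
# Assumptions: sshd_config includes sshd_config.d/*.conf, and the drop-in
# file name 50-allowusers-core.conf is hypothetical.

# Return 0 if any active (uncommented) AllowUsers/AllowGroups directive exists
# in the main config or a drop-in. sshd keywords are case-insensitive and may
# be separated from their arguments by whitespace or a single "=".
ssh_access_restricted() {
    ssh_dir=$1
    for f in "$ssh_dir/sshd_config" "$ssh_dir"/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue   # skips the literal glob when nothing matches
        if grep -Eiq '^[[:space:]]*(allowusers|allowgroups)([[:space:]]|=)' "$f"; then
            return 0
        fi
    done
    return 1
}

# Create the drop-in only when no restriction is present, so an existing
# site-specific AllowUsers/AllowGroups policy is never overridden.
# Prints "created" or "unchanged".
ensure_allowusers_core() {
    ssh_dir=${1:-/etc/ssh}
    dropin="$ssh_dir/sshd_config.d/50-allowusers-core.conf"
    if ssh_access_restricted "$ssh_dir"; then
        echo unchanged
        return 0
    fi
    mkdir -p "$ssh_dir/sshd_config.d"
    # Write the file readable by root only.
    ( umask 077; printf 'AllowUsers core\n' > "$dropin" )
    echo created
}
```

A commented-out `#AllowUsers ...` line does not count as set, and a second run reports `unchanged` because the drop-in itself now satisfies the check.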

Verification

oc debug node/<node> -- chroot /host bash -c '
sshd -T | grep -E "clientaliveinterval|clientalivecountmax|allowusers"
'

Expected output:

clientaliveinterval 600
clientalivecountmax 0
allowusers core