OCP 4.22 Remediation Groupings


This page catalogs all compliance remediation groups for OCP 4.22, dynamically generated from tracking.json.

Target baseline: RHCOS 9.8 (OCP 4.22) with compliance-operator v1.8.2 and pinned content quay.io/bapalm/k8scontent:v0.1.80.

Quick Summary

| Status | Count |
|---|---|
| ✅ PASS on vanilla RHCOS 9.8+ | 4 groups |
| 🟢 Verified (remediation works) | 28 groups |
| 🔵 In Progress | 0 groups |
| 🟡 Pending | 5 groups |
| 🟠 Partial | 3 groups |
| 📋 Manual | 5 groups |

Remediation Status

| Group | Category | Platform | Severity | Checks | Status | Compare | Jira | PR |
|---|---|---|---|---|---|---|---|---|
| H1 | Crypto Policy | RHCOS | HIGH | 1 | 🟢 Verified | 📦 | CNF-21212 | - |
| H2 | PAM Empty Passwords | RHCOS | HIGH | 1 | 🟢 Verified | 📦 | CNF-21212 | - |
| H3 | SSHD Empty Passwords | RHCOS | HIGH | 1 | ✅ PASS (vanilla) | - | CNF-21326 | - |
| M1 | SSHD Configuration | RHCOS | MEDIUM | 7 | ✅ PASS (vanilla) | - | CNF-22620 | - |
| M2 | Kernel Hardening (Sysctl) | RHCOS | MEDIUM | 4 | 🟢 Verified | 📦 | CNF-21196 | - |
| M3 | Audit Rules - DAC Modifications | RHCOS | MEDIUM | 2 | 🟢 Verified | 📦 | CNF-23513 | - |
| M4 | Audit Rules - SELinux | RHCOS | MEDIUM | 6 | 🟢 Verified | 📦 | CNF-22621 | - |
| M5 | Audit Rules - Kernel Modules | RHCOS | MEDIUM | 3 | 🟢 Verified | 📦 | CNF-23448 | - |
| M6 | Audit Rules - Time Modifications | RHCOS | MEDIUM | 5 | 🟢 Verified | 📦 | CNF-22622 | - |
| M7 | Audit Rules - Login Monitoring | RHCOS | MEDIUM | 6 | 🟢 Verified | 📦 | CNF-22623 | - |
| M8 | Audit Rules - Network Config | RHCOS | MEDIUM | 1 | 🟢 Verified | 📦 | CNF-23449 | - |
| M9 | Auditd Configuration | RHCOS | MEDIUM | 1 | 🟢 Verified | 📦 | CNF-23514 | - |
| M10 | API Server Encryption | OCP | MEDIUM | 1 | 🟢 Verified | 📦 | CNF-22624 | #678 |
| M11 | Ingress TLS Ciphers | OCP | MEDIUM | 1 | ✅ PASS (vanilla) | 📦 | CNF-23451 | - |
| M12 | Audit Profile | OCP | MEDIUM | 1 | 🟢 Verified | 📦 | CNF-23452 | - |
| L1 | SSHD LogLevel | RHCOS | LOW | 1 | ✅ PASS (vanilla) | - | - | - |
| L2 | Sysctl dmesg_restrict | RHCOS | LOW | 1 | 🟢 Verified | 📦 | CNF-23450 | - |
| M13 | Extended DAC Audit | RHCOS | MEDIUM | 11 | 🟢 Verified | 📦 | CNF-23515 | - |
| M14 | Identity File Access Audit | RHCOS | MEDIUM | 12 | 🟢 Verified | 📦 | CNF-23516 | - |
| M15 | File Deletion Audit | RHCOS | MEDIUM | 5 | 🟢 Verified | 📦 | CNF-23517 | - |
| M16 | Unsuccessful File Modification Audit | RHCOS | MEDIUM | 32 | 🟢 Verified | 📦 | CNF-23518 | - |
| M17 | Privileged Commands Audit | RHCOS | MEDIUM | 22 | 🟢 Verified | 📦 | CNF-23519 | - |
| M18 | Session & MAC Audit | RHCOS | MEDIUM | 4 | 🟢 Verified | 📦 | CNF-23520 | - |
| M19 | Usergroup Modification Audit | RHCOS | MEDIUM | 5 | 🟢 Verified | 📦 | CNF-23521 | - |
| M20 | Auditd Data Retention | RHCOS | MEDIUM | 4 | 🟢 Verified | 📦 | CNF-23522 | - |
| M21 | Kernel Module Blacklist | RHCOS | MEDIUM | 18 | 🟢 Verified | 📦 | CNF-23523 | - |
| M22 | Network Sysctl Hardening | RHCOS | MEDIUM | 20 | 🟢 Verified | 📦 | CNF-23524 | - |
| M23 | Kernel Sysctl Extended | RHCOS | MEDIUM | 3 | 🟢 Verified | 📦 | CNF-23525 | - |
| M24 | CoreOS Kernel Arguments | RHCOS | MEDIUM | 6 | 🟢 Verified | 📦 | CNF-23526 | - |
| M25 | Chrony/NTP Configuration | RHCOS | MEDIUM | 4 | 🟢 Verified | 📦 | CNF-23527 | - |
| M26 | Systemd Hardening | RHCOS | MEDIUM | 6 | 🟢 Verified | 📦 | CNF-23528 | - |
| M27 | SSHD Moderate Extensions | RHCOS | MEDIUM | 2 | 🟢 Verified | 📦 | CNF-23529 | - |
| M28 | USBGuard | RHCOS | MEDIUM | 3 | 🟠 Partial | 📦 | - | - |
| M29 | System Access Controls | Mixed | MEDIUM | 7 | 🟠 Partial | 📦 | CNF-23453 | - |
| M30 | OAuth Configuration | Mixed | MEDIUM | 2 | 🟠 Partial | 📦 | CNF-23454 | - |
| MAN1 | Workload Security | OCP | MANUAL | 19 | 🟡 Pending | - | - | - |
| MAN2 | RBAC & Access Control | OCP | MANUAL | 7 | 🟡 Pending | - | - | - |
| MAN3 | Secrets Management | OCP | MANUAL | 2 | 🟡 Pending | - | - | - |
| MAN4 | Audit Log Partitions | OCP | MANUAL | 5 | 🟡 Pending | - | - | - |
| MAN5 | Hardware/BIOS & Alerting | OCP | MANUAL | 17 | 🟡 Pending | - | - | - |

Remediation Details

H1: Crypto Policy — 🟢 Verified

Jira: CNF-21212

| Check | Description |
|---|---|
| configure-crypto-policy | System-wide crypto policy (DEFAULT:NO-SHA1) |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. E8 PASS. Moderate crypto policy FAIL (expects FIPS, we set DEFAULT:NO-SHA1).

H2: PAM Empty Passwords — 🟢 Verified

Jira: CNF-21212

| Check | Description |
|---|---|
| no-empty-passwords | Disable nullok in PAM system-auth and password-auth |

FAIL on vanilla RHCOS 9.8. Remediation tested and works. Branch pending.

H3: SSHD Empty Passwords — ✅ PASS (vanilla RHCOS 9.8+)

These checks PASS on vanilla RHCOS 9.8+ (OCP 4.22+) without MachineConfig remediation.

Jira: CNF-21326

| Check | Description |
|---|---|
| sshd-disable-empty-passwords | Prevent SSH login with empty passwords |

PASS on vanilla RHCOS 9.8+ (OCP 4.22+). Older RHCOS versions still require remediation.

M1: SSHD Configuration — ✅ PASS (vanilla RHCOS 9.8+)

These checks PASS on vanilla RHCOS 9.8+ (OCP 4.22+) without MachineConfig remediation.

Jira: CNF-22620

| Check | Description |
|---|---|
| sshd-disable-root-login | Disable direct root SSH access |
| sshd-disable-gssapi-auth | Disable GSSAPI authentication |
| sshd-disable-rhosts | Disable rhost authentication |
| sshd-disable-user-known-hosts | Ignore user's known_hosts file |
| sshd-do-not-permit-user-env | Block user environment variable passing |
| sshd-enable-strictmodes | Enable strict mode checking |
| sshd-print-last-log | Display last login information |

PASS on vanilla RHCOS 9.8+ (OCP 4.22+). Older RHCOS versions still require remediation.

M2: Kernel Hardening (Sysctl) — 🟢 Verified

Jira: CNF-21196

| Check | Description |
|---|---|
| sysctl-kernel-randomize-va-space | Full ASLR - randomizes memory layout |
| sysctl-kernel-unprivileged-bpf-disabled | Prevent BPF-based privilege escalation |
| sysctl-kernel-yama-ptrace-scope | Restrict ptrace to parent-child processes |
| sysctl-net-core-bpf-jit-harden | Harden BPF JIT against spraying attacks |

FAIL on vanilla RHCOS 9.8. Remediation tested and works.

M3: Audit Rules - DAC Modifications — 🟢 Verified

Jira: CNF-23513

| Check | Description |
|---|---|
| audit-rules-dac-modification-chmod | Audit DAC chmod |
| audit-rules-dac-modification-chown | Audit DAC chown |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Audit rules deployed and compiled into audit.rules.

M4: Audit Rules - SELinux — 🟢 Verified

Jira: CNF-22621

| Check | Description |
|---|---|
| audit-rules-execution-chcon | Audit SELinux chcon |
| audit-rules-execution-restorecon | Audit SELinux restorecon |
| audit-rules-execution-semanage | Audit SELinux semanage |
| audit-rules-execution-setfiles | Audit SELinux setfiles |
| audit-rules-execution-setsebool | Audit SELinux setsebool |
| audit-rules-execution-seunshare | Audit SELinux seunshare |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Audit rules deployed and compiled into audit.rules.

M5: Audit Rules - Kernel Modules — 🟢 Verified

Jira: CNF-23448

| Check | Description |
|---|---|
| audit-rules-kernel-module-loading-delete | Audit kernel module delete |
| audit-rules-kernel-module-loading-finit | Audit kernel module finit |
| audit-rules-kernel-module-loading-init | Audit kernel module init |

FAIL on vanilla RHCOS 9.8. Remediation tested and works.

M6: Audit Rules - Time Modifications — 🟢 Verified

Jira: CNF-22622

| Check | Description |
|---|---|
| audit-rules-time-adjtimex | Audit time adjtimex |
| audit-rules-time-clock-settime | Audit time clock_settime |
| audit-rules-time-settimeofday | Audit time settimeofday |
| audit-rules-time-stime | Audit time stime |
| audit-rules-time-watch-localtime | Audit time localtime |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Audit rules deployed and compiled into audit.rules.

M7: Audit Rules - Login Monitoring — 🟢 Verified

Jira: CNF-22623

| Check | Description |
|---|---|
| audit-rules-login-events-faillock | Audit login faillock |
| audit-rules-login-events-lastlog | Audit login lastlog |
| audit-rules-login-events-tallylog | Audit login tallylog |
| audit-rules-login-events | Audit login events |
| audit-rules-sysadmin-actions | Audit sysadmin actions |
| audit-rules-usergroup-modification | Audit usergroup modification |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Audit rules deployed and compiled into audit.rules.

M8: Audit Rules - Network Config — 🟢 Verified

Jira: CNF-23449

| Check | Description |
|---|---|
| audit-rules-networkconfig-modification | Audit network config |

FAIL on vanilla RHCOS 9.8. Remediation tested and works.

M9: Auditd Configuration — 🟢 Verified

Jira: CNF-23514

| Check | Description |
|---|---|
| auditd-name-format | Auditd name format |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. auditd name_format=hostname.

M10: API Server Encryption — 🟢 Verified — PR #678

Jira: CNF-22624

| Check | Description |
|---|---|
| api-server-encryption-provider-cipher | API encryption |

Verified on cnfdt16 OCP 4.22. API encryption type=aescbc, all resources encrypted.

M11: Ingress TLS Ciphers — ✅ PASS (vanilla RHCOS 9.8+)

These checks PASS on vanilla RHCOS 9.8+ (OCP 4.22+) without MachineConfig remediation.

Jira: CNF-23451

| Check | Description |
|---|---|
| ingress-controller-tls-cipher-suites | Ingress TLS ciphers |

Vanilla scan on OCP 4.22 confirms PASS. No remediation needed.

M12: Audit Profile — 🟢 Verified

Jira: CNF-23452

| Check | Description |
|---|---|
| audit-profile-set | Audit profile |

Verified on cnfdt16 OCP 4.22. Audit profile set to WriteRequestBodies.

L1: SSHD LogLevel — ✅ PASS (vanilla RHCOS 9.8+)

These checks PASS on vanilla RHCOS 9.8+ (OCP 4.22+) without MachineConfig remediation.

| Check | Description |
|---|---|
| sshd-set-loglevel-info | Set SSH logging to INFO level |

PASS on vanilla RHCOS 9.8+ (OCP 4.22+). Older RHCOS versions still require remediation.

L2: Sysctl dmesg_restrict — 🟢 Verified

Jira: CNF-23450

| Check | Description |
|---|---|
| sysctl-kernel-dmesg-restrict | Restrict kernel log access to privileged users |

FAIL on vanilla RHCOS 9.8. Remediation tested and works.

M13: Extended DAC Audit — 🟢 Verified

Jira: CNF-23515

| Check | Description |
|---|---|
| audit-rules-dac-modification-fchmod | Audit fchmod operations |
| audit-rules-dac-modification-fchmodat | Audit fchmodat operations |
| audit-rules-dac-modification-fchown | Audit fchown operations |
| audit-rules-dac-modification-fchownat | Audit fchownat operations |
| audit-rules-dac-modification-fremovexattr | Audit fremovexattr operations |
| audit-rules-dac-modification-fsetxattr | Audit fsetxattr operations |
| audit-rules-dac-modification-lchown | Audit lchown operations |
| audit-rules-dac-modification-lremovexattr | Audit lremovexattr operations |
| audit-rules-dac-modification-lsetxattr | Audit lsetxattr operations |
| audit-rules-dac-modification-removexattr | Audit removexattr operations |
| audit-rules-dac-modification-setxattr | Audit setxattr operations |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 11 extended DAC audit rules deployed.

M14: Identity File Access Audit — 🟢 Verified

Jira: CNF-23516

| Check | Description |
|---|---|
| audit-rules-etc-group-open | Audit /etc/group access |
| audit-rules-etc-group-openat | Audit /etc/group access via openat |
| audit-rules-etc-group-open-by-handle-at | Audit /etc/group access via open_by_handle_at |
| audit-rules-etc-gshadow-open | Audit /etc/gshadow access |
| audit-rules-etc-gshadow-openat | Audit /etc/gshadow access via openat |
| audit-rules-etc-gshadow-open-by-handle-at | Audit /etc/gshadow access via open_by_handle_at |
| audit-rules-etc-passwd-open | Audit /etc/passwd access |
| audit-rules-etc-passwd-openat | Audit /etc/passwd access via openat |
| audit-rules-etc-passwd-open-by-handle-at | Audit /etc/passwd access via open_by_handle_at |
| audit-rules-etc-shadow-open | Audit /etc/shadow access |
| audit-rules-etc-shadow-openat | Audit /etc/shadow access via openat |
| audit-rules-etc-shadow-open-by-handle-at | Audit /etc/shadow access via open_by_handle_at |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 12 identity file audit rules deployed.

M15: File Deletion Audit — 🟢 Verified

Jira: CNF-23517

| Check | Description |
|---|---|
| audit-rules-file-deletion-events-rename | Audit rename operations |
| audit-rules-file-deletion-events-renameat | Audit renameat operations |
| audit-rules-file-deletion-events-rmdir | Audit rmdir operations |
| audit-rules-file-deletion-events-unlink | Audit unlink operations |
| audit-rules-file-deletion-events-unlinkat | Audit unlinkat operations |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 5 file deletion audit rules deployed.

M16: Unsuccessful File Modification Audit — 🟢 Verified

Jira: CNF-23518

| Check | Description |
|---|---|
| audit-rules-unsuccessful-file-modification-chmod | Audit failed chmod |
| audit-rules-unsuccessful-file-modification-open | Audit failed open |
| audit-rules-unsuccessful-file-modification-chown | Audit failed chown |
| audit-rules-unsuccessful-file-modification-creat | Audit failed creat |
| audit-rules-unsuccessful-file-modification-fchmod | Audit failed fchmod |
| audit-rules-unsuccessful-file-modification-fchmodat | Audit failed fchmodat |
| audit-rules-unsuccessful-file-modification-fchown | Audit failed fchown |
| audit-rules-unsuccessful-file-modification-fchownat | Audit failed fchownat |
| audit-rules-unsuccessful-file-modification-fremovexattr | Audit failed fremovexattr |
| audit-rules-unsuccessful-file-modification-fsetxattr | Audit failed fsetxattr |
| audit-rules-unsuccessful-file-modification-ftruncate | Audit failed ftruncate |
| audit-rules-unsuccessful-file-modification-lchown | Audit failed lchown |
| audit-rules-unsuccessful-file-modification-lremovexattr | Audit failed lremovexattr |
| audit-rules-unsuccessful-file-modification-lsetxattr | Audit failed lsetxattr |
| audit-rules-unsuccessful-file-modification-open-by-handle-at | Audit failed open-by-handle-at |
| audit-rules-unsuccessful-file-modification-open-by-handle-at-o-creat | Audit failed open-by-handle-at-o-creat |
| audit-rules-unsuccessful-file-modification-open-by-handle-at-o-trunc-write | Audit failed open-by-handle-at-o-trunc-write |
| audit-rules-unsuccessful-file-modification-open-by-handle-at-rule-order | Audit failed open-by-handle-at-rule-order |
| audit-rules-unsuccessful-file-modification-open-o-creat | Audit failed open-o-creat |
| audit-rules-unsuccessful-file-modification-open-o-trunc-write | Audit failed open-o-trunc-write |
| audit-rules-unsuccessful-file-modification-open-rule-order | Audit failed open-rule-order |
| audit-rules-unsuccessful-file-modification-openat | Audit failed openat |
| audit-rules-unsuccessful-file-modification-openat-o-creat | Audit failed openat-o-creat |
| audit-rules-unsuccessful-file-modification-openat-o-trunc-write | Audit failed openat-o-trunc-write |
| audit-rules-unsuccessful-file-modification-openat-rule-order | Audit failed openat-rule-order |
| audit-rules-unsuccessful-file-modification-removexattr | Audit failed removexattr |
| audit-rules-unsuccessful-file-modification-rename | Audit failed rename |
| audit-rules-unsuccessful-file-modification-renameat | Audit failed renameat |
| audit-rules-unsuccessful-file-modification-setxattr | Audit failed setxattr |
| audit-rules-unsuccessful-file-modification-truncate | Audit failed truncate |
| audit-rules-unsuccessful-file-modification-unlink | Audit failed unlink |
| audit-rules-unsuccessful-file-modification-unlinkat | Audit failed unlinkat |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 18 unsuccessful file modification audit rule files deployed.

M17: Privileged Commands Audit — 🟢 Verified

Jira: CNF-23519

| Check | Description |
|---|---|
| audit-rules-privileged-commands-su | Audit su execution |
| audit-rules-privileged-commands-sudo | Audit sudo execution |
| audit-rules-privileged-commands-passwd | Audit passwd execution |
| audit-rules-privileged-commands-mount | Audit mount execution |
| audit-rules-privileged-commands-at | Audit privileged at |
| audit-rules-privileged-commands-chage | Audit privileged chage |
| audit-rules-privileged-commands-chsh | Audit privileged chsh |
| audit-rules-privileged-commands-crontab | Audit privileged crontab |
| audit-rules-privileged-commands-gpasswd | Audit privileged gpasswd |
| audit-rules-privileged-commands-newgidmap | Audit privileged newgidmap |
| audit-rules-privileged-commands-newgrp | Audit privileged newgrp |
| audit-rules-privileged-commands-newuidmap | Audit privileged newuidmap |
| audit-rules-privileged-commands-pam-timestamp-check | Audit privileged pam-timestamp-check |
| audit-rules-privileged-commands-postdrop | Audit privileged postdrop |
| audit-rules-privileged-commands-postqueue | Audit privileged postqueue |
| audit-rules-privileged-commands-pt-chown | Audit privileged pt-chown |
| audit-rules-privileged-commands-ssh-keysign | Audit privileged ssh-keysign |
| audit-rules-privileged-commands-sudoedit | Audit privileged sudoedit |
| audit-rules-privileged-commands-umount | Audit privileged umount |
| audit-rules-privileged-commands-unix-chkpwd | Audit privileged unix-chkpwd |
| audit-rules-privileged-commands-userhelper | Audit privileged userhelper |
| audit-rules-privileged-commands-usernetctl | Audit privileged usernetctl |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 22 privileged command audit rules deployed.

M18: Session & MAC Audit — 🟢 Verified

Jira: CNF-23520

| Check | Description |
|---|---|
| audit-rules-session-events | Audit session events |
| audit-rules-mac-modification | Audit MAC policy changes |
| audit-rules-media-export | Audit media export |
| audit-rules-immutable | Make audit rules immutable |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Session, MAC-policy, export, immutable audit rules deployed.

M19: Usergroup Modification Audit — 🟢 Verified

Jira: CNF-23521

| Check | Description |
|---|---|
| audit-rules-usergroup-modification-group | Watch /etc/group |
| audit-rules-usergroup-modification-gshadow | Watch /etc/gshadow |
| audit-rules-usergroup-modification-opasswd | Watch /etc/opasswd |
| audit-rules-usergroup-modification-passwd | Watch /etc/passwd |
| audit-rules-usergroup-modification-shadow | Watch /etc/shadow |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 5 usergroup modification file watches deployed.

M20: Auditd Data Retention — 🟢 Verified

Jira: CNF-23522

| Check | Description |
|---|---|
| auditd-data-disk-error-action | Set disk error action |
| auditd-data-disk-full-action | Set disk full action |
| auditd-data-retention-admin-space-left-action | Set admin space-left action |
| auditd-data-retention-space-left | Set space-left threshold |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Auditd data retention settings applied.

M21: Kernel Module Blacklist — 🟢 Verified

Jira: CNF-23523

| Check | Description |
|---|---|
| kernel-module-bluetooth-disabled | Disable Bluetooth |
| kernel-module-usb-storage-disabled | Disable USB storage |
| kernel-module-sctp-disabled | Disable SCTP |
| kernel-module-atm-disabled | Disable atm |
| kernel-module-can-disabled | Disable can |
| kernel-module-cfg80211-disabled | Disable cfg80211 |
| kernel-module-cramfs-disabled | Disable cramfs |
| kernel-module-firewire-core-disabled | Disable firewire-core |
| kernel-module-freevxfs-disabled | Disable freevxfs |
| kernel-module-hfs-disabled | Disable hfs |
| kernel-module-hfsplus-disabled | Disable hfsplus |
| kernel-module-iwlmvm-disabled | Disable iwlmvm |
| kernel-module-iwlwifi-disabled | Disable iwlwifi |
| kernel-module-jffs2-disabled | Disable jffs2 |
| kernel-module-mac80211-disabled | Disable mac80211 |
| kernel-module-squashfs-disabled | Disable squashfs |
| kernel-module-tipc-disabled | Disable tipc |
| kernel-module-udf-disabled | Disable udf |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 18 kernel module blacklist files deployed.

M22: Network Sysctl Hardening — 🟢 Verified

Jira: CNF-23524

| Check | Description |
|---|---|
| sysctl-net-ipv4-conf-all-accept-redirects | Reject ICMP redirects |
| sysctl-net-ipv4-tcp-syncookies | Enable TCP SYN cookies |
| sysctl-net-ipv6-conf-all-accept-ra | Reject IPv6 router advertisements |
| sysctl-net-ipv4-conf-all-accept-source-route | Net sysctl ipv4-conf-all-accept-source-route |
| sysctl-net-ipv4-conf-all-log-martians | Net sysctl ipv4-conf-all-log-martians |
| sysctl-net-ipv4-conf-all-rp-filter | Net sysctl ipv4-conf-all-rp-filter |
| sysctl-net-ipv4-conf-all-secure-redirects | Net sysctl ipv4-conf-all-secure-redirects |
| sysctl-net-ipv4-conf-all-send-redirects | Net sysctl ipv4-conf-all-send-redirects |
| sysctl-net-ipv4-conf-default-accept-redirects | Net sysctl ipv4-conf-default-accept-redirects |
| sysctl-net-ipv4-conf-default-log-martians | Net sysctl ipv4-conf-default-log-martians |
| sysctl-net-ipv4-conf-default-rp-filter | Net sysctl ipv4-conf-default-rp-filter |
| sysctl-net-ipv4-conf-default-secure-redirects | Net sysctl ipv4-conf-default-secure-redirects |
| sysctl-net-ipv4-conf-default-send-redirects | Net sysctl ipv4-conf-default-send-redirects |
| sysctl-net-ipv4-icmp-echo-ignore-broadcasts | Net sysctl ipv4-icmp-echo-ignore-broadcasts |
| sysctl-net-ipv4-icmp-ignore-bogus-error-responses | Net sysctl ipv4-icmp-ignore-bogus-error-responses |
| sysctl-net-ipv6-conf-all-accept-redirects | Net sysctl ipv6-conf-all-accept-redirects |
| sysctl-net-ipv6-conf-all-accept-source-route | Net sysctl ipv6-conf-all-accept-source-route |
| sysctl-net-ipv6-conf-default-accept-ra | Net sysctl ipv6-conf-default-accept-ra |
| sysctl-net-ipv6-conf-default-accept-redirects | Net sysctl ipv6-conf-default-accept-redirects |
| sysctl-net-ipv6-conf-default-accept-source-route | Net sysctl ipv6-conf-default-accept-source-route |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 20 network sysctl hardening configs deployed.

M23: Kernel Sysctl Extended — 🟢 Verified

Jira: CNF-23525

| Check | Description |
|---|---|
| sysctl-kernel-kexec-load-disabled | Disable kexec |
| sysctl-kernel-perf-event-paranoid | Restrict perf_event |
| sysctl-kernel-core-pattern | Disable core dumps |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. core_pattern, kexec_load_disabled, perf_event_paranoid set.

M24: CoreOS Kernel Arguments — 🟢 Verified

Jira: CNF-23526

| Check | Description |
|---|---|
| coreos-pti-kernel-argument | Enable PTI |
| coreos-audit-option | Enable audit |
| coreos-nousb-kernel-argument | Disable USB |
| coreos-audit-backlog-limit-kernel-argument | CoreOS kernel arg |
| coreos-page-poison-kernel-argument | CoreOS kernel arg |
| coreos-vsyscall-kernel-argument | CoreOS kernel arg |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. 6 kernel args: audit, audit_backlog_limit, nousb, page_poison, pti, vsyscall.

M25: Chrony/NTP Configuration — 🟢 Verified

Jira: CNF-23527

| Check | Description |
|---|---|
| chronyd-client-only | Restrict chrony to client mode |
| chronyd-no-chronyc-network | Disable chronyc network |
| chronyd-or-ntpd-set-maxpoll | Chrony config |
| chronyd-or-ntpd-specify-multiple-servers | Chrony config |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Chrony port=0, cmdport=0, maxpoll=10, 4 NTP servers.

M26: Systemd Hardening — 🟢 Verified

Jira: CNF-23528

| Check | Description |
|---|---|
| disable-ctrlaltdel-burstaction | Disable Ctrl-Alt-Del burst |
| disable-ctrlaltdel-reboot | Disable Ctrl-Alt-Del reboot |
| coredump-disable-backtraces | Disable coredump backtraces |
| coredump-disable-storage | Disable coredump storage |
| disable-users-coredumps | Disable user coredumps |
| service-systemd-coredump-disabled | Systemd coredump disabled |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Coredump disabled, ctrl-alt-del masked, systemd-coredump masked.

M27: SSHD Moderate Extensions — 🟢 Verified

Jira: CNF-23529

| Check | Description |
|---|---|
| sshd-set-idle-timeout | Set SSH idle timeout |
| sshd-set-keepalive | Set SSH keepalive |

Verified on cnfdt16 OCP 4.22 RHCOS 9.8. Settings applied (sshd -T confirms ClientAliveInterval=300 and ClientAliveCountMax=0). The Moderate scanner still reports FAIL; this is a known limitation of the check, which does not detect settings placed in drop-in config files.

M28: USBGuard — 🟠 Partial

| Check | Description |
|---|---|
| package-usbguard-installed | Install USBGuard |
| service-usbguard-enabled | Enable USBGuard |
| usbguard-allow-hid-and-hub | Allow HID/hub USB devices |

M29: System Access Controls — 🟠 Partial

Jira: CNF-23453

| Check | Description |
|---|---|
| banner-etc-issue | Set login banner |
| ensure-logrotate-activated | Ensure logrotate active |
| service-debug-shell-disabled | Disable debug shell |
| no-tmux-in-shells | Restrict tmux in shells |
| banner-or-login-template-set | Login banner template |
| no-direct-root-logins | No direct root logins |
| openshift-motd-exists | MOTD configuration |

Verified on cnfdt16 OCP 4.22. RHCOS node checks (securetty, audit trail) PASS. OCP platform checks (banner-or-login-template-set, openshift-motd-exists) still FAIL; they require per-deployment configuration.

M30: OAuth Configuration — 🟠 Partial

Jira: CNF-23454

| Check | Description |
|---|---|
| oauth-or-oauthclient-inactivity-timeout | Set OAuth inactivity timeout |
| oauth-or-oauthclient-token-maxage | Set OAuth token max age |

Verified on cnfdt16 OCP 4.22. accessTokenInactivityTimeout set. oauth-or-oauthclient-token-maxage and PCI-DSS inactivity-timeout still FAIL. Branch needs update with accessTokenMaxAgeSeconds.

MAN1: Workload Security — 🟡 Pending

| Check | Description |
|---|---|
| configure-network-policies-namespaces | Manual: Configure network policies per namespace |
| accounts-restrict-service-account-tokens | Manual: Restrict SA token automounting |
| accounts-unique-service-account | Manual: Use unique service accounts |
| general-apply-scc | Manual: Apply SCCs to pods |
| general-default-namespace-use | Manual: Don't use default namespace |
| general-default-seccomp-profile | Manual: Enable seccomp profiles |
| general-namespaces-in-use | Manual: Use namespaces for isolation |
| scc-limit-privilege-escalation | Manual: Limit privilege escalation |
| scc-limit-privileged-containers | Manual: Limit privileged containers |
| scc-limit-root-containers | Manual: Limit root containers |
| scc-drop-container-capabilities | Manual: Drop container capabilities |
| scc-limit-container-allowed-capabilities | Manual: Limit container capabilities |
| scc-limit-ipc-namespace | Manual: Limit IPC namespace |
| scc-limit-net-raw-capability | Manual: Limit NET_RAW |
| scc-limit-network-namespace | Manual: Limit network namespace |
| scc-limit-process-id-namespace | Manual: Limit PID namespace |
| general-configure-imagepolicywebhook | Manual: Image provenance |
| resource-requests-limits-in-daemonset | Manual: Resource requests in daemonsets |
| resource-requests-quota | Manual: Resource quotas |

MAN2: RBAC & Access Control — 🟡 Pending

| Check | Description |
|---|---|
| rbac-least-privilege | Manual: Review RBAC least privilege |
| rbac-limit-cluster-admin | Manual: Limit cluster-admin usage |
| rbac-limit-secrets-access | Manual: Restrict secrets access |
| rbac-pod-creation-access | Manual: Minimize pod creation access |
| rbac-wildcard-use | Manual: Minimize wildcard roles |
| idp-is-configured | Manual: Configure identity provider |
| kubeadmin-removed | Manual: Remove kubeadmin |

MAN3: Secrets Management — 🟡 Pending

| Check | Description |
|---|---|
| secrets-consider-external-storage | Manual: Use external secret storage |
| secrets-no-environment-variables | Manual: Don't use env vars for secrets |

MAN4: Audit Log Partitions — 🟡 Pending

| Check | Description |
|---|---|
| audit-log-forwarding-enabled | Manual: Audit log forwarding |
| audit-log-forwarding-uses-tls | Manual: Audit log forwarding TLS |
| directory-access-var-log-audit | Manual: Audit log access |
| partition-for-var-log | Manual: /var/log partition |
| partition-for-var-log-audit | Manual: /var/log/audit partition |

MAN5: Hardware/BIOS & Alerting — 🟡 Pending

| Check | Description |
|---|---|
| bios-disable-usb-boot | Manual: Disable USB boot |
| wireless-disable-in-bios | Manual: Disable WiFi in BIOS |
| acs-sensor-exists | Manual: ACS sensor deployment |
| cluster-version-operator-exists | Manual: CVO check |
| cluster-wide-proxy-set | Manual: Cluster proxy configuration |
| container-security-operator-exists | Manual: Container security operator |
| default-ingress-ca-replaced | Manual: Replace default ingress CA |
| enable-fips-mode | Manual: Enable FIPS mode |
| file-integrity-exists | Manual: File integrity operator |
| file-integrity-notification-enabled | Manual: File integrity notifications |
| fips-mode-enabled-on-all-nodes | Manual: FIPS on all nodes |
| ingress-controller-certificate | Manual: Ingress controller certificate |
| machine-volume-encrypted | Manual: Encrypt machine volumes |
| ocp-allowed-registries | Manual: Configure allowed registries |
| ocp-allowed-registries-for-import | Manual: Allowed registries for import |
| security-profiles-operator-exists | Manual: Security profiles operator |
| alert-receiver-configured | Manual: Configure alert receiver |

Legend

Status: 🔵 In Progress, 🟡 Pending, ⚪ On Hold, 🟢 Complete

Severity: HIGH, MEDIUM, LOW, MANUAL
