OCP 5.0 Remediation Groups
| ← Back to OCP 5.0 Compliance Status | View Summary |
Each group below represents a logical set of related compliance checks that can be remediated together in a single MachineConfig or CRD.
HIGH Severity
| Group | Title | Priority | Status | Tested | Jira | PR |
|---|---|---|---|---|---|---|
| H1 | Crypto Policy | P1 | 🔵 In Progress | PASS | CNF-21212 | #735 |
| H2 | PAM Empty Passwords | P1 | 🔵 In Progress | PASS | CNF-21212 | #736 |
| H3 | SSHD Empty Passwords | P1 | 🟢 Complete | PASS | CNF-21326 | - |
MEDIUM Severity
| Group | Title | Priority | Status | Tested | Compare | Jira | PR |
|---|---|---|---|---|---|---|---|
| M1 | SSHD Configuration | P2 | 🔵 In Progress | PARTIAL | 📦 | CNF-22620 | - |
| M4 | Audit Rules - SELinux | P2 | 🔵 In Progress | PASS | 📦 | CNF-22621 | - |
| M6 | Audit Rules - Time Modifications | P2 | 🔵 In Progress | PASS | 📦 | CNF-22622 | - |
| M7 | Audit Rules - Login Monitoring | P2 | 🔵 In Progress | PASS | 📦 | CNF-22623 | - |
| M10 | API Server Encryption | P2 | 🔵 In Progress | PASS | 📦 | CNF-22624 | #678 |
| M2 | Kernel Hardening (Sysctl) | P3 | 🔵 In Progress | PASS | 📦 | CNF-21196 | #737 |
| M3 | Audit Rules - DAC Modifications | P3 | 🔵 In Progress | PASS | 📦 | CNF-23513 | - |
| M5 | Audit Rules - Kernel Modules | P3 | 🔵 In Progress | PASS | 📦 | CNF-23448 | #738 |
| M8 | Audit Rules - Network Config | P3 | 🔵 In Progress | PASS | 📦 | CNF-23449 | - |
| M9 | Auditd Configuration | P3 | 🔵 In Progress | PASS | 📦 | CNF-23514 | - |
| M11 | Ingress TLS Ciphers | P3 | 🟢 Complete | PASS | - | CNF-23451 | - |
| M12 | Audit Profile | P3 | 🔵 In Progress | PASS | 📦 | CNF-23452 | - |
| M13 | Extended DAC Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23515 | - |
| M14 | Identity File Access Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23516 | - |
| M15 | File Deletion Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23517 | - |
| M16 | Unsuccessful File Modification Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23518 | - |
| M17 | Privileged Commands Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23519 | - |
| M18 | Session & MAC Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23520 | - |
| M19 | Usergroup Modification Audit | P3 | 🔵 In Progress | PASS | 📦 | CNF-23521 | - |
| M20 | Auditd Data Retention | P3 | 🔵 In Progress | PASS | 📦 | CNF-23522 | - |
| M21 | Kernel Module Blacklist | P3 | 🔵 In Progress | PASS | 📦 | CNF-23523 | - |
| M22 | Network Sysctl Hardening | P3 | 🔵 In Progress | PASS | 📦 | CNF-23524 | - |
| M23 | Kernel Sysctl Extended | P3 | 🔵 In Progress | PASS | 📦 | CNF-23525 | - |
| M24 | CoreOS Kernel Arguments | P3 | 🔵 In Progress | PASS | 📦 | CNF-23526 | - |
| M25 | Chrony/NTP Configuration | P3 | 🔵 In Progress | PASS | 📦 | CNF-23527 | - |
| M26 | Systemd Hardening | P3 | 🔵 In Progress | PASS | 📦 | CNF-23528 | - |
| M27 | SSHD Moderate Extensions | P3 | 🔵 In Progress | PASS | 📦 | CNF-23529 | - |
| M28 | USBGuard | P3 | ⚪ On Hold | WARN | 📦 | - | - |
| M29 | System Access Controls | P3 | 🔵 In Progress | PASS | 📦 | CNF-23453 | - |
| M30 | OAuth Configuration | P3 | 🔵 In Progress | PASS | 📦 | CNF-23454 | - |
LOW Severity
| Group | Title | Priority | Status | Tested | Compare | Jira | PR |
|---|---|---|---|---|---|---|---|
| L1 | SSHD LogLevel | P4 | 🟢 Complete | PASS | - | - | - |
| L2 | Sysctl dmesg_restrict | P4 | 🔵 In Progress | PASS | 📦 | CNF-23450 | - |
Manual Checks (No Auto-Remediation)
These checks require manual operator review — no MachineConfig or CRD can fix them automatically.
| Group | Title | Checks | Priority | Status |
|---|---|---|---|---|
| MAN1 | Workload Security | 15 | P3 | 🟡 Pending |
| MAN2 | RBAC & Access Control | 5 | P2 | 🟡 Pending |
| MAN3 | Secrets Management | 2 | P3 | 🟡 Pending |
| MAN4 | Audit Log Partitions | 4 | P4 | 🟡 Pending |
| MAN5 | Hardware/BIOS & Alerting | 5 | P4 | 🟡 Pending |
Group Naming Convention
- H = HIGH severity (H1, H2, H3)
- M = MEDIUM severity (M1-M30)
- L = LOW severity (L1, L2)
- MAN = Manual checks (MAN1-MAN5)
Priority Legend
| Priority | Label | Criteria |
|---|---|---|
| P1 | Critical | HIGH severity - security critical |
| P2 | High | MEDIUM severity with high impact (5+ checks) or API/encryption |
| P3 | Medium | MEDIUM severity with standard impact |
| P4 | Low | LOW severity - best practices |
| P5 | Deferred | On hold or blocked |
Status Legend
| Status | Meaning |
|---|---|
| 🔵 In Progress | Active PR open for remediation |
| 🟡 Pending | Not yet started |
| ⚪ On Hold | Paused |
| 🟢 Complete | Merged and verified |
Linking to Groups from PRs
Use these URLs in your PR descriptions:
https://sebrandon1.github.io/compliance-scripts/versions/5.0/groups/H1.html
https://sebrandon1.github.io/compliance-scripts/versions/5.0/groups/M1.html
Example markdown for PR descriptions:
This PR implements [H1: Crypto Policy](https://sebrandon1.github.io/compliance-scripts/versions/5.0/groups/H1.html) and [H2: PAM Empty Passwords](https://sebrandon1.github.io/compliance-scripts/versions/5.0/groups/H2.html).