MEDIUM RHCOS (Node) M26: Systemd Hardening P3
Remediation required. This group (6 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Disables dangerous systemd behaviors: prevents Ctrl-Alt-Del from rebooting nodes (both single-press and burst), disables core dump generation and storage to prevent information leakage.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
Ctrl-Alt-Del burst action |
Disable CtrlAltDelBurstAction |
Ctrl-Alt-Del reboot |
Disable Ctrl-Alt-Del reboot target |
Coredump backtraces |
Disable coredump backtrace generation |
Coredump storage |
Disable coredump storage |
User coredumps |
Disable user coredumps via limits.conf |
Verification
oc debug node/<node> -- chroot /host systemctl status ctrl-alt-del.target
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
Disable coredumps (Storage=none, ProcessSizeMax=0)
RAN
Med
openshift/os
/etc/systemd/coredump.conf.d/50-no-coredumps.conf
Container hosts shouldn't store core dumps. Prevents sensitive data leakage and disk exhaustion from crashed processes.
Scope: Disabling core dumps prevents crash debugging for node-level issues. Appropriate for hardened production but not dev/QE clusters.
Scope: Disabling core dumps prevents crash debugging for node-level issues. Appropriate for hardened production but not dev/QE clusters.
Mask ctrl-alt-del.target, CtrlAltDelBurstAction=none
RAN
Low
Prevents accidental or malicious reboot via keyboard. RHCOS nodes are headless servers, not interactive workstations.
Scope: Bare-metal operators use Ctrl-Alt-Del via BMC console to recover hung nodes when SSH is unavailable. Masking it removes a useful recovery tool. Appropriate for hardened RAN production nodes where accidental reboots are catastrophic.
Scope: Bare-metal operators use Ctrl-Alt-Del via BMC console to recover hung nodes when SSH is unavailable. Masking it removes a useful recovery tool. Appropriate for hardened RAN production nodes where accidental reboots are catastrophic.
PR History
Mask ctrl-alt-del.target, CtrlAltDelBurstAction=none
CoreOS maintainers addressed console security via GRUB bootloader passwords (coreos/fedora-coreos-tracker#134), not by disabling the reboot key sequence. Their position: Ctrl-Alt-Del is one step in an attack chain — the real fix is GRUB passwords, which prevent rd.break root shell access after reboot. Additionally, rhel-coreos-config maintainers prefer accepting RHEL defaults (PR #264 feedback). RHEL ships with Ctrl-Alt-Del enabled. Physical/BMC console access already implies ability to power cycle via IPMI, so disabling the keyboard shortcut doesn't meaningfully raise the security bar.