MEDIUM RHCOS (Node) M27: SSHD Moderate Extensions P3

Remediation required. Two of the three checks in this group fail on vanilla RHCOS 10.2 and require MachineConfig remediation (the third, the AllowUsers check, reports notapplicable; see the implementation note below). Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Additional sshd hardening beyond M1 (E8): sets an idle-session timeout and the keepalive behaviour that enforces it, and restricts SSH logins to authorized users only.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                  Description
ClientAliveInterval    Set the SSH idle-timeout interval (seconds between client-alive probes)
ClientAliveCountMax    Set the number of unanswered client-alive probes allowed before disconnect
AllowUsers core        Restrict SSH access to the core user only

Implementation Note: AllowUsers

The sshd-limit-user-access check is not evaluated by the compliance-operator scan: it returns notapplicable on RHCOS because the OVAL check cannot find the configuration pattern it expects. The remediation is nonetheless valid and is recommended by NIST 800-53 Moderate.

The MachineConfig uses a systemd unit that checks whether AllowUsers or AllowGroups is already set and, if not, creates a drop-in restricting SSH to the core user only, so an operator's existing restriction is never overridden.

Reference: cnf-features-deploy PR #2147 (closed, but the approach remains valid)
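The check-then-create logic described above, as an added example rather than the page's own MachineConfig or the code from the referenced PR: this is what a oneshot systemd unit's ExecStart could run. It reads the effective configuration from `sshd -T`, which lowercases keywords and omits AllowUsers/AllowGroups entirely when they are unset, and only writes a drop-in when neither is present. The drop-in file name 90-allowusers.conf and the optional `sshd -t` roll-back are assumptions, not something the page specifies.

```shell
#!/usr/bin/env bash
# Added example, not the page's MachineConfig: idempotent AllowUsers drop-in
# creation for a oneshot systemd unit. Drop-in name and directory are assumptions.
set -u

# Return 0 when the effective sshd configuration (sshd -T output on stdin)
# already carries an AllowUsers or AllowGroups restriction, 1 otherwise.
# sshd -T prints lowercase keywords and omits these two when unset.
has_access_restriction() {
  grep -qiE '^(allowusers|allowgroups)[[:space:]]'
}

# ensure_allowusers_dropin DIR USER EFFECTIVE
#   DIR        drop-in directory (e.g. /etc/ssh/sshd_config.d)
#   USER       the only account allowed to log in over SSH
#   EFFECTIVE  the current `sshd -T` output
# Prints "created" or "skipped". The write is atomic (temp file + rename) so
# sshd never sees a half-written drop-in.
ensure_allowusers_dropin() {
  dir=$1 user=$2 effective=$3
  target="$dir/90-allowusers.conf"
  if printf '%s\n' "$effective" | has_access_restriction; then
    echo skipped
    return 0
  fi
  mkdir -p "$dir"
  tmp=$(mktemp "$dir/.90-allowusers.XXXXXX") || return 1
  printf 'AllowUsers %s\n' "$user" > "$tmp"
  chmod 0600 "$tmp"
  mv -f "$tmp" "$target"
  echo created
}

# Live path for the unit (run as root, Before=sshd.service): apply against the
# real effective config and roll back if sshd rejects the resulting config.
if [ "${1:-}" = "--live" ]; then
  result=$(ensure_allowusers_dropin /etc/ssh/sshd_config.d core "$(sshd -T)")
  if [ "$result" = created ] && ! sshd -t; then
    rm -f /etc/ssh/sshd_config.d/90-allowusers.conf
    echo "rolled back: sshd -t rejected the new drop-in" >&2
    exit 1
  fi
  echo "$result"
fi
```

Because sshd processes drop-ins in lexical order and RHCOS already ships 40-rhcos-defaults.conf, a name sorting after it keeps the vendor defaults intact; AllowUsers lines are cumulative, so the drop-in cannot silently widen an existing allow list either.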

Verification

sshd -T prints the configuration the daemon actually enforces after all drop-ins are merged, so it reflects the applied remediation even where the scanner's file-pattern check does not:

oc debug node/<node> -- chroot /host bash -c '
sshd -T | grep -E "clientaliveinterval|clientalivecountmax|allowusers"
'

Expected output (values applied by the Moderate-profile remediation):

clientaliveinterval 600
clientalivecountmax 0
allowusers core

Caveat: on OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables connection termination entirely (see PR History below), so with this output the 600-second interval never disconnects a session. For the timeout to take effect, ClientAliveCountMax must be at least 1.
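A checker for the verification step above, as an added example that is not the compliance-operator check and not code from this page: it parses `sshd -T` output with the semantics sshd actually applies, including the ClientAliveCountMax=0 pitfall, and so reports the page's own expected output as one failure. The 600-second ceiling and the core user come from this page; the sample input is constructed from the expected output shown above.

```shell
#!/usr/bin/env bash
# Added example, not the compliance-operator check: evaluates `sshd -T` output
# against the three M27 settings. Treating ClientAliveCountMax=0 as a failure
# follows OpenSSH 8.2+, where 0 disables connection termination.
set -u

# sshd_value KEYWORD  < sshd -T output
# Prints the value(s) of a lowercase keyword, or nothing if sshd omitted it
# (unset list options such as allowusers are not printed at all).
sshd_value() {
  awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_m27 EFFECTIVE [MAX_IDLE] [USER]
# Prints one PASS/FAIL line per setting and returns the number of failures.
check_m27() {
  effective=$1 max_idle=${2:-600} user=${3:-core} fails=0
  interval=$(printf '%s\n' "$effective" | sshd_value clientaliveinterval)
  countmax=$(printf '%s\n' "$effective" | sshd_value clientalivecountmax)
  allow=$(printf '%s\n' "$effective" | sshd_value allowusers)

  # A positive probe interval no longer than the policy ceiling.
  if [ -n "$interval" ] && [ "$interval" -gt 0 ] && [ "$interval" -le "$max_idle" ]; then
    echo "PASS clientaliveinterval=$interval"
  else
    echo "FAIL clientaliveinterval=${interval:-unset} (want 1..$max_idle)"
    fails=$((fails + 1))
  fi

  # Unless at least one unanswered probe is fatal, the interval never
  # disconnects anyone: ClientAliveCountMax 0 means "never terminate".
  if [ -n "$countmax" ] && [ "$countmax" -ge 1 ]; then
    echo "PASS clientalivecountmax=$countmax"
  else
    echo "FAIL clientalivecountmax=${countmax:-unset} (0 disables termination on OpenSSH 8.2+)"
    fails=$((fails + 1))
  fi

  # sshd -T prints all AllowUsers entries on one line; require the expected user.
  case " $allow " in
    *" $user "*) echo "PASS allowusers=$allow" ;;
    *) echo "FAIL allowusers=${allow:-unset} (want $user)"; fails=$((fails + 1)) ;;
  esac
  return "$fails"
}

# Constructed sample: the "Expected output" shown on this page.
SAMPLE_PAGE='clientaliveinterval 600
clientalivecountmax 0
allowusers core'

if [ "${1:-}" = "--live" ]; then
  check_m27 "$(sshd -T)"          # on a node, as root
else
  check_m27 "$SAMPLE_PAGE" || echo "$? check(s) failed"
fi
```

Run it with `--live` inside `oc debug node/<node> -- chroot /host` to evaluate the real daemon; without arguments it evaluates the constructed sample and flags the zero ClientAliveCountMax.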

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

ClientAliveInterval=300, ClientAliveCountMax=0 (scope: RAN, priority: Low)
Target: openshift/os, /etc/ssh/sshd_config.d/50-hardening.conf
Intent: disconnect idle SSH sessions after 5 minutes so that abandoned sessions cannot be picked up by someone else. Two caveats apply. Client-alive probes detect a client that has stopped responding, not a user who has stopped typing, and on OpenSSH 8.2 and later ClientAliveCountMax=0 disables connection termination altogether, so as written the proposal would never disconnect anything; ClientAliveCountMax must be at least 1 for the interval to matter. The 5-minute value is also stricter than the 600 seconds the Moderate remediation applies (see Verification).
Scope: a 5-minute idle timeout is aggressive; platform teams may need longer SSH sessions for debugging. Appropriate for hardened production deployments.

PR History

ClientAliveInterval=300, ClientAliveCountMax=0 (status: Not Filed, blocked)
Session timeout via ClientAliveInterval/ClientAliveCountMax is operational policy rather than a security default. The upstream default ClientAliveInterval=0 sends no keepalives at all. On OpenSSH 8.2p1 and later these settings detect unresponsive TCP connections, not idle users, and a ClientAliveCountMax of 0 disables termination entirely, which is counterproductive. RHCOS already ships an sshd drop-in at overlay.d/05rhcos/etc/ssh/sshd_config.d/40-rhcos-defaults.conf. The Compliance Operator Moderate scanner has a known drop-in detection limitation that reports FAIL even when the settings are correctly applied.