OCP 5.0 Remediation Groupings
| β Back to OCP 5.0 Compliance Status | View Detailed Group Pages |
This page catalogs all compliance remediation groups for OCP 5.0, dynamically generated from tracking data.
Target baseline: RHCOS 10.2 (OCP 5.0) with compliance-operator and pinned content image.
Quick Summary
| Status | Count |
|---|---|
| β PASS on vanilla RHCOS 10.2+ | 0 groups |
| π’ Verified (remediation works) | 0 groups |
| π΅ In Progress | 0 groups |
| π‘ Pending | 35 groups |
| π Partial | 0 groups |
| π Manual | 5 groups |
Remediation Status
| Group | Category | Platform | Severity | Checks | Status | Upstream | Compare | Jira | PR |
|---|---|---|---|---|---|---|---|---|---|
| H1 | Crypto Policy | RHCOS | HIGH | 1 | π‘ Pending | π― RAN Only | π¦ | - | - |
| H2 | PAM Empty Passwords | RHCOS | HIGH | 1 | verified-needed | πΌ Candidate | π¦ | - | #821 |
| H3 | SSHD Empty Passwords | RHCOS | HIGH | 1 | π‘ Pending | β Pass | - | - | - |
| M1 | SSHD Configuration | RHCOS | MEDIUM | 7 | π‘ Pending | β Pass | π¦ | - | - |
| M2 | Kernel Hardening (Sysctl) | RHCOS | MEDIUM | 4 | verified-needed | π― RAN Only | π¦ | - | #822 |
| M3 | Audit Rules - DAC Modifications | RHCOS | MEDIUM | 2 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M4 | Audit Rules - SELinux | RHCOS | MEDIUM | 6 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M5 | Audit Rules - Kernel Modules | RHCOS | MEDIUM | 3 | verified-needed | π― RAN Only | π¦ | - | #823 |
| M6 | Audit Rules - Time Modifications | RHCOS | MEDIUM | 5 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M7 | Audit Rules - Login Monitoring | RHCOS | MEDIUM | 6 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M8 | Audit Rules - Network Config | RHCOS | MEDIUM | 1 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M9 | Auditd Configuration | RHCOS | MEDIUM | 1 | verified-needed | π― RAN Only | π¦ | - | #824 |
| M10 | API Server Encryption | OCP | MEDIUM | 1 | verified-needed | βοΈ Platform | π¦ | - | #820 |
| M11 | Ingress TLS Ciphers | OCP | MEDIUM | 1 | π‘ Pending | β Pass | π¦ | - | - |
| M12 | Audit Profile | OCP | MEDIUM | 1 | π‘ Pending | βοΈ Platform | π¦ | - | - |
| L1 | SSHD LogLevel | RHCOS | LOW | 1 | π‘ Pending | β Pass | - | - | - |
| L2 | Sysctl dmesg_restrict | RHCOS | LOW | 1 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M13 | Extended DAC Audit | RHCOS | MEDIUM | 11 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M14 | Identity File Access Audit | RHCOS | MEDIUM | 12 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M15 | File Deletion Audit | RHCOS | MEDIUM | 5 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M16 | Unsuccessful File Modification Audit | RHCOS | MEDIUM | 32 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M17 | Privileged Commands Audit | RHCOS | MEDIUM | 22 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M18 | Session & MAC Audit | RHCOS | MEDIUM | 4 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M19 | Usergroup Modification Audit | RHCOS | MEDIUM | 5 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M20 | Auditd Data Retention | RHCOS | MEDIUM | 4 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M21 | Kernel Module Blacklist | RHCOS | MEDIUM | 18 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M22 | Network Sysctl Hardening | RHCOS | MEDIUM | 20 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M23 | Kernel Sysctl Extended | RHCOS | MEDIUM | 3 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M24 | CoreOS Kernel Arguments | RHCOS | MEDIUM | 6 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M25 | Chrony/NTP Configuration | RHCOS | MEDIUM | 4 | π‘ Pending | π Site | π¦ | - | - |
| M26 | Systemd Hardening | RHCOS | MEDIUM | 6 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M27 | SSHD Moderate Extensions | RHCOS | MEDIUM | 2 | π‘ Pending | π― RAN Only | π¦ | - | - |
| M28 | USBGuard | RHCOS | MEDIUM | 3 | π‘ Pending | β N/A | π¦ | - | - |
| M29 | System Access Controls | Mixed | MEDIUM | 7 | π‘ Pending | βοΈ Platform | π¦ | - | - |
| M30 | OAuth Configuration | Mixed | MEDIUM | 2 | π‘ Pending | βοΈ Platform | π¦ | - | - |
| MAN1 | Workload Security | OCP | MANUAL | 19 | π‘ Pending | β N/A | - | - | - |
| MAN2 | RBAC & Access Control | OCP | MANUAL | 7 | π‘ Pending | β N/A | - | - | - |
| MAN3 | Secrets Management | OCP | MANUAL | 2 | π‘ Pending | β N/A | - | - | - |
| MAN4 | Audit Log Partitions | OCP | MANUAL | 5 | π‘ Pending | β N/A | - | - | - |
| MAN5 | Hardware/BIOS & Alerting | OCP | MANUAL | 17 | π‘ Pending | β N/A | - | - | - |
Remediation Details
H1: Crypto Policy β π‘ Pending
| Check | Description |
|---|---|
configure-crypto-policy |
System-wide crypto policy (DEFAULT:NO-SHA1) |
H2: PAM Empty Passwords β verified-needed β PR #821
| Check | Description |
|---|---|
no-empty-passwords |
Disable nullok in PAM system-auth and password-auth |
Verified on OCP 5.0 (cnfdt16, RHCOS 10.2). authselect templates still ship with nullok. without-nullok feature not enabled by default. Upstream PRs (coreos/rhel-coreos-config#255, ComplianceAsCode/content#14602) still open.
H3: SSHD Empty Passwords β π‘ Pending
| Check | Description |
|---|---|
sshd-disable-empty-passwords |
Prevent SSH login with empty passwords |
M1: SSHD Configuration β π‘ Pending
| Check | Description |
|---|---|
sshd-disable-root-login |
Disable direct root SSH access |
sshd-disable-gssapi-auth |
Disable GSSAPI authentication |
sshd-disable-rhosts |
Disable rhost authentication |
sshd-disable-user-known-hosts |
Ignore userβs known_hosts file |
sshd-do-not-permit-user-env |
Block user environment variable passing |
sshd-enable-strictmodes |
Enable strict mode checking |
sshd-print-last-log |
Display last login information |
M2: Kernel Hardening (Sysctl) β verified-needed β PR #822
| Check | Description |
|---|---|
sysctl-kernel-randomize-va-space |
Full ASLR - randomizes memory layout |
sysctl-kernel-unprivileged-bpf-disabled |
Prevent BPF-based privilege escalation |
sysctl-kernel-yama-ptrace-scope |
Restrict ptrace to parent-child processes |
sysctl-net-core-bpf-jit-harden |
Harden BPF JIT against spraying attacks |
Verified on OCP 5.0 (cnfdt16, RHCOS 10.2). kernel.randomize_va_space=2 and unprivileged_bpf_disabled=1 are already kernel defaults (no MC needed). net.core.bpf_jit_harden still defaults to 0 and kernel.yama.ptrace_scope still overridden to 0 by elfutils. Fedora 44 changes have NOT propagated to RHEL 10.
M3: Audit Rules - DAC Modifications β π‘ Pending
| Check | Description |
|---|---|
audit-rules-dac-modification-chmod |
Audit DAC chmod |
audit-rules-dac-modification-chown |
Audit DAC chown |
M4: Audit Rules - SELinux β π‘ Pending
| Check | Description |
|---|---|
audit-rules-execution-chcon |
Audit SELinux chcon |
audit-rules-execution-restorecon |
Audit SELinux restorecon |
audit-rules-execution-semanage |
Audit SELinux semanage |
audit-rules-execution-setfiles |
Audit SELinux setfiles |
audit-rules-execution-setsebool |
Audit SELinux setsebool |
audit-rules-execution-seunshare |
Audit SELinux seunshare |
M5: Audit Rules - Kernel Modules β verified-needed β PR #823
| Check | Description |
|---|---|
audit-rules-kernel-module-loading-delete |
Audit kernel module delete |
audit-rules-kernel-module-loading-finit |
Audit kernel module finit |
audit-rules-kernel-module-loading-init |
Audit kernel module init |
Verified on OCP 5.0 (cnfdt16, RHCOS 10.2). Stock audit.rules has only basic buffer/backlog setup. No kernel module audit rules ship by default.
M6: Audit Rules - Time Modifications β π‘ Pending
| Check | Description |
|---|---|
audit-rules-time-adjtimex |
Audit time adjtimex |
audit-rules-time-clock-settime |
Audit time clock_settime |
audit-rules-time-settimeofday |
Audit time settimeofday |
audit-rules-time-stime |
Audit time stime |
audit-rules-time-watch-localtime |
Audit time localtime |
M7: Audit Rules - Login Monitoring β π‘ Pending
| Check | Description |
|---|---|
audit-rules-login-events-faillock |
Audit login faillock |
audit-rules-login-events-lastlog |
Audit login lastlog |
audit-rules-login-events-tallylog |
Audit login tallylog |
audit-rules-login-events |
Audit login events |
audit-rules-sysadmin-actions |
Audit sysadmin actions |
audit-rules-usergroup-modification |
Audit usergroup modification |
M8: Audit Rules - Network Config β π‘ Pending
| Check | Description |
|---|---|
audit-rules-networkconfig-modification |
Audit network config |
M9: Auditd Configuration β verified-needed β PR #824
| Check | Description |
|---|---|
auditd-name-format |
Auditd name format |
Verified on OCP 5.0 (cnfdt16, RHCOS 10.2). Stock auditd.conf has name_format=NONE (should be hostname), space_left=75 (should be 100), *_action=SUSPEND (should be syslog), q_depth=2000 (should be 400).
M10: API Server Encryption β verified-needed β PR #820
| Check | Description |
|---|---|
api-server-encryption-provider-cipher |
API encryption |
Verified on OCP 5.0 (cnfdt16, RHCOS 10.2). API encryption not enabled by default (generation:2 confirms manual application). Default install uses identity encryption.
M11: Ingress TLS Ciphers β π‘ Pending
| Check | Description |
|---|---|
ingress-controller-tls-cipher-suites |
Ingress TLS ciphers |
M12: Audit Profile β π‘ Pending
| Check | Description |
|---|---|
audit-profile-set |
Audit profile |
L1: SSHD LogLevel β π‘ Pending
| Check | Description |
|---|---|
sshd-set-loglevel-info |
Set SSH logging to INFO level |
L2: Sysctl dmesg_restrict β π‘ Pending
| Check | Description |
|---|---|
sysctl-kernel-dmesg-restrict |
Restrict kernel log access to privileged users |
M13: Extended DAC Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-dac-modification-fchmod |
Audit fchmod operations |
audit-rules-dac-modification-fchmodat |
Audit fchmodat operations |
audit-rules-dac-modification-fchown |
Audit fchown operations |
audit-rules-dac-modification-fchownat |
Audit fchownat operations |
audit-rules-dac-modification-fremovexattr |
Audit fremovexattr operations |
audit-rules-dac-modification-fsetxattr |
Audit fsetxattr operations |
audit-rules-dac-modification-lchown |
Audit lchown operations |
audit-rules-dac-modification-lremovexattr |
Audit lremovexattr operations |
audit-rules-dac-modification-lsetxattr |
Audit lsetxattr operations |
audit-rules-dac-modification-removexattr |
Audit removexattr operations |
audit-rules-dac-modification-setxattr |
Audit setxattr operations |
M14: Identity File Access Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-etc-group-open |
Audit /etc/group access |
audit-rules-etc-group-openat |
Audit /etc/group access via openat |
audit-rules-etc-group-open-by-handle-at |
Audit /etc/group access via open_by_handle_at |
audit-rules-etc-gshadow-open |
Audit /etc/gshadow access |
audit-rules-etc-gshadow-openat |
Audit /etc/gshadow access via openat |
audit-rules-etc-gshadow-open-by-handle-at |
Audit /etc/gshadow access via open_by_handle_at |
audit-rules-etc-passwd-open |
Audit /etc/passwd access |
audit-rules-etc-passwd-openat |
Audit /etc/passwd access via openat |
audit-rules-etc-passwd-open-by-handle-at |
Audit /etc/passwd access via open_by_handle_at |
audit-rules-etc-shadow-open |
Audit /etc/shadow access |
audit-rules-etc-shadow-openat |
Audit /etc/shadow access via openat |
audit-rules-etc-shadow-open-by-handle-at |
Audit /etc/shadow access via open_by_handle_at |
M15: File Deletion Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-file-deletion-events-rename |
Audit rename operations |
audit-rules-file-deletion-events-renameat |
Audit renameat operations |
audit-rules-file-deletion-events-rmdir |
Audit rmdir operations |
audit-rules-file-deletion-events-unlink |
Audit unlink operations |
audit-rules-file-deletion-events-unlinkat |
Audit unlinkat operations |
M16: Unsuccessful File Modification Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-unsuccessful-file-modification-chmod |
Audit failed chmod |
audit-rules-unsuccessful-file-modification-open |
Audit failed open |
audit-rules-unsuccessful-file-modification-chown |
Audit failed chown |
audit-rules-unsuccessful-file-modification-creat |
Audit failed creat |
audit-rules-unsuccessful-file-modification-fchmod |
Audit failed fchmod |
audit-rules-unsuccessful-file-modification-fchmodat |
Audit failed fchmodat |
audit-rules-unsuccessful-file-modification-fchown |
Audit failed fchown |
audit-rules-unsuccessful-file-modification-fchownat |
Audit failed fchownat |
audit-rules-unsuccessful-file-modification-fremovexattr |
Audit failed fremovexattr |
audit-rules-unsuccessful-file-modification-fsetxattr |
Audit failed fsetxattr |
audit-rules-unsuccessful-file-modification-ftruncate |
Audit failed ftruncate |
audit-rules-unsuccessful-file-modification-lchown |
Audit failed lchown |
audit-rules-unsuccessful-file-modification-lremovexattr |
Audit failed lremovexattr |
audit-rules-unsuccessful-file-modification-lsetxattr |
Audit failed lsetxattr |
audit-rules-unsuccessful-file-modification-open-by-handle-at |
Audit failed open-by-handle-at |
audit-rules-unsuccessful-file-modification-open-by-handle-at-o-creat |
Audit failed open-by-handle-at-o-creat |
audit-rules-unsuccessful-file-modification-open-by-handle-at-o-trunc-write |
Audit failed open-by-handle-at-o-trunc-write |
audit-rules-unsuccessful-file-modification-open-by-handle-at-rule-order |
Audit failed open-by-handle-at-rule-order |
audit-rules-unsuccessful-file-modification-open-o-creat |
Audit failed open-o-creat |
audit-rules-unsuccessful-file-modification-open-o-trunc-write |
Audit failed open-o-trunc-write |
audit-rules-unsuccessful-file-modification-open-rule-order |
Audit failed open-rule-order |
audit-rules-unsuccessful-file-modification-openat |
Audit failed openat |
audit-rules-unsuccessful-file-modification-openat-o-creat |
Audit failed openat-o-creat |
audit-rules-unsuccessful-file-modification-openat-o-trunc-write |
Audit failed openat-o-trunc-write |
audit-rules-unsuccessful-file-modification-openat-rule-order |
Audit failed openat-rule-order |
audit-rules-unsuccessful-file-modification-removexattr |
Audit failed removexattr |
audit-rules-unsuccessful-file-modification-rename |
Audit failed rename |
audit-rules-unsuccessful-file-modification-renameat |
Audit failed renameat |
audit-rules-unsuccessful-file-modification-setxattr |
Audit failed setxattr |
audit-rules-unsuccessful-file-modification-truncate |
Audit failed truncate |
audit-rules-unsuccessful-file-modification-unlink |
Audit failed unlink |
audit-rules-unsuccessful-file-modification-unlinkat |
Audit failed unlinkat |
M17: Privileged Commands Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-privileged-commands-su |
Audit su execution |
audit-rules-privileged-commands-sudo |
Audit sudo execution |
audit-rules-privileged-commands-passwd |
Audit passwd execution |
audit-rules-privileged-commands-mount |
Audit mount execution |
audit-rules-privileged-commands-at |
Audit privileged at |
audit-rules-privileged-commands-chage |
Audit privileged chage |
audit-rules-privileged-commands-chsh |
Audit privileged chsh |
audit-rules-privileged-commands-crontab |
Audit privileged crontab |
audit-rules-privileged-commands-gpasswd |
Audit privileged gpasswd |
audit-rules-privileged-commands-newgidmap |
Audit privileged newgidmap |
audit-rules-privileged-commands-newgrp |
Audit privileged newgrp |
audit-rules-privileged-commands-newuidmap |
Audit privileged newuidmap |
audit-rules-privileged-commands-pam-timestamp-check |
Audit privileged pam-timestamp-check |
audit-rules-privileged-commands-postdrop |
Audit privileged postdrop |
audit-rules-privileged-commands-postqueue |
Audit privileged postqueue |
audit-rules-privileged-commands-pt-chown |
Audit privileged pt-chown |
audit-rules-privileged-commands-ssh-keysign |
Audit privileged ssh-keysign |
audit-rules-privileged-commands-sudoedit |
Audit privileged sudoedit |
audit-rules-privileged-commands-umount |
Audit privileged umount |
audit-rules-privileged-commands-unix-chkpwd |
Audit privileged unix-chkpwd |
audit-rules-privileged-commands-userhelper |
Audit privileged userhelper |
audit-rules-privileged-commands-usernetctl |
Audit privileged usernetctl |
M18: Session & MAC Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-session-events |
Audit session events |
audit-rules-mac-modification |
Audit MAC policy changes |
audit-rules-media-export |
Audit media export |
audit-rules-immutable |
Make audit rules immutable |
M19: Usergroup Modification Audit β π‘ Pending
| Check | Description |
|---|---|
audit-rules-usergroup-modification-group |
Watch /etc/group |
audit-rules-usergroup-modification-gshadow |
Watch /etc/gshadow |
audit-rules-usergroup-modification-opasswd |
Watch /etc/opasswd |
audit-rules-usergroup-modification-passwd |
Watch /etc/passwd |
audit-rules-usergroup-modification-shadow |
Watch /etc/shadow |
M20: Auditd Data Retention β π‘ Pending
| Check | Description |
|---|---|
auditd-data-disk-error-action |
Set disk error action |
auditd-data-disk-full-action |
Set disk full action |
auditd-data-retention-admin-space-left-action |
Set admin space-left action |
auditd-data-retention-space-left |
Set space-left threshold |
M21: Kernel Module Blacklist β π‘ Pending
| Check | Description |
|---|---|
kernel-module-bluetooth-disabled |
Disable Bluetooth |
kernel-module-usb-storage-disabled |
Disable USB storage |
kernel-module-sctp-disabled |
Disable SCTP |
kernel-module-atm-disabled |
Disable atm |
kernel-module-can-disabled |
Disable can |
kernel-module-cfg80211-disabled |
Disable cfg80211 |
kernel-module-cramfs-disabled |
Disable cramfs |
kernel-module-firewire-core-disabled |
Disable firewire-core |
kernel-module-freevxfs-disabled |
Disable freevxfs |
kernel-module-hfs-disabled |
Disable hfs |
kernel-module-hfsplus-disabled |
Disable hfsplus |
kernel-module-iwlmvm-disabled |
Disable iwlmvm |
kernel-module-iwlwifi-disabled |
Disable iwlwifi |
kernel-module-jffs2-disabled |
Disable jffs2 |
kernel-module-mac80211-disabled |
Disable mac80211 |
kernel-module-squashfs-disabled |
Disable squashfs |
kernel-module-tipc-disabled |
Disable tipc |
kernel-module-udf-disabled |
Disable udf |
M22: Network Sysctl Hardening β π‘ Pending
| Check | Description |
|---|---|
sysctl-net-ipv4-conf-all-accept-redirects |
Reject ICMP redirects |
sysctl-net-ipv4-tcp-syncookies |
Enable TCP SYN cookies |
sysctl-net-ipv6-conf-all-accept-ra |
Reject IPv6 router advertisements |
sysctl-net-ipv4-conf-all-accept-source-route |
Net sysctl ipv4-conf-all-accept-source-route |
sysctl-net-ipv4-conf-all-log-martians |
Net sysctl ipv4-conf-all-log-martians |
sysctl-net-ipv4-conf-all-rp-filter |
Net sysctl ipv4-conf-all-rp-filter |
sysctl-net-ipv4-conf-all-secure-redirects |
Net sysctl ipv4-conf-all-secure-redirects |
sysctl-net-ipv4-conf-all-send-redirects |
Net sysctl ipv4-conf-all-send-redirects |
sysctl-net-ipv4-conf-default-accept-redirects |
Net sysctl ipv4-conf-default-accept-redirects |
sysctl-net-ipv4-conf-default-log-martians |
Net sysctl ipv4-conf-default-log-martians |
sysctl-net-ipv4-conf-default-rp-filter |
Net sysctl ipv4-conf-default-rp-filter |
sysctl-net-ipv4-conf-default-secure-redirects |
Net sysctl ipv4-conf-default-secure-redirects |
sysctl-net-ipv4-conf-default-send-redirects |
Net sysctl ipv4-conf-default-send-redirects |
sysctl-net-ipv4-icmp-echo-ignore-broadcasts |
Net sysctl ipv4-icmp-echo-ignore-broadcasts |
sysctl-net-ipv4-icmp-ignore-bogus-error-responses |
Net sysctl ipv4-icmp-ignore-bogus-error-responses |
sysctl-net-ipv6-conf-all-accept-redirects |
Net sysctl ipv6-conf-all-accept-redirects |
sysctl-net-ipv6-conf-all-accept-source-route |
Net sysctl ipv6-conf-all-accept-source-route |
sysctl-net-ipv6-conf-default-accept-ra |
Net sysctl ipv6-conf-default-accept-ra |
sysctl-net-ipv6-conf-default-accept-redirects |
Net sysctl ipv6-conf-default-accept-redirects |
sysctl-net-ipv6-conf-default-accept-source-route |
Net sysctl ipv6-conf-default-accept-source-route |
M23: Kernel Sysctl Extended β π‘ Pending
| Check | Description |
|---|---|
sysctl-kernel-kexec-load-disabled |
Disable kexec |
sysctl-kernel-perf-event-paranoid |
Restrict perf_event |
sysctl-kernel-core-pattern |
Disable core dumps |
M24: CoreOS Kernel Arguments β π‘ Pending
| Check | Description |
|---|---|
coreos-pti-kernel-argument |
Enable PTI |
coreos-audit-option |
Enable audit |
coreos-nousb-kernel-argument |
Disable USB |
coreos-audit-backlog-limit-kernel-argument |
CoreOS kernel arg |
coreos-page-poison-kernel-argument |
CoreOS kernel arg |
coreos-vsyscall-kernel-argument |
CoreOS kernel arg |
M25: Chrony/NTP Configuration β π‘ Pending
| Check | Description |
|---|---|
chronyd-client-only |
Restrict chrony to client mode |
chronyd-no-chronyc-network |
Disable chronyc network |
chronyd-or-ntpd-set-maxpoll |
Chrony config |
chronyd-or-ntpd-specify-multiple-servers |
Chrony config |
M26: Systemd Hardening β π‘ Pending
| Check | Description |
|---|---|
disable-ctrlaltdel-burstaction |
Disable Ctrl-Alt-Del burst |
disable-ctrlaltdel-reboot |
Disable Ctrl-Alt-Del reboot |
coredump-disable-backtraces |
Disable coredump backtraces |
coredump-disable-storage |
Disable coredump storage |
disable-users-coredumps |
Disable user coredumps |
service-systemd-coredump-disabled |
Systemd coredump disabled |
M27: SSHD Moderate Extensions β π‘ Pending
| Check | Description |
|---|---|
sshd-set-idle-timeout |
Set SSH idle timeout |
sshd-set-keepalive |
Set SSH keepalive |
M28: USBGuard β π‘ Pending
| Check | Description |
|---|---|
package-usbguard-installed |
Install USBGuard |
service-usbguard-enabled |
Enable USBGuard |
usbguard-allow-hid-and-hub |
Allow HID/hub USB devices |
M29: System Access Controls β π‘ Pending
| Check | Description |
|---|---|
banner-etc-issue |
Set login banner |
ensure-logrotate-activated |
Ensure logrotate active |
service-debug-shell-disabled |
Disable debug shell |
no-tmux-in-shells |
Restrict tmux in shells |
banner-or-login-template-set |
Login banner template |
no-direct-root-logins |
No direct root logins |
openshift-motd-exists |
MOTD configuration |
M30: OAuth Configuration β π‘ Pending
| Check | Description |
|---|---|
oauth-or-oauthclient-inactivity-timeout |
Set OAuth inactivity timeout |
oauth-or-oauthclient-token-maxage |
Set OAuth token max age |
MAN1: Workload Security β π‘ Pending
| Check | Description |
|---|---|
configure-network-policies-namespaces |
Manual: Configure network policies per namespace |
accounts-restrict-service-account-tokens |
Manual: Restrict SA token automounting |
accounts-unique-service-account |
Manual: Use unique service accounts |
general-apply-scc |
Manual: Apply SCCs to pods |
general-default-namespace-use |
Manual: Donβt use default namespace |
general-default-seccomp-profile |
Manual: Enable seccomp profiles |
general-namespaces-in-use |
Manual: Use namespaces for isolation |
scc-limit-privilege-escalation |
Manual: Limit privilege escalation |
scc-limit-privileged-containers |
Manual: Limit privileged containers |
scc-limit-root-containers |
Manual: Limit root containers |
scc-drop-container-capabilities |
Manual: Drop container capabilities |
scc-limit-container-allowed-capabilities |
Manual: Limit container capabilities |
scc-limit-ipc-namespace |
Manual: Limit IPC namespace |
scc-limit-net-raw-capability |
Manual: Limit NET_RAW |
scc-limit-network-namespace |
Manual: Limit network namespace |
scc-limit-process-id-namespace |
Manual: Limit PID namespace |
general-configure-imagepolicywebhook |
Manual: Image provenance |
resource-requests-limits-in-daemonset |
Manual: Resource requests in daemonsets |
resource-requests-quota |
Manual: Resource quotas |
MAN2: RBAC & Access Control β π‘ Pending
| Check | Description |
|---|---|
rbac-least-privilege |
Manual: Review RBAC least privilege |
rbac-limit-cluster-admin |
Manual: Limit cluster-admin usage |
rbac-limit-secrets-access |
Manual: Restrict secrets access |
rbac-pod-creation-access |
Manual: Minimize pod creation access |
rbac-wildcard-use |
Manual: Minimize wildcard roles |
idp-is-configured |
Manual: Configure identity provider |
kubeadmin-removed |
Manual: Remove kubeadmin |
MAN3: Secrets Management β π‘ Pending
| Check | Description |
|---|---|
secrets-consider-external-storage |
Manual: Use external secret storage |
secrets-no-environment-variables |
Manual: Donβt use env vars for secrets |
MAN4: Audit Log Partitions β π‘ Pending
| Check | Description |
|---|---|
audit-log-forwarding-enabled |
Manual: Audit log forwarding |
audit-log-forwarding-uses-tls |
Manual: Audit log forwarding TLS |
directory-access-var-log-audit |
Manual: Audit log access |
partition-for-var-log |
Manual: /var/log partition |
partition-for-var-log-audit |
Manual: /var/log/audit partition |
MAN5: Hardware/BIOS & Alerting β π‘ Pending
| Check | Description |
|---|---|
bios-disable-usb-boot |
Manual: Disable USB boot |
wireless-disable-in-bios |
Manual: Disable WiFi in BIOS |
acs-sensor-exists |
Manual: ACS sensor deployment |
cluster-version-operator-exists |
Manual: CVO check |
cluster-wide-proxy-set |
Manual: Cluster proxy configuration |
container-security-operator-exists |
Manual: Container security operator |
default-ingress-ca-replaced |
Manual: Replace default ingress CA |
enable-fips-mode |
Manual: Enable FIPS mode |
file-integrity-exists |
Manual: File integrity operator |
file-integrity-notification-enabled |
Manual: File integrity notifications |
fips-mode-enabled-on-all-nodes |
Manual: FIPS on all nodes |
ingress-controller-certificate |
Manual: Ingress controller certificate |
machine-volume-encrypted |
Manual: Encrypt machine volumes |
ocp-allowed-registries |
Manual: Configure allowed registries |
ocp-allowed-registries-for-import |
Manual: Allowed registries for import |
security-profiles-operator-exists |
Manual: Security profiles operator |
alert-receiver-configured |
Manual: Configure alert receiver |
Legend
- H = HIGH severity (H1βH3)
- M = MEDIUM severity (M1βM30)
- L = LOW severity (L1, L2)
- MAN = Manual checks (MAN1βMAN5)