CNF-21196: RAN Hardening (Sysctl) - High Severity#528

Closed
sebrandon1 wants to merge 1 commit into openshift-kni:main from sebrandon1:sysctl-hardening-high

Conversation

@sebrandon1
Contributor

Summary

We'll have a single MachineConfig per path, per severity. Future high level severity flags will be added to this file and rebuilt with new comment and source key/values.

Kernel hardening via sysctl:

  • Added 75-sysctl-high.yaml to apply top 5 kernel hardening sysctl flags for worker nodes

Sysctl Settings Applied

| Setting | Value | Description |
| --- | --- | --- |
| kernel.dmesg_restrict | 1 | Restrict kernel log access to privileged users |
| kernel.randomize_va_space | 2 | Full ASLR - randomizes memory layout to prevent exploitation |
| kernel.unprivileged_bpf_disabled | 1 | Prevent BPF-based privilege escalation |
| kernel.yama.ptrace_scope | 1 | Restrict ptrace to parent-child processes |
| net.core.bpf_jit_harden | 2 | Harden BPF JIT against spraying attacks |

Test Plan

  • Apply MachineConfig to test cluster
  • Verify nodes reboot successfully
  • Check sysctl -a | grep -E 'dmesg_restrict|randomize_va_space|unprivileged_bpf|ptrace_scope|bpf_jit' shows expected values
  • Monitor for any boot failures or performance issues

Related

Add 75-sysctl-high.yaml MachineConfig to apply top 5 kernel
hardening sysctl flags for worker nodes:

- kernel.dmesg_restrict=1 - Restrict kernel log access
- kernel.randomize_va_space=2 - Full ASLR enabled
- kernel.unprivileged_bpf_disabled=1 - Disable unprivileged BPF
- kernel.yama.ptrace_scope=1 - Restrict ptrace scope
- net.core.bpf_jit_harden=2 - Harden BPF JIT compiler

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
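Added example (not code from this PR or from the openshift-kni repository): it renders the five settings from the table above into a sysctl.d drop-in and a MachineConfig-style manifest, and checks `sysctl -a` output against the expected values, since the grep in the test plan lists the keys but does not compare values. The manifest layout (Ignition version 3.2.0, the /etc/sysctl.d path and file mode) and the sample output are assumptions for illustration.

```python
from urllib.parse import quote

HARDENING_SYSCTLS = {  # setting -> expected value, taken from the PR table
    "kernel.dmesg_restrict": "1",
    "kernel.randomize_va_space": "2",
    "kernel.unprivileged_bpf_disabled": "1",
    "kernel.yama.ptrace_scope": "1",
    "net.core.bpf_jit_harden": "2",
}

def sysctl_dropin(settings=HARDENING_SYSCTLS):
    """Render the settings as the body of a sysctl.d drop-in file."""
    return "".join(f"{key} = {value}\n" for key, value in settings.items())

def ignition_data_url(body):
    """Percent-encode a file body as the data: URL Ignition expects in contents.source."""
    return "data:," + quote(body, safe="")

def machineconfig_yaml(settings=HARDENING_SYSCTLS, name="75-sysctl-high", role="worker"):
    """Render a MachineConfig installing the drop-in; the layout is assumed, not the PR's file."""
    source = ignition_data_url(sysctl_dropin(settings))
    return (
        "apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\n"
        f"metadata:\n  name: {name}\n  labels:\n"
        f"    machineconfiguration.openshift.io/role: {role}\n"
        "spec:\n  config:\n    ignition:\n      version: 3.2.0\n"
        "    storage:\n      files:\n"
        f"        - path: /etc/sysctl.d/{name}.conf\n          mode: 420\n"
        f"          overwrite: true\n          contents:\n            source: {source}\n"
    )

def check_sysctl_output(output, expected=HARDENING_SYSCTLS):
    """Compare `sysctl -a` output with the expected values; return {setting: (expected, actual)}
    per mismatch. A key absent from the output (e.g. kernel.yama.* without the Yama LSM)
    is reported with actual=None instead of slipping past a grep."""
    actual = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            actual[key.strip()] = value.strip()
    return {key: (value, actual.get(key))
            for key, value in expected.items() if actual.get(key) != value}

# Constructed `sysctl -a` sample (not from a real node): ASLR weakened to 1, Yama key absent.
SAMPLE_OUTPUT = """\
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
"""
```

Run the check over the real output of `sysctl -a` captured on a rebooted worker node; an empty result means every setting from the table is in effect.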
@openshift-ci-robot
Collaborator

@sebrandon1: This pull request references CNF-21196 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from fedepaol and ffromani January 14, 2026 13:37
@openshift-ci

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign irinamihai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sebrandon1 sebrandon1 closed this Jan 14, 2026
@sebrandon1
Contributor Author

Closing this PR - the sysctl settings here are actually MEDIUM/LOW severity per the Compliance Operator, not HIGH severity as originally labeled.

We are currently focusing on HIGH severity remediations only. HIGH severity items are tracked in PR #529 (CNF-21212).

These sysctl settings may be revisited in a future PR when we address MEDIUM severity items.
