CNF-21212: RAN Hardening - HIGH Severity Compliance Remediations#529
sebrandon1 wants to merge 2 commits into openshift-kni:main from
Add MachineConfigs for HIGH severity compliance remediations from the OpenShift Compliance Operator (E8/CIS benchmarks):
- 75-crypto-policy-high.yaml: Configure system-wide crypto policy (DEFAULT:NO-SHA1)
- 75-pam-auth-high.yaml: Remove nullok from PAM to disable empty passwords
- 75-sshd-high.yaml: Set PermitEmptyPasswords no via sshd_config.d drop-in

These are the most critical security hardening settings per the Compliance Operator severity classification.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@sebrandon1: This pull request references CNF-21212 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: sebrandon1. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
SSHD hardening settings (all severities) will be consolidated into PR openshift-kni#466. This PR now focuses on non-SSHD HIGH severity items only:
- crypto-policy
- PAM auth (no empty passwords)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Add 2 MachineConfigs for HIGH severity compliance remediations from the OpenShift Compliance Operator (E8/CIS benchmarks).
Remediation Groups
HIGH Severity Settings
- 75-crypto-policy-high.yaml: DEFAULT:NO-SHA1
- 75-pam-auth-high.yaml
Implementation Notes
- nullok option (prevents empty password auth)
Compliance Checks Remediated
- rhcos4-e8-worker-configure-crypto-policy
- rhcos4-e8-master-configure-crypto-policy
- rhcos4-e8-worker-no-empty-passwords
- rhcos4-e8-master-no-empty-passwords
Related
Test plan
- update-crypto-policies --show (expect DEFAULT:NO-SHA1)
- grep nullok /etc/pam.d/{system,password}-auth (expect no output)
🤖 Generated with Claude Code
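As an added example, not code from the PR or from the openshift-kni repository: a POSIX shell script that reproduces the two test-plan checks above offline, plus the nullok removal that 75-pam-auth-high.yaml is described as making, so the checks can be exercised without a RHCOS node. The function names (check_crypto_policy, check_pam_no_nullok, remediate_pam) and the sample PAM fragments are my own and constructed; the MachineConfig itself is not reproduced.

```shell
#!/bin/sh
# Added example, not part of the PR: offline version of the test plan's two
# checks plus the PAM edit the PR describes. Function names are assumptions.

# check_crypto_policy: takes the text that `update-crypto-policies --show`
# prints and succeeds only when the active policy is exactly DEFAULT:NO-SHA1.
check_crypto_policy() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "DEFAULT:NO-SHA1" ]
}

# check_pam_no_nullok: takes PAM config files and succeeds only when no
# non-comment line carries nullok (or nullok_secure). Returns 1 on a finding
# and 2 when a file cannot be read, so a missing file is never a pass.
check_pam_no_nullok() {
    for f in "$@"; do
        [ -r "$f" ] || return 2
        if grep -v '^[[:space:]]*#' "$f" | grep -Eq '(^|[[:space:]])nullok(_secure)?([[:space:]]|$)'; then
            return 1
        fi
    done
    return 0
}

# remediate_pam: prints a copy of a PAM file with every nullok/nullok_secure
# argument removed, the change 75-pam-auth-high.yaml is described as making.
remediate_pam() {
    sed -E 's/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/g' "$1"
}

# Constructed samples (not real node files): a system-auth fragment that still
# allows empty passwords, and the expected content after remediation.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system-auth.weak" <<'EOF'
# constructed sample, not a real node file
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$SAMPLE_DIR/system-auth.fixed" <<'EOF'
auth        sufficient    pam_unix.so try_first_pass
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

# Stand-alone run: report each check the way the test plan phrases it.
if check_crypto_policy "DEFAULT:NO-SHA1"; then echo "crypto policy: DEFAULT:NO-SHA1, OK"; fi
if check_pam_no_nullok "$SAMPLE_DIR/system-auth.weak"; then
    echo "weak sample: no nullok (unexpected)"
else
    echo "weak sample: nullok present, check fails as expected"
fi
remediate_pam "$SAMPLE_DIR/system-auth.weak" > "$SAMPLE_DIR/system-auth.out"
if check_pam_no_nullok "$SAMPLE_DIR/system-auth.out"; then echo "remediated sample: no nullok, OK"; fi
```

On a node the same functions take live input: `check_crypto_policy "$(update-crypto-policies --show)"` and `check_pam_no_nullok /etc/pam.d/system-auth /etc/pam.d/password-auth`, which are the files the test plan's grep covers. The pattern also catches nullok_secure, which a plain `grep nullok` matches too but which an exact-word match would miss.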