The Compliance Operator has rules that evaluate SSH settings on RHCOS hosts. Some of these rules fail, and the Compliance Operator supplies a very broad remediations that it uses for all SSH rules. This means any SSH failure, and fix through the Compliance Operator, can result in unintended configuration changes to SSH, even though they're all technically hardening recommendations. This can be confusing for users since they didn't intend to change some configs based on the context of the rule that failed.

    All versions of the Compliance Operator, but 1.7.0 in particular since that's the latest.

    100%

    1. Install the Compliance Operator
    2. Run the `rhcos4-high` or `rhcos4-moderate` scans, which contain ssh rules
    3. Observer some of the SSH rules failing
    4. Obtain a copy of the existing sshd_config
    5. Check for any SSH rules that have a remediation
    6. Apply the remediation
    7. Observe that the remediation was applied, but it also applied many other remediations and configuration changes for SSH
    

    The actual result is that the Compliance Operator lays down a generic, hardened SSH configuration for all SSH remediations, instead of a specific remediation for the rule in question.

    The Compliance Operator remediations should be specific to the rule they're addressing. This makes the rules orthogonal and less likely that rules will have conflicting remediation guidance.