Bug
Resolution: Done
Blocker
compliance-operator-1.8.0
Quality / Stability / Reliability
We refactored the SSH rules to support drop-in configuration files, which greatly improves the overall user experience of remediating SSH findings because remediating a single rule only results in updating a single SSH option (as opposed to what we were doing previously, where the remediations for all SSH rules were baked into a single fix and applied across all nodes - meaning users got various SSH hardening, even if they didn't want to apply a specific SSH option). This is the PR where we introduced that change:
https://github.com/ComplianceAsCode/content/pull/13953
While this new approach has its benefits, we're now hitting another issue. The OVAL checks we rely on to scan SSH configuration options are not smart enough to deal with duplicate SSH configuration options in the same directory (e.g., /etc/ssh/sshd_config.d/). The OVAL check doesn't know which SSH option should take precedence.
You can recreate this easily using the GSSAPIAuthentication setting, because it's enabled by default in /etc/ssh/sshd_config.d/50-redhat.conf, and we have a rule that will produce a remediation that disables it in /etc/ssh/sshd_config.d/00-complianceascode-GSSAPIAuthentication.conf. As a result, the GSSAPIAuthentication setting will be specified twice in the /etc/ssh/ directory:
Here you can see the initial scan result using the rhcos4-e8 profile:
$ oc get ccr |grep rhcos4-e8-wrscan-sshd-disable-gssapi-auth
rhcos4-e8-wrscan-sshd-disable-gssapi-auth   FAIL   medium
And that the remediation has been applied:
$ oc get cr |grep sshd-disable-gssapi-auth
rhcos4-e8-wrscan-sshd-disable-gssapi-auth-1   Applied
Rerun the scan using the rescan annotation:
$ oc -n openshift-compliance annotate compliancescans/rhcos4-e8-wrscan compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/rhcos4-e8-wrscan annotated
$ oc get scan -w
NAME               PHASE         RESULT
rhcos4-e8-wrscan   RUNNING       NOT-AVAILABLE
rhcos4-e8-wrscan   AGGREGATING   NOT-AVAILABLE
rhcos4-e8-wrscan   AGGREGATING   NOT-AVAILABLE
rhcos4-e8-wrscan   DONE          NON-COMPLIANT
Check the result, which should have passed, especially after having applied the remediation shipped with the Compliance Operator:
$ oc get ccr |grep rhcos4-e8-wrscan-sshd-disable-gssapi-auth
rhcos4-e8-wrscan-sshd-disable-gssapi-auth   FAIL   medium
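To show why the scan above keeps failing, here is an added example (not code from this issue, from the Compliance Operator or from ComplianceAsCode) that resolves a duplicated option the way sshd does: per sshd_config(5), the first value obtained for a keyword wins and Include patterns are expanded in lexical order, so 00-complianceascode-GSSAPIAuthentication.conf is read before 50-redhat.conf. The file contents are constructed, and a naive "every occurrence must match" check is contrasted with a precedence-aware one.

```python
import fnmatch
import posixpath

# Constructed sample of /etc/ssh on a node after the remediation was applied.
FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf": "GSSAPIAuthentication yes\nUsePAM yes\n",
    "/etc/ssh/sshd_config.d/00-complianceascode-GSSAPIAuthentication.conf": "GSSAPIAuthentication no\n",
}


def _directives(files, path, seen):
    """Yield (keyword, value) in the order sshd reads them, expanding Include."""
    if path in seen:  # protect against Include loops
        return
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # conditional block: stop collecting global values from this file
            return
        if key == "include":
            for pattern in value.split():
                pattern = posixpath.join("/etc/ssh", pattern)  # relative paths live in /etc/ssh
                for hit in sorted(p for p in files if fnmatch.fnmatchcase(p, pattern)):
                    yield from _directives(files, hit, seen)
        else:
            yield key, value


def effective_options(files, root="/etc/ssh/sshd_config"):
    """Effective global config (what `sshd -T` reports): the first value obtained wins."""
    result = {}
    for key, value in _directives(files, root, set()):
        result.setdefault(key, value)
    return result


def naive_check(files, keyword, expected):
    """Precedence-unaware check: every occurrence must match, so the 'yes' still
    present in 50-redhat.conf yields FAIL even though sshd applies 'no'."""
    values = [v for k, v in _directives(files, "/etc/ssh/sshd_config", set()) if k == keyword.lower()]
    return bool(values) and all(v == expected for v in values)


def precedence_aware_check(files, keyword, expected):
    """Check the value sshd actually applies."""
    return effective_options(files).get(keyword.lower()) == expected
```

On a real node, `sshd -T` prints the same effective values and is the reference to compare a check against.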