Skip to content

ocp4: Enable sshd distributed config to check sshd_config.d drop-ins#14603

Open
sebrandon1 wants to merge 1 commit intoComplianceAsCode:masterfrom
sebrandon1:fix-ocp4-sshd-distributed-config
Open

ocp4: Enable sshd distributed config to check sshd_config.d drop-ins#14603
sebrandon1 wants to merge 1 commit intoComplianceAsCode:masterfrom
sebrandon1:fix-ocp4-sshd-distributed-config

Conversation

@sebrandon1
Copy link
Copy Markdown

@sebrandon1 sebrandon1 commented Mar 27, 2026

Summary

  • Enable sshd_distributed_config for the OCP4 product to match the underlying RHCOS4 behavior
  • OCP4 runs on RHCOS4, which already has this set to true in its product definition
  • The OCP4 product had it set to false, causing SSHD compliance checks to only scan /etc/ssh/sshd_config and miss settings placed in /etc/ssh/sshd_config.d/*.conf drop-in files

Problem

RHCOS 9 uses the drop-in config model — sshd_config contains an Include /etc/ssh/sshd_config.d/*.conf directive that loads drop-in files. When SSHD hardening remediations write settings to drop-in files (which is the standard approach for RHCOS), the settings are functionally correct (sshd -T confirms the effective config) but the scanner only checks the main sshd_config and reports false FAILs.

Affected checks include:

  • sshd_set_idle_timeout
  • sshd_set_keepalive
  • sshd_disable_gssapi_auth
  • sshd_set_loglevel_info
  • sshd_disable_root_login
  • sshd_enable_strictmodes
  • And all other sshd_lineinfile template checks

Fix

The sshd_lineinfile template and OVAL macros already fully support distributed config checking — when sshd_distributed_config is true, the generated OVAL automatically scans both /etc/ssh/sshd_config AND /etc/ssh/sshd_config.d/*.conf. This is already enabled for rhcos4, rhel9, rhel10, fedora, and others.

This PR simply enables the same behavior for ocp4.

Changes

  • products/ocp4/product.yml: Add sshd_distributed_config: "true"
  • tests/data/product_stability/ocp4.yml: Change sshd_distributed_config from false to true

Testing

Verified on OCP 4.22 (cnfdt16 cluster) and OCP 4.21 (CRC):

  • SSHD settings in drop-in files are functionally effective (confirmed via sshd -T)
  • Scanner reports FAIL when sshd_distributed_config is false (current behavior)
  • The rhcos4 product with sshd_distributed_config: "true" correctly detects drop-in settings

@sebrandon1
Enable sshd distributed config checking for OCP4
e43061d 
OCP4 runs on RHCOS4, which already has sshd_distributed_config set to
true. However, OCP4 product definition had it set to false, causing
SSHD compliance checks to only scan /etc/ssh/sshd_config and miss
settings in /etc/ssh/sshd_config.d/*.conf drop-in files.

Since RHCOS 9 uses the drop-in config model, SSHD hardening settings
in sshd_config.d/ are functionally correct but invisible to the scanner.
This causes false FAIL results for checks like sshd_set_idle_timeout,
sshd_disable_gssapi_auth, and sshd_set_loglevel_info when remediations
use drop-in files.

Enable sshd_distributed_config for OCP4 to match the underlying RHCOS4
behavior, allowing the scanner to check both the main sshd_config and
drop-in files in sshd_config.d/.
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Mar 27, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Mar 27, 2026

Hi @sebrandon1. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Mab879 Mab879 self-assigned this Mar 27, 2026
Mab879
Mab879 approved these changes Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yuumasato please take look as well.

@Mab879 Mab879 added this to the 0.1.81 milestone Mar 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mab879 Mab879 Mab879 approved these changes

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

@jan-cerny jan-cerny Awaiting requested review from jan-cerny jan-cerny is a code owner

Assignees

@Mab879 Mab879

Labels

needs-ok-to-test Used by openshift-ci bot.

Projects

None yet

Milestone

0.1.81

Development

Successfully merging this pull request may close these issues.

2 participants

@sebrandon1 @Mab879