CMP-3916: Add runtime SSHD config checking for OpenShift #14118
+104
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Vincent056
requested review from
Mab879,
ggbecker,
jan-cerny,
marcusburghardt and
vojtapolasek
as code owners
Vincent056
force-pushed
the
runtime-check-sshd
branch
from
b6e4613 to
73abb36
Compare
Add runtime SSHD config checking for OpenShift compliance operatorThe compliance operator fetches runtime SSHD config from the cluster andfeeds it to the scanner before scans. Adds `sshd_runtime_check` option(default: false, true for RHCOS4), updates OVAL macros, and sets default
Vincent056
force-pushed
the
runtime-check-sshd
branch
from
73abb36 to
22e46de
Compare
rhmdnd
reviewed
Nov 13, 2025
yuumasato
reviewed
Nov 14, 2025
rhmdnd
changed the title
Enhance the SSHD runtime configuration checking by updating the path for the compliance operator's runtime effective config file to a temp file. Modify the OVAL macros to conditionally adjust the criteria operator based on the runtime check status, ensuring accurate compliance checks.
Collaborator
|
I was able to get this running in a cluster using: diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index da83eefd2b..6ab2b0f245 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -1036,7 +1036,7 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
-{{%- set sshd_runtime_path = "/tmp/runtime/sshd_effective_config" -%}}
+{{%- set sshd_runtime_path = "/runtime/sshd_config" -%}}
{{%- if xccdf_variable -%}}
{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}}
{{%- else -%}}But - after applying the GSS api authentication remediation, the rule still fails. |
This is a new parameter, that defaults to false. Update the test data so that it's included in product stability.
rhmdnd
force-pushed
the
runtime-check-sshd
branch
from
edeb792 to
f3038dd
Compare
yuumasato
reviewed
Nov 19, 2025
Co-authored-by: Watson Yuuma Sato <[email protected]>
…iguration check to a fixed "AND" instead of conditionally based on the runtime check status. This change simplifies the logic and ensures consistent behavior in compliance checks.
Mab879
reviewed
Nov 19, 2025
Member
Mab879
left a comment
Mab879
left a comment
There was a problem hiding this comment.
Based on my testing it seems that RHEL is fine. Once other reviewer's comments are addressed I can provide my approval.
|
@Vincent056: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Mab879
approved these changes
Nov 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Add runtime SSHD config checking for OpenShift compliance operator
The compliance operator fetches runtime SSHD config from the cluster and feeds it to the scanner before scans. Adds
sshd_runtime_checkoption(default: false, true for RHCOS4), updates OVAL macros, and sets defaultRationale:
Fixs CMP-3916
Review Hints: