CMP-3553: Add Kubernetes SSHD fixes for EL9 RHCOS4 nodes

yuumasato · yuumasato · commit 4db17cdc8f0f · 2025-09-30T23:33:00.000+02:00
Leverage the drop-in macro to create SSHD drop-in MachineConfigs.
This makes each SSHD rule's remediation granular and indepent from each
other, but only for OCP &gt;=4.13, as drop-in files for sshd_config is not
supported in OCP 4.12.
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml
@@ -16,3 +16,5 @@ spec:
         mode: 0600
         path: /etc/ssh/sshd_config
         overwrite: true
+---
+{{{ kubernetes_sshd_dropin('HostbasedAuthentication no', config_basename='00-complianceascode-disable_host_auth.conf') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/kubernetes/shared.yml
@@ -5,3 +5,5 @@
 # complexity = low
 # disruption = low
 {{{ kubernetes_sshd_set() }}}
+---
+{{{ kubernetes_sshd_dropin('Compression {{{ xccdf_value("var_sshd_disable_compression") }}}', config_basename='00-complianceascode-sshd_disable_compression.conf') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/kubernetes/shared.yml
@@ -5,3 +5,5 @@
 # complexity = low
 # disruption = low
 {{{ kubernetes_sshd_set() }}}
+---
+{{{ kubernetes_sshd_dropin('ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}', config_basename='00-complianceascode-sshd_set_idle_timeout.conf') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/kubernetes/shared.yml
@@ -5,3 +5,5 @@
 # complexity = low
 # disruption = low
 {{{ kubernetes_sshd_set() }}}
+---
+{{{ kubernetes_sshd_dropin('ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}', config_basename='00-complianceascode-sshd_set_keepalive.conf') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/kubernetes/shared.yml
@@ -5,3 +5,5 @@
 # complexity = low
 # disruption = low
 {{{ kubernetes_sshd_set() }}}
+---
+{{{ kubernetes_sshd_dropin('ClientAliveCountMax 0', config_basename='00-complianceascode-sshd_set_keepalive_0.conf') }}}
diff --git a/shared/templates/sshd_lineinfile/kubernetes.template b/shared/templates/sshd_lineinfile/kubernetes.template
@@ -4,3 +4,9 @@
 # complexity = low
 # disruption = low
 {{{ kubernetes_sshd_set() }}}
+---
+{{% if XCCDF_VARIABLE %}}
+{{{ kubernetes_sshd_dropin(PARAMETER ~ ' {{.'~XCCDF_VARIABLE~'}}', config_basename='00-complianceascode-' ~ PARAMETER ~ '.conf') }}}
+{{% else %}}
+{{{ kubernetes_sshd_dropin(PARAMETER ~ " " ~ VALUE,config_basename='00-complianceascode-' ~ PARAMETER ~ '.conf') }}}
+{{% endif %}}
