
Conversation

@yuumasato
Member

Description:

  • Restrict current SSHD Kubernetes remediations to OCP <= 4.12
  • Add new macro to create drop-in SSHD MachineConfigs
  • Add new drop-in Kubernetes remediations in template and rules with explicit remediation

Rationale:

  • The current Kubernetes SSHD remediations create a fixed sshd_config file
    • This does not allow rule level granularity
    • The RHEL8 RHCOS4 remediations break RHEL9 based nodes.
  • Fixes CMP-3553 by adding support for SSHD drop-in files and not laying down a generic hardened SSHD configuration.
  • Fixes CMP-3617 by adding drop-in support for OCP >=4.13 in sshd_lineinfile template. These rules will still fail on OCP 4.12.
  • Fixes CMP-3624 by removing the Include directive from the static sshd_config.

Review Hints:

  • Check that SSHD rules create a single sshd_config file in el8 based nodes
  • Check that SSHD rules create multiple drop-in config files in el9 based nodes

@yuumasato yuumasato added this to the 0.1.79 milestone Sep 29, 2025
@yuumasato yuumasato added the OpenShift OpenShift product related. label Sep 29, 2025
@yuumasato
Member Author

Example of how remediations not matching the ocp-version can be found:

$ oc get events | grep SkippingRemediation
116m        Warning   SkippingRemediation                compliancescan/upstream-rhcos4-high-master                                     Skipping ComplianceRemediation 'openshift-compliance/upstream-rhcos4-high-master-sshd-disable-rhosts'. Cluster doesn't match version range <=4.13.0
117m        Warning   SkippingRemediation                compliancescan/upstream-rhcos4-high-worker                                     Skipping ComplianceRemediation 'openshift-compliance/upstream-rhcos4-high-worker-sshd-disable-rhosts'. Cluster doesn't match version range <=4.13.0

And then the second yaml file is applied:

$ oc get rems -oyaml upstream-rhcos4-high-master-sshd-disable-rhosts-1
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  annotations:
    compliance.openshift.io/ocp-version: '>=4.13.0'
    compliance.openshift.io/xccdf-value-used: var-rekey-limit-size,var-rekey-limit-time,var-sshd-set-login-grace-time,var-sshd-disable-compression,sshd-idle-timeout-value,var-sshd-set-keepalive,var-sshd-priv-separation
  creationTimestamp: "2025-09-29T19:21:59Z"
  generation: 2
  labels:
    compliance.openshift.io/scan-name: upstream-rhcos4-high-master
    compliance.openshift.io/suite: rhcos4-high
  name: upstream-rhcos4-high-master-sshd-disable-rhosts-1
  namespace: openshift-compliance
spec:
  apply: true
  current:
    object:
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata: {}
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
            - contents:
                source: data:,IgnoreRhosts%20yes
              mode: 384
              overwrite: true
              path: /etc/ssh/sshd_config.d/00-complianceascode-IgnoreRhosts.conf
  outdated: {}
  type: Configuration
status:
  applicationState: Applied

@yuumasato yuumasato force-pushed the sshd-rules-for-rhel8-and-rhel9-nodes branch from c869d6a to a86d77c Compare September 30, 2025 09:45
Collaborator

@rhmdnd rhmdnd left a comment


One comment on the version matching - otherwise this is looking good pending CI results.

@rhmdnd
Collaborator

rhmdnd commented Sep 30, 2025

Are these really the only SSH rules we include for RHCOS that have kubernetes remediations?

$ find linux_os -type f -wholename "*ssh*kubernetes/shared.yml"
linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/kubernetes/shared.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/kubernetes/shared.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/kubernetes/shared.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/kubernetes/shared.yml

I thought there were more - but maybe not. Will we be able to reuse more of the SSH remediations now that we're using this approach? I would think so because we don't have to stuff them all into a single sshd_config file. Or do we wait to make that change until 4.12 goes EOL?

@yuumasato
Member Author

Are these really the only SSH rules we include for RHCOS that have kubernetes remediations?

No, there are a bunch more SSHD rules leveraging the template:

$ grep -lr sshd_lineinfile linux_os
linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml

Will we be able to reuse more of the SSH remediations now that we're using this approach? I would think so because we don't have to stuff them all into a single sshd_config file. Or do we wait to make that change until 4.12 goes EOL?

By reuse you mean more granular remediations? Yes, the SSHD rules for OCP >=4.13 will be granular to the rule level.
To illustrate, if you build the content locally: cat build/rhcos4/fixes_from_templates/kubernetes/sshd_disable_root_password_login.yml

# platform = multi_platform_ocp,multi_platform_rhcos
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/ocp-version: '<4.13.0'
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A
%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20
PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMOD
IFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
        mode: 0600
        path: /etc/ssh/sshd_config
        overwrite: true
---

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/ocp-version: '>=4.13.0'
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ PermitRootLogin%20prohibit-password }}
        mode: 0600
        path: /etc/ssh/sshd_config.d/00-complianceascode-PermitRootLogin.conf
        overwrite: true

You can see two remediations, one is the huge sshd_config, the other is the drop-in file.
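As an added check (not code from the PR or from ComplianceAsCode), the following Python script applies the ocp-version range matching shown above to constructed ComplianceRemediation objects shaped like the one quoted earlier, decodes their ignition data URLs, and verifies the two review hints from the description: a 4.12 cluster gets a single /etc/ssh/sshd_config, a 4.13+ cluster gets only drop-ins under /etc/ssh/sshd_config.d/. The remediation names, the helper functions and the abbreviated sshd_config body are assumptions.

```python
import re
from urllib.parse import unquote

# Annotation keys as they appear on this page: the rendered build output uses
# complianceascode.io/ocp-version, live ComplianceRemediation objects use
# compliance.openshift.io/ocp-version.
VERSION_KEYS = ("compliance.openshift.io/ocp-version", "complianceascode.io/ocp-version")
RANGE_RE = re.compile(r"^(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)$")


def _vtuple(version):
    return tuple(int(p) for p in version.split("."))


def version_matches(cluster_version, constraint):
    """Evaluate a single-operator range such as '<4.13.0' or '>=4.13.0'."""
    m = RANGE_RE.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported version range: {constraint!r}")
    op, bound = m.group(1) or "=", _vtuple(m.group(2))
    cur = _vtuple(cluster_version)
    n = max(len(cur), len(bound))            # pad so 4.12 compares against 4.13.0
    cur, bound = cur + (0,) * (n - len(cur)), bound + (0,) * (n - len(bound))
    return {"<": cur < bound, "<=": cur <= bound, ">": cur > bound,
            ">=": cur >= bound, "=": cur == bound}[op]


def applicable_files(remediations, cluster_version):
    """Return {path: decoded contents} of every file the MachineConfigs of the
    remediations applicable to this cluster version would lay down."""
    files = {}
    for rem in remediations:
        ann = rem["metadata"].get("annotations", {})
        constraint = next((ann[k] for k in VERSION_KEYS if k in ann), None)
        if constraint and not version_matches(cluster_version, constraint):
            continue  # the operator emits a SkippingRemediation event for these
        mc = rem["spec"]["current"]["object"]
        for f in mc["spec"]["config"]["storage"]["files"]:
            src = f["contents"]["source"]
            if not src.startswith("data:,"):
                raise ValueError(f"unexpected ignition source: {src!r}")
            files[f["path"]] = unquote(src[len("data:,"):])
    return files


def check_layout(files):
    """Review hint from the PR: el8 nodes get exactly one /etc/ssh/sshd_config,
    el9 nodes get only drop-ins under /etc/ssh/sshd_config.d/."""
    paths = sorted(files)
    if paths == ["/etc/ssh/sshd_config"]:
        return "single-file"
    if paths and all(p.startswith("/etc/ssh/sshd_config.d/") for p in paths):
        return "drop-in"
    return "mixed"


def _rem(name, constraint, path, payload):
    """Constructed ComplianceRemediation shaped like the one quoted in the PR."""
    return {"metadata": {"name": name, "annotations": {VERSION_KEYS[0]: constraint}},
            "spec": {"apply": True, "current": {"object": {
                "apiVersion": "machineconfiguration.openshift.io/v1", "kind": "MachineConfig",
                "spec": {"config": {"ignition": {"version": "3.1.0"}, "storage": {"files": [
                    {"contents": {"source": "data:," + payload}, "mode": 384,
                     "overwrite": True, "path": path}]}}}}}}}


# Constructed sample: two rules that share the single 4.12 sshd_config (body
# abbreviated) and each get their own drop-in on 4.13+.
SAMPLE = [
    _rem("sshd-disable-rhosts", "<4.13.0", "/etc/ssh/sshd_config",
         "IgnoreRhosts%20yes%0APermitRootLogin%20no%0A"),
    _rem("sshd-disable-root-password-login", "<4.13.0", "/etc/ssh/sshd_config",
         "IgnoreRhosts%20yes%0APermitRootLogin%20no%0A"),
    _rem("sshd-disable-rhosts-1", ">=4.13.0",
         "/etc/ssh/sshd_config.d/00-complianceascode-IgnoreRhosts.conf", "IgnoreRhosts%20yes"),
    _rem("sshd-disable-root-password-login-1", ">=4.13.0",
         "/etc/ssh/sshd_config.d/00-complianceascode-PermitRootLogin.conf",
         "PermitRootLogin%20prohibit-password"),
]

if __name__ == "__main__":
    for ver in ("4.12.70", "4.20.0"):
        files = applicable_files(SAMPLE, ver)
        print(ver, check_layout(files), sorted(files))
```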

@yuumasato yuumasato force-pushed the sshd-rules-for-rhel8-and-rhel9-nodes branch from a86d77c to 4db17cd Compare September 30, 2025 21:50
This limits applicability of currently existing Kubernetes remediations to
OCP 4.12.
OCP 4.12 has RHEL8 based RHCOS nodes, which don't support drop-in
directories and are thus remediated by a single file.
This leads to poor granularity, with multiple rules being fixed by a
single remediation.
Limit applicability of this remediation to OCP 4.12 or older.
Remove Include sshd_config.d directive from sshd_config_source() macro.
RHEL8 nodes don't support .d config directory for the daemon.
Add a macro that renders a MachineConfig for SSHD rules, applicable
from OCP 4.13 and newer.
They leverage the SSHD drop-in config directory.
@yuumasato yuumasato force-pushed the sshd-rules-for-rhel8-and-rhel9-nodes branch from 4db17cd to bea5a27 Compare October 1, 2025 12:45
Leverage the drop-in macro to create SSHD drop-in MachineConfigs.
This makes each SSHD rule's remediation granular and independent from each
other, but only for OCP >=4.13, as drop-in files for sshd_config are not
supported in OCP 4.12.
@yuumasato yuumasato force-pushed the sshd-rules-for-rhel8-and-rhel9-nodes branch from bea5a27 to b82d81d Compare October 2, 2025 14:40
With RHEL9 nodes, RHCOS4 has support for drop-in files in sshd_config.d
directory.
@yuumasato yuumasato force-pushed the sshd-rules-for-rhel8-and-rhel9-nodes branch from 70c9324 to 7c090e7 Compare October 2, 2025 21:25
@openshift-ci

openshift-ci bot commented Oct 2, 2025

@yuumasato: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 7c090e7 link true /test e2e-aws-openshift-node-compliance


Collaborator

@rhmdnd rhmdnd left a comment


/lgtm

@xiaojiey
Collaborator

xiaojiey commented Oct 15, 2025

@yuumasato I have verified with several test scenarios. Tried to make sure "when OCP ≤ 4.12: Replaces entire /etc/ssh/sshd_config file; when OCP ≥ 4.13: Uses drop-in files in /etc/ssh/sshd_config.d/". Generally speaking, it works as expected. Just one minor issue: it seems I am not able to unapply a remediation for rule sshd-disable-rhosts, it always failed. It will automatically be updated to "Applied". I would like to know whether it is a real issue. Could you please take a look? Thanks.

  1. on a 4.12 cluster, tested whether "NULL pointer passed when /etc/ssh/sshd_config.d/ non-existent causing sshd to segfault" issue reproduced. Also tried to ssh to one node, it succeeded without any error.
    % oc get cr -oyaml | grep sshd_config.d
    %
  2. On a 4.20 cluster, verified that it is using drop-in files in /etc/ssh/sshd_config.d/. Also tried to ssh to one node from a bastion server, it succeeded without any error.
% oc get cr -oyaml | grep sshd_config.d
                path: /etc/ssh/sshd_config.d/00-complianceascode-IgnoreRhosts.conf
                path: /etc/ssh/sshd_config.d/00-complianceascode-sshd_set_idle_timeout.conf
                path: /etc/ssh/sshd_config.d/00-complianceascode-sshd_set_keepalive.conf
                path: /etc/ssh/sshd_config.d/00-complianceascode-IgnoreRhosts.conf
                path: /etc/ssh/sshd_config.d/00-complianceascode-sshd_set_idle_timeout.conf
                path: /etc/ssh/sshd_config.d/00-complianceascode-sshd_set_keepalive.conf
%  oc get cr upstream-rhcos4-moderate-master-sshd-disable-rhosts-1  -o=jsonpath={.spec.current}
{"object":{"apiVersion":"machineconfiguration.openshift.io/v1","kind":"MachineConfig","metadata":{},"spec":{"config":{"ignition":{"version":"3.1.0"},"storage":{"files":[{"contents":{"source":"data:,IgnoreRhosts%20yes"},"mode":384,"overwrite":true,"path":"/etc/ssh/sshd_config.d/00-complianceascode-IgnoreRhosts.conf"}]}}}}}%
  3. On the 4.20 cluster, tried to [unapply a remediation](https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/security_and_compliance/compliance-operator#compliance-unapplying_compliance-remediation) for rule sshd-disable-rhosts after the autoremediation applied, but it always failed. It will automatically be changed back to "Applied". I would like to know whether it is a real issue.
% oc edit cr upstream-rhcos4-moderate-master-sshd-disable-rhosts-1 upstream-rhcos4-moderate-worker-sshd-disable-rhosts-1
complianceremediation.compliance.openshift.io/upstream-rhcos4-moderate-master-sshd-disable-rhosts-1 edited
complianceremediation.compliance.openshift.io/upstream-rhcos4-moderate-worker-sshd-disable-rhosts-1 edited
% oc get cr | grep sshd
upstream-rhcos4-moderate-master-sshd-disable-rhosts-1                                                        NotApplied
upstream-rhcos4-moderate-master-sshd-set-idle-timeout-1                                                      Applied
upstream-rhcos4-moderate-master-sshd-set-keepalive-1                                                         Applied
upstream-rhcos4-moderate-worker-sshd-disable-rhosts-1                                                        NotApplied
upstream-rhcos4-moderate-worker-sshd-set-idle-timeout-1                                                      Applied
upstream-rhcos4-moderate-worker-sshd-set-keepalive-1                                                         Applied
% oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-279e59329210d2a19031bf9845c2659f   False     True       False      3              0                   0                     0                      4h41m
worker   rendered-worker-fbcd9098077620e61b3282ac7c326f8a   False     True       False      3              0                   0                     0                      4h41m
worker   rendered-worker-fbcd9098077620e61b3282ac7c326f8a   False     True       False      3              0                   0                     0                      4h41m
...
master   rendered-master-279e59329210d2a19031bf9845c2659f   True      False      False      3              3                   3                     0                      5h53m
worker   rendered-worker-fbcd9098077620e61b3282ac7c326f8a   True      False      False      3              3                   3                     0                      5h53m
% oc get cr | grep sshd
upstream-rhcos4-moderate-master-sshd-disable-rhosts-1                                                        Applied
upstream-rhcos4-moderate-master-sshd-set-idle-timeout-1                                                      Applied
upstream-rhcos4-moderate-master-sshd-set-keepalive-1                                                         Applied
upstream-rhcos4-moderate-worker-sshd-disable-rhosts-1                                                        Applied
upstream-rhcos4-moderate-worker-sshd-set-idle-timeout-1                                                      Applied
upstream-rhcos4-moderate-worker-sshd-set-keepalive-1                                                         Applied
% oc get ssb rhcos4-moderate-compliance -oyaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"compliance.openshift.io/v1alpha1","kind":"ScanSettingBinding","metadata":{"annotations":{},"name":"rhcos4-moderate-compliance","namespace":"openshift-compliance"},"profiles":[{"apiGroup":"compliance.openshift.io/v1alpha1","kind":"Profile","name":"upstream-rhcos4-moderate"}],"settingsRef":{"apiGroup":"compliance.openshift.io/v1alpha1","kind":"ScanSetting","name":"default-auto-apply"}}
  creationTimestamp: "2025-10-15T03:43:33Z"
  generation: 1
  name: rhcos4-moderate-compliance
  namespace: openshift-compliance
  resourceVersion: "81837"
  uid: 4b716a9a-874a-49fb-9017-e2f86e87873f
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: upstream-rhcos4-moderate
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply
status:
  conditions:
  - lastTransitionTime: "2025-10-15T03:43:33Z"
    message: The scan setting binding was successfully processed
    reason: Processed
    status: "True"
    type: Ready
  outputRef:
    apiGroup: compliance.openshift.io
    kind: ComplianceSuite
    name: rhcos4-moderate-compliance
  phase: READY

@yuumasato
Member Author

yuumasato commented Oct 15, 2025

@xiaojiey Thanks for thoroughly testing.

It seems to me that the remediation being re-applied is correct.
When using default-auto-apply ScanSetting, CO's Suite Reconciler will try to apply any remediation that is not applied.
The applyRemediation() function will unconditionally set Apply: true on all remediations related to a Suite with default-auto-apply ScanSetting.

@yuumasato yuumasato added the CoreOS CoreOS product related. label Oct 15, 2025
@xiaojiey
Collaborator

/lgtm

@rhmdnd rhmdnd merged commit 9f531ed into ComplianceAsCode:master Oct 16, 2025
132 of 136 checks passed
@yuumasato yuumasato deleted the sshd-rules-for-rhel8-and-rhel9-nodes branch October 17, 2025 12:16