CNF-22620: RAN Hardening (4.23) - SSHD Configuration (M1)#674

Open
sebrandon1 wants to merge 1 commit into openshift-kni:main from sebrandon1:compliance/4.22/m1-sshd-medium

Conversation

@sebrandon1
Contributor

Summary

  • MEDIUM severity SSHD hardening (7 settings) via drop-in at /etc/ssh/sshd_config.d/00-compliance-sshd-hardening.conf
  • Uses 00- prefix to load before 50-redhat.conf (SSHD first-match-wins)
  • Verified on OCP 4.22 (cnfdt16) — all 7 settings effective

Remediation Group

Jira

Test plan

  • Applied MachineConfig to OCP 4.22 cluster
  • Verified all 7 SSHD settings effective via sshd -T
  • MCP rollout completed without errors
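
The test-plan step above ("all 7 SSHD settings effective via sshd -T"), as an added example that is not part of this PR: a POSIX shell check that parses an sshd -T dump and reports any of the seven keywords whose effective value differs from the drop-in, which is what catches an ordering mistake (a drop-in that sorts after 50-redhat.conf loses under first-match-wins). Keyword names and yes/no values are the ones listed in the PR summary and the CodeRabbit walkthrough; the sshd -T excerpts embedded in the block are constructed, not captured from a cluster.

```sh
#!/bin/sh
# Added example (not from the PR). sshd -T prints the merged, effective
# configuration; because sshd applies the first occurrence of a keyword,
# 00-compliance-sshd-hardening.conf must sort before 50-redhat.conf.

# Expected effective values as sshd -T prints them (keywords lowercased).
# Names/values follow the PR description and walkthrough.
EXPECTED='permitrootlogin no
gssapiauthentication no
ignorerhosts yes
ignoreuserknownhosts yes
strictmodes yes
printlastlog yes
permituserenvironment no'

# check_effective DUMP: DUMP is the full text of `sshd -T`. Prints one line
# per mismatch ("keyword want=X got=Y") and returns 1; returns 0 if all match.
check_effective() {
    mismatches=$(printf '%s\n' "$EXPECTED" | while read -r key want; do
        got=$(printf '%s\n' "$1" | awk -v k="$key" '$1 == k { print $2; exit }')
        [ "$got" = "$want" ] || echo "$key want=$want got=${got:-<unset>}"
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Constructed sshd -T excerpt for a node where the drop-in loaded first.
SAMPLE_OK='port 22
permitrootlogin no
gssapiauthentication no
ignorerhosts yes
ignoreuserknownhosts yes
strictmodes yes
printlastlog yes
permituserenvironment no'

# Constructed excerpt where the drop-in lost the ordering race: two keywords
# fell back to other values and one is missing from the dump entirely.
SAMPLE_BAD='port 22
permitrootlogin yes
gssapiauthentication no
ignorerhosts yes
ignoreuserknownhosts no
strictmodes yes
printlastlog yes'

check_effective "$SAMPLE_OK" && echo "hardened sample: all 7 settings effective"
check_effective "$SAMPLE_BAD" || echo "weak sample: mismatches listed above"
```

On a node, run it as root with the live dump: `check_effective "$(sshd -T)"`.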

@openshift-ci-robot
Collaborator

openshift-ci-robot commented Mar 24, 2026

@sebrandon1: This pull request references CNF-22620 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci bot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign lack for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested review from MarSik and imiller0 March 24, 2026 20:35
@sebrandon1 sebrandon1 force-pushed the compliance/4.22/m1-sshd-medium branch 2 times, most recently from 81205d4 to fc7f647 on March 25, 2026 20:30
@coderabbitai

coderabbitai bot commented Mar 25, 2026

Warning

Rate limit exceeded

@sebrandon1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 43 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between fc7f647 and 207208d.

📒 Files selected for processing (2)
  • telco-ran/configuration/machineconfigs/sshd/00-compliance-sshd-hardening-master.yaml
  • telco-ran/configuration/machineconfigs/sshd/00-compliance-sshd-hardening-worker.yaml
Walkthrough

Two new OpenShift MachineConfig resources are added to apply SSH hardening configurations to master and worker nodes. Each config provisions an SSH daemon configuration file with identical security settings, including disabling root login and GSSAPI authentication, and enabling additional security-related SSH options.

Changes

Cohort / File(s): SSH Hardening MachineConfigs
  telco-ran/configuration/machineconfigs/sshd/00-compliance-sshd-hardening-master.yaml
  telco-ran/configuration/machineconfigs/sshd/00-compliance-sshd-hardening-worker.yaml
Summary: Added two new MachineConfig resources that provision identical SSH hardening configurations to /etc/ssh/sshd_config.d/00-compliance-sshd-hardening.conf for the master and worker node roles respectively. The configurations disable root login and GSSAPI authentication, enable IgnoreRhosts, IgnoreUserKnownHosts, StrictModes, and PrintLastLog, and disable PermitUserEnvironment.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks: 3 passed
  • Title check: Passed. The title clearly and specifically describes the main change: SSHD hardening configuration for RAN (M1) addressing JIRA CNF-22620, matching the changeset which adds SSH hardening MachineConfigs.
  • Description check: Passed. The description is directly related to the changeset, providing context about the SSHD hardening settings, the drop-in configuration file, remediation group, verification testing, and relevant JIRA/Epic references.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@sebrandon1 sebrandon1 force-pushed the compliance/4.22/m1-sshd-medium branch from fc7f647 to 207208d on March 26, 2026 20:27