Disable SSH Server If Possible
An XCCDF Rule
Description
Instead of using ssh to remotely log in to a cluster node, it is recommended
to use oc debug. The sshd service can be disabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-sshd-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: sshd.service
This will disable the sshd service on all nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool: a worker pool needs
its own MachineConfig with the role label (and the name) set to worker, and the
same applies to any custom pool. The Machine Config Operator applies the change
by draining and rebooting each node in the pool in turn.
For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation.
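The following script is an added example, not part of this rule's content or of the ComplianceAsCode project: it renders the manifest above for every MachineConfigPool in the cluster, applies it, waits for the pool to roll out, and then verifies the result on each node through oc debug, the access path the rule recommends instead of ssh. The helper names (render_sshd_disable_mc, sshd_state_ok, apply_to_all_pools, check_all_nodes) are this example's own.

```shell
#!/bin/sh
# Added example: disable sshd on every MachineConfigPool and verify it.
# Helper names are this example's own, not ComplianceAsCode's.
set -eu

# Render the MachineConfig from the rule description for one pool role
# (master, worker, or a custom pool). Name follows the 75-<role>-sshd-disable
# convention used in the description.
render_sshd_disable_mc() {
  role="$1"
  cat <<EOF
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: 75-${role}-sshd-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: sshd.service
EOF
}

# Interpret the output of `systemctl is-enabled sshd.service` on a node.
# Returns 0 when the unit will not start at boot, 1 for anything else
# (including an empty string, i.e. the command failed to run).
sshd_state_ok() {
  case "$1" in
    disabled|masked|masked-runtime) return 0 ;;
    *) return 1 ;;
  esac
}

# Apply one MachineConfig per pool. The MCO drains and reboots the nodes of
# each pool in turn, so run this in a maintenance window.
apply_to_all_pools() {
  for role in $(oc get machineconfigpool -o jsonpath='{.items[*].metadata.name}'); do
    render_sshd_disable_mc "$role" | oc apply -f -
    oc wait "machineconfigpool/${role}" --for=condition=Updated=True --timeout=30m
  done
}

# Check a single node via oc debug; `|| true` keeps the output even though
# systemctl exits non-zero for a disabled unit.
check_node() {
  node="$1"
  state=$(oc debug "node/${node}" -q -- chroot /host systemctl is-enabled sshd.service 2>/dev/null || true)
  if sshd_state_ok "$state"; then
    echo "${node}: sshd ${state}"
  else
    echo "${node}: sshd is '${state}', MachineConfig not applied?" >&2
    return 1
  fi
}

check_all_nodes() {
  rc=0
  for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    check_node "$node" || rc=1
  done
  return $rc
}

# Usage: ./sshd-disable.sh apply   (requires oc and cluster-admin)
#        ./sshd-disable.sh check
if [ "${1:-}" = "apply" ]; then apply_to_all_pools; fi
if [ "${1:-}" = "check" ]; then check_all_nodes; fi
```

`enabled: false` only stops the unit from starting at boot; a node operator could still start it by hand. If that matters for your threat model, Ignition 3.x also accepts `mask: true` on a systemd unit, which goes beyond the manifest on this page and makes the unit unstartable until the MachineConfig is reverted.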
Rationale
Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Container Platform. Remote management of the RHCOS nodes is performed at the OpenShift Container Platform API level. As a result, any direct remote access to the RHCOS nodes is unnecessary. Disabling the SSHD service helps reduce the number of open ports on each host.
- ID
- xccdf_org.ssgproject.content_rule_service_sshd_disabled
- Severity
- High
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: sshd.service
# metadata (name and role label) is supplied per MachineConfigPool, as in the description's manifest
Remediation - script:ignition
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: sshd.service
# metadata (name and role label) is supplied per MachineConfigPool, as in the description's manifest