From e43061d474224b0858ebe1b79543323c05c86f73 Mon Sep 17 00:00:00 2001
From: Brandon Palm
Date: Thu, 26 Mar 2026 19:01:23 -0500
Subject: [PATCH] Enable sshd distributed config checking for OCP4

OCP4 runs on RHCOS4, which already has sshd_distributed_config set to true. However, OCP4 product definition had it set to false, causing SSHD compliance checks to only scan /etc/ssh/sshd_config and miss settings in /etc/ssh/sshd_config.d/*.conf drop-in files. Since RHCOS 9 uses the drop-in config model, SSHD hardening settings in sshd_config.d/ are functionally correct but invisible to the scanner. This causes false FAIL results for checks like sshd_set_idle_timeout, sshd_disable_gssapi_auth, and sshd_set_loglevel_info when remediations use drop-in files. Enable sshd_distributed_config for OCP4 to match the underlying RHCOS4 behavior, allowing the scanner to check both the main sshd_config and drop-in files in sshd_config.d/.
---
 products/ocp4/product.yml | 2 ++
 tests/data/product_stability/ocp4.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/products/ocp4/product.yml b/products/ocp4/product.yml
index bb90cc09aff4..7e3ee42f751b 100644
--- a/products/ocp4/product.yml
+++ b/products/ocp4/product.yml
@@ -11,6 +11,8 @@ pkg_system: "rpm" init_system: "systemd" +sshd_distributed_config: "true" + reference_uris: cis: 'https://www.cisecurity.org/benchmark/kubernetes/' stigid: 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform'
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index ef26a4389444..9bdc873ce751 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
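Review bot: The added `sshd_distributed_config: "true"` in products/ocp4/product.yml has no comment recording that it must track the RHCOS4 value, which is the mismatch this commit corrects. A line above the key such as `# Keep in sync with the RHCOS4 product: sshd checks also read /etc/ssh/sshd_config.d/*.conf` would make that coupling visible to the next editor. Since sshd generally keeps the first value it reads for a keyword, it is also worth confirming, outside what this patch shows, that the checks this flag switches on still fail when the main sshd_config and a drop-in disagree, so that the false FAILs described in the message are not traded for false PASSes.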
@@ -200,7 +200,7 @@ reference_uris:
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_config_base_dir: /etc/ssh
 sshd_config_dir: /etc/ssh/sshd_config.d
-sshd_distributed_config: 'false'
+sshd_distributed_config: 'true'
 sshd_hardening_config_basename: 00-complianceascode-hardening.conf
 sshd_main_config_file: /etc/ssh/sshd_config
 sshd_sysconfig_file: /etc/sysconfig/sshd