CNF-21212: RAN Hardening (5.0) - PAM Empty Passwords (H2)#736
CNF-21212: RAN Hardening (5.0) - PAM Empty Passwords (H2)#736sebrandon1 wants to merge 1 commit into
Conversation
|
@sebrandon1: This pull request references CNF-21212 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sebrandon1 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughTwo new OpenShift ChangesPAM Hardening MachineConfigs
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Verification Test ResultsTested on cnfdt16 (OCP 4.22, RHCOS 9.8.20260403-0, 3 masters + 2 workers). Apply: Applied Result: PASS — |
88ead65 to
eb1ef29
Compare
|
I'm considering a potential upstream of this PAM Empty Passwords change. The upstream |
eb1ef29 to
9b9a40e
Compare
bb14e37 to
881c68d
Compare
|
Note: we have an upstream PR open to remove |
|
@sebrandon1: This pull request references CNF-21212 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
2dc0cff to
21c0ad2
Compare
Verification Test ResultsTested on cnfdt16 (OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2.20260617-0, Kubernetes v1.35.3, 3 masters + 2 workers). Baseline: All Result: PASS — All 6 PAM/SSHD empty password checks PASS. Note: vanilla RHCOS 10 already passes these checks (RHEL 10 updated the PAM stack). This MachineConfig provides defense-in-depth hardening. |
Remove nullok from PAM system-auth and password-auth on both master and worker nodes.
21c0ad2 to
0214074
Compare
|
Superseded by #821 — migrated to |
Summary
Adds MachineConfig to remove the
nullokoption from PAM authentication on both master and worker nodes.This addresses HIGH severity E8 compliance check
rhcos4-e8-no-empty-passwordswhich requires preventing authentication with empty passwords./etc/pam.d/system-authwithnullokremovedUpstream
We have an open PR to fix this in the RHCOS base image so this MachineConfig remediation would no longer be needed:
without-nullokWe also have an upstream fix for the broken compliance-operator remediation:
no_empty_passwordsremediation for RHCOS 9Files
75-pam-auth-high-master.yaml75-pam-auth-high-worker.yamlVerification
After applying to a cluster, verify with:
oc debug node/ -- chroot /host grep nullok /etc/pam.d/system-auth # Expected: no output (nullok removed)Compliance scan verification:
Jira
References