Skip to content

CNF-21212: RAN Hardening (5.0) - PAM Empty Passwords (H2)#736

Closed
sebrandon1 wants to merge 1 commit into
openshift-kni:mainfrom
sebrandon1:compliance/4.22/h2-pam-nullok
Closed

CNF-21212: RAN Hardening (5.0) - PAM Empty Passwords (H2)#736
sebrandon1 wants to merge 1 commit into
openshift-kni:mainfrom
sebrandon1:compliance/4.22/h2-pam-nullok

Conversation

@sebrandon1

@sebrandon1 sebrandon1 commented May 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds MachineConfig to remove the nullok option from PAM authentication on both master and worker nodes.

This addresses HIGH severity E8 compliance check rhcos4-e8-no-empty-passwords which requires preventing authentication with empty passwords.

  • Deploys the correct RHCOS 9 /etc/pam.d/system-auth with nullok removed
  • Uses the actual RHCOS 9 PAM stack (not the broken operator-generated RHEL 8 template)
  • Separate master and worker MachineConfig files

Upstream

We have an open PR to fix this in the RHCOS base image so this MachineConfig remediation would no longer be needed:

We also have an upstream fix for the broken compliance-operator remediation:

Files

  • 75-pam-auth-high-master.yaml
  • 75-pam-auth-high-worker.yaml

Verification

After applying to a cluster, verify with:

oc debug node/ -- chroot /host grep nullok /etc/pam.d/system-auth
# Expected: no output (nullok removed)

Compliance scan verification:

oc get compliancecheckresult -n openshift-compliance | grep no-empty-passwords
# Expected: PASS

Jira

References

@openshift-ci-robot

openshift-ci-robot commented May 1, 2026

Copy link
Copy Markdown
Collaborator

@sebrandon1: This pull request references CNF-21212 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Adds MachineConfig to remove the nullok option from PAM authentication on both master and worker nodes.

This addresses HIGH severity E8 compliance check rhcos4-e8-no-empty-passwords which requires preventing authentication with empty passwords.

  • Deploys the correct RHCOS 9 /etc/pam.d/system-auth with nullok removed
  • Uses the actual RHCOS 9 PAM stack (not the broken operator-generated RHEL 8 template)
  • Separate master and worker MachineConfig files

Files

  • 75-pam-auth-high-master.yaml
  • 75-pam-auth-high-worker.yaml

Verification

After applying to a cluster, verify with:

oc debug node/<node> -- chroot /host grep nullok /etc/pam.d/system-auth
# Expected: no output (nullok removed)

Compliance scan verification:

oc get compliancecheckresult -n openshift-compliance | grep no-empty-passwords
# Expected: PASS

Jira

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented May 1, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign irinamihai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from fedepaol and yuvalk May 1, 2026 22:59
@coderabbitai

coderabbitai Bot commented May 1, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 94128791-0761-458c-b317-6e1fd2b59ce0

📥 Commits

Reviewing files that changed from the base of the PR and between 8da6552 and 0214074.

📒 Files selected for processing (2)
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-worker.yaml

📝 Walkthrough

Walkthrough

Two new OpenShift MachineConfig resources are added under the informational/hardening directory. 75-pam-auth-high-master targets the master role and 75-pam-auth-high-worker targets the worker role. Both use Ignition v3.5.0 to overwrite /etc/pam.d/system-auth and /etc/pam.d/password-auth (mode 0644, overwrite: true), embedding PAM stacks with nullok removed from pam_unix.so auth and password lines.

Changes

PAM Hardening MachineConfigs

Layer / File(s) Summary
PAM nullok removal MachineConfigs for master and worker
telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-master.yaml, telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-worker.yaml
Adds two new MachineConfig resources (75-pam-auth-high-master and 75-pam-auth-high-worker) using Ignition v3.5.0. Both overwrite /etc/pam.d/system-auth and /etc/pam.d/password-auth with mode 0644 and overwrite: true, embedding full PAM configuration stacks that remove nullok from pam_unix.so auth and password lines.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly references the primary change: adding PAM authentication hardening (removing nullok option) for compliance with E8 requirements, directly matching the changeset content.
Description check ✅ Passed The description comprehensively explains the PAM configuration changes, compliance objectives, file structure, and includes verification steps and upstream context, all directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sebrandon1

Copy link
Copy Markdown
Contributor Author

Verification Test Results

Tested on cnfdt16 (OCP 4.22, RHCOS 9.8.20260403-0, 3 masters + 2 workers).

Apply: Applied 75-pam-auth-high-{master,worker}.yaml via oc apply.
Wait: MCP rolling update completed on all 5 nodes.
Verify:

$ oc debug node/cnfdt16-master-0 -- chroot /host grep -c nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
/etc/pam.d/system-auth:0
/etc/pam.d/password-auth:0

$ oc debug node/cnfdt16-worker-0 -- chroot /host grep -c nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
/etc/pam.d/system-auth:0
/etc/pam.d/password-auth:0

Result: PASS — nullok removed from both system-auth and password-auth PAM configs on all master and worker nodes.

@sebrandon1 sebrandon1 force-pushed the compliance/4.22/h2-pam-nullok branch from 88ead65 to eb1ef29 Compare May 4, 2026 20:34
@sebrandon1

Copy link
Copy Markdown
Contributor Author

I'm considering a potential upstream of this PAM Empty Passwords change.

authselect/authselect#94

The upstream authselect allows for the ability to disable empty passwords. I'm discussing what it would mean to disable empty passwords for RHCOS in Slack: https://redhat-internal.slack.com/archives/C08RWRUQ18T/p1778008748582319

@sebrandon1 sebrandon1 force-pushed the compliance/4.22/h2-pam-nullok branch from eb1ef29 to 9b9a40e Compare May 8, 2026 15:48
@sebrandon1 sebrandon1 force-pushed the compliance/4.22/h2-pam-nullok branch 2 times, most recently from bb14e37 to 881c68d Compare June 5, 2026 16:19
@sebrandon1

Copy link
Copy Markdown
Contributor Author

Note: we have an upstream PR open to remove nullok from the RHCOS base image directly — coreos/rhel-coreos-config#255. If that lands, this MachineConfig remediation would no longer be needed for new RHCOS builds.

@openshift-ci-robot

openshift-ci-robot commented Jun 11, 2026

Copy link
Copy Markdown
Collaborator

@sebrandon1: This pull request references CNF-21212 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Adds MachineConfig to remove the nullok option from PAM authentication on both master and worker nodes.

This addresses HIGH severity E8 compliance check rhcos4-e8-no-empty-passwords which requires preventing authentication with empty passwords.

  • Deploys the correct RHCOS 9 /etc/pam.d/system-auth with nullok removed
  • Uses the actual RHCOS 9 PAM stack (not the broken operator-generated RHEL 8 template)
  • Separate master and worker MachineConfig files

Upstream

We have an open PR to fix this in the RHCOS base image so this MachineConfig remediation would no longer be needed:

We also have an upstream fix for the broken compliance-operator remediation:

Files

  • 75-pam-auth-high-master.yaml
  • 75-pam-auth-high-worker.yaml

Verification

After applying to a cluster, verify with:

oc debug node/ -- chroot /host grep nullok /etc/pam.d/system-auth
# Expected: no output (nullok removed)

Compliance scan verification:

oc get compliancecheckresult -n openshift-compliance | grep no-empty-passwords
# Expected: PASS

Jira

References

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sebrandon1 sebrandon1 force-pushed the compliance/4.22/h2-pam-nullok branch 2 times, most recently from 2dc0cff to 21c0ad2 Compare June 18, 2026 16:51
@sebrandon1

Copy link
Copy Markdown
Contributor Author

Verification Test Results

Tested on cnfdt16 (OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2.20260617-0, Kubernetes v1.35.3, 3 masters + 2 workers).

Baseline: All no-empty-passwords and sshd-disable-empty-passwords checks already PASS on vanilla RHCOS 10 (SHA-1 distrusted and PAM stack updated in RHEL 10).
Apply: Applied 75-pam-auth-high-{master,worker}.yaml via oc apply.
Wait: MCP rolling update completed on all 5 nodes.
Verify:

$ oc get compliancecheckresult -n openshift-compliance | grep -i 'no-empty-passwords\|sshd-disable-empty'
rhcos4-e8-master-no-empty-passwords           PASS   high
rhcos4-e8-master-sshd-disable-empty-passwords PASS   high
rhcos4-e8-worker-no-empty-passwords           PASS   high
rhcos4-e8-worker-sshd-disable-empty-passwords PASS   high
rhcos4-moderate-master-no-empty-passwords     PASS   high
rhcos4-moderate-worker-no-empty-passwords     PASS   high

Result: PASS — All 6 PAM/SSHD empty password checks PASS. Note: vanilla RHCOS 10 already passes these checks (RHEL 10 updated the PAM stack). This MachineConfig provides defense-in-depth hardening.

Remove nullok from PAM system-auth and password-auth on both
master and worker nodes.
@sebrandon1

Copy link
Copy Markdown
Contributor Author

Superseded by #821 — migrated to compliance/5.0/h2-pam-nullok branch.

@sebrandon1 sebrandon1 closed this Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants