File: rule.yml

scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (49 lines) | stat: -rw-r--r-- 1,524 bytes
documentation_complete: true

title: 'Disable SSH Server If Possible'

description: |-
    {{% if product == "rhcos4" %}}
    Instead of using ssh to remotely log in to a cluster node, it is recommended
    to use <tt>oc debug</tt>.
    {{{ describe_service_disable(service="sshd") }}}
    {{% else %}}
    The SSH server service, sshd, is commonly needed.
    However, if it can be disabled, do so.
    This is unusual, as SSH is a common method for encrypted and authenticated
    remote access.
    {{% endif %}}

rationale: |-
    {{% if product == "rhcos4" %}}
    Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container
    operating system. RHCOS is only supported as a component of the
    OpenShift Container Platform. Remote management of the RHCOS nodes is
    performed at the OpenShift Container Platform API level. As a result,
    any direct remote access to the RHCOS nodes is unnecessary. Disabling
    the SSHD service helps reduce the number of open ports on each host.
    {{% endif %}}

references:
  nist: CM-3(6),IA-2(4)
  srg: SRG-APP-000185-CTR-000490,SRG-APP-000141-CTR-000315

severity: high

identifiers:
    cce@rhcos4: CCE-86189-8

ocil_clause: |-
    {{{ ocil_clause_service_disabled(service="sshd") }}}

ocil: |-
    {{{ ocil_service_disabled(service="sshd") }}}

template:
    name: service_disabled
    vars:
        servicename: sshd
        packagename: openssh-server
        packagename@opensuse: openssh
        packagename@sle12: openssh
        daemonname@debian11: ssh