
CNF-21212: RAN Hardening (4.22) - HIGH Severity Compliance Remediations#529

Closed
sebrandon1 wants to merge 1 commit into
openshift-kni:mainfrom
sebrandon1:high-severity-hardening

Conversation

@sebrandon1
Contributor

@sebrandon1 sebrandon1 commented Jan 14, 2026

Summary

Add 2 MachineConfigs for HIGH severity compliance remediations from the OpenShift Compliance Operator (E8/CIS benchmarks).

Remediation Groups

HIGH Severity Settings

Group | Category      | MachineConfig              | Setting       | Value
H1    | Crypto Policy | 75-crypto-policy-high.yaml | crypto-policy | DEFAULT:NO-SHA1
H2    | PAM Auth      | 75-pam-auth-high.yaml      | nullok        | removed from PAM

Implementation Notes

  • Crypto policy: Uses a systemd oneshot unit with idempotency check
  • PAM hardening: Uses sed to remove nullok option (prevents empty password auth)

Compliance Checks Remediated

  • rhcos4-e8-worker-configure-crypto-policy
  • rhcos4-e8-master-configure-crypto-policy
  • rhcos4-e8-worker-no-empty-passwords
  • rhcos4-e8-master-no-empty-passwords

Related

Test plan

  • Apply MachineConfigs to a test cluster
  • Verify crypto policy: update-crypto-policies --show (expect DEFAULT:NO-SHA1)
  • Verify PAM: grep nullok /etc/pam.d/{system,password}-auth (expect no output)
  • Run Compliance Operator scan to verify checks pass

🤖 Generated with Claude Code

@openshift-ci-robot
Collaborator

@sebrandon1: This pull request references CNF-21212 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Summary

  • Add 3 MachineConfigs for HIGH severity compliance remediations from the OpenShift Compliance Operator (E8/CIS benchmarks)
  • These are the most critical security hardening settings per CO severity classification
  • Related Jira: CNF-21212

HIGH Severity Settings

Group | Category      | MachineConfig              | Description
H1    | Crypto Policy | 75-crypto-policy-high.yaml | Configure system-wide crypto policy (DEFAULT:NO-SHA1)
H2    | PAM Auth      | 75-pam-auth-high.yaml      | Remove nullok from PAM to disable empty passwords
H3    | SSHD          | 75-sshd-high.yaml          | Set PermitEmptyPasswords no via sshd_config.d drop-in

Implementation Notes

  • Crypto policy uses a systemd oneshot unit with idempotency check
  • PAM hardening uses sed to remove nullok option (prevents empty password auth)
  • SSHD uses a drop-in file approach for minimal impact

Test plan

  • Apply MachineConfigs to a test cluster
  • Verify crypto policy is set: update-crypto-policies --show
  • Verify PAM files don't contain nullok: grep nullok /etc/pam.d/{system,password}-auth
  • Verify sshd config: sshd -T | grep permitemptypasswords
  • Run Compliance Operator scan to verify remediations

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
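
How the "drop-in file approach" and the systemd unit become a MachineConfig, as an added example (this is not a file from this PR or from the openshift-kni repository): Ignition wants each file's contents as an RFC 2397 data: URL and the file mode as a decimal integer, both easy to get wrong by hand. The functions below build and round-trip the data URL and render one manifest carrying the sshd drop-in and the crypto-policy oneshot unit. The object name `75-ran-high-hardening-<role>`, the drop-in path and the unit name are my choices, not names from the PR, and the unit is ordered before multi-user.target as the review later in this thread suggests.

```bash
#!/usr/bin/env bash
# Added example: render a MachineConfig that ships an sshd_config.d drop-in
# and a crypto-policy systemd unit, encoding file contents as Ignition expects.
set -eu

# ignition_data_url CONTENT: Ignition storage.files sources are RFC 2397 data
# URLs; base64 keeps newlines and quotes intact, tr strips the line wrapping
# that coreutils base64 adds every 76 columns.
ignition_data_url() {
  printf 'data:text/plain;charset=utf-8;base64,%s' \
    "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# decode_data_url URL: recover the payload, used to prove the round trip
# before a manifest is committed to the repo.
decode_data_url() {
  printf '%s' "${1#*,}" | base64 -d
}

# render_hardening_mc ROLE: print the manifest for "master" or "worker".
# mode is decimal (420 == 0644); overwrite: true replaces an existing file at
# that path instead of failing. Object name, drop-in path and unit name are
# assumptions for this example, not names taken from the PR.
render_hardening_mc() {
  role=$1
  drop_in_url=$(ignition_data_url 'PermitEmptyPasswords no')
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-ran-high-hardening-${role}
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/ssh/sshd_config.d/40-permit-empty-passwords.conf
          mode: 420
          overwrite: true
          contents:
            source: ${drop_in_url}
    systemd:
      units:
        - name: crypto-policy-high.service
          enabled: true
          contents: |
            [Unit]
            Description=Configure System Crypto Policy
            Before=multi-user.target sshd.service
            After=systemd-machine-id-commit.service
            [Service]
            Type=oneshot
            ExecStart=/usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
            RemainAfterExit=yes
            [Install]
            WantedBy=multi-user.target
EOF
}

# Demo: render the worker manifest and show that the embedded drop-in decodes
# back to the intended sshd directive.
render_hardening_mc worker
printf '# decoded drop-in: %s\n' \
  "$(decode_data_url "$(ignition_data_url 'PermitEmptyPasswords no')")"
```

After `oc apply -f`, check on a node with `sshd -T | grep permitemptypasswords` as the test plan says. sshd uses the first value it reads for a keyword, so a drop-in that has to win over another file in sshd_config.d needs a name that sorts earlier.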

@openshift-ci openshift-ci Bot requested review from SchSeba and ffromani January 14, 2026 17:16
@openshift-ci

openshift-ci Bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign imiller0 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot
Collaborator

@sebrandon1: This pull request references CNF-21212 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Summary

  • Add 2 MachineConfigs for HIGH severity compliance remediations from the OpenShift Compliance Operator (E8/CIS benchmarks)
  • These are the most critical security hardening settings per CO severity classification
  • Related Jira: CNF-21212

HIGH Severity Settings

Group | Category      | MachineConfig              | Description
H1    | Crypto Policy | 75-crypto-policy-high.yaml | Configure system-wide crypto policy (DEFAULT:NO-SHA1)
H2    | PAM Auth      | 75-pam-auth-high.yaml      | Remove nullok from PAM to disable empty passwords

Note: The HIGH severity SSHD setting (PermitEmptyPasswords) is consolidated with other SSHD settings in PR #466 to keep all SSH hardening together.

Implementation Notes

  • Crypto policy uses a systemd oneshot unit with idempotency check
  • PAM hardening uses sed to remove nullok option (prevents empty password auth)

Test plan

  • Apply MachineConfigs to a test cluster
  • Verify crypto policy is set: update-crypto-policies --show
  • Verify PAM files don't contain nullok: grep nullok /etc/pam.d/{system,password}-auth
  • Run Compliance Operator scan to verify remediations

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Collaborator

@sebrandon1: This pull request references CNF-21212 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Summary

Add 2 MachineConfigs for HIGH severity compliance remediations from the OpenShift Compliance Operator (E8/CIS benchmarks).

Remediation Groups

HIGH Severity Settings

Group | Category      | MachineConfig              | Setting       | Value
H1    | Crypto Policy | 75-crypto-policy-high.yaml | crypto-policy | DEFAULT:NO-SHA1
H2    | PAM Auth      | 75-pam-auth-high.yaml      | nullok        | removed from PAM

Implementation Notes

  • Crypto policy: Uses a systemd oneshot unit with idempotency check
  • PAM hardening: Uses sed to remove nullok option (prevents empty password auth)

Compliance Checks Remediated

  • rhcos4-e8-worker-configure-crypto-policy
  • rhcos4-e8-master-configure-crypto-policy
  • rhcos4-e8-worker-no-empty-passwords
  • rhcos4-e8-master-no-empty-passwords

Related

Test plan

  • Apply MachineConfigs to a test cluster
  • Verify crypto policy: update-crypto-policies --show (expect DEFAULT:NO-SHA1)
  • Verify PAM: grep nullok /etc/pam.d/{system,password}-auth (expect no output)
  • Run Compliance Operator scan to verify checks pass

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sebrandon1 sebrandon1 force-pushed the high-severity-hardening branch 2 times, most recently from e86aac8 to adad827 on March 18, 2026 16:18
@sebrandon1 sebrandon1 changed the title from "CNF-21212: RAN Hardening - HIGH Severity Compliance Remediations" to "CNF-21212: RAN Hardening (4.22) - HIGH Severity Compliance Remediations" on Mar 24, 2026
@sebrandon1 sebrandon1 force-pushed the high-severity-hardening branch from adad827 to 91856c2 on March 26, 2026 16:08
@coderabbitai

coderabbitai Bot commented Mar 26, 2026

Warning

Rate limit exceeded

@sebrandon1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 16 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 3580903 and 0f629f6.

📒 Files selected for processing (9)
  • telco-ran/configuration/kube-compare-reference/hack/compare_ignore
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-worker.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-worker.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-worker.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/README.md
  • telco-ran/configuration/kube-compare-reference/metadata.yaml
📝 Walkthrough

Adds six new OpenShift MachineConfig resources for security hardening (crypto policy, PAM authentication, SSH configuration), registers them in metadata, updates ignore patterns, and provides documentation for the hardening reference configurations.

Changes

Crypto Policy Hardening
  • Files: telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-master.yaml, telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-worker.yaml
  • Summary: Adds MachineConfig resources for both master and worker roles that enable a systemd service to set crypto policy to DEFAULT:NO-SHA1, excluding SHA1 from allowed algorithms.

PAM Authentication Hardening
  • Files: telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-master.yaml, telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-worker.yaml
  • Summary: Adds MachineConfig resources for both master and worker roles that overwrite PAM configuration files (/etc/pam.d/system-auth and /etc/pam.d/password-auth) removing the nullok option from authentication modules.

SSHD Configuration Hardening
  • Files: telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-master.yaml, telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-worker.yaml
  • Summary: Adds MachineConfig resources for both master and worker roles that write SSHD configuration fragments disabling empty password authentication (PermitEmptyPasswords no).

Metadata and Supporting Configuration
  • Files: telco-ran/configuration/kube-compare-reference/metadata.yaml, telco-ran/configuration/kube-compare-reference/hack/compare_ignore
  • Summary: Registers the new informational-hardening part and component group in metadata; adds six hardening config paths to the compare_ignore list to treat validation differences as warnings.

Documentation
  • Files: telco-ran/configuration/kube-compare-reference/informational/hardening/README.md
  • Summary: Adds documentation describing the hardening reference configurations as informational guidance for HIGH severity compliance remediations from OpenShift Compliance Operator findings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 3 passed

  • Title check ✅ Passed: The title accurately summarizes the main change: adding HIGH severity compliance remediations for RAN hardening with specific reference to Jira ticket CNF-21212 and OpenShift version 4.22.
  • Description check ✅ Passed: The description is comprehensive and directly related to the changeset, providing context on the two MachineConfig groups (crypto policy and PAM authentication), implementation details, remediated compliance checks, and a test plan.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@sebrandon1
Contributor Author

Updated H1 and H2 Remediations

Rewrote both MachineConfigs after discovering the compliance operator's own remediations are broken:

H1 (Crypto Policy): Now deploys systemd unit to both master and worker roles. Fixed service ordering. Removed single-run guard.

H2 (PAM Empty Passwords): Compliance operator generates RHEL 8 era PAM templates that don't match RHCOS 9. Scanner still reports FAIL after applying the operator's own remediation. Fix: use actual RHCOS 9 system-auth/password-auth with nullok surgically removed.

Verified on cnfdt16 (OCP 4.22, 3 masters + 2 workers): H1 PASS, H2 PASS, H3 PASS (via PR #466).


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-master.yaml`:
- Around line 16-26: The unit currently only orders Before=sshd.service so many
services started by multi-user.target may inherit the old policy; modify the
unit that contains ExecStart=/usr/bin/update-crypto-policies --set
DEFAULT:NO-SHA1 (the oneshot service with RemainAfterExit=yes and
WantedBy=multi-user.target) to order it before multi-user.target (e.g., replace
or add Before=multi-user.target) so the crypto policy is applied before all
multi-user services start.

In `@telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-worker.yaml`:
- Around line 16-26: The unit runs update-crypto-policies
(ExecStart=/usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1) too late (only
Before=sshd.service, WantedBy=multi-user.target) so other critical daemons may
start without the new policy; modify the unit in
75-crypto-policy-high-worker.yaml to explicitly order it before workload
services (e.g., add Before=kubelet.service containerd.service docker.service
crio.service sshd.service) while keeping
After=systemd-machine-id-commit.service, and move the install target earlier
(e.g., change WantedBy=basic.target or sysinit.target) so the policy is applied
before those services initialize.

In `@telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-master.yaml`:
- Around line 13-24: The MachineConfig "75-pam-auth-high-master.yaml" is pinning
full PAM files (system-auth and password-auth) via overwrite: true and encoded
source blobs, which will forever fork RHEL's authselect-managed files; instead
remove the overwrite/full-file contents for system-auth and password-auth and
implement the change as an authselect custom profile (deploy the custom profile
and enable it via authselect) so PAM is managed by authselect; update the
MachineConfig to deliver only the authselect profile assets or a bootstrap
script that runs authselect select/profile-apply rather than writing full
/etc/pam.d blobs (search for the keys overwrite: true, the source: "data:...,
and the target filenames system-auth and password-auth to locate the code to
change).

In `@telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-worker.yaml`:
- Around line 13-24: The MachineConfig is overwriting the entire PAM stack by
setting overwrite: true and embedding full contents for /etc/pam.d/system-auth
and /etc/pam.d/password-auth (the long "source: data:..." blobs), which
conflicts with RHEL's authselect; instead, remove the full-file replacements and
implement the nullok removal via an authselect custom profile (authselect
create-profile myprofile --base-on sssd) or by changing the MachineConfig to
perform a targeted edit that patches only the specific pam_unix.so auth/password
lines; update the resources that reference /etc/pam.d/system-auth and
/etc/pam.d/password-auth accordingly, and ensure the MachineConfig no longer
uses overwrite: true for these paths so authselect-managed updates continue to
apply.

📥 Commits

Reviewing files that changed from the base of the PR and between d65ce23 and 91856c2.

📒 Files selected for processing (4)
  • telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-master.yaml
  • telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-worker.yaml
  • telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-master.yaml
  • telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-worker.yaml

@Demostenes777
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 27, 2026
Collaborator

@imiller0 imiller0 left a comment

I agree with the code-rabbit assessment. The pam config ends up bringing the full implementation of that file into the reference meaning we need to regularly check for any updates in the distribution version and make sure this stays up to date. Is there an alternative (as code rabbit suggests) implementation?
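
A targeted alternative to overwriting system-auth and password-auth, added here as an example (it is neither the PR's MachineConfig nor the compliance operator's remediation): strip only the `nullok` option from `pam_unix.so` lines with an idempotent, whole-word sed edit, then verify the result the way the test plan does with grep. The PAM content below is a constructed, trimmed RHEL 9 style stack, not copied from a node, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: remove the pam_unix "nullok" option with a targeted edit
# instead of replacing the whole authselect-generated file, then verify.
set -eu

# Constructed sample (not from a real node): a trimmed RHEL 9 style
# system-auth with the two pam_unix.so lines that normally carry nullok.
# The word also appears in the header comment to show comments are ignored.
SAMPLE_PAM='# Generated by authselect (constructed sample; nullok is mentioned here on purpose)
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    requisite     pam_pwquality.so local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    required      pam_deny.so
'

# make_sample_pam_dir: write system-auth and password-auth into a temp dir
# and print the directory path.
make_sample_pam_dir() {
  dir=$(mktemp -d)
  printf '%s' "$SAMPLE_PAM" > "$dir/system-auth"
  printf '%s' "$SAMPLE_PAM" > "$dir/password-auth"
  printf '%s\n' "$dir"
}

# count_nullok FILE: number of active (non-comment) lines that still carry a
# standalone nullok token. A whitespace or end of line must follow, so an
# option that merely contains the substring (e.g. nullok_secure) is not counted.
count_nullok() {
  grep -cE '^[^#]*[[:space:]]nullok([[:space:]]|$)' "$1" || true
}

# remove_nullok FILE: drop the nullok token from pam_unix.so lines only.
# The leading whitespace is consumed with it so no double spaces remain, and
# the trailing separator (or end of line) is put back through \1. Writing via
# a temp file and cat keeps the original inode, owner and mode, which matters
# for files under /etc/pam.d. Running it twice changes nothing.
remove_nullok() {
  file=$1
  tmp="$file.hardening.tmp"
  sed -E '/pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Demo: harden the constructed files and report before/after counts, which is
# the test plan's "grep nullok ... (expect no output)" check in numeric form.
demo_dir=$(make_sample_pam_dir)
for f in "$demo_dir/system-auth" "$demo_dir/password-auth"; do
  before=$(count_nullok "$f")
  remove_nullok "$f"
  remove_nullok "$f"   # second pass is a no-op: the edit is idempotent
  printf '%s: %s nullok line(s) before, %s after\n' "$f" "$before" "$(count_nullok "$f")"
done
rm -rf "$demo_dir"
```

On a node the same edit is `remove_nullok /etc/pam.d/system-auth` and `.../password-auth`, run from a oneshot unit or applied when the MachineConfig is built. Where authselect is present, `authselect apply-changes` regenerates both files from the selected profile and would bring nullok back unless the profile's `without-nullok` feature is enabled, so whichever mechanism owns those files should be the one that removes the option.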

@sebrandon1 sebrandon1 force-pushed the high-severity-hardening branch from 91856c2 to b500c1f on April 7, 2026 16:15
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 7, 2026
@openshift-ci

openshift-ci Bot commented Apr 7, 2026

New changes are detected. LGTM label has been removed.

@sebrandon1 sebrandon1 force-pushed the high-severity-hardening branch 3 times, most recently from 2e824f9 to e51ebcd on April 16, 2026 13:12

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-worker.yaml`:
- Around line 16-24: The systemd unit in 75-crypto-policy-high-worker.yaml
contains "ConditionFirstBoot=no" which prevents the unit from running on the
first boot; remove that ConditionFirstBoot line from the [Unit] section so the
oneshot service (ExecStart=/usr/bin/update-crypto-policies --set
DEFAULT:NO-SHA1, Type=oneshot, RemainAfterExit=yes) runs on every boot, and
apply the same removal to the matching entries in
75-crypto-policy-high-master.yaml and the crypto-policy files under
telco-ran/configuration/machineconfigs/crypto-policy/.

In `@telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-master.yaml`:
- Around line 13-24: The Ignition entries that fully overwrite
/etc/pam.d/system-auth and /etc/pam.d/password-auth embed a frozen PAM stack
which will drift from RHCOS changes; replace the full-file overwrite approach in
the manifest (the two entries with path: /etc/pam.d/system-auth and path:
/etc/pam.d/password-auth) with a non-destructive strategy: either remove the
hardcoded contents and let RHCOS supply its upstream templates, generate the PAM
contents at build-time from the target RHCOS release templates (and document the
pinned RHCOS version), or apply only minimal drop-in/patch changes (e.g., add
specific pam_faillock/pwhistory lines) instead of replacing the whole file so
future RHCOS updates (including added modules/reordering) are preserved.

📥 Commits

Reviewing files that changed from the base of the PR and between 91856c2 and af4aaa7.

📒 Files selected for processing (13)
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-crypto-policy-high-worker.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-pam-auth-high-worker.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-worker.yaml
  • telco-ran/configuration/kube-compare-reference/metadata.yaml
  • telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-master.yaml
  • telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-worker.yaml
  • telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-master.yaml
  • telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-worker.yaml
  • telco-ran/configuration/machineconfigs/sshd/75-sshd-permit-empty-passwords-master.yaml
  • telco-ran/configuration/machineconfigs/sshd/75-sshd-permit-empty-passwords-worker.yaml
✅ Files skipped from review due to trivial changes (8)
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-worker.yaml
  • telco-ran/configuration/machineconfigs/sshd/75-sshd-permit-empty-passwords-master.yaml
  • telco-ran/configuration/kube-compare-reference/informational/hardening/75-sshd-permit-empty-passwords-master.yaml
  • telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-worker.yaml
  • telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-worker.yaml
  • telco-ran/configuration/machineconfigs/sshd/75-sshd-permit-empty-passwords-worker.yaml
  • telco-ran/configuration/machineconfigs/crypto-policy/75-crypto-policy-high-master.yaml
  • telco-ran/configuration/machineconfigs/pam/75-pam-auth-high-master.yaml

Comment on lines +16 to +24
[Unit]
Description=Configure System Crypto Policy
Before=sshd.service
After=systemd-machine-id-commit.service
ConditionFirstBoot=no
[Service]
Type=oneshot
ExecStart=/usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
RemainAfterExit=yes

⚠️ Potential issue | 🟠 Major

ConditionFirstBoot=no contradicts the stated intent and leaves a first-boot gap.

The PR description says the "single-run guard [was] removed so policy is enforced on boot", but ConditionFirstBoot=no is still a guard: systemd will skip this unit on the very first boot of the system. For nodes where this MachineConfig is delivered through Ignition at provisioning time (e.g., initial ZTP/install), the crypto policy will not be applied until the node reboots again — so freshly provisioned nodes briefly run with the default policy that still allows SHA-1.

If the goal is truly to enforce on every boot (idempotent oneshot + RemainAfterExit=yes makes that cheap and safe), drop the condition:

Proposed fix
             [Unit]
             Description=Configure System Crypto Policy
             Before=sshd.service
             After=systemd-machine-id-commit.service
-            ConditionFirstBoot=no
             [Service]
             Type=oneshot
             ExecStart=/usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
             RemainAfterExit=yes
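
Review bot: removing `ConditionFirstBoot=no` closes the first-boot gap, but the hunk keeps `Before=sshd.service` as the unit's only ordering constraint, so kubelet, crio and everything else pulled in by multi-user.target can still start before update-crypto-policies has run; the earlier review round on these same files asked for ordering before multi-user.target, and this proposed diff does not carry that change, so both findings should be fixed together rather than in separate pushes. The excerpt also stops at `RemainAfterExit=yes` with no [Install] section visible, so after applying the diff confirm the unit still carries `WantedBy=multi-user.target`, otherwise `enabled: true` has nothing to hook the unit into and it never runs on any boot.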

Same fix applies to 75-crypto-policy-high-master.yaml and the corresponding files under telco-ran/configuration/machineconfigs/crypto-policy/.

@sebrandon1 sebrandon1 force-pushed the high-severity-hardening branch from 3580903 to 0f629f6 on April 23, 2026 15:04
@sebrandon1
Contributor Author

Closing this PR. The SSHD hardening component (H3) no longer needs remediation — sshd-disable-empty-passwords PASSes on vanilla RHCOS across all tested content versions (v0.1.78, v0.1.79, v0.1.80) with compliance-operator v1.8.2.

The H1 (crypto policy) and H2 (PAM no-empty-passwords) components of this PR do still FAIL and need remediation. These will be re-submitted as separate, focused PRs without the SSHD component.

Verification images: quay.io/bapalm/k8scontent

See CNF-19031 for updated scope.

@sebrandon1 sebrandon1 closed this Apr 24, 2026
@sebrandon1 sebrandon1 deleted the high-severity-hardening branch April 24, 2026 16:33