RAN Hardening (SSHD) - High Severity

sebrandon1 · sebrandon1 · commit 69ef3a5d422f · 2025-11-19T15:14:28.000-06:00
diff --git a/telco-ran/configuration/machineconfigs/sshd/75-sshd_config-high.yaml b/telco-ran/configuration/machineconfigs/sshd/75-sshd_config-high.yaml
@@ -0,0 +1,28 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+        - contents:
+            # Top Priority SSHD Security Settings:
+            # 1. Disable direct root SSH access - forces use of privilege escalation
+            # PermitRootLogin no
+            # 2. Disable password-based authentication - prevents brute-force, password spraying, credential stuffing
+            # PasswordAuthentication no
+            # PermitEmptyPasswords no
+            # 3. Implement automatic session timeout after 5 minutes - prevents abandoned session hijacking
+            # ClientAliveInterval 300
+            # ClientAliveCountMax 0
+            # 4. Enable public key authentication as primary method
+            # PubkeyAuthentication yes
+            source: data:,PermitRootLogin%20no%0APasswordAuthentication%20no%0APermitEmptyPasswords%20no%0AClientAliveInterval%20300%0AClientAliveCountMax%200%0APubkeyAuthentication%20yes%0A
+          mode: 384
+          overwrite: true
+          path: /etc/ssh/sshd_config
+metadata:
+  name: 75-sshd_config-high
+  labels:
+    machineconfiguration.openshift.io/role: worker
