Bug 1940483
| Field | Value |
|---|---|
| Summary | Instructions for some rules in Compliance Operator |
| Product | OpenShift Container Platform |
| Component | Compliance Operator |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 4.6 |
| Target Milestone | --- |
| Target Release | 4.8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Nelson Lombo Paez <npaez> |
| Assignee | Juan Antonio Osorio <josorior> |
| QA Contact | xiyuan |
| CC | josorior, mrogers, xiyuan |
| Doc Type | No Doc Update |
| Story Points | --- |
| | 1953514 |
| Last Closed | 2021-07-07 11:29:56 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1953514, 1953522 |
Description
Nelson Lombo Paez
2021-03-18 14:17:40 UTC
We've just recently added a remediation for this rule upstream: https://github.com/ComplianceAsCode/content/pull/6787

commit 6335473924b67891e57189d5636fc0a1af0533ff
Author: Juan Antonio Osorio Robles <jaosorior>
Date: Thu Apr 1 13:39:14 2021 +0300

RHCOS4: Remediation and e2e test for `disable_ctrlaltdel_reboot`

It was missing.

Signed-off-by: Juan Antonio Osorio Robles <jaosorior>

With this remediation added, a remediation object will be generated and it applies through the MCO, so there's no need to follow the text in the description. In the meanwhile you can use the MC remediation directly:

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: ctrl-alt-del.target
        mask: true
```

Even though the rules that this refers to are being addressed, I'd like to fix this issue in general by adding MachineConfig-specific instructions to the content. This will mean doing additions to the ComplianceAsCode templates that build the rule descriptions.

With the latest changes to ComplianceAsCode, we should now have more relevant instructions for most of the RHCOS content. It points users to how they should create MachineConfig objects to remediate the issues.

And more rules don't have clear instructions:
```
# oc get compliancecheckresults.compliance.openshift.io | grep proxy-kubeconfig
ocp4-cis-file-groupowner-proxy-kubeconfig   MANUAL   medium
ocp4-cis-file-owner-proxy-kubeconfig        MANUAL   medium
ocp4-cis-file-permissions-proxy-kubeconfig  PASS     medium
# oc get compliancecheckresults ocp4-cis-file-permissions-proxy-kubeconfig -o=jsonpath={.instructions}
To check the permissions of /config/kube-proxy-config.yaml, run the command:
$ ls -l /config/kube-proxy-config.yaml
If properly configured, the output should indicate the following permissions:
-rw-r--r--
# oc get compliancecheckresults ocp4-cis-file-owner-proxy-kubeconfig -o=jsonpath={.instructions}
To check the ownership of /config/kube-proxy-config.yaml, run the command:
$ ls -lL /config/kube-proxy-config.yaml
If properly configured, the output should indicate the following owner: root
# oc get compliancecheckresults ocp4-cis-file-permissions-proxy-kubeconfig -o=jsonpath={.instructions}
To check the permissions of /config/kube-proxy-config.yaml, run the command:
$ ls -l /config/kube-proxy-config.yaml
If properly configured, the output should indicate the following permissions:
-rw-r--r--
```
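As an added example (not code from the bug report or the compliance-operator project), the script below flags the symptom this bug is about: FAIL or MANUAL check results that carry neither instructions nor the automated-remediation label, so an operator has nothing to act on. It assumes the JSON shape of `oc get compliancecheckresults -o json` (status, severity and instructions as top-level fields, as the jsonpath queries above show) and embeds a constructed sample so it runs offline.

```python
"""Audit ComplianceCheckResults for findings an operator cannot act on.

Added example, not from the bug report or the compliance-operator project.
Assumes the JSON layout of `oc get compliancecheckresults -o json`.
"""
import json
import sys

AUTO_FIX_LABEL = "compliance.openshift.io/automated-remediation"

# Constructed sample mirroring the rule names and labels seen in the bug.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "ocp4-cis-file-groupowner-proxy-kubeconfig",
                  "labels": {"compliance.openshift.io/scan-name": "ocp4-cis"}},
     "status": "MANUAL", "severity": "medium", "instructions": ""},
    {"metadata": {"name": "ocp4-cis-file-permissions-proxy-kubeconfig",
                  "labels": {"compliance.openshift.io/scan-name": "ocp4-cis"}},
     "status": "PASS", "severity": "medium",
     "instructions": "To check the permissions of /config/kube-proxy-config.yaml, ..."},
    {"metadata": {"name": "rhcos4-moderate-worker-disable-ctrlaltdel-reboot",
                  "labels": {AUTO_FIX_LABEL: "",
                             "compliance.openshift.io/scan-name": "rhcos4-moderate-worker"}},
     "status": "FAIL", "severity": "high",
     "instructions": "Check that the ctrl-alt-del.target is masked ..."},
]})


def unactionable(results_json, statuses=("FAIL", "MANUAL")):
    """Return (name, severity) for checks in `statuses` that have neither
    instructions text nor the automated-remediation label."""
    found = []
    for item in json.loads(results_json).get("items", []):
        if item.get("status") not in statuses:
            continue
        labels = item["metadata"].get("labels") or {}
        has_fix = AUTO_FIX_LABEL in labels
        has_text = bool((item.get("instructions") or "").strip())
        if not (has_fix or has_text):
            found.append((item["metadata"]["name"], item.get("severity", "")))
    return found


if __name__ == "__main__":
    # Real use: `oc get compliancecheckresults -o json | python3 audit.py`;
    # without piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, sev in unactionable(data or SAMPLE):
        print(f"{sev:<8} {name}: no instructions and no automated remediation")
```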
Verified pass with cluster version 4.8.0-0.nightly-2021-04-26-151924 and compliance-operator
```
# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-04-26-151924   True        False         134m    Cluster version is 4.8.0-0.nightly-2021-04-26-151924
# make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb
STEP 4: COPY . .
7c7e46d497603eddcc5bf33a40ff0a9e297ead894050bca67fba2845a1db35e0
STEP 5: RUN make manager
GOFLAGS=-mod=vendor GO111MODULE=auto go build -o /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator github.com/openshift/compliance-operator/cmd/manager
233e397f48bba88a3abd1c0b79655b6d83d4746d4218bb753ed5e5fea17f6640
STEP 6: FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
STEP 7: ENV OPERATOR=/usr/local/bin/compliance-operator USER_UID=1001 USER_NAME=compliance-operator
--> Using cache d54b05b0da9a0f1bd656c2d993052f900ea9e55220503ba7f364db8b71f33aa7
STEP 8: COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
138e8ba1b02509045ad22dc125c3d3cd59cd96cffb589a8efb341298a8d4ce9b
...
# oc create -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: ocp4-moderate
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> - name: rhcos4-moderate
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default-auto-apply
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
```
For the rules rhcos4-moderate-master-disable-ctrlaltdel-reboot and rhcos4-moderate-worker-disable-ctrlaltdel-reboot, there are auto-remediations and they work as expected. The instructions also work as expected.
```
# oc get complianceremediations --show-labels | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   Applied   compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   Applied   compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
# oc compliance fetch-fixes complianceremediation rhcos4-moderate-master-disable-ctrlaltdel-reboot
Persisted compliance remediation fix to rhcos4-moderate-master-disable-ctrlaltdel-reboot.yaml
[root@MiWiFi-RA69-srv compliance-operator]# cat rhcos4-moderate-master-disable-ctrlaltdel-reboot.yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: rhcos4-moderate-master-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - mask: true
        name: ctrl-alt-del.target
# oc compliance fetch-fixes complianceremediation rhcos4-moderate-worker-disable-ctrlaltdel-reboot
Persisted compliance remediation fix to rhcos4-moderate-worker-disable-ctrlaltdel-reboot.yaml
# cat rhcos4-moderate-worker-disable-ctrlaltdel-reboot.yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: rhcos4-moderate-worker-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - mask: true
        name: ctrl-alt-del.target
oc compliance rerun-now compliancesuite my-ssb-r
Rerunning scans from 'my-ssb-r': ocp4-moderate, rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'
```
After the rescan finished, check whether the auto remediations are working as expected and whether the instructions work as expected.
```
# oc get compliancecheckresults --show-labels | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   PASS   high   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   PASS   high   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
# oc get compliancecheckresults rhcos4-moderate-worker-disable-ctrlaltdel-reboot -o=jsonpath={.instructions}
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
# oc debug node/xiyuan282-b7m5x-w-a-0.c.openshift-qe.internal -- chroot /host sudo systemctl status ctrl-alt-del.target
Starting pod/xiyuan282-b7m5x-w-a-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
● ctrl-alt-del.target
Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
Active: inactive (dead)
Removing debug pod ...
```
For the proxy-kubeconfig related cis rules, there is bug https://bugzilla.redhat.com/show_bug.cgi?id=1954572 created to track.
Per https://bugzilla.redhat.com/show_bug.cgi?id=1940483#c6, verification pass.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2652