Bug 2040282

Summary: Some rhcos rules have no scan type, all the rhcos rules should be marked as 'node'
Product: OpenShift Container Platform
Reporter: hongyan li <hongyli>
Component: Compliance Operator
Assignee: Vincent Shen <wenshen>
Status: CLOSED ERRATA
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.10
CC: jhrozek, lbragsta, mrogers, stevsmit, wenshen, xiyuan
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, some rules associated with extended Open Vulnerability and Assessment Language (OVAL) definitions had a `checkType` of `None`. This was because the Compliance Operator was not processing extended OVAL definitions when parsing rules. With this update, content from extended OVAL definitions is parsed so that these rules now have a `checkType` of either `Node` or `Platform`. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2040282[*BZ#2040282*])
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-02-07 05:46:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description hongyan li 2022-01-13 11:03:42 UTC
Description of problem:
Some rhcos rules have no scan type; all the rhcos rules should be marked as 'node'.

Version-Release number of selected component (if applicable):
OCP: 4.10.0-0.nightly-2022-01-11-065245
Compliance Operator: compliance-operator.v0.1.47

How reproducible:
Always

Steps to Reproduce:
1. Get the names of all rules that have a checkType
% rulesWithCheckType=$(oc get rules.compliance -ojsonpath='{range .items[?(@.checkType)]}{.metadata.name}{"|"}{end}')
2. Find the rules without a checkType
% oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?}
ocp4-accounts-restrict-service-account-tokens
ocp4-accounts-unique-service-account
ocp4-api-server-oauth-https-serving-cert
ocp4-api-server-openshift-https-serving-cert
ocp4-banner-or-login-template-set
ocp4-configure-network-policies
ocp4-controller-terminated-pod-gc-threshhold
ocp4-file-groupowner-kubeconfig
ocp4-file-groupowner-proxy-kubeconfig
ocp4-file-owner-kubeconfig
ocp4-file-owner-proxy-kubeconfig
ocp4-file-permissions-kube-scheduler
ocp4-file-permissions-kubeconfig
ocp4-general-apply-scc
ocp4-general-configure-imagepolicywebhook
ocp4-general-default-namespace-use
ocp4-general-default-seccomp-profile
ocp4-general-namespaces-in-use
ocp4-kubelet-disable-hostname-override
ocp4-kubelet-enable-protect-kernel-sysctl
ocp4-machine-volume-encrypted
ocp4-oauth-or-oauthclient-inactivity-timeout
ocp4-oauth-or-oauthclient-token-maxage
ocp4-partition-for-var-log-kube-apiserver
ocp4-partition-for-var-log-oauth-apiserver
ocp4-partition-for-var-log-openshift-apiserver
ocp4-rbac-limit-cluster-admin
ocp4-rbac-limit-secrets-access
ocp4-rbac-pod-creation-access
ocp4-rbac-wildcard-use
ocp4-resource-requests-quota
ocp4-scc-drop-container-capabilities
ocp4-scc-limit-ipc-namespace
ocp4-scc-limit-net-raw-capability
ocp4-scc-limit-network-namespace
ocp4-scc-limit-privilege-escalation
ocp4-scc-limit-privileged-containers
ocp4-scc-limit-process-id-namespace
ocp4-scc-limit-root-containers
ocp4-secrets-consider-external-storage
ocp4-secrets-no-environment-variables
rhcos4-account-use-centralized-automated-auth
rhcos4-audit-rules-file-deletion-events
rhcos4-audit-rules-kernel-module-loading
rhcos4-audit-rules-login-events
rhcos4-audit-rules-unsuccessful-file-modification
rhcos4-auditd-audispd-disk-full-action
rhcos4-auditd-audispd-network-failure-action
rhcos4-avahi-disable-publishing
rhcos4-bios-disable-usb-boot
rhcos4-chronyd-or-ntpd-specify-multiple-servers
rhcos4-chronyd-or-ntpd-specify-remote-server
rhcos4-configure-user-data-backups
rhcos4-dhcp-client-restrict-options
rhcos4-dhcp-server-minimize-served-info
rhcos4-encrypt-partitions
rhcos4-ftp-configure-firewall
rhcos4-ftp-limit-users
rhcos4-installed-os-is-fips-certified
rhcos4-iptables-sshd-disabled
rhcos4-kernel-disable-entropy-contribution-for-solid-state-drives
rhcos4-no-all-squash-exports
rhcos4-no-password-auth-for-systemaccounts
rhcos4-postfix-client-configure-relayhost
rhcos4-rsyslog-accept-remote-messages-tcp
rhcos4-rsyslog-accept-remote-messages-udp
rhcos4-service-chronyd-or-ntpd-enabled
rhcos4-set-ip6tables-default-rule
rhcos4-set-iptables-default-rule
rhcos4-set-iptables-default-rule-forward
rhcos4-sshd-limit-user-access
rhcos4-sudo-require-authentication
rhcos4-sysctl-crypto-fips-enabled
rhcos4-sysctl-fs-protected-hardlinks
rhcos4-sysctl-fs-protected-symlinks
rhcos4-sysctl-fs-suid-dumpable
rhcos4-sysctl-kernel-core-pattern
rhcos4-sysctl-kernel-dmesg-restrict
rhcos4-sysctl-kernel-kexec-load-disabled
rhcos4-sysctl-kernel-kptr-restrict
rhcos4-sysctl-kernel-perf-event-paranoid
rhcos4-sysctl-kernel-randomize-va-space
rhcos4-sysctl-kernel-unprivileged-bpf-disabled
rhcos4-sysctl-kernel-yama-ptrace-scope
rhcos4-sysctl-net-core-bpf-jit-harden
rhcos4-sysctl-net-ipv4-conf-all-accept-redirects
rhcos4-sysctl-net-ipv4-conf-all-accept-source-route
rhcos4-sysctl-net-ipv4-conf-all-log-martians
rhcos4-sysctl-net-ipv4-conf-all-rp-filter
rhcos4-sysctl-net-ipv4-conf-all-secure-redirects
rhcos4-sysctl-net-ipv4-conf-all-send-redirects
rhcos4-sysctl-net-ipv4-conf-default-accept-redirects
rhcos4-sysctl-net-ipv4-conf-default-accept-source-route
rhcos4-sysctl-net-ipv4-conf-default-log-martians
rhcos4-sysctl-net-ipv4-conf-default-rp-filter
rhcos4-sysctl-net-ipv4-conf-default-secure-redirects
rhcos4-sysctl-net-ipv4-conf-default-send-redirects
rhcos4-sysctl-net-ipv4-icmp-echo-ignore-broadcasts
rhcos4-sysctl-net-ipv4-icmp-ignore-bogus-error-responses
rhcos4-sysctl-net-ipv4-ip-forward
rhcos4-sysctl-net-ipv4-tcp-invalid-ratelimit
rhcos4-sysctl-net-ipv4-tcp-syncookies
rhcos4-sysctl-net-ipv6-conf-all-accept-ra
rhcos4-sysctl-net-ipv6-conf-all-accept-redirects
rhcos4-sysctl-net-ipv6-conf-all-accept-source-route
rhcos4-sysctl-net-ipv6-conf-all-disable-ipv6
rhcos4-sysctl-net-ipv6-conf-default-accept-ra
rhcos4-sysctl-net-ipv6-conf-default-accept-redirects
rhcos4-sysctl-net-ipv6-conf-default-accept-source-route
rhcos4-sysctl-net-ipv6-conf-default-disable-ipv6
rhcos4-sysctl-user-max-user-namespaces
rhcos4-usbguard-allow-hid
rhcos4-usbguard-allow-hid-and-hub
rhcos4-usbguard-allow-hub
rhcos4-wireless-disable-in-bios
rhcos4-zipl-enable-selinux

3. Check the checkType of specific rules
% oc get rule rhcos4-zipl-enable-selinux -ojsonpath={.checkType}
No result
% oc get rule rhcos4-sysctl-user-max-user-namespaces -ojsonpath={.checkType}
No result

Actual results:
Many rhcos rules have no scan type.

Expected results:

In general the algorithm is as follows:

 - does the rule have an OVAL check (automated check)?

   no: type = None

   yes:

   - does the rule check a kube object?

     no: node rule

     yes: platform rule

So all the rhcos rules should be marked as 'node', not 'none'.


Additional info:

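The classification algorithm from the expected results above, written out as an added Go example. This is not the Compliance Operator's code and not the content of PR #774: the OVAL struct shapes, the `ParseOVAL` and `CheckType` names, the constructed OVAL document (its ids echo two rule names from this report) and the marker used for a platform check (a `yamlfilecontent_object` whose `filepath` is a Kubernetes API path under `/api/` or `/apis/`) are all assumptions made here. The `followExtends` switch reproduces the failure this bug describes: a definition whose criteria consist only of `extend_definition` references comes out as `None` when extended definitions are not resolved, and as `Node` once they are.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal OVAL shape assumed for this example (not the operator's own types):
// criteria reference tests (criterion) or other definitions (extend_definition),
// tests reference objects, and an object may name a filepath.
type ovalCriteria struct {
	Criterion []struct{ TestRef string `xml:"test_ref,attr"` } `xml:"criterion"`
	Extend    []struct{ DefRef string `xml:"definition_ref,attr"` } `xml:"extend_definition"`
	Nested    []ovalCriteria `xml:"criteria"`
}

// ovalElem serves for both tests (ID, Object.Ref) and objects (ID, Filepath).
type ovalElem struct {
	XMLName  xml.Name
	ID       string `xml:"id,attr"`
	Object   struct{ Ref string `xml:"object_ref,attr"` } `xml:"object"`
	Filepath string `xml:"filepath"`
}

type OvalDocument struct {
	Definitions []struct {
		ID       string       `xml:"id,attr"`
		Criteria ovalCriteria `xml:"criteria"`
	} `xml:"definitions>definition"`
	Tests   struct{ Any []ovalElem `xml:",any"` } `xml:"tests"`
	Objects struct{ Any []ovalElem `xml:",any"` } `xml:"objects"`
	defs    map[string]*ovalCriteria // id indexes built by ParseOVAL (unexported, so ignored by encoding/xml)
	elems   map[string]*ovalElem
}

func ParseOVAL(src string) (*OvalDocument, error) {
	doc := &OvalDocument{defs: map[string]*ovalCriteria{}, elems: map[string]*ovalElem{}}
	if err := xml.Unmarshal([]byte(src), doc); err != nil {
		return nil, err
	}
	for i := range doc.Definitions {
		doc.defs[doc.Definitions[i].ID] = &doc.Definitions[i].Criteria
	}
	for _, list := range [][]ovalElem{doc.Tests.Any, doc.Objects.Any} {
		for i := range list {
			doc.elems[list[i].ID] = &list[i]
		}
	}
	return doc, nil
}

// walk adds every test_ref under cr to out. With follow=false an extend_definition
// is skipped, which reproduces the pre-fix behaviour: a definition made only of
// extended definitions then looks as if it had no automated test at all.
func (d *OvalDocument) walk(cr *ovalCriteria, follow bool, visited, out map[string]bool) {
	for _, c := range cr.Criterion {
		out[c.TestRef] = true
	}
	for i := range cr.Nested {
		d.walk(&cr.Nested[i], follow, visited, out)
	}
	for _, e := range cr.Extend {
		if ext := d.defs[e.DefRef]; follow && ext != nil && !visited[e.DefRef] {
			visited[e.DefRef] = true // guards against extend_definition cycles
			d.walk(ext, follow, visited, out)
		}
	}
}

// isKubeObject is the assumed marker of a platform check: a yamlfilecontent_object
// whose filepath is a Kubernetes API path rather than a file on the node.
func isKubeObject(o *ovalElem) bool {
	return o.XMLName.Local == "yamlfilecontent_object" &&
		(strings.HasPrefix(o.Filepath, "/api/") || strings.HasPrefix(o.Filepath, "/apis/"))
}

// CheckType applies the algorithm from the report: no reachable automated test
// gives "None", a test probing a Kubernetes object gives "Platform", else "Node".
func (d *OvalDocument) CheckType(defID string, followExtends bool) string {
	root, ok := d.defs[defID]
	if !ok {
		return "None"
	}
	tests := map[string]bool{}
	d.walk(root, followExtends, map[string]bool{defID: true}, tests)
	if len(tests) == 0 {
		return "None"
	}
	for id := range tests {
		if t, ok := d.elems[id]; ok {
			if o, ok := d.elems[t.Object.Ref]; ok && isKubeObject(o) {
				return "Platform"
			}
		}
	}
	return "Node"
}

// sampleOVAL is constructed for this example; it is not real ComplianceAsCode content.
const sampleOVAL = `<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
<definition id="oval:ssg-sysctl_kernel_kptr_restrict:def:1"><criteria><extend_definition definition_ref="oval:ssg-sysctl_kernel_kptr_restrict_runtime:def:1"/></criteria></definition>
<definition id="oval:ssg-sysctl_kernel_kptr_restrict_runtime:def:1"><criteria><criterion test_ref="oval:ssg-test_kptr_runtime:tst:1"/></criteria></definition>
<definition id="oval:ssg-api_server_anonymous_auth:def:1"><criteria><criterion test_ref="oval:ssg-test_api_server_anonymous_auth:tst:1"/></criteria></definition>
</definitions><tests>
<sysctl_test id="oval:ssg-test_kptr_runtime:tst:1"><object object_ref="oval:ssg-obj_kptr:obj:1"/></sysctl_test>
<yamlfilecontent_test id="oval:ssg-test_api_server_anonymous_auth:tst:1"><object object_ref="oval:ssg-obj_apiserver_config:obj:1"/></yamlfilecontent_test>
</tests><objects>
<sysctl_object id="oval:ssg-obj_kptr:obj:1"><name>kernel.kptr_restrict</name></sysctl_object>
<yamlfilecontent_object id="oval:ssg-obj_apiserver_config:obj:1"><filepath>/api/v1/namespaces/openshift-kube-apiserver/configmaps/config</filepath></yamlfilecontent_object>
</objects></oval_definitions>`

func main() {
	doc, err := ParseOVAL(sampleOVAL)
	if err != nil {
		panic(err)
	}
	id := "oval:ssg-sysctl_kernel_kptr_restrict:def:1"
	fmt.Printf("%s: before fix=%s after fix=%s\n", id, doc.CheckType(id, false), doc.CheckType(id, true))
}
```

Running it prints `None` for the kptr_restrict definition when extended definitions are skipped and `Node` when they are followed; the api_server definition is `Platform` either way because its own criteria reference the Kubernetes object directly. The `visited` set matters on real content, where extend_definition graphs are shared between many definitions and a parser that re-walks or loops on them would be both slow and fragile.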
Comment 1 Vincent Shen 2022-01-15 02:45:51 UTC
Related fix PR: https://github.com/openshift/compliance-operator/pull/774

Comment 4 Prashant Dhamdhere 2022-02-01 10:53:50 UTC
[Bug_Verification]

Looks good. The number of rules without checkType is reduced to 60 now; it was around 116 before the fix.


Verified on:
4.10.0-0.nightly-2022-01-31-012936 + compliance-operator.v0.1.48

$ oc get csv
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
compliance-operator.v0.1.48       Compliance Operator                0.1.48                Succeeded
elasticsearch-operator.5.3.4-13   OpenShift Elasticsearch Operator   5.3.4-13              Succeeded

$ oc get pods
NAME                                            READY   STATUS    RESTARTS        AGE
compliance-operator-bddd85dfd-xx8ns             1/1     Running   1 (3h16m ago)   3h17m
ocp4-openshift-compliance-pp-7785bff67c-6dw4q   1/1     Running   0               3h16m
rhcos4-openshift-compliance-pp-c84d79c7-jgzvm   1/1     Running   0               3h16m

$ oc get profile.compliance
NAME                 AGE
ocp4-cis             3h16m
ocp4-cis-node        3h16m
ocp4-e8              3h16m
ocp4-moderate        3h16m
ocp4-moderate-node   3h16m
ocp4-nerc-cip        3h16m
ocp4-nerc-cip-node   3h16m
ocp4-pci-dss         3h16m
ocp4-pci-dss-node    3h16m
rhcos4-e8            3h16m
rhcos4-moderate      3h16m
rhcos4-nerc-cip      3h16m


$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Platform")]}{.metadata.name}{"\n"}{end}'|wc -l
116

$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Platform")]}{.metadata.name}{"\n"}{end}' |head
ocp4-api-server-admission-control-plugin-alwaysadmit
ocp4-api-server-admission-control-plugin-alwayspullimages
ocp4-api-server-admission-control-plugin-namespacelifecycle
ocp4-api-server-admission-control-plugin-noderestriction
ocp4-api-server-admission-control-plugin-scc
ocp4-api-server-admission-control-plugin-securitycontextdeny
ocp4-api-server-admission-control-plugin-serviceaccount
ocp4-api-server-anonymous-auth
ocp4-api-server-api-priority-flowschema-catch-all
ocp4-api-server-api-priority-gate-enabled


$ oc get rule ocp4-api-server-admission-control-plugin-alwaysadmit -ojsonpath={.checkType}
Platform

$ oc get rule ocp4-api-server-api-priority-gate-enabled -ojsonpath={.checkType}
Platform


$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Node")]}{.metadata.name}{"\n"}{end}'| wc -l
647


$  oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Node")]}{.metadata.name}{"\n"}{end}'| tail -15
rhcos4-sysctl-net-ipv6-conf-default-accept-redirects
rhcos4-sysctl-net-ipv6-conf-default-accept-source-route
rhcos4-sysctl-net-ipv6-conf-default-disable-ipv6
rhcos4-sysctl-user-max-user-namespaces
rhcos4-usbguard-allow-hid
rhcos4-usbguard-allow-hid-and-hub
rhcos4-usbguard-allow-hub
rhcos4-wireless-disable-interfaces
rhcos4-zipl-audit-argument
rhcos4-zipl-audit-backlog-limit-argument
rhcos4-zipl-bls-entries-only
rhcos4-zipl-bootmap-is-up-to-date
rhcos4-zipl-page-poison-argument
rhcos4-zipl-slub-debug-argument
rhcos4-zipl-vsyscall-argument

$ oc get rule rhcos4-sysctl-user-max-user-namespaces -ojsonpath={.checkType}
Node

$ oc get rule rhcos4-zipl-vsyscall-argument -ojsonpath={.checkType}
Node

$ rulesWithCheckType=$(oc get rules.compliance -ojsonpath='{range .items[?(@.checkType)]}{.metadata.name}{"|"}{end}')

$ oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?} |wc -l
60

$ oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?} |tail
rhcos4-postfix-client-configure-relayhost
rhcos4-rsyslog-accept-remote-messages-tcp
rhcos4-rsyslog-accept-remote-messages-udp
rhcos4-set-ip6tables-default-rule
rhcos4-set-iptables-default-rule
rhcos4-set-iptables-default-rule-forward
rhcos4-sshd-limit-user-access
rhcos4-sysctl-crypto-fips-enabled
rhcos4-wireless-disable-in-bios
rhcos4-zipl-enable-selinux

$ oc get rule rhcos4-zipl-enable-selinux -ojsonpath={.checkType}
No result

Comment 6 errata-xmlrpc 2022-02-07 05:46:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0416