Bug 2062530
| Summary: | CU found ocp4-var-oauth-inactivity-timeout and other compliance-operator variables are having an issue | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Mithilesh Kaur Bagga <mbagga> |
| Component: | Compliance Operator | Assignee: | Vincent Shen <wenshen> |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.8 | CC: | jhrozek, lbragsta, mrogers, wenshen, xiyuan |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | Feature: Added a remediation to set policies for various cryptographic back-ends on infrastructure through Machine Config settings. Reason: Allows users the flexibility to update cryptographic back-end policies and apply that remediation through the compliance operator. Result: Users can apply this remediation using the compliance operator and adjust it using a variable. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-02 16:00:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 5
Vincent Shen
2022-03-28 16:10:30 UTC
Hi Vincent,
The auto remediation works. The crypto policy will be updated after the auto-remediation is applied.
However, I just found one issue with this auto fix (sorry I didn't realize this issue earlier):
When the cluster has FIPS enabled, the auto-remediation will update the crypto policy to DEFAULT, which is not a FIPS policy.
Then the rule rhcos4-enable-fips-mode will fail. I don't think it is the expected result we would like to see.
Details below:
####################apply auto-remediation for rule rhcos4-configure-crypto-policy:
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
name: tp-node
namespace: openshift-compliance
spec:
description: test
title: test
enableRules:
- name: rhcos4-configure-crypto-policy
rationale: Node
EOF
tailoredprofile.compliance.openshift.io/tp-node created
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: my-ssb1
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: TailoredProfile
name: tp-node
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default-auto-apply
EOF
scansettingbinding.compliance.openshift.io/my-ssb1 configured
$ oc get suite -w
NAME PHASE RESULT
my-ssb1 LAUNCHING NOT-AVAILABLE
my-ssb1 LAUNCHING NOT-AVAILABLE
my-ssb1 RUNNING NOT-AVAILABLE
my-ssb1 RUNNING NOT-AVAILABLE
my-ssb1 AGGREGATING NOT-AVAILABLE
my-ssb1 AGGREGATING NOT-AVAILABLE
my-ssb1 DONE NON-COMPLIANT
my-ssb1 DONE NON-COMPLIANT
^C$ oc get ccr
NAME STATUS SEVERITY
tp-node-master-configure-crypto-policy FAIL high
tp-node-worker-configure-crypto-policy FAIL high
$ oc get mc -l compliance.openshift.io/suite=my-ssb1
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE
75-tp-node-master-configure-crypto-policy 3.1.0 25s
75-tp-node-worker-configure-crypto-policy 3.1.0 25s
$ oc get mc 75-tp-node-master-configure-crypto-policy -o yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
annotations:
compliance.openshift.io/remediation: ""
creationTimestamp: "2022-09-26T05:25:08Z"
generation: 1
labels:
compliance.openshift.io/scan-name: tp-node-master
compliance.openshift.io/suite: my-ssb1
machineconfiguration.openshift.io/role: master
name: 75-tp-node-master-configure-crypto-policy
resourceVersion: "122961"
uid: 3e4f1481-c298-40cd-989e-fd64f5d4f028
spec:
config:
ignition:
version: 3.1.0
systemd:
units:
- contents: |
[Unit]
Before=kubelet.service
[Service]
Type=oneshot
ExecStart=update-crypto-policies --set DEFAULT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
enabled: true
name: configure-crypto-policy.service
$ oc get mcp -w
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-5397c0bc55850dbe459f93d781252766 False True False 3 0 0 0 3h40m
worker rendered-worker-f4308d81441e68d03b3310a6de94de9e False True False 3 0 0 0 3h40m
...
master rendered-master-5397c0bc55850dbe459f93d781252766 False True False 3 1 1 0 3h49m
worker rendered-worker-f4308d81441e68d03b3310a6de94de9e False True False 3 1 1 0 3h49m
worker rendered-worker-f4308d81441e68d03b3310a6de94de9e False True False 3 1 2 0 3h51m
worker rendered-worker-f4308d81441e68d03b3310a6de94de9e False True False 3 2 2 0 3h51m
worker rendered-worker-f4308d81441e68d03b3310a6de94de9e False True False 3 2 2 0 3h51m
master rendered-master-5397c0bc55850dbe459f93d781252766 False True False 3 2 2 0 3h53m
...
master rendered-master-35afa1d4a71fb092809d421452dea4e4 True False False 3 3 3 0 4h5m
worker rendered-worker-f78c78960d277733dc4d87c428f10ba8 True False False 3 3 3 0 4h5m
$ oc get node
NAME STATUS ROLES AGE VERSION
xiyuan26-1-nmfmx-master-0 Ready control-plane,master 4h9m v1.24.0+8c7c967
xiyuan26-1-nmfmx-master-1 Ready control-plane,master 4h10m v1.24.0+8c7c967
xiyuan26-1-nmfmx-master-2 Ready control-plane,master 4h10m v1.24.0+8c7c967
xiyuan26-1-nmfmx-worker-southcentralus1-5sq9n Ready worker 3h53m v1.24.0+8c7c967
xiyuan26-1-nmfmx-worker-southcentralus2-nc9lt Ready worker 3h49m v1.24.0+8c7c967
xiyuan26-1-nmfmx-worker-southcentralus3-k4cdm Ready worker 3h53m v1.24.0+8c7c967
#################Fips mode checking after auto-remediation
$ oc debug node/xiyuan26-1-nmfmx-master-0 -- chroot /host fips-mode-setup --check
Starting pod/xiyuan26-1-nmfmx-master-0-debug ...
To use host binaries, run `chroot /host`
FIPS mode is enabled.
The current crypto policy (DEFAULT) is not a FIPS policy.
Removing debug pod ...
##################Rule rhcos4-enable-fips-mode check:
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: my-ssb-fips
profiles:
- name: rhcos4-moderate
kind: Profile
apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
name: default
kind: ScanSetting
apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-fips created
$ oc get suite
NAME PHASE RESULT
my-ssb-fips DONE NON-COMPLIANT
my-ssb1 DONE NON-COMPLIANT
$ oc get ccr | grep fips
rhcos4-moderate-master-enable-fips-mode FAIL high
rhcos4-moderate-worker-enable-fips-mode FAIL high
Add one more point: if the 'update-crypto-policies --set FIPS:DISABLE-CBC' command is not supported on the node, the auto remediation will fail:
$ oc debug node/xiyuan26-1-nmfmx-master-0
Starting pod/xiyuan26-1-nmfmx-master-0-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.0.7
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# update-crypto-policies --set FIPS:DISABLE-CBC
Unknown policy `DISABLE-CBC`: file `DISABLE-CBC.pmod` not found in (., policies/modules, /etc/crypto-policies/policies/modules, /usr/share/crypto-policies/policies/modules)
sh-4.4# update-crypto-policies --show
FIPS
sh-4.4# exit
exit
sh-4.4# exit
exit

Removing debug pod ...

(In reply to xiyuan from comment #12)
> Add one more point, if the 'update-crypto-policies --set FIPS:DISABLE-CBC'
> command not supported on node, the auto remediation will fail:
>
> $ oc debug node/xiyuan26-1-nmfmx-master-0
> Starting pod/xiyuan26-1-nmfmx-master-0-debug ...
> To use host binaries, run `chroot /host`
> Pod IP: 10.0.0.7
> If you don't see a command prompt, try pressing enter.
> sh-4.4# chroot /host
> sh-4.4# update-crypto-policies --set FIPS:DISABLE-CBC
> Unknown policy `DISABLE-CBC`: file `DISABLE-CBC.pmod` not found in (.,
> policies/modules, /etc/crypto-policies/policies/modules,
> /usr/share/crypto-policies/policies/modules)
> sh-4.4# update-crypto-policies --show
> FIPS
> sh-4.4# exit
> exit
> sh-4.4# exit
> exit
>
> Removing debug pod ...

Where are you seeing DISABLE-CBC? We had a different bug open with a customer case (OCPBUGS-510) where the customer tried to set the same policy, but that policy does not exist. So I think we should find where we suggest that policy name and change the reference to something that does exist.

Nice catch! @xiyuan This is expected behavior: the default value for var_system_crypto_policy differs based on the profile. If you use the rule without a profile, the default value is DEFAULT, but when you use it in a profile, e.g. moderate, it will set var_system_crypto_policy to FIPS.

Hi Vincent,
I tried to test with 4.12.0-0.nightly-2022-09-26-111919 and compliance-operator.v0.1.55, creating an ssb with the moderate profiles. When the scan was done, there was no related ccr for rule rhcos4-configure-crypto-policy. Not sure what went wrong. Could you please help to check? Thanks.
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: test
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: ocp4-moderate
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: ocp4-moderate-node
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default-auto-apply
> EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get ccr | grep policy
ocp4-moderate-general-configure-imagepolicywebhook MANUAL medium
@xiyuan rhcos4-configure-crypto-policy is in the rhcos4-moderate profile; I think you need to test it using that profile.

Verification passed with 4.12.0-0.nightly-2022-09-26-111919 and compliance-operator.v0.1.55.
For a FIPS-enabled cluster, by default the rule check passes for rhcos4-configure-crypto-policy; for the FIPS:DISABLE-CBC crypto policy, the DISABLE-CBC sub-policy needs to be applied first, then the auto-remediation applied with a tailoredprofile.
$ oc get ccr
NAME STATUS SEVERITY
tp-node-master-configure-crypto-policy PASS high
tp-node-worker-configure-crypto-policy PASS high
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.12.0-0.nightly-2022-09-26-111919 True False 4h28m Cluster version is 4.12.0-0.nightly-2022-09-26-111919
$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.55 Compliance Operator 0.1.55 Succeeded
elasticsearch-operator.v5.6.0 OpenShift Elasticsearch Operator 5.6.0 elasticsearch-operator.5.5.2 Succeeded
loki-operator.v5.6.0 Loki Operator 5.6.0 loki-operator.5.5.2 Succeeded
##########For a FIPS-enabled cluster, the rule rhcos4-configure-crypto-policy will PASS:
$ oc debug node/xiyuan28-1-jlfqz-master-0 -- chroot /host fips-mode-setup --check
Starting pod/xiyuan28-1-jlfqz-master-0-debug ...
To use host binaries, run `chroot /host`
FIPS mode is enabled.
Removing debug pod ...
$ oc debug node/xiyuan28-1-jlfqz-master-0 -- chroot /host update-crypto-policies --show
Starting pod/xiyuan28-1-jlfqz-master-0-debug ...
To use host binaries, run `chroot /host`
FIPS
Removing debug pod ...
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: test
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: rhcos4-moderate
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get ccr | grep configure-crypto-policy
rhcos4-moderate-master-configure-crypto-policy PASS high
rhcos4-moderate-worker-configure-crypto-policy PASS high
###############################apply FIPS:DISABLE-CBC policy
Per https://www.redhat.com/en/blog/configuring-rhel-8-compliance-crypto-policy-related-cipher-block-chaining,
create sub policy DISABLE-CBC through below mc:
$ oc apply -f -<<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
generation: 1
labels:
machineconfiguration.openshift.io/role: worker
name: disable-cbc-worker
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,cipher%20%3D%20AES-256-CBC%20%20AES-128-CBC%0Acipher%40TLS%20%3D%20AES-256-CBC%20AES-128-CBC
mode: 0644
overwrite: true
path: /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
generation: 1
labels:
machineconfiguration.openshift.io/role: master
name: disable-cbc-master
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,cipher%20%3D%20AES-256-CBC%20%20AES-128-CBC%0Acipher%40TLS%20%3D%20AES-256-CBC%20AES-128-CBC
mode: 0644
overwrite: true
path: /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
EOF
machineconfig.machineconfiguration.openshift.io/disable-cbc-worker created
machineconfig.machineconfiguration.openshift.io/disable-cbc-master created
###########wait until the cluster reboot finishes, then:
oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
name: tp-node
namespace: openshift-compliance
spec:
description: test
title: test
enableRules:
- name: rhcos4-configure-crypto-policy
rationale: Node
setValues:
- name: rhcos4-var-system-crypto-policy
value: "FIPS:DISABLE-CBC"
rationale: test
EOF
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: my-ssb1
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: TailoredProfile
name: tp-node
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default-auto-apply
EOF
scansettingbinding.compliance.openshift.io/my-ssb1 created
$ oc get ccr
NAME STATUS SEVERITY
tp-node-master-configure-crypto-policy FAIL high
tp-node-worker-configure-crypto-policy FAIL high
$ oc get cr
NAME STATE
tp-node-master-configure-crypto-policy Applied
tp-node-worker-configure-crypto-policy Applied
$ oc get mc 75-tp-node-master-configure-crypto-policy -o yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
annotations:
compliance.openshift.io/remediation: ""
creationTimestamp: "2022-09-28T05:53:56Z"
generation: 1
labels:
compliance.openshift.io/scan-name: tp-node-master
compliance.openshift.io/suite: my-ssb1
machineconfiguration.openshift.io/role: master
name: 75-tp-node-master-configure-crypto-policy
resourceVersion: "257732"
uid: fef33759-4f87-4574-9758-5cb357dd1d62
spec:
config:
ignition:
version: 3.1.0
systemd:
units:
- contents: |
[Unit]
Before=kubelet.service
[Service]
Type=oneshot
ExecStart=update-crypto-policies --set FIPS:DISABLE-CBC
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
enabled: true
name: configure-crypto-policy.service
$ oc get mcp -w
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-a4cd02a77daf2e4b1c8e8ee29a03a1f2 False True False 3 2 2 0 4h51m
worker rendered-worker-0075f8531ee9f6b9666f167aa063c99b False True False 3 2 2 0 4h51m
worker rendered-worker-0075f8531ee9f6b9666f167aa063c99b False True False 3 2 3 0 4h51m
worker rendered-worker-ffbeaedc398d860bde1ebb5c0022d3f1 True False False 3 3 3 0 4h51m
master rendered-master-a4cd02a77daf2e4b1c8e8ee29a03a1f2 False True False 3 2 3 0 4h54m
master rendered-master-0bdb10a513a8a2588f41f9949844d9db True False False 3 3 3 0 4h54m
^C[xiyuan@MiWiFi-RA69-srv func]$ oc get ssb
NAME AGE
my-ssb1 25m
$ oc compliance rerun-now scansettingbinding my-ssb1
Rerunning scans from 'my-ssb1': tp-node-master, tp-node-worker
Re-running scan 'openshift-compliance/tp-node-master'
Re-running scan 'openshift-compliance/tp-node-worker'
[xiyuan@MiWiFi-RA69-srv func]$ oc get suite -w
NAME PHASE RESULT
my-ssb1 LAUNCHING NOT-AVAILABLE
my-ssb1 RUNNING NOT-AVAILABLE
my-ssb1 RUNNING NOT-AVAILABLE
my-ssb1 AGGREGATING NOT-AVAILABLE
my-ssb1 AGGREGATING NOT-AVAILABLE
my-ssb1 DONE COMPLIANT
my-ssb1 DONE COMPLIANT
^C$ oc get ccr
NAME STATUS SEVERITY
tp-node-master-configure-crypto-policy PASS high
tp-node-worker-configure-crypto-policy PASS high
##check on one node:
$ oc debug node/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9 -- chroot /host update-crypto-policies --show
Starting pod/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9-debug ...
To use host binaries, run `chroot /host`
FIPS:DISABLE-CBC
Removing debug pod ...
$ oc debug node/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9 -- chroot /host update-crypto-policies --is-applied
Starting pod/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9-debug ...
To use host binaries, run `chroot /host`
The configured policy is applied
Removing debug pod ...
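A pre-flight check for the two failure modes seen in this bug (a FIPS-enabled node remediated to DEFAULT, and a FIPS:DISABLE-CBC policy whose DISABLE-CBC.pmod module is not on the node), together with a generator for the MachineConfig that stages the sub-policy module. This is an added example, not code from the bug or from the Compliance Operator; it assumes the module search path printed in the "Unknown policy" error above and the .pmod body decoded from the data: URL in the MachineConfig above.

```python
# Added example, not code from the bug or the Compliance Operator: pre-flight checks
# for the crypto-policy remediation plus a MachineConfig generator that stages a
# sub-policy module, covering the two failures seen in the bug.
import os
import tempfile
import urllib.parse

# Search path for <NAME>.pmod, from the "Unknown policy" error quoted in the bug.
MODULE_DIRS = ["policies/modules", "/etc/crypto-policies/policies/modules",
               "/usr/share/crypto-policies/policies/modules"]
# Body of DISABLE-CBC.pmod, decoded from the data: URL in the bug's MachineConfig.
DISABLE_CBC_PMOD = "cipher = AES-256-CBC  AES-128-CBC\ncipher@TLS = AES-256-CBC AES-128-CBC"

def check_policy(policy, fips_enabled, module_dirs=MODULE_DIRS):
    """Problems that would make `update-crypto-policies --set <policy>` fail or leave
    a FIPS node non-compliant; an empty list means the remediation is safe to apply."""
    base, _, subs = policy.partition(":")
    problems = []
    if fips_enabled and base != "FIPS":
        problems.append(f"{base} is not a FIPS policy but FIPS mode is enabled")
    for sub in filter(None, subs.split(":")):  # FIPS:A:B stacks several modules
        if not any(os.path.isfile(os.path.join(d, f"{sub}.pmod")) for d in module_dirs):
            problems.append(f"Unknown policy `{sub}`: file `{sub}.pmod` not found")
    return problems

def pmod_data_url(body):
    """Encode a .pmod body as the data: URL Ignition expects in contents.source."""
    return "data:," + urllib.parse.quote(body, safe="")

def machine_config(role, sub_name, body):
    """MachineConfig (as a dict) shipping <sub_name>.pmod to every node of `role`,
    mirroring the disable-cbc-worker / disable-cbc-master objects in the bug."""
    return {"apiVersion": "machineconfiguration.openshift.io/v1", "kind": "MachineConfig",
            "metadata": {"name": f"{sub_name.lower()}-{role}",
                         "labels": {"machineconfiguration.openshift.io/role": role}},
            "spec": {"config": {"ignition": {"version": "3.1.0"}, "storage": {"files": [{
                "path": f"/etc/crypto-policies/policies/modules/{sub_name}.pmod",
                "mode": 0o644, "overwrite": True,
                "contents": {"source": pmod_data_url(body)}}]}}}}

def demo():
    """Constructed scenario: FIPS-enabled node, DISABLE-CBC.pmod staged in a temporary
    module directory.  Returns the results of three checks, in the order the bug hit them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "DISABLE-CBC.pmod"), "w") as f:
            f.write(DISABLE_CBC_PMOD)
        return (check_policy("DEFAULT", True, [d]),           # remediated to DEFAULT
                check_policy("FIPS:DISABLE-CBC", True, []),   # module not staged yet
                check_policy("FIPS:DISABLE-CBC", True, [d]))  # after the MachineConfig
```

Run `check_policy` against the real node (for example from `oc debug node/... -- chroot /host`) before enabling auto-apply, and feed `machine_config(...)` through a YAML dumper to produce the objects to `oc apply`.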
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:6657

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days