Bug 2117747
| Summary: | Compliance rules are failing after remediated automatically from scan setting successfully | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Shailendra Singh <shaising> |
| Component: | Compliance Operator | Assignee: | Vincent Shen <wenshen> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.10 | CC: | jhrozek, lbragsta, mrogers, shaising, wenshen, xiyuan |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-02 16:00:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

Cause: Rule evaluating modprobe configuration would fail even after applying remediations.

Consequence: This was because the checks and remediations were using two different values for modprobe configuration.

Fix: Upgrade to compliance-operator 0.1.55.

Result: Newer content uses the same values for modprobe configuration in checks and remediations, ensuring consistent results.

Per https://bugzilla.redhat.com/show_bug.cgi?id=2117747#c5, move it to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657

Verification pass with 4.12.0-0.nightly-2022-09-20-095559 + compliance-operator.v0.1.55

```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-20-095559   True        False         5h6m    Cluster version is 4.12.0-0.nightly-2022-09-20-095559
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.55   Compliance Operator   0.1.55               Succeeded
```

1. Create a ssb with ocp4-high and ocp4-high-node profile:

```
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: fedr-high-test
profiles:
  - name: ocp4-high
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-high-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default-auto-apply
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
```

2. After several rounds of remediation, all rules with auto remediation are in PASS status:

```
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
No resources found in openshift-compliance namespace.
$ oc get rule | grep module
rhcos4-audit-module-load                          4h16m
rhcos4-audit-rules-kernel-module-loading          4h16m
rhcos4-audit-rules-kernel-module-loading-delete   4h16m
rhcos4-audit-rules-kernel-module-loading-finit    4h16m
rhcos4-audit-rules-kernel-module-loading-init     4h16m
rhcos4-enable-dracut-fips-module                  4h16m
rhcos4-kernel-config-module-sig                   4h16m
rhcos4-kernel-config-module-sig-all               4h16m
rhcos4-kernel-config-module-sig-force             4h16m
rhcos4-kernel-config-module-sig-hash              4h16m
rhcos4-kernel-config-module-sig-key               4h16m
rhcos4-kernel-config-module-sig-sha512            4h16m
rhcos4-kernel-module-atm-disabled                 4h16m
rhcos4-kernel-module-bluetooth-disabled           4h16m
rhcos4-kernel-module-can-disabled                 4h16m
rhcos4-kernel-module-cfg80211-disabled            4h16m
rhcos4-kernel-module-cramfs-disabled              4h16m
rhcos4-kernel-module-firewire-core-disabled       4h16m
rhcos4-kernel-module-freevxfs-disabled            4h16m
rhcos4-kernel-module-hfs-disabled                 4h16m
rhcos4-kernel-module-hfsplus-disabled             4h16m
rhcos4-kernel-module-ipv6-option-disabled         4h16m
rhcos4-kernel-module-iwlmvm-disabled              4h16m
rhcos4-kernel-module-iwlwifi-disabled             4h16m
rhcos4-kernel-module-jffs2-disabled               4h16m
rhcos4-kernel-module-mac80211-disabled            4h16m
rhcos4-kernel-module-rds-disabled                 4h16m
rhcos4-kernel-module-sctp-disabled                4h16m
rhcos4-kernel-module-squashfs-disabled            4h16m
rhcos4-kernel-module-tipc-disabled                4h16m
rhcos4-kernel-module-udf-disabled                 4h16m
rhcos4-kernel-module-usb-storage-disabled         4h16m
rhcos4-kernel-module-uvcvideo-disabled            4h16m
rhcos4-kernel-module-vfat-disabled                4h16m
$ oc get ccr | grep module
```