Bug 1936413
| Summary: | The instructions are missing for some rules those report status ‘MANUAL’ | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan | |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> | |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 4.8 | CC: | josorior, mrogers, xiyuan | |
| Target Milestone: | --- | |||
| Target Release: | 4.8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1953513 (view as bug list) | Environment: | ||
| Last Closed: | 2021-07-07 11:29:56 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1953513, 1953523 | |||
I think for the BIOS rules, there's not that much we can do, is it? I sent https://github.com/ComplianceAsCode/content/pull/6836 to cover the SSH rule anyway The PR was merged -> MODIFIED Per comment https://bugzilla.redhat.com/show_bug.cgi?id=1936413#c2,the instructions for bios is still empty. verified with 4.8.0-0.nightly-2021-04-25-195440 + latest compliance operator. # git log | head commit 513a2d1824de0713c0bf1ed6604dbed3be8d22d5 Merge: b0cd03e4 21b64971 Author: Juan Osorio Robles <jaosorior> Date: Sun Apr 25 08:36:27 2021 +0300 Merge pull request #629 from JAORMX/gosec-update Update gosec to v2.7.0 commit 21b649715394d96582ce09fedc247cf513435d1c # make deploy-local Creating 'openshift-compliance' namespace/project namespace/openshift-compliance created podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile . STEP 1: FROM golang:1.15 AS builder STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator --> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d STEP 3: ENV GOFLAGS=-mod=vendor --> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb STEP 4: COPY . . ... # make deploy-local Creating 'openshift-compliance' namespace/project namespace/openshift-compliance created podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile . STEP 1: FROM golang:1.15 AS builder STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator --> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d STEP 3: ENV GOFLAGS=-mod=vendor --> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb STEP 4: COPY . . # oc get pod NAME READY STATUS RESTARTS AGE compliance-operator-6fff49b5f6-fmkvk 1/1 Running 0 5m ocp4-openshift-compliance-pp-66fbbff4c6-pfstd 1/1 Running 0 4m rhcos4-openshift-compliance-pp-74bd6f7dbd-8kmfc 1/1 Running 0 4m # oc create -f - << EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: ScanSettingBinding > metadata: > name: instructions-check1 > profiles: > - apiGroup: compliance.openshift.io/v1alpha1 > kind: Profile > name: rhcos4-e8 > - apiGroup: compliance.openshift.io/v1alpha1 > kind: Profile > name: rhcos4-moderate > settingsRef: > apiGroup: compliance.openshift.io/v1alpha1 > kind: ScanSetting > name: default > EOF # oc get suite NAME PHASE RESULT instructions-check1 DONE NON-COMPLIANT # for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL --no-headers | awk '{print $1}' `; do echo -e "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o=jsonpath={.instructions}; echo -e "\n"; done ******************Below is the instructions for rule rhcos4-moderate-master-bios-disable-usb-boot ******************Below is the instructions for rule rhcos4-moderate-master-sshd-limit-user-access To ensure sshd limits the users who can log in, run the following: $ sudo grep AllowUsers /etc/ssh/sshd_config If properly configured, the output should be a list of usernames allowed to log in to this system. ******************Below is the instructions for rule rhcos4-moderate-master-wireless-disable-in-bios ******************Below is the instructions for rule rhcos4-moderate-worker-bios-disable-usb-boot ******************Below is the instructions for rule rhcos4-moderate-worker-sshd-limit-user-access To ensure sshd limits the users who can log in, run the following: $ sudo grep AllowUsers /etc/ssh/sshd_config If properly configured, the output should be a list of usernames allowed to log in to this system. ******************Below is the instructions for rule rhcos4-moderate-worker-wireless-disable-in-bios (In reply to xiyuan from comment #4) > Per comment https://bugzilla.redhat.com/show_bug.cgi?id=1936413#c2,the > instructions for bios is still empty. But are the instructions needed here? For one, in virtual environments this rule is just not applicable, for two, we can't really put anything really meaningful outside 'please check your BIOS per instructions from your vendor" ... setting needinfo to answer coment #5 Per comments below and https://bugzilla.redhat.com/show_bug.cgi?id=1936413#c5, verification pass with 4.8.0-0.nightly-2021-05-21-233425 and compliance-operator.v0.1.32 $ oc get ip install-smz94 compliance-operator.v0.1.32 Automatic true $ oc get csv NAME DISPLAY VERSION REPLACES PHASE compliance-operator.v0.1.32 Compliance Operator 0.1.32 Succeeded $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2021-05-21-233425 True False 6h6m Cluster version is 4.8.0-0.nightly-2021-05-21-233425 $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS $ oc create -f - << EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: ScanSettingBinding > metadata: > name: instructions-check1 > profiles: > - apiGroup: compliance.openshift.io/v1alpha1 > kind: Profile > name: rhcos4-e8 > - apiGroup: compliance.openshift.io/v1alpha1 > kind: Profile > name: rhcos4-moderate > settingsRef: > apiGroup: compliance.openshift.io/v1alpha1 > kind: ScanSetting > name: default > EOF scansettingbinding.compliance.openshift.io/instructions-check1 created $ oc get suite NAME PHASE RESULT instructions-check1 DONE NON-COMPLIANT $ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL --no-headers | awk '{print $1}' `; do echo -e "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o=jsonpath={.instructions}; echo -e "\n"; done ******************Below is the instructions for rule rhcos4-moderate-master-bios-disable-usb-boot ******************Below is the instructions for rule rhcos4-moderate-master-sshd-limit-user-access To ensure sshd limits the users who can log in, run the following: $ sudo grep AllowUsers /etc/ssh/sshd_config If properly configured, the output should be a list of usernames allowed to log in to this system. ******************Below is the instructions for rule rhcos4-moderate-master-wireless-disable-in-bios ******************Below is the instructions for rule rhcos4-moderate-worker-bios-disable-usb-boot ******************Below is the instructions for rule rhcos4-moderate-worker-sshd-limit-user-access To ensure sshd limits the users who can log in, run the following: $ sudo grep AllowUsers /etc/ssh/sshd_config If properly configured, the output should be a list of usernames allowed to log in to this system. ******************Below is the instructions for rule rhcos4-moderate-worker-wireless-disable-in-bios Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2652 |
Description of problem: The instructions is missing for some rules in MANUAL check-status Version-Release number of selected component (if applicable): 4.8.0-0.nightly-2021-03-06-055252 + compliance-operator.v0.1.28 How reproducible: always Steps to Reproduce: Trigger a compliancesuite with rhcos4-e8 and rhcos4-moderate $ oc create -f - << EOF apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: instructions-check1 profiles: - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: rhcos4-e8 - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: rhcos4-moderate settingsRef: apiGroup: compliance.openshift.io/v1alpha1 kind: ScanSetting name: default EOF Check whether there is instructions for the rules in MANUAL check-status for the compliancecheckresults Actual results: The instructions is missing for some rules in MANUAL check-status $ oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL NAME STATUS SEVERITY rhcos4-moderate-master-bios-disable-usb-boot MANUAL unknown rhcos4-moderate-master-sshd-limit-user-access MANUAL unknown rhcos4-moderate-master-wireless-disable-in-bios MANUAL unknown rhcos4-moderate-worker-bios-disable-usb-boot MANUAL unknown rhcos4-moderate-worker-sshd-limit-user-access MANUAL unknown rhcos4-moderate-worker-wireless-disable-in-bios MANUAL unknown $ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL | grep "rhcos4" | awk '{print $1}' `; do echo "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o yaml | grep -v "f:instructions:" | grep -i "instructions:" -A3 ; done ******************Below is the instructions for rule rhcos4-moderate-master-bios-disable-usb-boot ******************Below is the instructions for rule rhcos4-moderate-master-sshd-limit-user-access ******************Below is the instructions for rule rhcos4-moderate-master-wireless-disable-in-bios ******************Below is the instructions for rule rhcos4-moderate-worker-bios-disable-usb-boot ******************Below is the instructions for rule rhcos4-moderate-worker-sshd-limit-user-access ******************Below is the instructions for rule rhcos4-moderate-worker-wireless-disable-in-bios Expected results: The instructions should be available for all rules in MANUAL check-status Additional info: Checked all other rules in other profiles.compliance in MANUAL check-status , all of them have instructions available $ oc create -f - << EOF apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: instructions-check profiles: - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-e8 - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-moderate - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis-node settingsRef: apiGroup: compliance.openshift.io/v1alpha1 kind: ScanSetting name: default EOF $ oc get compliancesuite -w NAME PHASE RESULT instructions-check1 DONE NON-COMPLIANT instructions-check DONE NON-COMPLIANT $ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL | grep "ocp4" | awk '{print $1}' `; do echo "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o yaml | grep -v "f:instructions:" | grep -i "instructions:" -A3 ; done ******************Below is the instructions for rule ocp4-cis-accounts-restrict-service-account-tokens instructions: |- For each pod in the cluster, review the pod specification and ensure that pods that do not need to explicitly communicate with the API server have automountServiceAccountToken ******************Below is the instructions for rule ocp4-cis-accounts-unique-service-account instructions: |- For each namespace in the cluster, review the rights assigned to the default service account. There should be no cluster or local roles assigned to the default other than the defaults. ******************Below is the instructions for rule ocp4-cis-api-server-oauth-https-serving-cert instructions: |- Run the following command: $ oc -n openshift-oauth-apiserver describe secret serving-cert Verify that the serving-cert for the openshift-apiserver is type ...