Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1936413

Summary: The instructions are missing for some rules those report status ‘MANUAL’
Product: OpenShift Container Platform Reporter: xiyuan
Component: Compliance OperatorAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: xiyuan
Severity: medium Docs Contact:
Priority: medium    
Version: 4.8CC: josorior, mrogers, xiyuan
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1953513 (view as bug list) Environment:
Last Closed: 2021-07-07 11:29:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1953513, 1953523    

Description xiyuan 2021-03-08 12:47:36 UTC
Description of problem:
The instructions is missing for some rules in MANUAL check-status

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-03-06-055252 + compliance-operator.v0.1.28

How reproducible:
always

Steps to Reproduce:
Trigger a compliancesuite with rhcos4-e8 and rhcos4-moderate
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: instructions-check1
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: rhcos4-e8
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: rhcos4-moderate
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
Check whether there is instructions for the rules in MANUAL check-status for the compliancecheckresults


Actual results:
The instructions is missing for some rules in MANUAL check-status
$ oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL
NAME                                              STATUS   SEVERITY
rhcos4-moderate-master-bios-disable-usb-boot      MANUAL   unknown
rhcos4-moderate-master-sshd-limit-user-access     MANUAL   unknown
rhcos4-moderate-master-wireless-disable-in-bios   MANUAL   unknown
rhcos4-moderate-worker-bios-disable-usb-boot      MANUAL   unknown
rhcos4-moderate-worker-sshd-limit-user-access     MANUAL   unknown
rhcos4-moderate-worker-wireless-disable-in-bios   MANUAL   unknown
$  for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL |  grep  "rhcos4" | awk '{print $1}' `; do echo "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o yaml  | grep -v "f:instructions:" | grep -i "instructions:" -A3 ; done
******************Below is the instructions for rule rhcos4-moderate-master-bios-disable-usb-boot
******************Below is the instructions for rule rhcos4-moderate-master-sshd-limit-user-access
******************Below is the instructions for rule rhcos4-moderate-master-wireless-disable-in-bios
******************Below is the instructions for rule rhcos4-moderate-worker-bios-disable-usb-boot
******************Below is the instructions for rule rhcos4-moderate-worker-sshd-limit-user-access
******************Below is the instructions for rule rhcos4-moderate-worker-wireless-disable-in-bios


Expected results:
The instructions should be available for all rules in MANUAL check-status


Additional info:
Checked all other rules in other profiles.compliance in MANUAL check-status
, all of them have instructions available 
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: instructions-check
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-e8
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-moderate
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
$ oc get compliancesuite -w
NAME                  PHASE     RESULT
instructions-check1   DONE      NON-COMPLIANT
instructions-check    DONE          NON-COMPLIANT
$ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL |  grep  "ocp4" | awk '{print $1}' `; do echo "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o yaml  | grep -v "f:instructions:" | grep -i "instructions:" -A3 ; done
******************Below is the instructions for rule ocp4-cis-accounts-restrict-service-account-tokens
instructions: |-
  For each pod in the cluster, review the pod specification and
  ensure that pods that do not need to explicitly communicate with
  the API server have automountServiceAccountToken
******************Below is the instructions for rule ocp4-cis-accounts-unique-service-account
instructions: |-
  For each namespace in the cluster, review the rights assigned
  to the default service account. There should be no cluster or local roles
  assigned to the default other than the defaults.
******************Below is the instructions for rule ocp4-cis-api-server-oauth-https-serving-cert
instructions: |-
  Run the following command:
  $ oc -n openshift-oauth-apiserver describe secret serving-cert
  Verify that the serving-cert for the openshift-apiserver is type
...

Comment 2 Jakub Hrozek 2021-04-14 12:23:25 UTC
I think for the BIOS rules, there's not that much we can do, is it? I sent https://github.com/ComplianceAsCode/content/pull/6836 to cover the SSH rule anyway

Comment 3 Jakub Hrozek 2021-04-19 10:34:15 UTC
The PR was merged -> MODIFIED

Comment 4 xiyuan 2021-04-26 11:05:28 UTC
Per comment https://bugzilla.redhat.com/show_bug.cgi?id=1936413#c2,the instructions for bios is still empty. 
verified with 4.8.0-0.nightly-2021-04-25-195440 + latest compliance operator.
# git log | head
commit 513a2d1824de0713c0bf1ed6604dbed3be8d22d5
Merge: b0cd03e4 21b64971
Author: Juan Osorio Robles <jaosorior>
Date:   Sun Apr 25 08:36:27 2021 +0300

    Merge pull request #629 from JAORMX/gosec-update
    
    Update gosec to v2.7.0

commit 21b649715394d96582ce09fedc247cf513435d1c

# make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb
STEP 4: COPY . . 
...
# make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb
STEP 4: COPY . . 

# oc get pod
NAME                                                    READY   STATUS      RESTARTS   AGE
compliance-operator-6fff49b5f6-fmkvk                    1/1     Running     0          5m
ocp4-openshift-compliance-pp-66fbbff4c6-pfstd           1/1     Running     0          4m
rhcos4-openshift-compliance-pp-74bd6f7dbd-8kmfc         1/1     Running     0          4m

# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: instructions-check1
> profiles:
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: rhcos4-e8
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: rhcos4-moderate
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
# oc get suite
NAME                  PHASE   RESULT
instructions-check1   DONE    NON-COMPLIANT
# for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL --no-headers | awk '{print $1}' `; do echo -e "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o=jsonpath={.instructions}; echo -e "\n"; done
******************Below is the instructions for rule rhcos4-moderate-master-bios-disable-usb-boot


******************Below is the instructions for rule rhcos4-moderate-master-sshd-limit-user-access
To ensure sshd limits the users who can log in, run the following:
$ sudo grep AllowUsers /etc/ssh/sshd_config
If properly configured, the output should be a list of usernames allowed to log in
to this system.

******************Below is the instructions for rule rhcos4-moderate-master-wireless-disable-in-bios


******************Below is the instructions for rule rhcos4-moderate-worker-bios-disable-usb-boot


******************Below is the instructions for rule rhcos4-moderate-worker-sshd-limit-user-access
To ensure sshd limits the users who can log in, run the following:
$ sudo grep AllowUsers /etc/ssh/sshd_config
If properly configured, the output should be a list of usernames allowed to log in
to this system.

******************Below is the instructions for rule rhcos4-moderate-worker-wireless-disable-in-bios

Comment 5 Jakub Hrozek 2021-04-28 08:09:26 UTC
(In reply to xiyuan from comment #4)
> Per comment https://bugzilla.redhat.com/show_bug.cgi?id=1936413#c2,the
> instructions for bios is still empty. 

But are the instructions needed here? For one, in virtual environments this rule is just not applicable, for two, we can't really put anything really meaningful outside 'please check your BIOS per instructions from your vendor" ...

Comment 6 Jakub Hrozek 2021-04-30 16:01:26 UTC
setting needinfo to answer coment #5

Comment 10 xiyuan 2021-05-24 08:44:31 UTC
Per comments below and https://bugzilla.redhat.com/show_bug.cgi?id=1936413#c5, verification pass with 4.8.0-0.nightly-2021-05-21-233425 and compliance-operator.v0.1.32 
$ oc get ip
install-smz94   compliance-operator.v0.1.32   Automatic   true
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.32   Compliance Operator   0.1.32               Succeeded
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-05-21-233425   True        False         6h6m    Cluster version is 4.8.0-0.nightly-2021-05-21-233425
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
$  oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: instructions-check1
> profiles:
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: rhcos4-e8
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: rhcos4-moderate
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/instructions-check1 created
$ oc get suite
NAME                  PHASE   RESULT
instructions-check1   DONE    NON-COMPLIANT
$ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL --no-headers | awk '{print $1}' `; do echo -e "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o=jsonpath={.instructions}; echo -e "\n"; done
******************Below is the instructions for rule rhcos4-moderate-master-bios-disable-usb-boot


******************Below is the instructions for rule rhcos4-moderate-master-sshd-limit-user-access
To ensure sshd limits the users who can log in, run the following:
$ sudo grep AllowUsers /etc/ssh/sshd_config
If properly configured, the output should be a list of usernames allowed to log in
to this system.

******************Below is the instructions for rule rhcos4-moderate-master-wireless-disable-in-bios


******************Below is the instructions for rule rhcos4-moderate-worker-bios-disable-usb-boot


******************Below is the instructions for rule rhcos4-moderate-worker-sshd-limit-user-access
To ensure sshd limits the users who can log in, run the following:
$ sudo grep AllowUsers /etc/ssh/sshd_config
If properly configured, the output should be a list of usernames allowed to log in
to this system.

******************Below is the instructions for rule rhcos4-moderate-worker-wireless-disable-in-bios

Comment 14 errata-xmlrpc 2021-07-07 11:29:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2652