Bug 1940483 - Instructions for some rules in Compliance Operator
Summary: Instructions for some rules in Compliance Operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Juan Antonio Osorio
QA Contact: xiyuan
URL:
Whiteboard:
Depends On:
Blocks: 1953514 1953522
Reported: 2021-03-18 14:17 UTC by Nelson Lombo Paez
Modified: 2024-06-14 00:53 UTC
CC List: 3 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1953514
Environment:
Last Closed: 2021-07-07 11:29:56 UTC
Target Upstream Version:
Embargoed:




Links
GitHub ComplianceAsCode/content pull 6796 (open): RHCOS4: Enhance instructions to better reflect how to work with the platform (last updated 2021-04-06 12:07:25 UTC)
GitHub ComplianceAsCode/content pull 6838 (open): RHCOS/OCP: Add more detailed instructions for more OCIL instances (last updated 2021-04-15 07:36:57 UTC)
Red Hat Product Errata RHBA-2021:2652 (last updated 2021-07-07 11:31:09 UTC)

Description Nelson Lombo Paez 2021-03-18 14:17:40 UTC
Description of problem:

There are some rules, like Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot, that need to be configured at the OS level; as RHCOS is immutable, it is not possible to configure it.

Version-Release number of selected component (if applicable): 4.6


Additional info:

In this rule, for example, the customer needs to run the following:

~~~
Instructions from the rule on fixing it

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target

~~~

Comment 2 Matt Rogers 2021-04-05 14:22:54 UTC
We've just recently added a remediation for this rule upstream: https://github.com/ComplianceAsCode/content/pull/6787

commit 6335473924b67891e57189d5636fc0a1af0533ff
Author: Juan Antonio Osorio Robles <jaosorior>
Date:   Thu Apr 1 13:39:14 2021 +0300

    RHCOS4: Remediation and e2e test for `disable_ctrlaltdel_reboot`
    
    It was missing.
    
    Signed-off-by: Juan Antonio Osorio Robles <jaosorior>


With this remediation added, a remediation object will be generated and it applies through the MCO, so there's no need to follow the text in the description. 

In the meanwhile you can use the MC remediation directly:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: ctrl-alt-del.target
        mask: true

Comment 3 Juan Antonio Osorio 2021-04-06 08:34:33 UTC
Even though the rules that this refers to are being addressed, I'd like to fix this issue in general by adding MachineConfig-specific instructions to the content. This will mean making additions to the ComplianceAsCode templates that build the rule descriptions.

Comment 4 Juan Antonio Osorio 2021-04-09 05:51:18 UTC
With the latest changes to ComplianceAsCode, we should now have more relevant instructions for most of the RHCOS content. It points users to how they should create MachineConfig objects to remediate the issues.

Comment 5 xiyuan 2021-04-14 14:13:12 UTC
More rules that don't have clear instructions:
# oc get compliancecheckresults.compliance.openshift.io  | grep proxy-kubeconfig
ocp4-cis-file-groupowner-proxy-kubeconfig                                      MANUAL           medium
ocp4-cis-file-owner-proxy-kubeconfig                                           MANUAL           medium
ocp4-cis-file-permissions-proxy-kubeconfig                                     PASS             medium

# oc get compliancecheckresults ocp4-cis-file-permissions-proxy-kubeconfig -o=jsonpath={.instructions} 
To check the permissions of /config/kube-proxy-config.yaml, run the command:
  $ ls -l /config/kube-proxy-config.yaml
  If properly configured, the output should indicate the following permissions:
  -rw-r--r--
# oc get compliancecheckresults ocp4-cis-file-owner-proxy-kubeconfig -o=jsonpath={.instructions} 
To check the ownership of /config/kube-proxy-config.yaml, run the command: $ ls -lL /config/kube-proxy-config.yaml If properly configured, the output should indicate the following owner: root

# oc get compliancecheckresults ocp4-cis-file-permissions-proxy-kubeconfig -o=jsonpath={.instructions} 
To check the permissions of /config/kube-proxy-config.yaml, run the command:
  $ ls -l /config/kube-proxy-config.yaml
  If properly configured, the output should indicate the following permissions:
  -rw-r--r--

Comment 6 xiyuan 2021-04-28 14:46:26 UTC
Verified pass with cluster version 4.8.0-0.nightly-2021-04-26-151924 and compliance-operator

# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-04-26-151924   True        False         134m    Cluster version is 4.8.0-0.nightly-2021-04-26-151924
# make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb
STEP 4: COPY . . 
7c7e46d497603eddcc5bf33a40ff0a9e297ead894050bca67fba2845a1db35e0
STEP 5: RUN make manager
GOFLAGS=-mod=vendor GO111MODULE=auto go build -o /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator github.com/openshift/compliance-operator/cmd/manager
233e397f48bba88a3abd1c0b79655b6d83d4746d4218bb753ed5e5fea17f6640
STEP 6: FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
STEP 7: ENV OPERATOR=/usr/local/bin/compliance-operator     USER_UID=1001     USER_NAME=compliance-operator
--> Using cache d54b05b0da9a0f1bd656c2d993052f900ea9e55220503ba7f364db8b71f33aa7
STEP 8: COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
138e8ba1b02509045ad22dc125c3d3cd59cd96cffb589a8efb341298a8d4ce9b
...
# oc create -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: rhcos4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:                                  
>   name: default-auto-apply
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

For the rules rhcos4-moderate-master-disable-ctrlaltdel-reboot and rhcos4-moderate-worker-disable-ctrlaltdel-reboot, there is auto-remediation and it works as expected. The instructions also work as expected.
# oc get complianceremediations --show-labels | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot                                                    Applied               compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-disable-ctrlaltdel-reboot                                                    Applied               compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r

# oc compliance fetch-fixes complianceremediation rhcos4-moderate-master-disable-ctrlaltdel-reboot
Persisted compliance remediation fix to rhcos4-moderate-master-disable-ctrlaltdel-reboot.yaml
[root@MiWiFi-RA69-srv compliance-operator]# cat rhcos4-moderate-master-disable-ctrlaltdel-reboot.yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: rhcos4-moderate-master-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - mask: true
        name: ctrl-alt-del.target
# oc compliance fetch-fixes complianceremediation rhcos4-moderate-worker-disable-ctrlaltdel-reboot
Persisted compliance remediation fix to rhcos4-moderate-worker-disable-ctrlaltdel-reboot.yaml
# cat rhcos4-moderate-worker-disable-ctrlaltdel-reboot.yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: rhcos4-moderate-worker-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - mask: true
        name: ctrl-alt-del.target
# oc compliance rerun-now compliancesuite my-ssb-r
Rerunning scans from 'my-ssb-r': ocp4-moderate, rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'

After the rescan finished, check whether auto-remediation is working as expected and whether the instructions are working as expected.
# oc get compliancecheckresults --show-labels | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot                                                    PASS     high       compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-disable-ctrlaltdel-reboot                                                    PASS     high       compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
# oc get compliancecheckresults rhcos4-moderate-worker-disable-ctrlaltdel-reboot -o=jsonpath={.instructions}
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)

# oc debug node/xiyuan282-b7m5x-w-a-0.c.openshift-qe.internal -- chroot /host sudo systemctl status ctrl-alt-del.target
Starting pod/xiyuan282-b7m5x-w-a-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
● ctrl-alt-del.target
   Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
   Active: inactive (dead)

Removing debug pod ...


For the proxy-kubeconfig related cis rules, there is bug https://bugzilla.redhat.com/show_bug.cgi?id=1954572 created to track.
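The MachineConfig remediation from comment 2 and the masked/inactive check that the rule instructions in comment 6 describe, as an added example; this is not code from the bug, the Compliance Operator or ComplianceAsCode. It assumes the standard MCO role label machineconfiguration.openshift.io/role; the MachineConfig name prefix and the sample systemctl outputs are constructed.

```shell
#!/bin/sh
# Added example, not code from this bug, the Compliance Operator or
# ComplianceAsCode. Assumptions: the MCO role label
# machineconfiguration.openshift.io/role is used to target a pool; the
# MachineConfig name prefix and the sample systemctl outputs are constructed.

# Emit a MachineConfig that masks ctrl-alt-del.target for one node role
# (master or worker), matching the remediation shape in comments 2 and 6.
ctrlaltdel_mc() {
  role="$1"
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-${role}-disable-ctrlaltdel-reboot
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: ctrl-alt-del.target
        mask: true
EOF
}

# Evaluate `systemctl status ctrl-alt-del.target` output against the rule's
# instructions: the unit must be both masked and inactive. Prints PASS/FAIL.
ctrlaltdel_check() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'Loaded: masked' &&
     printf '%s\n' "$out" | grep -q 'Active: inactive'; then
    echo PASS
  else
    echo FAIL
  fi
}

# Constructed sample outputs: a masked node (as in comment 6) and an unmasked one.
MASKED_OUT='ctrl-alt-del.target
   Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
   Active: inactive (dead)'
UNMASKED_OUT='ctrl-alt-del.target - Reboot
   Loaded: loaded (/usr/lib/systemd/system/ctrl-alt-del.target; static)
   Active: inactive (dead)'
```

On a cluster, `ctrlaltdel_mc worker | oc apply -f -` creates the MachineConfig, and the text returned by the `oc debug node/... -- chroot /host systemctl status ctrl-alt-del.target` command from comment 6 can be passed to `ctrlaltdel_check` to evaluate the node the same way the rule instructions do.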

Comment 9 xiyuan 2021-05-24 10:03:40 UTC
Per https://bugzilla.redhat.com/show_bug.cgi?id=1940483#c6, verification passed.

Comment 14 errata-xmlrpc 2021-07-07 11:29:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2652
