
Bug 1940778

Summary: Compliance operator returns NON-COMPLIANT when no remediation found for profile ocp4-cis-node
Product: OpenShift Container Platform
Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance Operator
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: unspecified
Priority: unspecified
Version: 4.6
CC: akaris, dcaspin, jhrozek, josorior, mrogers, nkinder, xiyuan
Target Milestone: ---
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1919367
Clones: 1940782
Last Closed: 2021-03-31 21:50:42 UTC
Type: ---
Regression: ---
Bug Depends On: 1919367
Bug Blocks: 1940782

Comment 4 Prashant Dhamdhere 2021-03-22 04:43:18 UTC
[Bug Verification]

Looks good to me. All CIS manual rules have instructions that can be followed to apply these rules manually.


Verified on:
4.7.0-0.nightly-2021-03-21-181832
compliance-operator.v0.1.29


# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-03-21-181832   True        False         27m     Cluster version is 4.7.0-0.nightly-2021-03-21-181832


# oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.29   Compliance Operator   0.1.29               Succeeded


# oc get sub openshift-compliance-operator -o jsonpath='{.spec.channel}'
4.7


# oc get pods 
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-7d89b4c589-hlzrh              1/1     Running   0          22m
ocp4-openshift-compliance-pp-7f7d49575c-m6872     1/1     Running   0          21m
rhcos4-openshift-compliance-pp-85b5bf6c69-fft57   1/1     Running   0          21m


# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: myssr
> # Suite-specific settings
> autoApplyRemediations: true
> schedule: "0 1 * * *"
> # Scan-specific settings
> rawResultStorage:
>   size: "2Gi"
>   rotation: 5
> # For each role, a separate scan will be created pointing
> # to a node-role specified in roles
> roles:
>   - master
> EOF
scansetting.compliance.openshift.io/myssr created


# oc get scansetting
NAME                 AGE
default              23m
default-auto-apply   23m
myssr                38s


# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: myssr
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created


# oc get scansettingbinding
NAME       AGE
my-ssb-r   114s

# oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

# oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          116s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          106s
compliance-operator-7d89b4c589-hlzrh                    1/1     Running     0          26m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          2m17s
ocp4-openshift-compliance-pp-7f7d49575c-m6872           1/1     Running     0          25m
openscap-pod-087832379ed87df937ac87295297347504affdb4   0/2     Completed   0          2m17s
openscap-pod-2019d34accbdfa5e7515264555806cc933a11b45   0/2     Completed   0          2m17s
openscap-pod-c74301f4207e2b17c49e6e1197494e51333fd0d9   0/2     Completed   0          2m17s
rhcos4-openshift-compliance-pp-85b5bf6c69-fft57         1/1     Running     0          25m


# oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r,!compliance.openshift.io/automated-remediation' | grep -v "NAME" | wc -l
190

# oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r,compliance.openshift.io/automated-remediation' | grep -v "NAME" | wc -l
3

# oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r' | grep -v "NAME" | wc -l 
193


# for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL | awk '{print $1}' | grep ocp4`;do echo $i; done
ocp4-cis-accounts-restrict-service-account-tokens
ocp4-cis-accounts-unique-service-account
ocp4-cis-api-server-oauth-https-serving-cert
ocp4-cis-api-server-openshift-https-serving-cert
ocp4-cis-configure-network-policies
ocp4-cis-configure-network-policies-namespaces
ocp4-cis-file-groupowner-proxy-kubeconfig
ocp4-cis-file-owner-proxy-kubeconfig
ocp4-cis-general-apply-scc
ocp4-cis-general-configure-imagepolicywebhook
ocp4-cis-general-default-namespace-use
ocp4-cis-general-default-seccomp-profile
ocp4-cis-general-namespaces-in-use
ocp4-cis-rbac-limit-cluster-admin
ocp4-cis-rbac-limit-secrets-access
ocp4-cis-rbac-pod-creation-access
ocp4-cis-rbac-wildcard-use
ocp4-cis-scc-drop-container-capabilities
ocp4-cis-scc-limit-container-allowed-capabilities
ocp4-cis-scc-limit-ipc-namespace
ocp4-cis-scc-limit-net-raw-capability
ocp4-cis-scc-limit-network-namespace
ocp4-cis-scc-limit-privilege-escalation
ocp4-cis-scc-limit-privileged-containers
ocp4-cis-scc-limit-process-id-namespace
ocp4-cis-scc-limit-root-containers
ocp4-cis-secrets-consider-external-storage
ocp4-cis-secrets-no-environment-variables


# for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL | awk '{print $1}' | grep ocp4`; do echo "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o yaml  | grep -v "f:instructions:" | grep -i "instructions:" -A3 ; done
******************Below is the instructions for rule ocp4-cis-accounts-restrict-service-account-tokens
instructions: |-
  For each pod in the cluster, review the pod specification and
  ensure that pods that do not need to explicitly communicate with
  the API server have automountServiceAccountToken
******************Below is the instructions for rule ocp4-cis-accounts-unique-service-account
instructions: |-
  For each namespace in the cluster, review the rights assigned
  to the default service account. There should be no cluster or local roles
  assigned to the default other than the defaults.
******************Below is the instructions for rule ocp4-cis-api-server-oauth-https-serving-cert
instructions: |-
  Run the following command:
  $ oc -n openshift-oauth-apiserver describe secret serving-cert
  Verify that the serving-cert for the openshift-apiserver is type
******************Below is the instructions for rule ocp4-cis-api-server-openshift-https-serving-cert
instructions: |-
  Run the following command:
  $ oc -n openshift-apiserver describe secret serving-cert
  Verify that the serving-cert for the openshift-apiserver is type
******************Below is the instructions for rule ocp4-cis-configure-network-policies
instructions: |-
  Verify on OpenShift that the NetworkPolicy plugin is being used:
  $ oc explain networkpolicy
  The resulting output should be an explanation of the NetworkPolicy resource.
******************Below is the instructions for rule ocp4-cis-configure-network-policies-namespaces
instructions: |-
  Verify on OpenShift namespaces that network policies are in use:
  $ oc get networkpolicy --all-namespaces
  Ensure that each namespace defined in the cluster has at least one NetworkPolicy.
******************Below is the instructions for rule ocp4-cis-file-groupowner-proxy-kubeconfig
instructions: 'To check the group ownership of /config/kube-proxy-config.yaml, run the command: $ ls -lL /config/kube-proxy-config.yaml If properly configured, the output should indicate the following group-owner: root'
kind: ComplianceCheckResult
metadata:
  annotations:
******************Below is the instructions for rule ocp4-cis-file-owner-proxy-kubeconfig
instructions: 'To check the ownership of /config/kube-proxy-config.yaml, run the command: $ ls -lL /config/kube-proxy-config.yaml If properly configured, the output should indicate the following owner: root'
kind: ComplianceCheckResult
metadata:
  annotations:
******************Below is the instructions for rule ocp4-cis-general-apply-scc
instructions: |-
  Review the pod definitions in your cluster and verify that you have security
  contexts defined as appropriate.  OpenShift's Security Context Constraint
  feature is on by default in OpenShift 4 and applied to all pods deployed. SCC
******************Below is the instructions for rule ocp4-cis-general-configure-imagepolicywebhook
instructions: |-
  To ensure that an image policy is configured, review the output
  returned from the following command:
  $ oc get image.config.openshift.io/cluster -o yaml
******************Below is the instructions for rule ocp4-cis-general-default-namespace-use
instructions: |-
  Run the following command to list objects in the default namespace:
  $ oc get all -n default
  The only entries there should be system-managed resources such as the
******************Below is the instructions for rule ocp4-cis-general-default-seccomp-profile
instructions: |-
  In OpenShift 4, CRI-O is the supported runtime. CRI-O runs unconfined by
  default in order to meet CRI conformance criteria.  On RHEL CoreOS, the
  default seccomp policy is associated with CRI-O and stored in
******************Below is the instructions for rule ocp4-cis-general-namespaces-in-use
instructions: |-
  OpenShift projects wrap Kubernetes namespaces and are used by default in
  OpenShift 4.  Run the following command and review the namespaces created in
  the cluster.  $ oc get namespaces Ensure that the namespaces are
******************Below is the instructions for rule ocp4-cis-rbac-limit-cluster-admin
instructions: |-
  Review users and groups bound to cluster-admin and decide whether they
  require such access. Consider creating least-privilege roles for users and
  service accounts. Obtain a list of the users who have access to the
******************Below is the instructions for rule ocp4-cis-rbac-limit-secrets-access
instructions: |-
  To review the policy rules assigned to roles in all namespaces, run
  the following command:
  $ for ns in $(oc get projects -ojsonpath='{.items[*].metadata.name}'); do oc describe roles -n$ns; done
******************Below is the instructions for rule ocp4-cis-rbac-pod-creation-access
instructions: |-
  To review the pod creation privileges in roles, run the following commands:
  $ oc describe roles --all-namespaces
  $ oc describe clusterroles
******************Below is the instructions for rule ocp4-cis-rbac-wildcard-use
instructions: |-
  To review the wildcard usage in roles, run the following commands:
  $ oc describe roles --all-namespaces
  $ oc describe clusterroles
******************Below is the instructions for rule ocp4-cis-scc-drop-container-capabilities
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Next, examine the outputs of the following commands:
******************Below is the instructions for rule ocp4-cis-scc-limit-container-allowed-capabilities
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Next, examine the outputs of the following commands:
******************Below is the instructions for rule ocp4-cis-scc-limit-ipc-namespace
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowHostIPC set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-net-raw-capability
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that do not have NET_RAW or ALL set under requiredDropCapabilities.
******************Below is the instructions for rule ocp4-cis-scc-limit-network-namespace
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowHostNetwork set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-privilege-escalation
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowPrivilegeEscalation set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-privileged-containers
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowPrivilegedContainer set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-process-id-namespace
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowHostPID set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-root-containers
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowPrivilegedContainer set to true.
******************Below is the instructions for rule ocp4-cis-secrets-consider-external-storage
instructions: |-
  Review the cluster configuration and determine if an appropriate secrets
  manager has been configured.
kind: ComplianceCheckResult
******************Below is the instructions for rule ocp4-cis-secrets-no-environment-variables
instructions: |-
  To find workloads that use environment variables for secrets, run the following:
  $ oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.namespace} {.metadata.name} {"\n"}{end}' -A
  Review the output and ensure that workloads that can mount secrets as data
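The verification above derives its numbers from three `oc get ... | wc -l` invocations and a loop that greps each MANUAL rule's `instructions:` block. The following Python, added here as an example and not taken from the bug report or from the compliance-operator project, performs the same triage offline from a single `oc get compliancecheckresults -o json` dump: it filters to one suite, counts results by status, separates checks that carry the `compliance.openshift.io/automated-remediation` label from those that need manual follow-up, and lists the first lines of each MANUAL rule's instructions. The label and field names are those visible in the comment's `oc` output; the input document is constructed for the example, the check named `ocp4-cis-node-master-example-check` is a placeholder, and only the two instruction strings copied from the comment are real.

```python
# Added example, not from the bug report or the compliance-operator project.
# Assumed, based on the labels and fields visible in the verification output:
#   metadata.labels["compliance.openshift.io/suite"]
#   metadata.labels["compliance.openshift.io/check-status"]
#   metadata.labels["compliance.openshift.io/automated-remediation"]
#   top-level "status", "severity" and "instructions" fields
import json
import sys
from collections import Counter

SUITE_LABEL = "compliance.openshift.io/suite"
STATUS_LABEL = "compliance.openshift.io/check-status"
REMEDIATION_LABEL = "compliance.openshift.io/automated-remediation"


def _result(name, suite, status, severity, instructions, remediation=False):
    """Build one ComplianceCheckResult item in the shape `oc get -o json` returns."""
    labels = {SUITE_LABEL: suite, STATUS_LABEL: status}
    if remediation:
        # Only the label's presence matters to the `-l` selectors used in the
        # verification; an empty value is assumed here.
        labels[REMEDIATION_LABEL] = ""
    return {
        "kind": "ComplianceCheckResult",
        "metadata": {"name": name, "labels": labels},
        "status": status,
        "severity": severity,
        "instructions": instructions,
    }


# Constructed sample standing in for `oc get compliancecheckresults -A -o json`.
SAMPLE_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _result("ocp4-cis-api-server-admission-control-plugin-alwayspullimages",
            "my-ssb-r", "PASS", "high",
            "(constructed) Review the admission plugin list of the API server."),
    _result("ocp4-cis-node-master-example-check",  # placeholder name
            "my-ssb-r", "FAIL", "medium",
            "(constructed) A failing check that has a remediation object.",
            remediation=True),
    _result("ocp4-cis-scc-limit-privileged-containers",
            "my-ssb-r", "MANUAL", "medium",
            "Inspect each SCC returned from running the following command:\n"
            "$ oc get scc\n"
            "Review each SCC for those that have allowPrivilegedContainer set to true."),
    _result("ocp4-cis-rbac-limit-cluster-admin",
            "my-ssb-r", "MANUAL", "medium",
            "Review users and groups bound to cluster-admin and decide whether they\n"
            "require such access. Consider creating least-privilege roles for users and\n"
            "service accounts. Obtain a list of the users who have access to the"),
    _result("ocp4-cis-node-master-example-check",
            "other-suite", "FAIL", "medium",
            "(constructed) Same rule, a different ScanSettingBinding."),
]})


def load_results(raw_json, suite=None):
    """Parse the JSON list; optionally keep only one suite's results (the `-l suite=` filter)."""
    items = json.loads(raw_json).get("items", [])
    if suite is not None:
        items = [i for i in items
                 if i["metadata"].get("labels", {}).get(SUITE_LABEL) == suite]
    return items


def has_automated_remediation(item):
    """True when the operator created a ComplianceRemediation for this check."""
    return REMEDIATION_LABEL in item["metadata"].get("labels", {})


def summarize(items):
    """Counts by status plus the three lists an operator triages after a NON-COMPLIANT suite."""
    names = lambda pred: [i["metadata"]["name"] for i in items if pred(i)]
    return {
        "by_status": dict(Counter(i["status"] for i in items)),
        "automated": names(has_automated_remediation),
        "manual": names(lambda i: i["status"] == "MANUAL"),
        "fail_without_remediation": names(
            lambda i: i["status"] == "FAIL" and not has_automated_remediation(i)),
    }


def manual_instructions(items, max_lines=3):
    """Map each MANUAL check to the first lines of its instructions, as the grep -A3 loop does."""
    return {i["metadata"]["name"]: i.get("instructions", "").splitlines()[:max_lines]
            for i in items if i["status"] == "MANUAL"}


if __name__ == "__main__":
    # Pass a file produced by `oc get compliancecheckresults -A -o json` to use real data.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    results = load_results(raw, suite="my-ssb-r")
    print(json.dumps(summarize(results), indent=2))
    for name, lines in manual_instructions(results).items():
        print(f"*** {name}")
        print("\n".join("  " + l for l in lines))
```

The suite filter reproduces the `-l compliance.openshift.io/suite=my-ssb-r` selector, and `has_automated_remediation` mirrors the `,compliance.openshift.io/automated-remediation` / `,!compliance.openshift.io/automated-remediation` pair: the two counts in the comment are `len(automated)` and `len(items) - len(automated)`. The `fail_without_remediation` list is the one worth reviewing first after a NON-COMPLIANT result, because nothing the operator can apply automatically will clear those checks.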

Comment 5 Prashant Dhamdhere 2021-03-22 08:49:38 UTC
The latest 4.7 build has the missing rule and it looks good to me, so I am moving the
status of this bug to VERIFIED.

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1544518


# oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r,!compliance.openshift.io/automated-remediation' | grep -v "NAME" | wc -l
191

# oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r,compliance.openshift.io/automated-remediation' | grep -v "NAME" | wc -l
3

# oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r' | grep -v "NAME" | wc -l 
194

# oc get compliancecheckresults.compliance.openshift.io ocp4-cis-api-server-admission-control-plugin-alwayspullimages
NAME                                                            STATUS   SEVERITY
ocp4-cis-api-server-admission-control-plugin-alwayspullimages   PASS     high

Comment 7 errata-xmlrpc 2021-03-31 21:50:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.29 for OpenShift Container Platform 4.7), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1022