
Bug 1940780

Summary: ocp4-cis scan reports FAIL for audit logforward check
Product: OpenShift Container Platform Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance Operator Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.6 CC: dtarabor, josorior, mrogers, xiyuan
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: All   
OS: Linux   
Clone Of: 1937472
: 1940784 (view as bug list) Environment:
Last Closed: 2021-03-31 21:50:42 UTC Type: ---
Bug Depends On: 1937472    
Bug Blocks: 1940784    

Comment 3 Prashant Dhamdhere 2021-03-23 11:32:32 UTC
[Bug Verification]

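Looks good. The `ocp4-cis-audit-log-forwarding-enabled` rule scan now returns PASS even when
the audit inputRef is added in a single pipeline.

The forwarder used below is the QE test fluentd server from the `insecure` test data (plain `tcp://` output,
service account granted the `privileged` SCC), so PASS here shows that audit forwarding is configured, not that the transport is encrypted.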


Verified on:
4.7.0-0.nightly-2021-03-22-025559
compliance-operator.v0.1.29



# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-03-22-025559   True        False         4h28m   Cluster version is 4.7.0-0.nightly-2021-03-22-025559


# oc create -f 4.7_logging.yaml 
namespace/openshift-operators-redhat created
namespace/openshift-logging created
operatorgroup.operators.coreos.com/openshift-logging created
operatorgroup.operators.coreos.com/openshift-operators-redhat created
role.rbac.authorization.k8s.io/prometheus-k8s created
rolebinding.rbac.authorization.k8s.io/prometheus-k8s created
subscription.operators.coreos.com/cluster-logging created
subscription.operators.coreos.com/elasticsearch-operator created


# oc get csv -w -nopenshift-operators-redhat
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
elasticsearch-operator.5.0.1-23   OpenShift Elasticsearch Operator   5.0.1-23              Succeeded


# oc get pods -nopenshift-operators-redhat
NAME                                      READY   STATUS    RESTARTS   AGE
elasticsearch-operator-5bdf74b947-m7kcn   1/1     Running   0          2m30s


# oc get csv -w -nopenshift-logging
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
cluster-logging.5.0.1-23          Red Hat OpenShift Logging          5.0.1-23              Succeeded
elasticsearch-operator.5.0.1-23   OpenShift Elasticsearch Operator   5.0.1-23              Succeeded


# oc get pods -nopenshift-logging
NAME                                        READY   STATUS    RESTARTS   AGE
cluster-logging-operator-7dc66b4974-6frww   1/1     Running   0          50s


# oc project openshift-logging
Already on project "openshift-logging" on server "https://api.pdhamdhe-gcp4723.qe-shared-vpc.qe.gcp.devcluster.openshift.com:6443".


# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/logging/clusterlogging/customresource-fluentd.yaml
clusterlogging.logging.openshift.io/instance created


# oc get pods
NAME                                           READY   STATUS      RESTARTS   AGE
cluster-logging-operator-7dc66b4974-6frww      1/1     Running     0          37m
curator-1616497800-pdtm6                       0/1     Completed   0          6m29s
elasticsearch-cdm-4d9g38k9-1-b5848cb94-vshtp   2/2     Running     0          32m
elasticsearch-im-app-1616498100-47ljt          0/1     Completed   0          87s
elasticsearch-im-audit-1616498100-mtnd8        0/1     Completed   0          87s
elasticsearch-im-infra-1616498100-nzpjz        0/1     Completed   0          87s
fluentd-6m2r5                                  1/1     Running     0          32m
fluentd-8rch5                                  1/1     Running     0          32m
fluentd-9q8dr                                  1/1     Running     0          32m
fluentd-sdkqf                                  1/1     Running     0          32m
fluentd-x45ws                                  1/1     Running     0          32m
kibana-5c798666b5-8cltn                        2/2     Running     0          32m
kibana-5c798666b5-tlsr5                        2/2     Running     0          32m


# oc create sa fluentdserver
serviceaccount/fluentdserver created


# oc adm policy add-scc-to-user  privileged system:serviceaccount:openshift-logging:fluentdserver
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "fluentdserver"


# oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/logging/clusterlogforwarder/fluentd/insecure/configmap.yaml 
configmap/fluentdserver created


# oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/logging/clusterlogforwarder/fluentd/insecure/deployment.yaml 
deployment.apps/fluentdserver created


# oc expose deployment/fluentdserver
service/fluentdserver exposed


# oc create -f - <<EOF 
> apiVersion: logging.openshift.io/v1
> kind: ClusterLogForwarder
> metadata:
>   name: instance
>   namespace: openshift-logging
> spec:
>   outputs:
>     - name: fluentd-created-by-user
>       type: fluentdForward
>       url: 'tcp://fluentdserver.openshift-logging.svc:24224'
>   pipelines:
>    - name: audit-logs 
>      inputRefs: 
>      - audit
>      outputRefs:
>      - fluentd-created-by-user 
>    - name: infra-logs 
>      inputRefs:
>      - infrastructure
>      - application
>      outputRefs:
>      - default 
> EOF
clusterlogforwarder.logging.openshift.io/instance created


# oc project openshift-compliance
Now using project "openshift-compliance" on server "https://api.pdhamdhe-gcp4723.qe-shared-vpc.qe.gcp.devcluster.openshift.com:6443".


# oc get csv
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
compliance-operator.v0.1.29       Compliance Operator                0.1.29                Succeeded
elasticsearch-operator.5.0.1-23   OpenShift Elasticsearch Operator   5.0.1-23              Succeeded


# oc get sub
NAME                            PACKAGE               SOURCE                CHANNEL
openshift-compliance-operator   compliance-operator   compliance-operator   4.7


# oc get sub openshift-compliance-operator -o jsonpath='{.spec.channel}'
4.7


# oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6877dbc759-hdmqv              1/1     Running   0          3m13s
ocp4-openshift-compliance-pp-8c488d66f-ls7bl      1/1     Running   0          2m15s
rhcos4-openshift-compliance-pp-6784854bdf-4rtcv   1/1     Running   0          2m15s


# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created


# oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          39s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          29s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          33s
compliance-operator-6877dbc759-hdmqv                    1/1     Running     0          5m13s
ocp4-cis-api-checks-pod                                 0/2     Completed   0          95s
ocp4-openshift-compliance-pp-8c488d66f-ls7bl            1/1     Running     0          4m15s
openscap-pod-569bc9da4dc6557d9e2f0c0441c2f755c740fae6   0/2     Completed   0          94s
openscap-pod-7bb2ab09e1fd264e53ea594402a9b245563dc37f   0/2     Completed   0          94s
openscap-pod-900a60fa76828200dc0a63a426191e71ba3d181f   0/2     Completed   0          94s
openscap-pod-f14e58f079a3156928e84cfbf04c1bc333419ea0   0/2     Completed   0          94s
openscap-pod-fca89aae361710ee067044bea58d957c683b121e   0/2     Completed   0          93s
rhcos4-openshift-compliance-pp-6784854bdf-4rtcv         1/1     Running     0          4m15s


# oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT


# oc get compliancecheckresult ocp4-cis-audit-log-forwarding-enabled
NAME                                    STATUS   SEVERITY
ocp4-cis-audit-log-forwarding-enabled   PASS     medium


# oc project openshift-logging
Now using project "openshift-logging" on server "https://api.pdhamdhe-gcp4723.qe-shared-vpc.qe.gcp.devcluster.openshift.com:6443".


# oc get csv
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
cluster-logging.5.0.1-23          Red Hat OpenShift Logging          5.0.1-23              Succeeded
elasticsearch-operator.5.0.1-23   OpenShift Elasticsearch Operator   5.0.1-23              Succeeded


# oc get pods
NAME                                           READY   STATUS      RESTARTS   AGE
cluster-logging-operator-7dc66b4974-6frww      1/1     Running     0          49m
curator-1616498400-ms44m                       0/1     Completed   0          8m32s
elasticsearch-cdm-4d9g38k9-1-b5848cb94-vshtp   2/2     Running     0          44m
elasticsearch-im-app-1616498100-47ljt          0/1     Completed   0          13m
elasticsearch-im-audit-1616498100-mtnd8        0/1     Completed   0          13m
elasticsearch-im-infra-1616498100-nzpjz        0/1     Completed   0          13m
fluentd-8snll                                  1/1     Running     0          9m46s
fluentd-dz522                                  1/1     Running     0          10m
fluentd-l8cfk                                  1/1     Running     0          8m56s
fluentd-v7sgb                                  1/1     Running     0          8m47s
fluentd-xgclf                                  1/1     Running     0          9m25s
fluentdserver-5fb6ffb5d-pvjhj                  1/1     Running     0          11m
kibana-5c798666b5-8cltn                        2/2     Running     0          44m
kibana-5c798666b5-tlsr5                        2/2     Running     0          44m


# oc rsh fluentdserver-5fb6ffb5d-pvjhj
/ # grep "compliance-operator.v0.1.29" /fluentd/log/audit.log |tail -2
2021-03-23T11:23:02+00:00	k8s-audit.log	{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"info","auditID":"f19692c1-ff28-4d8b-85c4-680d1d9d0f40","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/openshift-compliance/configmaps?allowWatchBookmarks=true&resourceVersion=125501&timeoutSeconds=361&watch=true","verb":"watch","user":{"username":"system:serviceaccount:openshift-compliance:compliance-operator","uid":"10ec9c17-2f57-4ada-8721-93f60a5716c4","groups":["system:serviceaccounts","system:serviceaccounts:openshift-compliance","system:authenticated"]},"sourceIPs":["10.0.0.113"],"userAgent":"compliance-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"openshift-compliance","apiVersion":"v1"},"responseStatus":{"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2021-03-23T11:23:02.327969Z","stageTimestamp":"2021-03-23T11:29:03.328704Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-compliance:compliance-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"compliance-operator.v0.1.29-compliance-operator-df6bf598/openshift-compliance\" of Role \"compliance-operator.v0.1.29-compliance-operator-df6bf598\" to ServiceAccount \"compliance-operator/openshift-compliance\""},"k8s_audit_level":"Metadata","message":null,"hostname":"pdhamdhe-gcp4723-tddwd-m-2.c.openshift-qe.internal","pipeline_metadata":{"collector":{"ipaddr4":"10.0.0.111","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2021-03-23T11:29:03.330355+00:00","version":"1.7.4 1.6.0"}},"@timestamp":"2021-03-23T11:23:02.327969+00:00","viaq_index_name":"audit-write","viaq_msg_id":"ZTYxNjFkYTQtNzdkZi00ZmEyLTlkMWQtM2IxZGFlNDgzODFm","kubernetes":{}}
2021-03-23T11:23:02+00:00	k8s-audit.log	{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"info","auditID":"f19692c1-ff28-4d8b-85c4-680d1d9d0f40","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-compliance/configmaps?allowWatchBookmarks=true&resourceVersion=125501&timeoutSeconds=361&watch=true","verb":"watch","user":{"username":"system:serviceaccount:openshift-compliance:compliance-operator","uid":"10ec9c17-2f57-4ada-8721-93f60a5716c4","groups":["system:serviceaccounts","system:serviceaccounts:openshift-compliance","system:authenticated"]},"sourceIPs":["10.0.0.113"],"userAgent":"compliance-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"openshift-compliance","apiVersion":"v1"},"responseStatus":{"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2021-03-23T11:23:02.327969Z","stageTimestamp":"2021-03-23T11:29:03.328833Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-compliance:compliance-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"compliance-operator.v0.1.29-compliance-operator-df6bf598/openshift-compliance\" of Role \"compliance-operator.v0.1.29-compliance-operator-df6bf598\" to ServiceAccount \"compliance-operator/openshift-compliance\""},"k8s_audit_level":"Metadata","message":null,"hostname":"pdhamdhe-gcp4723-tddwd-m-2.c.openshift-qe.internal","pipeline_metadata":{"collector":{"ipaddr4":"10.0.0.111","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2021-03-23T11:29:03.330446+00:00","version":"1.7.4 1.6.0"}},"@timestamp":"2021-03-23T11:23:02.327969+00:00","viaq_index_name":"audit-write","viaq_msg_id":"NDhhMTA4NDgtZjVmYy00NGJlLTliMmYtMGYwMTY1YjEyZmVl","kubernetes":{}}
/ # exit


# oc get role compliance-operator.v0.1.29-compliance-operator-df6bf598 -nopenshift-compliance
NAME                                                       CREATED AT
compliance-operator.v0.1.29-compliance-operator-df6bf598   2021-03-23T11:22:01Z

Comment 5 errata-xmlrpc 2021-03-31 21:50:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.29 for OpenShift Container Platform 4.7), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1022