[Bug Verification] Looks good to me. All CIS manual rules have instructions that can be followed to apply these rules manually.

Verified on: 4.6.0-0.nightly-2021-03-15-233043 compliance-operator.v0.1.29

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-03-15-233043   True        False         5h35m   Cluster version is 4.6.0-0.nightly-2021-03-15-233043

$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.29                    Compliance Operator                0.1.29                             Succeeded
elasticsearch-operator.4.6.0-202103130248.p0   OpenShift Elasticsearch Operator   4.6.0-202103130248.p0              Succeeded

$ oc get sub openshift-compliance-operator -o jsonpath='{.spec.channel}'
4.6

$ oc get pod
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6db55ffc8d-p2cxx              1/1     Running   0          3h10m
ocp4-openshift-compliance-pp-dbdccf4cc-q4s87      1/1     Running   0          3h9m
rhcos4-openshift-compliance-pp-75476879b9-f2lrj   1/1     Running   0          3h9m

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: myssr
> # Suite-specific settings
> autoApplyRemediations: true
> schedule: "0 1 * * *"
> # Scan-specific settings
> rawResultStorage:
>   size: "2Gi"
>   rotation: 5
> # For each role, a separate scan will be created pointing
> # to a node-role specified in roles
> roles:
> - master
> EOF
scansetting.compliance.openshift.io/myssr created

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: ocp4-cis
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> - name: ocp4-cis-node
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: myssr
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get compliancesuite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

$ oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          73s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          75s
compliance-operator-6db55ffc8d-p2cxx                    1/1     Running     0          3h13m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          103s
ocp4-openshift-compliance-pp-dbdccf4cc-q4s87            1/1     Running     0          3h12m
openscap-pod-39b687ea4e42a9fb2fc9ea0584eefddcd02a69d9   0/2     Completed   0          103s
openscap-pod-6bf3db46d1695456399789af99e6ae3ef5275359   0/2     Completed   0          103s
openscap-pod-ac4241592a0d6f23ee50a6e05b0f6e72b24a17ec   0/2     Completed   0          103s
rhcos4-openshift-compliance-pp-75476879b9-f2lrj         1/1     Running     0          3h12m

$ oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r,!compliance.openshift.io/automated-remediation' | grep -v "NAME" | wc -l
191
$ oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r,compliance.openshift.io/automated-remediation' | grep -v "NAME" | wc -l
3
$ oc get compliancecheckresults.compliance.openshift.io -l 'compliance.openshift.io/suite=my-ssb-r' | grep -v "NAME" | wc -l
194

$ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL | awk '{print $1}' | grep ocp4`;do echo $i; done
ocp4-cis-accounts-restrict-service-account-tokens
ocp4-cis-accounts-unique-service-account
ocp4-cis-api-server-oauth-https-serving-cert
ocp4-cis-api-server-openshift-https-serving-cert
ocp4-cis-configure-network-policies
ocp4-cis-configure-network-policies-namespaces
ocp4-cis-file-groupowner-proxy-kubeconfig
ocp4-cis-file-owner-proxy-kubeconfig
ocp4-cis-general-apply-scc
ocp4-cis-general-configure-imagepolicywebhook
ocp4-cis-general-default-namespace-use
ocp4-cis-general-default-seccomp-profile
ocp4-cis-general-namespaces-in-use
ocp4-cis-rbac-limit-cluster-admin
ocp4-cis-rbac-limit-secrets-access
ocp4-cis-rbac-pod-creation-access
ocp4-cis-rbac-wildcard-use
ocp4-cis-scc-drop-container-capabilities
ocp4-cis-scc-limit-container-allowed-capabilities
ocp4-cis-scc-limit-ipc-namespace
ocp4-cis-scc-limit-net-raw-capability
ocp4-cis-scc-limit-network-namespace
ocp4-cis-scc-limit-privilege-escalation
ocp4-cis-scc-limit-privileged-containers
ocp4-cis-scc-limit-process-id-namespace
ocp4-cis-scc-limit-root-containers
ocp4-cis-secrets-consider-external-storage
ocp4-cis-secrets-no-environment-variables

$ for i in `oc get compliancecheckresults -l compliance.openshift.io/check-status=MANUAL | awk '{print $1}' | grep ocp4`; do echo "******************Below is the instructions for rule $i"; oc get compliancecheckresults $i -o yaml | grep -v "f:instructions:" | grep -i "instructions:" -A3 ; done
******************Below is the instructions for rule ocp4-cis-accounts-restrict-service-account-tokens
instructions: |-
  For each pod in the cluster, review the pod specification and ensure that pods
  that do not need to explicitly communicate with the API server have automountServiceAccountToken
******************Below is the instructions for rule ocp4-cis-accounts-unique-service-account
instructions: |-
  For each namespace in the cluster, review the rights assigned to the default service account.
  There should be no cluster or local roles assigned to the default other than the defaults.
******************Below is the instructions for rule ocp4-cis-api-server-oauth-https-serving-cert
instructions: |-
  Run the following command:
  $ oc -n openshift-oauth-apiserver describe secret serving-cert
  Verify that the serving-cert for the openshift-apiserver is type
******************Below is the instructions for rule ocp4-cis-api-server-openshift-https-serving-cert
instructions: |-
  Run the following command:
  $ oc -n openshift-apiserver describe secret serving-cert
  Verify that the serving-cert for the openshift-apiserver is type
******************Below is the instructions for rule ocp4-cis-configure-network-policies
instructions: |-
  Verify on OpenShift that the NetworkPolicy plugin is being used:
  $ oc explain networkpolicy
  The resulting output should be an explanation of the NetworkPolicy resource.
******************Below is the instructions for rule ocp4-cis-configure-network-policies-namespaces
instructions: |-
  Verify on OpenShift namespaces that network policies are in use:
  $ oc get networkpolicy --all-namespaces
  Ensure that each namespace defined in the cluster has at least one NetworkPolicy.
******************Below is the instructions for rule ocp4-cis-file-groupowner-proxy-kubeconfig
instructions: 'To check the group ownership of /config/kube-proxy-config.yaml, run the command: $ ls -lL /config/kube-proxy-config.yaml If properly configured, the output should indicate the following group-owner: root'
kind: ComplianceCheckResult
metadata:
  annotations:
******************Below is the instructions for rule ocp4-cis-file-owner-proxy-kubeconfig
instructions: 'To check the ownership of /config/kube-proxy-config.yaml, run the command: $ ls -lL /config/kube-proxy-config.yaml If properly configured, the output should indicate the following owner: root'
kind: ComplianceCheckResult
metadata:
  annotations:
******************Below is the instructions for rule ocp4-cis-general-apply-scc
instructions: |-
  Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.
  OpenShift's Security Context Constraint feature is on by default in OpenShift 4 and applied to all pods deployed.
  SCC
******************Below is the instructions for rule ocp4-cis-general-configure-imagepolicywebhook
instructions: |-
  To ensure that an image policy is configured, review the output returned from the following command:
  $ oc get image.config.openshift.io/cluster -o yaml
******************Below is the instructions for rule ocp4-cis-general-default-namespace-use
instructions: |-
  Run the following command to list objects in the default namespace:
  $ oc get all -n default
  The only entries there should be system-managed resources such as the
******************Below is the instructions for rule ocp4-cis-general-default-seccomp-profile
instructions: |-
  In OpenShift 4, CRI-O is the supported runtime. CRI-O runs unconfined by default in order to meet CRI conformance criteria.
  On RHEL CoreOS, the default seccomp policy is associated with CRI-O and stored in
******************Below is the instructions for rule ocp4-cis-general-namespaces-in-use
instructions: |-
  OpenShift projects wrap Kubernetes namespaces and are used by default in OpenShift 4. Run the following command and review the namespaces created in the cluster.
  $ oc get namespaces
  Ensure that the namespaces are
******************Below is the instructions for rule ocp4-cis-rbac-limit-cluster-admin
instructions: |-
  Review users and groups bound to cluster-admin and decide whether they require such access.
  Consider creating least-privilege roles for users and service accounts.
  Obtain a list of the users who have access to the
******************Below is the instructions for rule ocp4-cis-rbac-limit-secrets-access
instructions: |-
  To review the policy rules assigned to roles in all namespaces, run the following command:
  $ for ns in $(oc get projects -ojsonpath='{.items[*].metadata.name}'); do oc describe roles -n$ns; done
******************Below is the instructions for rule ocp4-cis-rbac-pod-creation-access
instructions: |-
  To review the pod creation privileges in roles, run the following commands:
  $ oc describe roles --all-namespaces
  $ oc describe clusterroles
******************Below is the instructions for rule ocp4-cis-rbac-wildcard-use
instructions: |-
  To review the wildcard usage in roles, run the following commands:
  $ oc describe roles --all-namespaces
  $ oc describe clusterroles
******************Below is the instructions for rule ocp4-cis-scc-drop-container-capabilities
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Next, examine the outputs of the following commands:
******************Below is the instructions for rule ocp4-cis-scc-limit-container-allowed-capabilities
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Next, examine the outputs of the following commands:
******************Below is the instructions for rule ocp4-cis-scc-limit-ipc-namespace
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowHostIPC set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-net-raw-capability
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that do not have NET_RAW or ALL set under requiredDropCapabilities.
******************Below is the instructions for rule ocp4-cis-scc-limit-network-namespace
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowHostNetwork set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-privilege-escalation
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowPrivilegeEscalation set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-privileged-containers
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowPrivilegedContainer set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-process-id-namespace
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowHostPID set to true.
******************Below is the instructions for rule ocp4-cis-scc-limit-root-containers
instructions: |-
  Inspect each SCC returned from running the following command:
  $ oc get scc
  Review each SCC for those that have allowPrivilegedContainer set to true.
******************Below is the instructions for rule ocp4-cis-secrets-consider-external-storage
instructions: |-
  Review the cluster configuration and determine if an appropriate secrets manager has been configured.
kind: ComplianceCheckResult
******************Below is the instructions for rule ocp4-cis-secrets-no-environment-variables
instructions: |-
  To find workloads that use environment variables for secrets, run the following:
  $ oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.namespace} {.metadata.name} {"\n"}{end}' -A
  Review the output and ensure that workloads that can mount secrets as data
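As an added example (not part of this bug comment and not the Compliance Operator's own tooling), the verification above can be scripted over `oc get compliancecheckresults -o json` output instead of eyeballing `grep -A3`: it reproduces the three label-based counts and lists any MANUAL check whose `instructions` field is empty. The input below is a constructed sample in that JSON shape; the value of the `compliance.openshift.io/automated-remediation` label is an assumption, since the `!...automated-remediation` selector only tests for its presence.

```python
import json

SUITE_LABEL = "compliance.openshift.io/suite"
STATUS_LABEL = "compliance.openshift.io/check-status"
REMEDIATION_LABEL = "compliance.openshift.io/automated-remediation"

# Constructed sample in the shape of `oc get compliancecheckresults -o json`,
# pruned to the fields used here; not real scan output. The remediation
# label's value is assumed: the label selector only tests presence.
SAMPLE = json.loads(r"""{"items": [
 {"metadata": {"name": "ocp4-cis-scc-limit-privileged-containers",
   "labels": {"compliance.openshift.io/suite": "my-ssb-r",
              "compliance.openshift.io/check-status": "MANUAL"}},
  "status": "MANUAL",
  "instructions": "Inspect each SCC returned from running the following command:\n$ oc get scc\nReview each SCC for those that have allowPrivilegedContainer set to true."},
 {"metadata": {"name": "ocp4-cis-example-no-instructions",
   "labels": {"compliance.openshift.io/suite": "my-ssb-r",
              "compliance.openshift.io/check-status": "MANUAL"}},
  "status": "MANUAL", "instructions": "   "},
 {"metadata": {"name": "ocp4-cis-example-remediated",
   "labels": {"compliance.openshift.io/suite": "my-ssb-r",
              "compliance.openshift.io/check-status": "FAIL",
              "compliance.openshift.io/automated-remediation": ""}},
  "status": "FAIL", "instructions": "Apply the generated ComplianceRemediation."}
]}""")["items"]


def labels(check):
    return check.get("metadata", {}).get("labels") or {}


def suite_counts(checks, suite):
    """The three numbers the `oc get ... | wc -l` commands above produce:
    checks without the remediation label, with it, and the suite total."""
    in_suite = [c for c in checks if labels(c).get(SUITE_LABEL) == suite]
    automated = sum(REMEDIATION_LABEL in labels(c) for c in in_suite)
    return {"not_automated": len(in_suite) - automated,
            "automated": automated, "total": len(in_suite)}


def manual_without_instructions(checks):
    """Names of MANUAL checks whose `instructions` field is absent or blank;
    such a rule could not be applied by hand, which is what the bug verified."""
    return sorted(c["metadata"]["name"] for c in checks
                  if labels(c).get(STATUS_LABEL) == "MANUAL"
                  and not (c.get("instructions") or "").strip())
```

On a live cluster, feed it `json.load(...)["items"]` from `oc get compliancecheckresults -A -o json`; an empty list from `manual_without_instructions` is the pass condition.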
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.29 for OpenShift 4.6), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1008