Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1940783

Summary: [4.6.z] Provide better visibility into 'SKIP' scan result status as well as into OpenSCAP 'not applicable'
Product: OpenShift Container Platform Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance OperatorAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.6CC: akaris, jhrozek, josorior, mrogers, nkinder, xiyuan
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1940779 Environment:
Last Closed: 2021-03-31 06:39:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1920577, 1940779    
Bug Blocks:    

Comment 3 Prashant Dhamdhere 2021-03-19 11:32:05 UTC 
[Bug Verification]

Looks good. Now for the non-applicable rules, the user-visible status also shows NOT-APPLICABLE instead of SKIP

Verified on:
4.6.0-0.nightly-2021-03-15-233043
compliance-operator.v0.1.29

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-03-15-233043   True        False         3h13m   Cluster version is 4.6.0-0.nightly-2021-03-15-233043

$ oc get csv -nopenshift-compliance
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.29                    Compliance Operator                0.1.29                             Succeeded
elasticsearch-operator.4.6.0-202103130248.p0   OpenShift Elasticsearch Operator   4.6.0-202103130248.p0              Succeeded

$ oc get pods -nopenshift-compliance
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6db55ffc8d-p2cxx              1/1     Running   0          48m
ocp4-openshift-compliance-pp-dbdccf4cc-q4s87      1/1     Running   0          47m
rhcos4-openshift-compliance-pp-75476879b9-f2lrj   1/1     Running   0          47m


$ oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched


$ oc get -oyaml scansetting default |grep debug
debug: true
      f:debug: {}


$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding 
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Node checks
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   # Cluster checks
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created

$ oc get suite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    NON-COMPLIANT

$ oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          73s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          69s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          63s
compliance-operator-6db55ffc8d-p2cxx                    1/1     Running     0          50m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          100s
ocp4-openshift-compliance-pp-dbdccf4cc-q4s87            1/1     Running     0          49m
openscap-pod-022c1f95aa46e139f54442258b1a3c81a5e101e8   0/2     Completed   0          101s
openscap-pod-0c11e04b020bcee143664d182b8789bebb95382e   0/2     Completed   0          101s
openscap-pod-197148999ff8c59b213b2ecebdf0ec44238d97b9   0/2     Completed   0          101s
openscap-pod-39b687ea4e42a9fb2fc9ea0584eefddcd02a69d9   0/2     Completed   0          99s
openscap-pod-6bf3db46d1695456399789af99e6ae3ef5275359   0/2     Completed   0          100s
openscap-pod-ac4241592a0d6f23ee50a6e05b0f6e72b24a17ec   0/2     Completed   0          99s
rhcos4-openshift-compliance-pp-75476879b9-f2lrj         1/1     Running     0          49m


$ oc logs openscap-pod-0c11e04b020bcee143664d182b8789bebb95382e -c scanner | grep -A 15 "unique_ca"
Rule    xccdf_org.ssgproject.content_rule_etcd_unique_ca
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_etcd_unique_ca'.
I: oscap: Started new OVAL agent ssg-ocp4-cpe-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap:   Evaluating yamlfilecontent test 'oval:ssg-test_ocp4:tst:1': Find one match.
I: oscap:     Querying yamlfilecontent object 'oval:ssg-object_ocp4:obj:1', flags: 0.
I: oscap:     Creating new syschar for yamlfilecontent_object 'oval:ssg-object_ocp4:obj:1'.
I: oscap:     Starting probe on URI 'queue://yamlfilecontent'.
I: oscap:     Object 'oval:ssg-object_ocp4:obj:1' references variable 'oval:ssg-ocp4_dump_location:var:1' in 'filepath' field.
I: oscap:     Querying variable 'oval:ssg-ocp4_dump_location:var:1'.
I: oscap:     Variable 'oval:ssg-ocp4_dump_location:var:1' has values "/kubernetes-api-resources/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver".
I: oscap:     Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap:     I will run yamlfilecontent_probe_main:
--
I: oscap: Rule 'xccdf_org.ssgproject.content_rule_etcd_unique_ca' is not applicable.
Result  notapplicable


$ oc get compliancecheckresult |grep "NAME\|ocp4-cis-node-worker-etcd-unique-ca"
NAME                                                                           STATUS           SEVERITY
ocp4-cis-node-worker-etcd-unique-ca                                            NOT-APPLICABLE   medium


$ oc get compliancecheckresult -l compliance.openshift.io/check-status=NOT-APPLICABLE |head -5
NAME                                                                  STATUS           SEVERITY
ocp4-cis-node-worker-etcd-unique-ca                                   NOT-APPLICABLE   medium
ocp4-cis-node-worker-file-groupowner-controller-manager-kubeconfig    NOT-APPLICABLE   medium
ocp4-cis-node-worker-file-groupowner-etcd-data-dir                    NOT-APPLICABLE   medium
ocp4-cis-node-worker-file-groupowner-etcd-data-files                  NOT-APPLICABLE   medium

$ oc get compliancecheckresult -l compliance.openshift.io/check-status=SKIP
No resources found in openshift-compliance namespace.
Comment 5 errata-xmlrpc 2021-03-31 06:39:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.29 for OpenShift 4.6), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1008