[Bug Verification] Looks good. Now for the non-applicable rules, the user-visible status also shows NOT-APPLICABLE instead of SKIP

Verified on: 4.6.0-0.nightly-2021-03-15-233043 compliance-operator.v0.1.29

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-03-15-233043   True        False         3h13m   Cluster version is 4.6.0-0.nightly-2021-03-15-233043

$ oc get csv -nopenshift-compliance
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.29                    Compliance Operator                0.1.29                             Succeeded
elasticsearch-operator.4.6.0-202103130248.p0   OpenShift Elasticsearch Operator   4.6.0-202103130248.p0              Succeeded

$ oc get pods -nopenshift-compliance
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6db55ffc8d-p2cxx              1/1     Running   0          48m
ocp4-openshift-compliance-pp-dbdccf4cc-q4s87      1/1     Running   0          47m
rhcos4-openshift-compliance-pp-75476879b9-f2lrj   1/1     Running   0          47m

$ oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched

$ oc get -oyaml scansetting default |grep debug
debug: true
    f:debug: {}

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Node checks
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   # Cluster checks
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created

$ oc get suite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    NON-COMPLIANT

$ oc get pods
NAME                                                       READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                    0/1     Completed   0          73s
aggregator-pod-ocp4-cis-node-master                        0/1     Completed   0          69s
aggregator-pod-ocp4-cis-node-worker                        0/1     Completed   0          63s
compliance-operator-6db55ffc8d-p2cxx                       1/1     Running     0          50m
ocp4-cis-api-checks-pod                                    0/2     Completed   0          100s
ocp4-openshift-compliance-pp-dbdccf4cc-q4s87               1/1     Running     0          49m
openscap-pod-022c1f95aa46e139f54442258b1a3c81a5e101e8      0/2     Completed   0          101s
openscap-pod-0c11e04b020bcee143664d182b8789bebb95382e      0/2     Completed   0          101s
openscap-pod-197148999ff8c59b213b2ecebdf0ec44238d97b9      0/2     Completed   0          101s
openscap-pod-39b687ea4e42a9fb2fc9ea0584eefddcd02a69d9      0/2     Completed   0          99s
openscap-pod-6bf3db46d1695456399789af99e6ae3ef5275359      0/2     Completed   0          100s
openscap-pod-ac4241592a0d6f23ee50a6e05b0f6e72b24a17ec      0/2     Completed   0          99s
rhcos4-openshift-compliance-pp-75476879b9-f2lrj            1/1     Running     0          49m

$ oc logs openscap-pod-0c11e04b020bcee143664d182b8789bebb95382e -c scanner | grep -A 15 "unique_ca"
Rule    xccdf_org.ssgproject.content_rule_etcd_unique_ca
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_etcd_unique_ca'.
I: oscap: Started new OVAL agent ssg-ocp4-cpe-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap: Evaluating yamlfilecontent test 'oval:ssg-test_ocp4:tst:1': Find one match.
I: oscap: Querying yamlfilecontent object 'oval:ssg-object_ocp4:obj:1', flags: 0.
I: oscap: Creating new syschar for yamlfilecontent_object 'oval:ssg-object_ocp4:obj:1'.
I: oscap: Starting probe on URI 'queue://yamlfilecontent'.
I: oscap: Object 'oval:ssg-object_ocp4:obj:1' references variable 'oval:ssg-ocp4_dump_location:var:1' in 'filepath' field.
I: oscap: Querying variable 'oval:ssg-ocp4_dump_location:var:1'.
I: oscap: Variable 'oval:ssg-ocp4_dump_location:var:1' has values "/kubernetes-api-resources/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver".
I: oscap: Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap: I will run yamlfilecontent_probe_main:
--
I: oscap: Rule 'xccdf_org.ssgproject.content_rule_etcd_unique_ca' is not applicable.
Result  notapplicable

$ oc get compliancecheckresult |grep "NAME\|ocp4-cis-node-worker-etcd-unique-ca"
NAME                                                                   STATUS           SEVERITY
ocp4-cis-node-worker-etcd-unique-ca                                    NOT-APPLICABLE   medium

$ oc get compliancecheckresult -l compliance.openshift.io/check-status=NOT-APPLICABLE |head -5
NAME                                                                   STATUS           SEVERITY
ocp4-cis-node-worker-etcd-unique-ca                                    NOT-APPLICABLE   medium
ocp4-cis-node-worker-file-groupowner-controller-manager-kubeconfig     NOT-APPLICABLE   medium
ocp4-cis-node-worker-file-groupowner-etcd-data-dir                     NOT-APPLICABLE   medium
ocp4-cis-node-worker-file-groupowner-etcd-data-files                   NOT-APPLICABLE   medium

$ oc get compliancecheckresult -l compliance.openshift.io/check-status=SKIP
No resources found in openshift-compliance namespace.
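The manual checks above (no ComplianceCheckResult selectable as SKIP, and the check-status label agreeing with the user-visible status) can be scripted. The following is an added Python example, not part of this bug report or of the Compliance Operator; it assumes the JSON layout of `oc get compliancecheckresult -o json` (status and severity as top-level fields, the `compliance.openshift.io/check-status` label from the transcript) and embeds a constructed sample instead of calling `oc`.

```python
import json
from collections import Counter

# Label the transcript above selects on with `-l`.
STATUS_LABEL = "compliance.openshift.io/check-status"

# Constructed sample shaped like `oc get compliancecheckresult -o json`
# (assumed layout). The last item is deliberately inconsistent: its
# label still says SKIP while the status field says NOT-APPLICABLE.
SAMPLE_JSON = """
{"items": [
  {"metadata": {"name": "ocp4-cis-node-worker-etcd-unique-ca",
                "labels": {"compliance.openshift.io/check-status": "NOT-APPLICABLE"}},
   "status": "NOT-APPLICABLE", "severity": "medium"},
  {"metadata": {"name": "ocp4-cis-node-worker-file-groupowner-etcd-data-dir",
                "labels": {"compliance.openshift.io/check-status": "NOT-APPLICABLE"}},
   "status": "NOT-APPLICABLE", "severity": "medium"},
  {"metadata": {"name": "ocp4-cis-sample-pass-check",
                "labels": {"compliance.openshift.io/check-status": "PASS"}},
   "status": "PASS", "severity": "medium"},
  {"metadata": {"name": "ocp4-cis-sample-stale-label",
                "labels": {"compliance.openshift.io/check-status": "SKIP"}},
   "status": "NOT-APPLICABLE", "severity": "low"}
]}
"""

def load_results(raw):
    """Return (name, status field, check-status label) per result."""
    out = []
    for item in json.loads(raw)["items"]:
        meta = item["metadata"]
        out.append((meta["name"], item.get("status"),
                    meta.get("labels", {}).get(STATUS_LABEL)))
    return out

def count_by_status(results):
    """Tally of the user-visible status field, as `oc get` would show it."""
    return Counter(status for _, status, _ in results)

def label_mismatches(results):
    """Results whose selector label disagrees with the status field."""
    return [name for name, status, label in results if status != label]

def selectable_as_skip(results):
    """Results a `-l check-status=SKIP` query would still return."""
    return [name for name, _, label in results if label == "SKIP"]

if __name__ == "__main__":
    res = load_results(SAMPLE_JSON)
    print(dict(count_by_status(res)))
    print("label/status mismatches:", label_mismatches(res))
    print("selectable as SKIP:", selectable_as_skip(res))
```

On a live cluster, feed `oc get compliancecheckresult -n openshift-compliance -o json` into `load_results` in place of the sample; an empty mismatch list and an empty SKIP list reproduce the verified behaviour above.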
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.29 for OpenShift 4.6), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1008