Bug 1940784

Summary: [4.6.z] ocp4-cis scan reports FAIL for audit logforward check
Product: OpenShift Container Platform
Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance Operator
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: low
Priority: unspecified
Version: 4.6
CC: dtarabor, jhrozek, josorior, mrogers, xiyuan
Target Milestone: ---
Target Release: 4.6.z
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1940780
Last Closed: 2021-03-31 06:39:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1937472, 1940780

Comment 4 Prashant Dhamdhere 2021-03-23 08:21:11 UTC
[Bug Verification]

Looks good. Now, the ocp4-cis-audit-log-forwarding-enabled rule scan returns a PASS result even though
the audit inputRef is added in a single pipeline.


Verified on:
4.6.0-0.nightly-2021-03-21-131139
compliance-operator.v0.1.29


$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-03-21-131139   True        False         19m     Cluster version is 4.6.0-0.nightly-2021-03-21-131139


$ oc project openshift-logging
Now using project "openshift-logging" on server "https://api.pdhamdhe-aws23.qe.devcluster.openshift.com:6443".


$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
clusterlogging.4.6.0-202103202154.p0           Cluster Logging                    4.6.0-202103202154.p0              Succeeded
elasticsearch-operator.4.6.0-202103202154.p0   OpenShift Elasticsearch Operator   4.6.0-202103202154.p0              Succeeded


$ oc get pods
NAME                                       READY   STATUS    RESTARTS   AGE
cluster-logging-operator-d9fdd69b7-tn8lc   1/1     Running   0          15m

$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/logging/clusterlogging/customresource-fluentd.yaml
clusterlogging.logging.openshift.io/instance created


$ oc get pods -w
NAME                                            READY   STATUS      RESTARTS   AGE
cluster-logging-operator-d9fdd69b7-tn8lc        1/1     Running     0          36m
curator-1616483400-lxqfk                        0/1     Completed   0          48s
elasticsearch-cdm-w0xw6gz2-1-7dd4bb75cd-59bdc   2/2     Running     0          19m
elasticsearch-im-app-1616482800-d4gx4           0/1     Completed   0          10m
elasticsearch-im-audit-1616482800-rjtcx         0/1     Completed   0          10m
elasticsearch-im-infra-1616482800-bb5th         0/1     Completed   0          10m
fluentd-2lrsc                                   1/1     Running     0          19m
fluentd-98xs7                                   1/1     Running     0          19m
fluentd-9pnbf                                   1/1     Running     0          19m
fluentd-h499b                                   1/1     Running     0          19m
fluentd-rgkvq                                   1/1     Running     0          19m
fluentd-ttgjq                                   1/1     Running     0          19m
kibana-84d8f68869-rtflx                         2/2     Running     0          19m
kibana-84d8f68869-z7dr7                         2/2     Running     0          19m


$ oc create sa fluentdserver
serviceaccount/fluentdserver created

$ oc adm policy add-scc-to-user  privileged system:serviceaccount:openshift-logging:fluentdserver
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "fluentdserver"

$ oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/logging/clusterlogforwarder/fluentd/insecure/configmap.yaml 
configmap/fluentdserver created

$ oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/logging/clusterlogforwarder/fluentd/insecure/deployment.yaml 
deployment.apps/fluentdserver created

$ oc expose deployment/fluentdserver
service/fluentdserver exposed


$ oc create -f - <<EOF 
> apiVersion: logging.openshift.io/v1
> kind: ClusterLogForwarder
> metadata:
>   name: instance
>   namespace: openshift-logging
> spec:
>   outputs:
>     - name: fluentd-created-by-user
>       type: fluentdForward
>       url: 'tcp://fluentdserver.openshift-logging.svc:24224'
>   pipelines:
>    - name: audit-logs 
>      inputRefs: 
>      - audit
>      outputRefs:
>      - fluentd-created-by-user 
>    - name: infra-logs 
>      inputRefs:
>      - infrastructure
>      - application
>      outputRefs:
>      - default 
> EOF
clusterlogforwarder.logging.openshift.io/instance created


$ oc get pods
NAME                                            READY   STATUS      RESTARTS   AGE
cluster-logging-operator-d9fdd69b7-tn8lc        1/1     Running     0          79m
curator-1616485800-dfzvk                        0/1     Completed   0          3m53s
elasticsearch-cdm-w0xw6gz2-1-7dd4bb75cd-59bdc   2/2     Running     0          62m
elasticsearch-im-app-1616485500-jt8f6           0/1     Completed   0          8m56s
elasticsearch-im-audit-1616485500-xskn4         0/1     Completed   0          8m56s
elasticsearch-im-infra-1616485500-6fjd9         0/1     Completed   0          8m55s
fluentd-5rg5l                                   1/1     Running     0          116s
fluentd-8nzh9                                   1/1     Running     0          100s
fluentd-bj82s                                   1/1     Running     0          2m18s
fluentd-c9mt2                                   1/1     Running     0          81s
fluentd-qmlr2                                   1/1     Running     0          2m7s
fluentd-qs4xn                                   1/1     Running     0          62s
fluentdserver-5fb6ffb5d-9zdh6                   1/1     Running     0          4m4s
kibana-84d8f68869-rtflx                         2/2     Running     0          62m
kibana-84d8f68869-z7dr7                         2/2     Running     0          62m



$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://api.pdhamdhe-aws23.qe.devcluster.openshift.com:6443".

$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.29                    Compliance Operator                0.1.29                             Succeeded
elasticsearch-operator.4.6.0-202103202154.p0   OpenShift Elasticsearch Operator   4.6.0-202103202154.p0              Succeeded

$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-cqfds   compliance-operator.v0.1.29   Automatic   true

$ oc get sub
NAME                            PACKAGE               SOURCE                CHANNEL
openshift-compliance-operator   compliance-operator   compliance-operator   4.6

$ oc get sub openshift-compliance-operator -o jsonpath='{.spec.channel}'
4.6


$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-6db55ffc8d-4hkq9              1/1     Running   0          13m
ocp4-openshift-compliance-pp-dbdccf4cc-wkf2v      1/1     Running   0          12m
rhcos4-openshift-compliance-pp-75476879b9-bm4qq   1/1     Running   0          12m


$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created


$ oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          55s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          35s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          50s
compliance-operator-6db55ffc8d-4hkq9                    1/1     Running     0          47m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          76s
ocp4-openshift-compliance-pp-dbdccf4cc-wkf2v            1/1     Running     0          46m
openscap-pod-01f7f9226017536b34d07f176c03fd79e28470b1   0/2     Completed   0          76s
openscap-pod-65ab389cee569301c289c3f26734f830ecf26151   0/2     Completed   0          76s
openscap-pod-77627cabed817850bcd1d6ae4c60e752501954f7   0/2     Completed   0          75s
openscap-pod-8e5876eb934e3106c9bb52acd50857740927b851   0/2     Completed   0          76s
openscap-pod-d607580a5d849a5740d12486bdfc22f1afacf212   0/2     Completed   0          75s
openscap-pod-e3bba533d803d066d762a37f55b6a61294f09bba   0/2     Completed   0          76s
rhcos4-openshift-compliance-pp-75476879b9-bm4qq         1/1     Running     0          46m

$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT


$ oc get compliancecheckresult ocp4-cis-audit-log-forwarding-enabled
NAME                                    STATUS   SEVERITY
ocp4-cis-audit-log-forwarding-enabled   PASS     medium


$ oc project openshift-logging
Now using project "openshift-logging" on server "https://api.pdhamdhe-aws23.qe.devcluster.openshift.com:6443".

$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
clusterlogging.4.6.0-202103202154.p0           Cluster Logging                    4.6.0-202103202154.p0              Succeeded
elasticsearch-operator.4.6.0-202103202154.p0   OpenShift Elasticsearch Operator   4.6.0-202103202154.p0              Succeeded


$ oc get pods
NAME                                            READY   STATUS      RESTARTS   AGE
cluster-logging-operator-d9fdd69b7-tn8lc        1/1     Running     0          91m
curator-1616486400-wftv2                        0/1     Completed   0          6m19s
elasticsearch-cdm-w0xw6gz2-1-7dd4bb75cd-59bdc   2/2     Running     0          75m
elasticsearch-im-app-1616486400-whhmx           0/1     Completed   0          6m19s
elasticsearch-im-audit-1616486400-tnw9s         0/1     Completed   0          6m19s
elasticsearch-im-infra-1616486400-kdhls         0/1     Completed   0          6m19s
fluentd-5rg5l                                   1/1     Running     0          14m
fluentd-8nzh9                                   1/1     Running     0          14m
fluentd-bj82s                                   1/1     Running     0          14m
fluentd-c9mt2                                   1/1     Running     0          13m
fluentd-qmlr2                                   1/1     Running     0          14m
fluentd-qs4xn                                   1/1     Running     0          13m
fluentdserver-5fb6ffb5d-9zdh6                   1/1     Running     0          16m
kibana-84d8f68869-rtflx                         2/2     Running     0          75m
kibana-84d8f68869-z7dr7                         2/2     Running     0          75m


$ oc rsh fluentdserver-5fb6ffb5d-9zdh6

/ # grep "compliance-operator.v0.1.29" /fluentd/log/audit.
audit.b5be2f75f89cbf17f65281ec362f31a19.log       audit.b5be2f75f89cbf17f65281ec362f31a19.log.meta  audit.log

/ # grep "compliance-operator.v0.1.29" /fluentd/log/audit.log |tail -2
2021-03-23T08:04:29+00:00	k8s-audit.log	{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"info","auditID":"f95008f8-b5fb-4fdd-a69b-41b7fe35ca12","stage":"ResponseStarted","requestURI":"/apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/profiles?allowWatchBookmarks=true&resourceVersion=51491&timeoutSeconds=350&watch=true","verb":"watch","user":{"username":"system:serviceaccount:openshift-compliance:compliance-operator","uid":"572d4602-cd77-44fd-a803-68fb74e72df7","groups":["system:serviceaccounts","system:serviceaccounts:openshift-compliance","system:authenticated"]},"sourceIPs":["10.129.0.10"],"userAgent":"compliance-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"profiles","namespace":"openshift-compliance","apiGroup":"compliance.openshift.io","apiVersion":"v1alpha1"},"responseStatus":{"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2021-03-23T08:04:29.376861Z","stageTimestamp":"2021-03-23T08:10:19.377479Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-compliance:compliance-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"compliance-operator.v0.1.29-compliance-operator-df6bf598/openshift-compliance\" of Role \"compliance-operator.v0.1.29-compliance-operator-df6bf598\" to ServiceAccount \"compliance-operator/openshift-compliance\""},"k8s_audit_level":"Metadata","message":null,"hostname":"ip-10-0-131-220.us-east-2.compute.internal","pipeline_metadata":{"collector":{"ipaddr4":"10.0.131.220","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2021-03-23T08:10:19.378809+00:00","version":"1.7.4 1.6.0"}},"@timestamp":"2021-03-23T08:04:29.376861+00:00","viaq_index_name":"audit-write","viaq_msg_id":"OTAxNGYxZDMtNmFjNS00MGI1LThlNWUtZGIxZmExYTZmODQ1","kubernetes":{}}
2021-03-23T08:04:29+00:00	k8s-audit.log	{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"info","auditID":"f95008f8-b5fb-4fdd-a69b-41b7fe35ca12","stage":"ResponseComplete","requestURI":"/apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/profiles?allowWatchBookmarks=true&resourceVersion=51491&timeoutSeconds=350&watch=true","verb":"watch","user":{"username":"system:serviceaccount:openshift-compliance:compliance-operator","uid":"572d4602-cd77-44fd-a803-68fb74e72df7","groups":["system:serviceaccounts","system:serviceaccounts:openshift-compliance","system:authenticated"]},"sourceIPs":["10.129.0.10"],"userAgent":"compliance-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"profiles","namespace":"openshift-compliance","apiGroup":"compliance.openshift.io","apiVersion":"v1alpha1"},"responseStatus":{"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2021-03-23T08:04:29.376861Z","stageTimestamp":"2021-03-23T08:10:19.377585Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-compliance:compliance-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"compliance-operator.v0.1.29-compliance-operator-df6bf598/openshift-compliance\" of Role \"compliance-operator.v0.1.29-compliance-operator-df6bf598\" to ServiceAccount \"compliance-operator/openshift-compliance\""},"k8s_audit_level":"Metadata","message":null,"hostname":"ip-10-0-131-220.us-east-2.compute.internal","pipeline_metadata":{"collector":{"ipaddr4":"10.0.131.220","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2021-03-23T08:10:19.378887+00:00","version":"1.7.4 1.6.0"}},"@timestamp":"2021-03-23T08:04:29.376861+00:00","viaq_index_name":"audit-write","viaq_msg_id":"NGVhZWMzM2EtZmFmYS00ZmQ5LWE1NjktNjVkMGIyNzk4OWRl","kubernetes":{}}
/ # exit


$ oc get role compliance-operator.v0.1.29-compliance-operator-df6bf598 -nopenshift-compliance
NAME                                                       CREATED AT
compliance-operator.v0.1.29-compliance-operator-df6bf598   2021-03-23T07:13:43Z

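The condition the verification above exercises, written out as an added Python example (not the Compliance Operator's own rule code, and not part of this bug report): it inspects a ClusterLogForwarder object as `oc get clusterlogforwarder instance -o json` would return it and reports whether the `audit` input reaches an output, whether `audit` sits in a pipeline by itself (as in the manifest above) or shares one with other inputs. The sample object is constructed to mirror the manifest created in the verification; resolving each `outputRef` against `spec.outputs` is an extra sanity check added here, not something the page attributes to the rule.

```python
"""Illustrative evaluation of the condition behind
ocp4-cis-audit-log-forwarding-enabled. Added example, not the operator's rule."""
import json

# Constructed sample mirroring the ClusterLogForwarder created in the verification.
SAMPLE_CLF = json.loads("""
{ "apiVersion": "logging.openshift.io/v1", "kind": "ClusterLogForwarder",
  "metadata": {"name": "instance", "namespace": "openshift-logging"},
  "spec": {
    "outputs": [{"name": "fluentd-created-by-user", "type": "fluentdForward",
                 "url": "tcp://fluentdserver.openshift-logging.svc:24224"}],
    "pipelines": [
      {"name": "audit-logs", "inputRefs": ["audit"],
       "outputRefs": ["fluentd-created-by-user"]},
      {"name": "infra-logs", "inputRefs": ["infrastructure", "application"],
       "outputRefs": ["default"]}
    ]
  }
}
""")


def audit_forwarding_pipelines(clf):
    """Return the names of pipelines that carry the 'audit' input to a resolvable output.

    'default' is the built-in output (the cluster's own log store); any other
    outputRef must name an entry in spec.outputs, otherwise the pipeline is a dead end.
    """
    spec = clf.get("spec") or {}
    known_outputs = {"default"} | {o["name"] for o in spec.get("outputs", []) if "name" in o}
    matching = []
    for pipeline in spec.get("pipelines", []):
        # A pipeline qualifies whether 'audit' is its only input or one of several.
        if "audit" not in pipeline.get("inputRefs", []):
            continue
        if any(ref in known_outputs for ref in pipeline.get("outputRefs", [])):
            matching.append(pipeline.get("name", "<unnamed>"))
    return matching


def audit_log_forwarding_enabled(clf):
    """PASS condition: at least one pipeline forwards 'audit' to a defined output."""
    return bool(audit_forwarding_pipelines(clf))


if __name__ == "__main__":
    verdict = "PASS" if audit_log_forwarding_enabled(SAMPLE_CLF) else "FAIL"
    print(f"ocp4-cis-audit-log-forwarding-enabled: {verdict} "
          f"via {audit_forwarding_pipelines(SAMPLE_CLF)}")
```

Feed it the live object with `oc get clusterlogforwarder instance -n openshift-logging -o json` to compare against the ComplianceCheckResult the scan reports.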
Comment 6 errata-xmlrpc 2021-03-31 06:39:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.29 for OpenShift 4.6), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1008