Bug 1942208
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | one of the rules [xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands] taking too long... Such scans via Compliance Operator were taking around 2 hours, even. | | |
| Product: | OpenShift Container Platform | Reporter: | milti leonard <mleonard> |
| Component: | Compliance Operator | Assignee: | Juan Antonio Osorio <josorior> |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.6.z | CC: | josorior, mrogers, obockows, xiyuan |
| Target Milestone: | --- | | |
| Target Release: | 4.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1953516 | Environment: | |
| Last Closed: | 2021-07-07 11:29:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1953516, 1953521 | | |
Description
milti leonard
2021-03-23 20:53:45 UTC
@jaosorior @xiyuan which namespace were you requesting an inspection of? the compliance CO namespace?

Yep, we'd use the info from compliance operator's namespace.

Relevant logs have been provided, the RHEL compliance team is aware of the issue and investigating.

It has been identified by the RHEL compliance team that this is an issue with how the content is written, and there are other rules affected. A fix is in the works.

Hi Osorio,
One question, what about all other privileged related rules? Such as rhcos4-audit-rules-privileged-commands-at.
Will they be applicable to RHCOS? Thanks.

Verified with 4.8.0-0.nightly-2021-04-25-195440 + latest compliance operator.
# git log | head
commit 513a2d1824de0713c0bf1ed6604dbed3be8d22d5
Merge: b0cd03e4 21b64971
Author: Juan Osorio Robles <jaosorior>
Date: Sun Apr 25 08:36:27 2021 +0300
Merge pull request #629 from JAORMX/gosec-update
Update gosec to v2.7.0
commit 21b649715394d96582ce09fedc247cf513435d1c
# make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb
STEP 4: COPY . .
...
# oc get pod
NAME READY STATUS RESTARTS AGE
compliance-operator-6fff49b5f6-fmkvk 1/1 Running 0 5m
ocp4-openshift-compliance-pp-66fbbff4c6-pfstd 1/1 Running 0 4m
rhcos4-openshift-compliance-pp-74bd6f7dbd-8kmfc 1/1 Running 0 4m
# oc get rules | grep privileged
ocp4-scc-limit-privileged-containers 5h54m
rhcos4-audit-rules-privileged-commands 5h54m
rhcos4-audit-rules-privileged-commands-at 5h54m
rhcos4-audit-rules-privileged-commands-chage 5h54m
rhcos4-audit-rules-privileged-commands-chsh 5h54m
rhcos4-audit-rules-privileged-commands-crontab 5h54m
rhcos4-audit-rules-privileged-commands-gpasswd 5h54m
rhcos4-audit-rules-privileged-commands-mount 5h54m
rhcos4-audit-rules-privileged-commands-newgidmap 5h54m
rhcos4-audit-rules-privileged-commands-newgrp 5h54m
rhcos4-audit-rules-privileged-commands-newuidmap 5h54m
rhcos4-audit-rules-privileged-commands-pam-timestamp-check 5h54m
rhcos4-audit-rules-privileged-commands-passwd 5h54m
rhcos4-audit-rules-privileged-commands-postdrop 5h54m
rhcos4-audit-rules-privileged-commands-postqueue 5h54m
rhcos4-audit-rules-privileged-commands-pt-chown 5h54m
rhcos4-audit-rules-privileged-commands-ssh-keysign 5h54m
rhcos4-audit-rules-privileged-commands-su 5h54m
rhcos4-audit-rules-privileged-commands-sudo 5h54m
rhcos4-audit-rules-privileged-commands-sudoedit 5h54m
rhcos4-audit-rules-privileged-commands-umount 5h54m
rhcos4-audit-rules-privileged-commands-unix-chkpwd 5h54m
rhcos4-audit-rules-privileged-commands-userhelper 5h54m
rhcos4-audit-rules-privileged-commands-usernetctl 5h54m
rhcos4-sysctl-kernel-unprivileged-bpf-disabled 5h54m
# oc get suite
NAME PHASE RESULT
instructions-check1 DONE NON-COMPLIANT
# Seen from below, there are no compliancecheckresults for rhcos4-moderate-master-audit-rules-privileged-commands, rhcos4-moderate-worker-audit-rules-privileged-commands, rhcos4-ncp-master-audit-rules-privileged-commands, and rhcos4-ncp-worker-audit-rules-privileged-commands
# oc get compliancecheckresults | grep audit-rules-privileged-commands
rhcos4-moderate-master-audit-rules-privileged-commands-at FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-chage FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-chsh FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-crontab FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-mount FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-passwd FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-su FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-umount FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chage FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-mount FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-umount FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-at FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-chage FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-chsh FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-crontab FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-gpasswd FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-mount FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-newgidmap FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-newgrp FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-newuidmap FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-pam-timestamp-check FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-passwd FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-postdrop FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-postqueue FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-pt-chown FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-ssh-keysign FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-su FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-sudo FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-sudoedit FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-umount FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-unix-chkpwd FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-userhelper FAIL medium
rhcos4-ncp-master-audit-rules-privileged-commands-usernetctl FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-at FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-chage FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-chsh FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-crontab FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-gpasswd FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-mount FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-newgidmap FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-newgrp FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-newuidmap FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-pam-timestamp-check FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-passwd FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-postdrop FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-postqueue FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-pt-chown FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-ssh-keysign FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-su FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-sudo FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-sudoedit FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-umount FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-unix-chkpwd FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-userhelper FAIL medium
rhcos4-ncp-worker-audit-rules-privileged-commands-usernetctl FAIL medium
Yes, they're applicable to RHCOS. They all should have automated remediations too.

Verification passed with 4.8.0-0.nightly-2021-05-21-233425 and compliance-operator.v0.1.32:
Although the rule rhcos4-audit-rules-privileged-commands is still available through `$ oc get rules | grep audit | grep privileged`, it won't show when you execute `compliancecheckresults`.
$ oc get ip
install-smz94 compliance-operator.v0.1.32 Automatic true
$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.32 Compliance Operator 0.1.32 Succeeded
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.8.0-0.nightly-2021-05-21-233425 True False 6h6m Cluster version is 4.8.0-0.nightly-2021-05-21-233425
$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
> name: my-ssb-r
> profiles:
> - name: ocp4-moderate
> kind: Profile
> apiGroup: compliance.openshift.io/v1alpha1
> - name: rhcos4-moderate
> kind: Profile
> apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
> name: default-auto-apply
> kind: ScanSetting
> apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
$ oc get rules | grep audit | grep privileged
rhcos4-audit-rules-privileged-commands 3h10m
rhcos4-audit-rules-privileged-commands-at 3h10m
rhcos4-audit-rules-privileged-commands-chage 3h10m
rhcos4-audit-rules-privileged-commands-chsh 3h10m
rhcos4-audit-rules-privileged-commands-crontab 3h10m
rhcos4-audit-rules-privileged-commands-gpasswd 3h10m
rhcos4-audit-rules-privileged-commands-mount 3h10m
rhcos4-audit-rules-privileged-commands-newgidmap 3h10m
rhcos4-audit-rules-privileged-commands-newgrp 3h10m
rhcos4-audit-rules-privileged-commands-newuidmap 3h10m
rhcos4-audit-rules-privileged-commands-pam-timestamp-check 3h10m
rhcos4-audit-rules-privileged-commands-passwd 3h10m
rhcos4-audit-rules-privileged-commands-postdrop 3h10m
rhcos4-audit-rules-privileged-commands-postqueue 3h10m
rhcos4-audit-rules-privileged-commands-pt-chown 3h10m
rhcos4-audit-rules-privileged-commands-ssh-keysign 3h10m
rhcos4-audit-rules-privileged-commands-su 3h10m
rhcos4-audit-rules-privileged-commands-sudo 3h10m
rhcos4-audit-rules-privileged-commands-sudoedit 3h10m
rhcos4-audit-rules-privileged-commands-umount 3h10m
rhcos4-audit-rules-privileged-commands-unix-chkpwd 3h10m
rhcos4-audit-rules-privileged-commands-userhelper 3h10m
rhcos4-audit-rules-privileged-commands-usernetctl 3h10m
$ oc get compliancecheckresults --show-labels | grep privileged
rhcos4-moderate-master-audit-rules-privileged-commands-at FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-chage FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-chsh FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-crontab FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-mount FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-passwd FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-su FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-sudo FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-umount FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-sysctl-kernel-unprivileged-bpf-disabled FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-at FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-chage FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-mount FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-su FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-umount FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-sysctl-kernel-unprivileged-bpf-disabled FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
After remediation applied, patch the scansettingbinding and rerun:
$ oc patch ScanSettingBinding my-ssb-r -p '{"settingsRef":{"name":"default"}}' --type='merge'
scansettingbinding.compliance.openshift.io/my-ssb-r patched
$ ./oc-compliance rerun-now scansettingbindings my-ssb-r
Rerunning scans from 'my-ssb-r': ocp4-moderate, rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'
$ oc get compliancecheckresults | grep privileged
rhcos4-moderate-master-audit-rules-privileged-commands-at PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-chage PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-chsh PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-crontab PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-mount PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-passwd PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-su PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-umount PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl PASS medium
rhcos4-moderate-master-sysctl-kernel-unprivileged-bpf-disabled PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chage PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-mount PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-umount PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl PASS medium
rhcos4-moderate-worker-sysctl-kernel-unprivileged-bpf-disabled PASS medium
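The verification above relies on reading two long listings by eye: `oc get rules` shows that rhcos4-audit-rules-privileged-commands exists, while `oc get compliancecheckresults` shows no result for it under any scan, which is the symptom of a rule that the scanner never finishes evaluating. The following POSIX sh function is an added example, not code from the bug report or from the Compliance Operator project; it takes the two listings as text (here constructed sample rows trimmed from the ones above, in a real run the output of the two `oc get` commands) and prints every profile rule for which the scan produced no ComplianceCheckResult at all. The scan name (`rhcos4-moderate-master`) and profile prefix (`rhcos4`) are taken from the listings on this page; the naming convention `<scan>-<rule-without-prefix>` is an assumption drawn from those same listings.

```shell
#!/bin/sh
# Added example (not from the bug report): report rules that exist in the
# profile bundle but have no ComplianceCheckResult for a given scan.
#
# Constructed sample output, shaped like `oc get rules` on this page.
RULES_SAMPLE='NAME                                                AGE
rhcos4-audit-rules-privileged-commands              3h10m
rhcos4-audit-rules-privileged-commands-at           3h10m
rhcos4-audit-rules-privileged-commands-sudo         3h10m
rhcos4-sysctl-kernel-unprivileged-bpf-disabled      3h10m'

# Constructed sample output, shaped like `oc get compliancecheckresults`.
# Note that the plain "...privileged-commands" rule has no row at all.
CHECKS_SAMPLE='NAME                                                              STATUS   SEVERITY
rhcos4-moderate-master-audit-rules-privileged-commands-at         FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo       PASS     medium
rhcos4-moderate-master-sysctl-kernel-unprivileged-bpf-disabled    FAIL     medium'

# missing_results RULES_TEXT CHECKS_TEXT SCAN_NAME PROFILE_PREFIX
#   For each rule "<prefix>-<short>" in RULES_TEXT, look for the check result
#   "<scan>-<short>" in CHECKS_TEXT (assumed naming convention, see lead-in).
#   Prints each <short> that has no result, one per line; prints nothing when
#   every rule produced a result.
missing_results() {
  rules="$1"; checks="$2"; scan="$3"; prefix="$4"
  # First column only, header row skipped.
  check_names=$(printf '%s\n' "$checks" | awk 'NR>1 {print $1}')
  printf '%s\n' "$rules" | awk 'NR>1 {print $1}' | while read -r rule; do
    short="${rule#"$prefix"-}"
    expected="$scan-$short"
    # Match the whole line (-x) so "...-commands" is not satisfied by
    # "...-commands-at" or "...-commands-sudo".
    if ! printf '%s\n' "$check_names" | grep -qx "$expected"; then
      printf '%s\n' "$short"
    fi
  done
}

# Stand-alone run against the constructed sample: prints
# "audit-rules-privileged-commands", the rule this bug is about.
missing_results "$RULES_SAMPLE" "$CHECKS_SAMPLE" rhcos4-moderate-master rhcos4
```

Against a live cluster the two arguments would be `"$(oc get rules)"` and `"$(oc get compliancecheckresults)"`; a non-empty result after a scan reports DONE is the condition worth alerting on, since a rule that never yields PASS or FAIL silently drops out of the compliance picture.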
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2652