Description of problem:
one of the rules [xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands] taking too long... Such scans via Compliance Operator were taking around 2 hours, even. even in custom scanSettingBinding, same result; removing the rule, same scans complete w/n 30m

Version-Release number of selected component (if applicable):
OCP 4.6

How reproducible:
unsure

Steps to Reproduce:
1.
2.
3.

Actual results:
scans are taking too long

Expected results:
scans complete w/n 10m

Additional info:
@jaosorior @xiyuan which namespace were you requesting an inspection of? the compliance CO namespace?
Yep, we'd use the info from compliance operator's namespace
Relevant logs have been provided, the RHEL compliance team is aware of the issue and investigating.
It has been identified by the RHEL compliance team that this is an issue with how the content is written, and there are other rules affected. A fix is in the works.
Hi Osorio,

One question, what about all other privileged related rules? Such as rhcos4-audit-rules-privileged-commands-at. Will they be applicable to RHCOS? Thanks.

verified with 4.8.0-0.nightly-2021-04-25-195440 + latest compliance operator.

# git log | head
commit 513a2d1824de0713c0bf1ed6604dbed3be8d22d5
Merge: b0cd03e4 21b64971
Author: Juan Osorio Robles <jaosorior>
Date: Sun Apr 25 08:36:27 2021 +0300

    Merge pull request #629 from JAORMX/gosec-update

    Update gosec to v2.7.0

commit 21b649715394d96582ce09fedc247cf513435d1c

# make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 66b795d4ea7c838ee1f6254ee3a39a9be0eacaaed50a24e57aa4d161857a8a3d
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache ce07ab36554f20d89aa6ff7f4493d5edc9a43213be1e7314a38ceee365cc05cb
STEP 4: COPY . .
...

# oc get pod
NAME   READY   STATUS   RESTARTS   AGE
compliance-operator-6fff49b5f6-fmkvk   1/1   Running   0   5m
ocp4-openshift-compliance-pp-66fbbff4c6-pfstd   1/1   Running   0   4m
rhcos4-openshift-compliance-pp-74bd6f7dbd-8kmfc   1/1   Running   0   4m

# oc get rules | grep privileged
ocp4-scc-limit-privileged-containers   5h54m
rhcos4-audit-rules-privileged-commands   5h54m
rhcos4-audit-rules-privileged-commands-at   5h54m
rhcos4-audit-rules-privileged-commands-chage   5h54m
rhcos4-audit-rules-privileged-commands-chsh   5h54m
rhcos4-audit-rules-privileged-commands-crontab   5h54m
rhcos4-audit-rules-privileged-commands-gpasswd   5h54m
rhcos4-audit-rules-privileged-commands-mount   5h54m
rhcos4-audit-rules-privileged-commands-newgidmap   5h54m
rhcos4-audit-rules-privileged-commands-newgrp   5h54m
rhcos4-audit-rules-privileged-commands-newuidmap   5h54m
rhcos4-audit-rules-privileged-commands-pam-timestamp-check   5h54m
rhcos4-audit-rules-privileged-commands-passwd   5h54m
rhcos4-audit-rules-privileged-commands-postdrop   5h54m
rhcos4-audit-rules-privileged-commands-postqueue   5h54m
rhcos4-audit-rules-privileged-commands-pt-chown   5h54m
rhcos4-audit-rules-privileged-commands-ssh-keysign   5h54m
rhcos4-audit-rules-privileged-commands-su   5h54m
rhcos4-audit-rules-privileged-commands-sudo   5h54m
rhcos4-audit-rules-privileged-commands-sudoedit   5h54m
rhcos4-audit-rules-privileged-commands-umount   5h54m
rhcos4-audit-rules-privileged-commands-unix-chkpwd   5h54m
rhcos4-audit-rules-privileged-commands-userhelper   5h54m
rhcos4-audit-rules-privileged-commands-usernetctl   5h54m
rhcos4-sysctl-kernel-unprivileged-bpf-disabled   5h54m

# oc get suite
NAME   PHASE   RESULT
instructions-check1   DONE   NON-COMPLIANT

#Seen from below, there is no compliancecheckresults for rhcos4-moderate-master-audit-rules-privileged-commands, rhcos4-moderate-worker-audit-rules-privileged-commands, rhcos4-ncp-master-audit-rules-privileged-commands, and rhcos4-ncp-worker-audit-rules-privileged-commands

# oc get compliancecheckresults | grep audit-rules-privileged-commands
rhcos4-moderate-master-audit-rules-privileged-commands-at   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-chage   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-chsh   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-crontab   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-mount   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-passwd   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-su   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-umount   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chage   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-mount   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-umount   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-at   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-chage   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-chsh   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-crontab   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-gpasswd   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-mount   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-newgidmap   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-newgrp   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-newuidmap   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-passwd   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-postdrop   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-postqueue   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-pt-chown   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-ssh-keysign   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-su   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-sudo   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-sudoedit   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-umount   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-unix-chkpwd   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-userhelper   FAIL   medium
rhcos4-ncp-master-audit-rules-privileged-commands-usernetctl   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-at   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-chage   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-chsh   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-crontab   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-gpasswd   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-mount   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-newgidmap   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-newgrp   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-newuidmap   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-passwd   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-postdrop   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-postqueue   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-pt-chown   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-ssh-keysign   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-su   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-sudo   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-sudoedit   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-umount   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-unix-chkpwd   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-userhelper   FAIL   medium
rhcos4-ncp-worker-audit-rules-privileged-commands-usernetctl   FAIL   medium
Yes, they're applicable to RHCOS. They all should have automated remediations too.
Verification pass with 4.8.0-0.nightly-2021-05-21-233425 and compliance-operator.v0.1.32:

Although the rule rhcos4-audit-rules-privileged-commands is still available through `$ oc get rules | grep audit | grep privileged`, it won't show when you execute `compliancecheckresults`

$ oc get ip
install-smz94   compliance-operator.v0.1.32   Automatic   true

$ oc get csv
NAME   DISPLAY   VERSION   REPLACES   PHASE
compliance-operator.v0.1.32   Compliance Operator   0.1.32      Succeeded

$ oc get clusterversion
NAME   VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-05-21-233425   True   False   6h6m   Cluster version is 4.8.0-0.nightly-2021-05-21-233425

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: rhcos4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default-auto-apply
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get rules | grep audit | grep privileged
rhcos4-audit-rules-privileged-commands   3h10m
rhcos4-audit-rules-privileged-commands-at   3h10m
rhcos4-audit-rules-privileged-commands-chage   3h10m
rhcos4-audit-rules-privileged-commands-chsh   3h10m
rhcos4-audit-rules-privileged-commands-crontab   3h10m
rhcos4-audit-rules-privileged-commands-gpasswd   3h10m
rhcos4-audit-rules-privileged-commands-mount   3h10m
rhcos4-audit-rules-privileged-commands-newgidmap   3h10m
rhcos4-audit-rules-privileged-commands-newgrp   3h10m
rhcos4-audit-rules-privileged-commands-newuidmap   3h10m
rhcos4-audit-rules-privileged-commands-pam-timestamp-check   3h10m
rhcos4-audit-rules-privileged-commands-passwd   3h10m
rhcos4-audit-rules-privileged-commands-postdrop   3h10m
rhcos4-audit-rules-privileged-commands-postqueue   3h10m
rhcos4-audit-rules-privileged-commands-pt-chown   3h10m
rhcos4-audit-rules-privileged-commands-ssh-keysign   3h10m
rhcos4-audit-rules-privileged-commands-su   3h10m
rhcos4-audit-rules-privileged-commands-sudo   3h10m
rhcos4-audit-rules-privileged-commands-sudoedit   3h10m
rhcos4-audit-rules-privileged-commands-umount   3h10m
rhcos4-audit-rules-privileged-commands-unix-chkpwd   3h10m
rhcos4-audit-rules-privileged-commands-userhelper   3h10m
rhcos4-audit-rules-privileged-commands-usernetctl   3h10m

$ oc get compliancecheckresults --show-labels | grep privileged
rhcos4-moderate-master-audit-rules-privileged-commands-at   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-chage   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-chsh   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-crontab   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-mount   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-passwd   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-su   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-sudo   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-umount   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-master-sysctl-kernel-unprivileged-bpf-disabled   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-at   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-chage   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-mount   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-su   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-umount   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-sysctl-kernel-unprivileged-bpf-disabled   FAIL   medium   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r
scansettingbinding.compliance.openshift.io/my-ssb-r created

After remediation applied, patch the scansettingbinding and rerun:

$ oc patch ScanSettingBinding my-ssb-r -p '{"settingsRef":{"name":"default"}}' --type='merge'
scansettingbinding.compliance.openshift.io/my-ssb-r patched

$ ./oc-compliance rerun-now scansettingbindings my-ssb-r
Rerunning scans from 'my-ssb-r': ocp4-moderate, rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'

$ oget compliancecheckresults | grep privileged
rhcos4-moderate-master-audit-rules-privileged-commands-at   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-chage   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-chsh   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-crontab   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-mount   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-passwd   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-su   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-umount   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper   PASS   medium
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl   PASS   medium
rhcos4-moderate-master-sysctl-kernel-unprivileged-bpf-disabled   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chage   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-mount   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-umount   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper   PASS   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl   PASS   medium
rhcos4-moderate-worker-sysctl-kernel-unprivileged-bpf-disabled   PASS   medium
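The verification above can be automated. This is an added example, not part of the original bug comments or the Compliance Operator code: it parses `oc get compliancecheckresults` listings, confirms the umbrella rule produced no result, and reports how the per-command checks changed between two runs. The function names are hypothetical, the scan names are taken from the `scan-name` labels shown in the report, and the sample listings are constructed.

```python
from collections import Counter

# Scan names as they appear in the compliance.openshift.io/scan-name label.
SCANS = ("rhcos4-moderate-master", "rhcos4-moderate-worker")
# Umbrella rule name without the product prefix, as it appears in result names.
UMBRELLA_RULE = "audit-rules-privileged-commands"

# Constructed sample listings, shaped like the output quoted in this report.
# The last AFTER row is deliberately left at FAIL to exercise the failure path.
BEFORE = """\
NAME STATUS SEVERITY
rhcos4-moderate-master-audit-rules-privileged-commands-at FAIL medium
rhcos4-moderate-master-audit-rules-privileged-commands-su FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at FAIL medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su FAIL medium
"""
AFTER = """\
NAME STATUS SEVERITY
rhcos4-moderate-master-audit-rules-privileged-commands-at PASS medium
rhcos4-moderate-master-audit-rules-privileged-commands-su PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at PASS medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su FAIL medium
"""


def parse_results(text):
    """Return {result_name: status} from `oc get compliancecheckresults` text."""
    results = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row, and anything that is not a result row.
        # Rows from --show-labels carry a fourth field, which is ignored here.
        if len(fields) < 3 or fields[0] == "NAME":
            continue
        results[fields[0]] = fields[1]
    return results


def split_name(result_name, scans=SCANS):
    """Split '<scan>-<rule>' using the longest matching scan name."""
    for scan in sorted(scans, key=len, reverse=True):
        if result_name.startswith(scan + "-"):
            return scan, result_name[len(scan) + 1:]
    return None, result_name


def umbrella_results(results, scans=SCANS):
    """Results produced by the umbrella rule itself, not its per-command rules."""
    return sorted(
        name for name in results
        if split_name(name, scans)[1] == UMBRELLA_RULE
    )


def transitions(before, after, scans=SCANS):
    """Count (old_status, new_status) pairs for the per-command checks."""
    counts = Counter()
    for name, new in after.items():
        if split_name(name, scans)[1].startswith(UMBRELLA_RULE + "-"):
            counts[(before.get(name, "MISSING"), new)] += 1
    return counts


def still_failing(after, scans=SCANS):
    """Per-command privileged checks that are not PASS after the rerun."""
    return sorted(
        name for name, status in after.items()
        if split_name(name, scans)[1].startswith(UMBRELLA_RULE + "-")
        and status != "PASS"
    )


if __name__ == "__main__":
    before, after = parse_results(BEFORE), parse_results(AFTER)
    print("umbrella results:", umbrella_results(after) or "none")
    for (old, new), n in sorted(transitions(before, after).items()):
        print(f"{old} -> {new}: {n}")
    for name in still_failing(after):
        print("needs attention:", name)
```

On a live cluster the two listings would come from saving the command output before and after the remediation rerun.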
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2652