Hi Jakub,

For scenario 1, is the FAIL result expected? Thanks.

# oc get compliancecheckresults | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   FAIL   high
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   FAIL   high

And also for scenario 2, it seems ocp4-cis-file-permissions-proxy-kubeconfig should FAIL instead of PASS. Right? Details can be seen below:

Payload version: 4.7.0-0.nightly-2021-04-25-102429
Operator version: compliance-operator.v0.1.31

Note: As there is no plan to add instructions for BIOS-related rules, mark it as pass.

# oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-qj96g   compliance-operator.v0.1.31   Automatic   true

# oc get csv
NAME                             DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.31      Compliance Operator                0.1.31               Succeeded
elasticsearch-operator.5.0.3-1   OpenShift Elasticsearch Operator   5.0.3-1              Succeeded

1. Check the instructions for the two rules:

# oc get compliancecheckresults | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   FAIL   high
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   FAIL   high

# oc get compliancecheckresults rhcos4-moderate-master-disable-ctrlaltdel-reboot -o=jsonpath={.instructions}
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check that the ctrl-alt-del.target is masked and not active with the following command:

sudo systemctl status ctrl-alt-del.target

The output should indicate that the target is masked and not active. It might resemble following output:

ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)

# oc get node
NAME                                    STATUS   ROLES    AGE   VERSION
xiyuan272-04270141-master-0             Ready    master   12h   v1.20.0+7d0a2b2
xiyuan272-04270141-master-1             Ready    master   12h   v1.20.0+7d0a2b2
xiyuan272-04270141-master-2             Ready    master   12h   v1.20.0+7d0a2b2
xiyuan272-04270141-worker-centralus-1   Ready    worker   11h   v1.20.0+7d0a2b2
xiyuan272-04270141-worker-centralus-2   Ready    worker   11h   v1.20.0+7d0a2b2
xiyuan272-04270141-worker-centralus-3   Ready    worker   11h   v1.20.0+7d0a2b2

# oc debug node/xiyuan272-04270141-master-0 -- chroot /host sudo systemctl status ctrl-alt-del.target
Starting pod/xiyuan272-04270141-master-0-debug ...
To use host binaries, run `chroot /host`
● reboot.target - Reboot
   Loaded: loaded (/usr/lib/systemd/system/reboot.target; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd.special(7)

Removing debug pod ...

# oc get compliancecheckresults rhcos4-moderate-worker-disable-ctrlaltdel-reboot -o=jsonpath={.instructions}
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check that the ctrl-alt-del.target is masked and not active with the following command:

sudo systemctl status ctrl-alt-del.target

The output should indicate that the target is masked and not active. It might resemble following output:

ctrl-alt-del.target
Loaded: masked (/dev/null; bad)

# oc debug no/xiyuan272-04270141-worker-centralus-1 -- chroot /host sudo systemctl status ctrl-alt-del.target
Starting pod/xiyuan272-04270141-worker-centralus-1-debug ...
To use host binaries, run `chroot /host`
● reboot.target - Reboot
   Loaded: loaded (/usr/lib/systemd/system/reboot.target; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd.special(7)

Removing debug pod ...

2. Checked the instructions for the proxy-kubeconfig-related rules below:

# oc get compliancecheckresults.compliance.openshift.io | grep proxy-kubeconfig
ocp4-cis-file-groupowner-proxy-kubeconfig    MANUAL   medium
ocp4-cis-file-owner-proxy-kubeconfig         MANUAL   medium
ocp4-cis-file-permissions-proxy-kubeconfig   PASS     medium

# oc get compliancecheckresults ocp4-cis-file-groupowner-proxy-kubeconfig -o=jsonpath={.instructions}
To check the group ownership of /config/kube-proxy-config.yaml, you'll need to log into a node in the cluster.
As a user with administrator privileges, log into a node in the relevant pool:

$ oc debug node/$NODE_NAME

At the sh-4.4# prompt, run:

# chroot /host

Then, run the command:

$ ls -lL /config/kube-proxy-config.yaml

If properly configured, the output should indicate the following group-owner: root

# oc get compliancecheckresults ocp4-cis-file-owner-proxy-kubeconfig -o=jsonpath={.instructions}
To check the ownership of /config/kube-proxy-config.yaml, you'll need to log into a node in the cluster.
As a user with administrator privileges, log into a node in the relevant pool:

$ oc debug node/$NODE_NAME

At the sh-4.4# prompt, run:

# chroot /host

Then, run the command:

$ ls -lL /config/kube-proxy-config.yaml

If properly configured, the output should indicate the following owner:

# oc get compliancecheckresults ocp4-cis-file-permissions-proxy-kubeconfig -o=jsonpath={.instructions}
To check the permissions of /config/kube-proxy-config.yaml, you'll need to log into a node in the cluster.
As a user with administrator privileges, log into a node in the relevant pool:

$ oc debug node/$NODE_NAME

At the sh-4.4# prompt, run:

# chroot /host

Then, run the command:

$ ls -l /config/kube-proxy-config.yaml

If properly configured, the output should indicate the following permissions: -rw-r--r--[

# oc get node
NAME                                    STATUS   ROLES    AGE   VERSION
xiyuan272-04270141-master-0             Ready    master   12h   v1.20.0+7d0a2b2
xiyuan272-04270141-master-1             Ready    master   12h   v1.20.0+7d0a2b2
xiyuan272-04270141-master-2             Ready    master   12h   v1.20.0+7d0a2b2
xiyuan272-04270141-worker-centralus-1   Ready    worker   11h   v1.20.0+7d0a2b2
xiyuan272-04270141-worker-centralus-2   Ready    worker   11h   v1.20.0+7d0a2b2
xiyuan272-04270141-worker-centralus-3   Ready    worker   11h   v1.20.0+7d0a2b2

# oc debug no/xiyuan272-04270141-master-0 -- chroot /host ls -l /config/kube-proxy-config.yaml
Starting pod/xiyuan272-04270141-master-0-debug ...
To use host binaries, run `chroot /host`
ls: cannot access '/config/kube-proxy-config.yaml': No such file or directory

Removing debug pod ...
error: non-zero exit code from debug container
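The two manual checks walked through in the comment above, scripted so that every node gets the same verdict instead of an eyeballed `systemctl`/`ls` paste. This is an added example and is not code from the bug report or from the Compliance Operator project; the function names are mine, the sample outputs are constructed to mirror the ones pasted above, and `check_node` assumes a working `oc` login with cluster-admin and is not exercised offline. One assumption is worth flagging: the rule's instructions show only `-rw-r--r--`, and the classifier below also treats stricter modes as PASS on the assumption that the rule's intent is "0644 or tighter". The second function deliberately reports a missing file as its own outcome rather than folding it into PASS or FAIL, since that is exactly the ambiguity scenario 2 raises.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Compliance Operator.
# Scripts the two manual "instructions" from the comment above.

# PASS only if the unit is both masked and inactive, as the rule's instructions require.
# Edge case visible in the report: on an unmasked RHCOS node ctrl-alt-del.target is a
# symlink to reboot.target, so `systemctl status ctrl-alt-del.target` prints
# "reboot.target - Reboot ... Loaded: loaded". No "ctrl-alt-del" text appears at all,
# and that output must still count as FAIL; matching on the unit name would miss it.
ctrlaltdel_masked() {
    out="$1"
    case "$out" in
        *"Loaded: masked"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"Active: inactive"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one `ls -l /config/kube-proxy-config.yaml` result:
#   MISSING  the file does not exist (what the master node returned in the report);
#            reported separately so it is never silently counted as PASS
#   PASS     mode is -rw-r--r-- or more restrictive (assumption: 0644 or tighter is
#            the intent; the instructions only show -rw-r--r-- itself)
#   FAIL     anything else (group/other write, any execute bit, setuid/setgid/sticky)
kubeproxy_perm_result() {
    line="$1"
    case "$line" in
        *"No such file or directory"*) echo MISSING; return 0 ;;
    esac
    mode=${line%% *}      # first whitespace-separated field of the ls -l line
    mode=${mode%.}        # drop the SELinux context marker that ls appends
    case "$mode" in
        -[r-][w-]-[r-]--[r-]--) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# Run both checks on a live node. Needs `oc` and cluster-admin; not exercised offline.
# `systemctl status` exits 3 for an inactive unit, so `oc debug` reports a non-zero
# exit code just as in the report; the output is still captured through 2>&1.
check_node() {
    node="$1"
    st=$(oc debug "node/$node" -- chroot /host systemctl status ctrl-alt-del.target 2>&1)
    if ctrlaltdel_masked "$st"; then
        echo "$node disable-ctrlaltdel-reboot: PASS"
    else
        echo "$node disable-ctrlaltdel-reboot: FAIL"
    fi
    ls_out=$(oc debug "node/$node" -- chroot /host ls -l /config/kube-proxy-config.yaml 2>&1)
    echo "$node file-permissions-proxy-kubeconfig: $(kubeproxy_perm_result "$ls_out")"
}

# Constructed samples mirroring the outputs pasted in the report (not captured here).
UNMASKED_STATUS='● reboot.target - Reboot
   Loaded: loaded (/usr/lib/systemd/system/reboot.target; enabled; vendor preset: enabled)
   Active: inactive (dead)'
MASKED_STATUS='● ctrl-alt-del.target
   Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
   Active: inactive (dead)'
LS_MISSING="ls: cannot access '/config/kube-proxy-config.yaml': No such file or directory"
LS_OK='-rw-r--r--. 1 root root 512 Apr 27 01:41 /config/kube-proxy-config.yaml'
LS_LOOSE='-rw-rw-r--. 1 root root 512 Apr 27 01:41 /config/kube-proxy-config.yaml'

if ctrlaltdel_masked "$UNMASKED_STATUS"; then echo "unmasked node: PASS"; else echo "unmasked node: FAIL"; fi
if ctrlaltdel_masked "$MASKED_STATUS"; then echo "masked node:   PASS"; else echo "masked node:   FAIL"; fi
echo "file missing:  $(kubeproxy_perm_result "$LS_MISSING")"
echo "mode 0644:     $(kubeproxy_perm_result "$LS_OK")"
echo "mode 0664:     $(kubeproxy_perm_result "$LS_LOOSE")"
```

To sweep a cluster, feed the node names from `oc get nodes -o name | sed 's#node/##'` into `check_node` in a loop; a MISSING on any node is the case to raise with the rule authors, since neither PASS nor FAIL describes it.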
@xiyuan failure of rhcos4-moderate-master-disable-ctrlaltdel-reboot is expected. If you view it with the `oc compliance view-result` command, you'll notice that it has an appropriate remediation:

Title:                Disable Ctrl-Alt-Del Reboot Activation
Status:               FAIL
Severity:             high
Description:          By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence
                      is pressed.

                      To configure the system to ignore the Ctrl-Alt-Del key sequence from the
                      command line instead of rebooting the system, create a MachineConfig
                      similar to the following:

                        apiVersion: machineconfiguration.openshift.io/v1
                        kind: MachineConfig
                        metadata:
                          labels:
                            machineconfiguration.openshift.io/role: master
                          name: 75-master-disable-ctrlaltdel-reboot
                        spec:
                          config:
                            ignition:
                              version: 3.1.0
                            systemd:
                              units:
                              - name: ctrl-alt-del.target
                                mask: true
                        EOF

                      This will mask the ctrl-alt-del.target systemd target for all the nodes
                      labeled with the "master" role.

                      Note that this needs to be done for each MachineConfigPool.

                      For more information on how to configure nodes with the Machine Config
                      Operator see the relevant documentation:
                      https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html
Rationale:            A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
                      can reboot the system. If accidentally pressed, as could happen in the
                      case of mixed OS environment, this can create the risk of short-term loss
                      of availability of systems due to unintentional reboot.
Instructions:         To ensure the system is configured to mask the Ctrl-Alt-Del sequence,
                      Check that the ctrl-alt-del.target is masked and not active with the
                      following command:

                      sudo systemctl status ctrl-alt-del.target

                      The output should indicate that the target is masked and not active. It
                      might resemble following output:

                      ctrl-alt-del.target
                      Loaded: masked (/dev/null; bad)
                      Active: inactive (dead)
NIST-800-53 Controls: CM-6(a), AC-6(1)
Available Fix:        Yes
Fix Object:           ---
                      apiVersion: machineconfiguration.openshift.io/v1
                      kind: MachineConfig
                      spec:
                        config:
                          ignition:
                            version: 3.1.0
                          systemd:
                            units:
                            - mask: true
                              name: ctrl-alt-del.target
Result Object Name:   rhcos4-moderate-master-disable-ctrlaltdel-reboot
Rule Object Name:     rhcos4-disable-ctrlaltdel-reboot
Remediation Created:  Yes
Remediation Name:     rhcos4-moderate-master-disable-ctrlaltdel-reboot
Remediation Status:   Applied

After applying it and running another scan, it should pass.
Verified as PASS with cluster version 4.7.0-0.nightly-2021-04-25-102429 and compliance-operator.v0.1.32 for rules rhcos4-moderate-master-disable-ctrlaltdel-reboot and rhcos4-moderate-worker-disable-ctrlaltdel-reboot; there is auto-remediation for them and it works as expected. The instructions also work as expected.

# oc get complianceremediations --show-labels | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   Applied   compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   Applied   compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r

# oc compliance fetch-fixes complianceremediation rhcos4-moderate-master-disable-ctrlaltdel-reboot
Persisted compliance remediation fix to rhcos4-moderate-master-disable-ctrlaltdel-reboot.yaml
# cat rhcos4-moderate-master-disable-ctrlaltdel-reboot.yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: rhcos4-moderate-master-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - mask: true
        name: ctrl-alt-del.target

# oc compliance fetch-fixes complianceremediation rhcos4-moderate-worker-disable-ctrlaltdel-reboot
Persisted compliance remediation fix to rhcos4-moderate-worker-disable-ctrlaltdel-reboot.yaml
# cat rhcos4-moderate-worker-disable-ctrlaltdel-reboot.yaml
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: rhcos4-moderate-worker-disable-ctrlaltdel-reboot
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - mask: true
        name: ctrl-alt-del.target

# oc get compliancecheckresults --show-labels | grep disable-ctrlaltdel-reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   PASS   high   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=my-ssb-r
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   PASS   high   compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=my-ssb-r

# oc get compliancecheckresults rhcos4-moderate-worker-disable-ctrlaltdel-reboot -o=jsonpath={.instructions}
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check that the ctrl-alt-del.target is masked and not active with the following command:

sudo systemctl status ctrl-alt-del.target

The output should indicate that the target is masked and not active. It might resemble following output:

ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)

$ oc debug node/xiyuan281-l5klq-worker-northcentralus-9f2qz -- chroot /host sudo systemctl status ctrl-alt-del.target
Starting pod/xiyuan281-l5klq-worker-northcentralus-9f2qz-debug ...
To use host binaries, run `chroot /host`
● ctrl-alt-del.target
   Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
   Active: inactive (dead)

Removing debug pod ...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.32 for OpenShift Container Platform 4.7), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1347
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days