Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1953516

Summary: one of the rules [xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands] taking too long... Such scans via Compliance Operator were taking around 2 hours, even.
Product: OpenShift Container Platform Reporter: Jakub Hrozek <jhrozek>
Component: Compliance OperatorAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: xiyuan
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.6.zCC: josorior, mleonard, mrogers, obockows, pdhamdhe, xiyuan
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1942208
: 1953521 (view as bug list) Environment:
Last Closed: 2021-05-10 12:42:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1942208    
Bug Blocks: 1953521    

Comment 4 xiyuan 2021-04-28 13:17:01 UTC
Verification pass with 4.7.0-0.nightly-2021-04-25-102429 and compliance-operator.v0.1.32
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-m8bz5   compliance-operator.v0.1.32   Automatic   true
install-plvlm   compliance-operator.v0.1.32   Automatic   true
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.32   Compliance Operator   0.1.32               Succeeded

$ oc get profile.compliance
NAME              AGE
ocp4-cis          24m
ocp4-cis-node     24m
ocp4-e8           24m
ocp4-moderate     24m
rhcos4-e8         24m
rhcos4-moderate   24m

# Since ncp is not exposed, only moderate profile is tested.
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
  - name: ocp4-moderate
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: rhcos4-moderate
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get rules | grep privileged
ocp4-scc-limit-privileged-containers                                                11m
rhcos4-audit-rules-privileged-commands                                              10m
rhcos4-audit-rules-privileged-commands-at                                           10m
rhcos4-audit-rules-privileged-commands-chage                                        10m
rhcos4-audit-rules-privileged-commands-chsh                                         10m
rhcos4-audit-rules-privileged-commands-crontab                                      10m
rhcos4-audit-rules-privileged-commands-gpasswd                                      10m
rhcos4-audit-rules-privileged-commands-mount                                        10m
rhcos4-audit-rules-privileged-commands-newgidmap                                    10m
rhcos4-audit-rules-privileged-commands-newgrp                                       10m
rhcos4-audit-rules-privileged-commands-newuidmap                                    10m
rhcos4-audit-rules-privileged-commands-pam-timestamp-check                          10m
rhcos4-audit-rules-privileged-commands-passwd                                       10m
rhcos4-audit-rules-privileged-commands-postdrop                                     10m
rhcos4-audit-rules-privileged-commands-postqueue                                    10m
rhcos4-audit-rules-privileged-commands-pt-chown                                     10m
rhcos4-audit-rules-privileged-commands-ssh-keysign                                  10m
rhcos4-audit-rules-privileged-commands-su                                           10m
rhcos4-audit-rules-privileged-commands-sudo                                         10m
rhcos4-audit-rules-privileged-commands-sudoedit                                     10m
rhcos4-audit-rules-privileged-commands-umount                                       10m
rhcos4-audit-rules-privileged-commands-unix-chkpwd                                  10m
rhcos4-audit-rules-privileged-commands-userhelper                                   10m
rhcos4-audit-rules-privileged-commands-usernetctl                                   10m
rhcos4-sysctl-kernel-unprivileged-bpf-disabled                                      10m

$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

#Seen from below, there is no compliancecheckresults for rhcos4-moderate-master-audit-rules-privileged-commands, rhcos4-moderate-worker-audit-rules-privileged-commands
$  oc get compliancecheckresults | grep audit-rules-privileged-commands
rhcos4-moderate-master-audit-rules-privileged-commands-at                                           FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-chage                                        FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-chsh                                         FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-crontab                                      FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd                                      FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-mount                                        FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap                                    FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp                                       FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap                                    FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check                          FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-passwd                                       FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop                                     FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue                                    FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown                                     FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign                                  FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-su                                           FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo                                         FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit                                     FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-umount                                       FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd                                  FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper                                   FAIL     medium
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl                                   FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at                                           FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chage                                        FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh                                         FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab                                      FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd                                      FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-mount                                        FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap                                    FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp                                       FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap                                    FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check                          FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd                                       FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop                                     FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue                                    FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown                                     FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign                                  FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su                                           FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo                                         FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit                                     FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-umount                                       FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd                                  FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper                                   FAIL     medium
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl                                   FAIL     medium

Comment 5 xiyuan 2021-04-28 13:18:53 UTC
Per https://bugzilla.redhat.com/show_bug.cgi?id=1953516#c4, move it to Verified.

Comment 7 errata-xmlrpc 2021-05-10 12:42:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Compliance Operator version 0.1.32 for OpenShift Container Platform 4.7), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1347