Bug 1953516
| Summary: | one of the rules [xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands] taking too long... Such scans via Compliance Operator were taking around 2 hours, even. | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jakub Hrozek <jhrozek> | |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> | |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 4.6.z | CC: | josorior, mleonard, mrogers, obockows, pdhamdhe, xiyuan | |
| Target Milestone: | --- | |||
| Target Release: | 4.7.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 1942208 | |||
| : | 1953521 (view as bug list) | Environment: | ||
| Last Closed: | 2021-05-10 12:42:47 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1942208 | |||
| Bug Blocks: | 1953521 | |||
Per https://bugzilla.redhat.com/show_bug.cgi?id=1953516#c4, move it to Verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.32 for OpenShift Container Platform 4.7), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1347 |
Verification pass with 4.7.0-0.nightly-2021-04-25-102429 and compliance-operator.v0.1.32 $ oc get ip NAME CSV APPROVAL APPROVED install-m8bz5 compliance-operator.v0.1.32 Automatic true install-plvlm compliance-operator.v0.1.32 Automatic true $ oc get csv NAME DISPLAY VERSION REPLACES PHASE compliance-operator.v0.1.32 Compliance Operator 0.1.32 Succeeded $ oc get profile.compliance NAME AGE ocp4-cis 24m ocp4-cis-node 24m ocp4-e8 24m ocp4-moderate 24m rhcos4-e8 24m rhcos4-moderate 24m # Since ncp is not exposed, only moderate profile is tested. $ oc create -f - << EOF apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: my-ssb-r profiles: - name: ocp4-moderate kind: Profile apiGroup: compliance.openshift.io/v1alpha1 - name: rhcos4-moderate apiGroup: compliance.openshift.io/v1alpha1 settingsRef: name: default kind: ScanSetting apiGroup: compliance.openshift.io/v1alpha1 EOF scansettingbinding.compliance.openshift.io/my-ssb-r created $ oc get rules | grep privileged ocp4-scc-limit-privileged-containers 11m rhcos4-audit-rules-privileged-commands 10m rhcos4-audit-rules-privileged-commands-at 10m rhcos4-audit-rules-privileged-commands-chage 10m rhcos4-audit-rules-privileged-commands-chsh 10m rhcos4-audit-rules-privileged-commands-crontab 10m rhcos4-audit-rules-privileged-commands-gpasswd 10m rhcos4-audit-rules-privileged-commands-mount 10m rhcos4-audit-rules-privileged-commands-newgidmap 10m rhcos4-audit-rules-privileged-commands-newgrp 10m rhcos4-audit-rules-privileged-commands-newuidmap 10m rhcos4-audit-rules-privileged-commands-pam-timestamp-check 10m rhcos4-audit-rules-privileged-commands-passwd 10m rhcos4-audit-rules-privileged-commands-postdrop 10m rhcos4-audit-rules-privileged-commands-postqueue 10m rhcos4-audit-rules-privileged-commands-pt-chown 10m rhcos4-audit-rules-privileged-commands-ssh-keysign 10m rhcos4-audit-rules-privileged-commands-su 10m rhcos4-audit-rules-privileged-commands-sudo 10m rhcos4-audit-rules-privileged-commands-sudoedit 10m rhcos4-audit-rules-privileged-commands-umount 10m rhcos4-audit-rules-privileged-commands-unix-chkpwd 10m rhcos4-audit-rules-privileged-commands-userhelper 10m rhcos4-audit-rules-privileged-commands-usernetctl 10m rhcos4-sysctl-kernel-unprivileged-bpf-disabled 10m $ oc get suite NAME PHASE RESULT my-ssb-r DONE NON-COMPLIANT #Seen from below, there is no compliancecheckresults for rhcos4-moderate-master-audit-rules-privileged-commands, rhcos4-moderate-worker-audit-rules-privileged-commands $ oc get compliancecheckresults | grep audit-rules-privileged-commands rhcos4-moderate-master-audit-rules-privileged-commands-at FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-chage FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-chsh FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-crontab FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-mount FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-newgrp FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-passwd FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-postdrop FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-postqueue FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-su FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-sudo FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-umount FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-userhelper FAIL medium rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-at FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-chage FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-chsh FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-crontab FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-mount FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-passwd FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-su FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-sudo FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-umount FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper FAIL medium rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl FAIL medium