[Bug Verification]

This looks good. The rule 'rhcos4-audit-rules-privileged-commands' is not associated with RHCOS profiles now and the scan does not create compliancecheckresults objects for this rule.

Verified on:
4.6.0-0.nightly-2021-04-27-142853 + compliance-operator.v0.1.32

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-04-27-142853   True        False         6h33m   Cluster version is 4.6.0-0.nightly-2021-04-27-142853

$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.32   Compliance Operator   0.1.32               Succeeded

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-595bbbb4c6-59528              1/1     Running   0          105m
ocp4-openshift-compliance-pp-76cb4ff5b5-8g7fs     1/1     Running   0          104m
rhcos4-openshift-compliance-pp-69b864fb65-chqcq   1/1     Running   0          104m

$ oc get profile.compliance
NAME              AGE
ocp4-cis          103m
ocp4-cis-node     103m
ocp4-e8           103m
ocp4-moderate     103m
rhcos4-e8         103m
rhcos4-moderate   103m

$ oc get rules | grep privileged
ocp4-scc-limit-privileged-containers                          106m
rhcos4-audit-rules-privileged-commands                        105m
rhcos4-audit-rules-privileged-commands-at                     106m
rhcos4-audit-rules-privileged-commands-chage                  105m
rhcos4-audit-rules-privileged-commands-chsh                   105m
rhcos4-audit-rules-privileged-commands-crontab                106m
rhcos4-audit-rules-privileged-commands-gpasswd                106m
rhcos4-audit-rules-privileged-commands-mount                  106m
rhcos4-audit-rules-privileged-commands-newgidmap              106m
rhcos4-audit-rules-privileged-commands-newgrp                 106m
rhcos4-audit-rules-privileged-commands-newuidmap              106m
rhcos4-audit-rules-privileged-commands-pam-timestamp-check    105m
rhcos4-audit-rules-privileged-commands-passwd                 106m
rhcos4-audit-rules-privileged-commands-postdrop               106m
rhcos4-audit-rules-privileged-commands-postqueue              105m
rhcos4-audit-rules-privileged-commands-pt-chown               106m
rhcos4-audit-rules-privileged-commands-ssh-keysign            106m
rhcos4-audit-rules-privileged-commands-su                     106m
rhcos4-audit-rules-privileged-commands-sudo                   106m
rhcos4-audit-rules-privileged-commands-sudoedit               105m
rhcos4-audit-rules-privileged-commands-umount                 106m
rhcos4-audit-rules-privileged-commands-unix-chkpwd            105m
rhcos4-audit-rules-privileged-commands-userhelper             105m
rhcos4-audit-rules-privileged-commands-usernetctl             106m
rhcos4-sysctl-kernel-unprivileged-bpf-disabled                105m

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: rhcos4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

$ oc get compliancecheckresults | grep audit-rules-privileged-commands
rhcos4-moderate-master-audit-rules-privileged-commands-at                    FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-chage                 FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-chsh                  FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-crontab               FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-gpasswd               FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-mount                 FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgidmap             FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newgrp                FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-newuidmap             FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-passwd                FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-postdrop              FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-postqueue             FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-pt-chown              FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-ssh-keysign           FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-su                    FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo                  FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudoedit              FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-umount                FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-unix-chkpwd           FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-userhelper            FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-usernetctl            FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at                    FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chage                 FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-chsh                  FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-crontab               FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-gpasswd               FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-mount                 FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgidmap             FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newgrp                FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-newuidmap             FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pam-timestamp-check   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-passwd                FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postdrop              FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-postqueue             FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-pt-chown              FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-ssh-keysign           FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-su                    FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo                  FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudoedit              FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-umount                FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-unix-chkpwd           FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-userhelper            FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-usernetctl            FAIL   medium

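
Added example, not part of the original comment or of the Compliance Operator project: the grep in the verification above matches every per-command sub-rule by substring, so confirming that the umbrella rule itself produced no result needs an exact-name match. The sample lines are constructed, and the function names (umbrella_results, subrule_count, verify_fix) are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape of `oc get compliancecheckresults` output.
SAMPLE_RESULTS='rhcos4-moderate-master-audit-rules-privileged-commands-at     FAIL   medium
rhcos4-moderate-master-audit-rules-privileged-commands-sudo   FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-at     FAIL   medium
rhcos4-moderate-worker-audit-rules-privileged-commands-sudo   FAIL   medium'

# umbrella_results PROFILE RULE
# Reads result lines on stdin; prints names that start with "<PROFILE>-" and
# end exactly in "-<RULE>", i.e. the umbrella rule, not a "-<command>" sub-rule.
umbrella_results() {
    awk -v p="$1" -v r="$2" '
        index($1, p "-") == 1 && length($1) > length(r) &&
        substr($1, length($1) - length(r)) == "-" r { print $1 }'
}

# subrule_count PROFILE RULE
# Counts results for per-command sub-rules ("-<RULE>-<command>").
subrule_count() {
    awk -v p="$1" -v r="$2" '
        index($1, p "-") == 1 && index($1, "-" r "-") > 0 { n++ }
        END { print n + 0 }'
}

# verify_fix PROFILE RULE
# Succeeds only if the umbrella rule has no result AND sub-rule results exist,
# so an empty or failed scan listing cannot pass as "fixed".
verify_fix() {
    input=$(cat)
    hits=$(printf '%s\n' "$input" | umbrella_results "$1" "$2")
    subs=$(printf '%s\n' "$input" | subrule_count "$1" "$2")
    [ -z "$hits" ] && [ "$subs" -gt 0 ]
}

if printf '%s\n' "$SAMPLE_RESULTS" |
    verify_fix rhcos4-moderate audit-rules-privileged-commands; then
    echo "umbrella rule absent, sub-rule results present"
fi
```

Against a live cluster the same check reads from `oc get compliancecheckresults --no-headers | verify_fix rhcos4-moderate audit-rules-privileged-commands`.
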
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.32 for OpenShift Container Platform 4.6), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1348