[Bug Verification]

Looks good now. The remediation for rule 'rhcos4-disable-ctrlaltdel-reboot' is successfully applied and the rule is successfully configured on RHCOS nodes.

Verified On:
4.6.0-0.nightly-2021-04-27-142853 + compliance-operator.v0.1.32

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-04-27-142853   True        False         9h      Cluster version is 4.6.0-0.nightly-2021-04-27-142853

$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.32   Compliance Operator   0.1.32               Succeeded

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-595bbbb4c6-59528              1/1     Running   0          4h54m
ocp4-openshift-compliance-pp-76cb4ff5b5-8g7fs     1/1     Running   0          4h53m
rhcos4-openshift-compliance-pp-69b864fb65-chqcq   1/1     Running   0          4h53m

$ oc get scansettings
NAME                 AGE
default              4h53m
default-auto-apply   4h53m

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: rhcos4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default-auto-apply
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT

$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

$ oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-rhcos4-moderate-master                   0/1     Completed   0          6m1s
aggregator-pod-rhcos4-moderate-worker                   0/1     Completed   0          6m1s
compliance-operator-595bbbb4c6-59528                    1/1     Running     0          5h8m
ocp4-openshift-compliance-pp-76cb4ff5b5-8g7fs           1/1     Running     0          5h7m
openscap-pod-375485570a2936b890b2354346b8f169d8443eff   0/2     Completed   0          6m59s
openscap-pod-44e2af295531a6b18810c18d39d7372de44c1909   0/2     Completed   0          6m59s
openscap-pod-da389ef1ffe0a11adc6b5448c8a72d37a2ca8d34   0/2     Completed   0          7m
rhcos4-openshift-compliance-pp-69b864fb65-chqcq         1/1     Running     0          5h7m

$ oc get compliancecheckresults |grep reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   FAIL   high
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   FAIL   high

$ oc get complianceremediation rhcos4-moderate-worker-disable-ctrlaltdel-reboot
NAME                                               STATE
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   Applied

$ oc get complianceremediation rhcos4-moderate-master-disable-ctrlaltdel-reboot
NAME                                               STATE
rhcos4-moderate-master-disable-ctrlaltdel-reboot   Applied

$ oc get mc |grep reboot
75-rhcos4-moderate-master-disable-ctrlaltdel-reboot   3.1.0   9m55s
75-rhcos4-moderate-worker-disable-ctrlaltdel-reboot   3.1.0   10m

$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-ca2451603585f8792498a51ad839ac52   False     True       False      3              0                   0                     0                      10h
worker   rendered-worker-a1b40305909a30529864238a35aed2c5   False     True       False      3              1                   1                     0                      10h

$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-4c84121cb6a002d3b740b5d3b4faccbd   True      False      False      3              3                   3                     0                      10h
worker   rendered-worker-a1b40305909a30529864238a35aed2c5   False     True       False      3              1                   1                     0                      10h
worker   rendered-worker-a1b40305909a30529864238a35aed2c5   False     True       False      3              2                   2                     0                      10h
worker   rendered-worker-84f6a3e16cd8a527498f8831a7276caf   True      False      False      3              3                   3                     0                      10h

$ oc get scan
NAME                     PHASE   RESULT
rhcos4-moderate-master   DONE    NON-COMPLIANT
rhcos4-moderate-worker   DONE    NON-COMPLIANT

$ oc annotate compliancescans/rhcos4-moderate-worker compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/rhcos4-moderate-worker annotated

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   DONE          NON-COMPLIANT
rhcos4-moderate-worker   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-worker   DONE          NON-COMPLIANT

$ oc get compliancecheckresults |grep reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   FAIL   high
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   PASS   high   <<---

$ oc annotate compliancescans/rhcos4-moderate-master compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/rhcos4-moderate-master annotated

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   DONE          NON-COMPLIANT
rhcos4-moderate-master   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   DONE          NON-COMPLIANT

$ oc get compliancecheckresults |grep reboot
rhcos4-moderate-master-disable-ctrlaltdel-reboot   PASS   high
rhcos4-moderate-worker-disable-ctrlaltdel-reboot   PASS   high

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-133-63.us-east-2.compute.internal    Ready    master   10h   v1.19.0+a5a0987
ip-10-0-141-37.us-east-2.compute.internal    Ready    worker   10h   v1.19.0+a5a0987
ip-10-0-160-171.us-east-2.compute.internal   Ready    master   10h   v1.19.0+a5a0987
ip-10-0-162-152.us-east-2.compute.internal   Ready    worker   10h   v1.19.0+a5a0987
ip-10-0-213-103.us-east-2.compute.internal   Ready    master   10h   v1.19.0+a5a0987
ip-10-0-223-248.us-east-2.compute.internal   Ready    worker   10h   v1.19.0+a5a0987

$ oc debug node/ip-10-0-223-248.us-east-2.compute.internal
Starting pod/ip-10-0-223-248us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.223.248
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# systemctl status ctrl-alt-del.target
● ctrl-alt-del.target
   Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)   <<-----
   Active: inactive (dead)   <<-----
sh-4.4# exit
sh-4.4# exit

$ oc debug node/ip-10-0-133-63.us-east-2.compute.internal
Starting pod/ip-10-0-133-63us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.133.63
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# systemctl status ctrl-alt-del.target
● ctrl-alt-del.target
   Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)   <<-----
   Active: inactive (dead)   <<-----
sh-4.4# exit
sh-4.4# exit
Removing debug pod ...

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Compliance Operator version 0.1.32 for OpenShift Container Platform 4.6), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1348