Description of problem:
The oc-compliance build is not available for OCP4.8

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-04-26-151924

Steps to Reproduce:
1. The 4.8 Epic https://issues.redhat.com/browse/CMP-819 is meant to ship the oc-compliance plugin in 4.8. However, the oc-compliance build is not available for OCP4.8.

Actual results:
The oc-compliance build is not available for OCP4.8

Expected results:
The oc-compliance build should be available for OCP4.8

Additional info:
Verified with oc-compliance build https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1636982 with payload 4.8.0-0.nightly-2021-06-17-002034

1. Extract to get the oc-compliance binary.
# mkdir oc-compliance
$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/openshift-oc-compliance@sha256:8bc020fd665463759409dfbd17ad78771c4f161a2ebd2640b70eab8bbf4246b5 --path /:oc-compliance
W0617 16:58:47.362673   21646 manifest.go:442] Chose linux/amd64 manifest from the manifest list.
# cp ./oc-compliance/bin/oc-compliance ~/func/

2. Test with oc-compliance
# cd ~/func
$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://api.xiyuan0617.qe.devcluster.openshift.com:6443".
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-cl6xl   compliance-operator.v0.1.35   Automatic   true
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.35   Compliance Operator   0.1.35               Succeeded

## bind
$ ./oc-compliance bind -N mybinding profile/ocp4-cis profile/ocp4-cis-node
Creating ScanSettingBinding mybinding
$ oc get suite -w
NAME        PHASE         RESULT
mybinding   RUNNING       NOT-AVAILABLE
mybinding   RUNNING       NOT-AVAILABLE
mybinding   RUNNING       NOT-AVAILABLE
mybinding   AGGREGATING   NOT-AVAILABLE
mybinding   AGGREGATING   NOT-AVAILABLE
mybinding   AGGREGATING   NOT-AVAILABLE
mybinding   DONE          NON-COMPLIANT
mybinding   DONE          NON-COMPLIANT

## fetch-raw
$ ./oc-compliance fetch-raw scansettingbindings mybinding -o ./test1
Fetching results for mybinding scans: ocp4-cis, ocp4-cis-node-worker, ocp4-cis-node-master
Fetching raw compliance results for scan 'ocp4-cis'................
The raw compliance results are avaliable in the following directory: test1/ocp4-cis
Fetching raw compliance results for scan 'ocp4-cis-node-worker'...........
The raw compliance results are avaliable in the following directory: test1/ocp4-cis-node-worker
Fetching raw compliance results for scan 'ocp4-cis-node-master'...............
The raw compliance results are avaliable in the following directory: test1/ocp4-cis-node-master
$ bunzip2 -c ./test1/ocp4-cis/ocp4-cis-api-checks-pod.xml.bzip2 > ./test1/ocp4-cis/ocp4-cis-api-checks-pod.xml
$ cat ./test1/ocp4-cis/ocp4-cis-api-checks-pod.xml | head
<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1">
  <core:relationships xmlns:arfvocab="http://scap.nist.gov/specifications/arf/vocabulary/relationships/1.0#">
    <core:relationship type="arfvocab:createdFor" subject="xccdf1">
      <core:ref>collection1</core:ref>
    </core:relationship>
    <core:relationship type="arfvocab:isAbout" subject="xccdf1">
      <core:ref>asset0</core:ref>
    </core:relationship>
  </core:relationships>

## controls
$ ./oc-compliance controls profile ocp4-cis | head
+-------------+----------+
|  FRAMEWORK  | CONTROLS |
+-------------+----------+
| NIST-800-53 | AC-2     |
+             +----------+
|             | AC-2(1)  |
+             +----------+
|             | AC-2(12) |
+             +----------+
|             | AC-2(2)  |

## fetch-fixes
$ mkdir cis
$ ./oc-compliance fetch-fixes profile ocp4-cis -o cis
No fixes to persist for rule 'ocp4-accounts-restrict-service-account-tokens'
No fixes to persist for rule 'ocp4-accounts-unique-service-account'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-alwaysadmit'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-alwayspullimages'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-namespacelifecycle'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-noderestriction'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-scc'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-securitycontextdeny'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-serviceaccount'
No fixes to persist for rule 'ocp4-api-server-anonymous-auth'
No fixes to persist for rule 'ocp4-api-server-api-priority-flowschema-catch-all'
No fixes to persist for rule 'ocp4-api-server-api-priority-gate-enabled'
No fixes to persist for rule 'ocp4-api-server-api-priority-v1alpha1-flowschema-catch-all'
No fixes to persist for rule 'ocp4-api-server-audit-log-maxbackup'
Persisted rule fix to cis/ocp4-api-server-audit-log-maxsize.yaml
No fixes to persist for rule 'ocp4-api-server-audit-log-path'
No fixes to persist for rule 'ocp4-api-server-auth-mode-no-aa'
No fixes to persist for rule 'ocp4-api-server-auth-mode-node'
No fixes to persist for rule 'ocp4-api-server-auth-mode-rbac'
No fixes to persist for rule 'ocp4-api-server-basic-auth'
No fixes to persist for rule 'ocp4-api-server-bind-address'
No fixes to persist for rule 'ocp4-api-server-client-ca'
Persisted rule fix to cis/ocp4-api-server-encryption-provider-cipher.yaml
Persisted rule fix to cis/ocp4-api-server-encryption-provider-config.yaml
No fixes to persist for rule 'ocp4-api-server-etcd-ca'
...

## rerun-now
$ ./oc-compliance rerun-now compliancescan ocp4-cis
Re-running scan 'openshift-compliance/ocp4-cis'
$ oc get compliancesuite
NAME        PHASE     RESULT
mybinding   RUNNING   NOT-AVAILABLE
$ oc get scans -w
NAME                   PHASE         RESULT
ocp4-cis               RUNNING       NOT-AVAILABLE
ocp4-cis-node-master   DONE          NON-COMPLIANT
ocp4-cis-node-worker   DONE          NON-COMPLIANT
ocp4-cis               AGGREGATING   NOT-AVAILABLE
ocp4-cis               DONE          NON-COMPLIANT

## view-result
$ oc get compliancecheckresults | head
NAME                                                               STATUS   SEVERITY
ocp4-cis-accounts-restrict-service-account-tokens                  MANUAL   medium
ocp4-cis-accounts-unique-service-account                           MANUAL   medium
ocp4-cis-api-server-admission-control-plugin-alwaysadmit           PASS     medium
ocp4-cis-api-server-admission-control-plugin-alwayspullimages      PASS     high
ocp4-cis-api-server-admission-control-plugin-namespacelifecycle    PASS     medium
ocp4-cis-api-server-admission-control-plugin-noderestriction       PASS     medium
ocp4-cis-api-server-admission-control-plugin-scc                   PASS     medium
ocp4-cis-api-server-admission-control-plugin-securitycontextdeny   PASS     medium
ocp4-cis-api-server-admission-control-plugin-serviceaccount        PASS     medium
$ ./oc-compliance view-result ocp4-cis-accounts-restrict-service-account-tokens
+----------------------+---------------------------------------------------+
|         KEY          |                       VALUE                       |
+----------------------+---------------------------------------------------+
| Title                | Restrict Automounting of                          |
|                      | Service Account Tokens                            |
+----------------------+---------------------------------------------------+
| Status               | MANUAL                                            |
+----------------------+---------------------------------------------------+
| Severity             | medium                                            |
+----------------------+---------------------------------------------------+
| Description          | Service accounts tokens                           |
|                      | should not be mounted in pods                     |
|                      | except where the workload                         |
|                      | running in the pod explicitly                     |
|                      | needs to communicate with                         |
|                      | the API server. To ensure                         |
|                      | pods do not automatically                         |
|                      | mount tokens, set                                 |
|                      | automountServiceAccountToken                      |
|                      | to false.                                         |
+----------------------+---------------------------------------------------+
| Rationale            | Mounting service account                          |
|                      | tokens inside pods can provide                    |
|                      | an avenue for privilege                           |
|                      | escalation attacks where an                       |
|                      | attacker is able to compromise                    |
|                      | a single pod in the cluster.                      |
+----------------------+---------------------------------------------------+
| Instructions         | For each pod in the cluster,                      |
|                      | review the pod specification                      |
|                      | and                                               |
|                      |                                                   |
|                      | ensure that pods that do not                      |
|                      | need to explicitly communicate                    |
|                      | with                                              |
|                      |                                                   |
|                      | the API server have                               |
|                      | automountServiceAccountToken                      |
|                      |                                                   |
|                      | configured to false.                              |
+----------------------+---------------------------------------------------+
| CIS-OCP Controls     | 5.1.6                                             |
+----------------------+---------------------------------------------------+
| NIST-800-53 Controls | CM-6, CM-6(1)                                     |
+----------------------+---------------------------------------------------+
| Available Fix        | No                                                |
+----------------------+---------------------------------------------------+
| Result Object Name   | ocp4-cis-accounts-restrict-service-account-tokens |
+----------------------+---------------------------------------------------+
| Rule Object Name     | ocp4-accounts-restrict-service-account-tokens     |
+----------------------+---------------------------------------------------+
| Remediation Created  | No                                                |
+----------------------+---------------------------------------------------+
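The fetch-raw step in the verification above leaves one bzip2-compressed ARF document per scanner pod under a directory named after the scan (test1/ocp4-cis/ocp4-cis-api-checks-pod.xml.bzip2), and the comment only decompresses one and looks at its first ten lines. The script below is an added example, not code from oc-compliance or the Compliance Operator: it walks such a results directory, decompresses every file, pulls the XCCDF rule-result elements out of the ARF wrapper and tallies them per scan, listing the rules whose result is fail, error, unknown or notchecked (the last is what the scanner reports for rules that need a manual review). The sample ARF embedded in it is constructed for the example; the rule ids, severities and results in it are made up, and the directory layout is assumed from the fetch-raw output shown above.

```python
"""Summarise the raw ARF results that `oc-compliance fetch-raw` writes to disk.

Added example, not part of oc-compliance or the Compliance Operator. fetch-raw
leaves one <scan>-<pod>.xml.bzip2 per scanner pod under a directory named after
the scan; each file is an ARF document wrapping an XCCDF TestResult with one
<rule-result> per rule. This tallies results per scan and lists the rules that
still need a human look, which `bunzip2 | head` alone does not show.
"""
import bz2
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF results that are neither a clean pass nor notapplicable.
NEEDS_ATTENTION = ("fail", "error", "unknown", "notchecked")

# Constructed sample ARF, trimmed to the elements this script reads. The rule
# ids and results are made up for the example, not copied from a real scan.
SAMPLE_ARF = """<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
 <arf:reports><arf:report id="xccdf1"><arf:content>
  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
   <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_anonymous_auth" severity="medium">
    <result>pass</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize" severity="medium">
    <result>fail</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens" severity="medium">
    <result>notchecked</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_insecure_port" severity="high">
    <result>notapplicable</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
"""


def parse_arf(data):
    """Return [(rule idref, severity, result), ...] for every rule-result in an ARF document.

    Elements are looked up by the XCCDF 1.2 namespace rather than a fixed path, so
    the depth at which ARF nests the TestResult does not matter. ElementTree is the
    stdlib parser; for files from an untrusted source, use defusedxml instead.
    """
    root = ET.fromstring(data)
    rows = []
    for rr in root.iter("{%s}rule-result" % XCCDF_NS):
        res = rr.find("{%s}result" % XCCDF_NS)
        result = res.text.strip() if res is not None and res.text else "unknown"
        rows.append((rr.get("idref", ""), rr.get("severity", ""), result))
    return rows


def short_rule_name(idref):
    """'xccdf_org.ssgproject.content_rule_foo_bar' -> 'foo_bar'."""
    return idref.rsplit("_rule_", 1)[-1]


def summarize_results_dir(results_dir):
    """Walk a fetch-raw output directory (one subdirectory per scan) and tally results.

    Returns {scan: {"counts": {result: n}, "attention": [(rule, severity, result), ...]}}.
    """
    summary = {}
    for scan in sorted(os.listdir(results_dir)):
        scan_dir = os.path.join(results_dir, scan)
        if not os.path.isdir(scan_dir):
            continue
        counts, attention = Counter(), []
        for name in sorted(os.listdir(scan_dir)):
            if not name.endswith(".xml.bzip2"):
                continue
            with bz2.open(os.path.join(scan_dir, name), "rb") as fh:
                rows = parse_arf(fh.read())
            for idref, severity, result in rows:
                counts[result] += 1
                if result in NEEDS_ATTENTION:
                    attention.append((short_rule_name(idref), severity, result))
        summary[scan] = {"counts": dict(counts), "attention": attention}
    return summary


def build_sample_tree(base_dir):
    """Lay the sample out the way fetch-raw does: <base>/<scan>/<scan>-<pod>.xml.bzip2."""
    scan_dir = os.path.join(base_dir, "ocp4-cis")
    os.makedirs(scan_dir, exist_ok=True)
    with open(os.path.join(scan_dir, "ocp4-cis-api-checks-pod.xml.bzip2"), "wb") as fh:
        fh.write(bz2.compress(SAMPLE_ARF.encode("utf-8")))
    return base_dir


def demo():
    """Summarise the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize_results_dir(build_sample_tree(tmp))


if __name__ == "__main__":
    for scan, info in demo().items():
        print(scan, info["counts"])
        for rule, severity, result in info["attention"]:
            print("  %-11s %-7s %s" % (result, severity, rule))
```

To use it against a real fetch-raw tree, call summarize_results_dir("./test1") instead of demo(); the three scan directories (ocp4-cis, ocp4-cis-node-worker, ocp4-cis-node-master) each become one entry in the returned summary.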
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Initial release of the oc-compliance plug-in), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:2489