Bug 2040282
| Summary: | Some rhcos rules have no scan type, all the rhcos rules should be marked as 'node' | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | hongyan li <hongyli> |
| Component: | Compliance Operator | Assignee: | Vincent Shen <wenshen> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.10 | CC: | jhrozek, lbragsta, mrogers, stevsmit, wenshen, xiyuan |
| Target Milestone: | --- | | |
| Target Release: | 4.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-02-07 05:46:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

* Previously, some rules associated with extended Open Vulnerability and Assessment Language (OVAL) definitions had a `checkType` of `None`. This was because the Compliance Operator was not processing extended OVAL definitions when parsing rules. With this update, content from extended OVAL definitions is parsed so that these rules now have a `checkType` of either `Node` or `Platform`. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2040282[*BZ#2040282*])
Related fix PR: https://github.com/openshift/compliance-operator/pull/774

[Bug_Verification]
Looks good. The rules without checkType are reduced to 60 now, it was around 116 before the fix.
Verified on:
4.10.0-0.nightly-2022-01-31-012936 + compliance-operator.v0.1.48
$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.48 Compliance Operator 0.1.48 Succeeded
elasticsearch-operator.5.3.4-13 OpenShift Elasticsearch Operator 5.3.4-13 Succeeded
$ oc get pods
NAME READY STATUS RESTARTS AGE
compliance-operator-bddd85dfd-xx8ns 1/1 Running 1 (3h16m ago) 3h17m
ocp4-openshift-compliance-pp-7785bff67c-6dw4q 1/1 Running 0 3h16m
rhcos4-openshift-compliance-pp-c84d79c7-jgzvm 1/1 Running 0 3h16m
$ oc get profile.compliance
NAME AGE
ocp4-cis 3h16m
ocp4-cis-node 3h16m
ocp4-e8 3h16m
ocp4-moderate 3h16m
ocp4-moderate-node 3h16m
ocp4-nerc-cip 3h16m
ocp4-nerc-cip-node 3h16m
ocp4-pci-dss 3h16m
ocp4-pci-dss-node 3h16m
rhcos4-e8 3h16m
rhcos4-moderate 3h16m
rhcos4-nerc-cip 3h16m
$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Platform")]}{.metadata.name}{"\n"}{end}'|wc -l
116
$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Platform")]}{.metadata.name}{"\n"}{end}' |head
ocp4-api-server-admission-control-plugin-alwaysadmit
ocp4-api-server-admission-control-plugin-alwayspullimages
ocp4-api-server-admission-control-plugin-namespacelifecycle
ocp4-api-server-admission-control-plugin-noderestriction
ocp4-api-server-admission-control-plugin-scc
ocp4-api-server-admission-control-plugin-securitycontextdeny
ocp4-api-server-admission-control-plugin-serviceaccount
ocp4-api-server-anonymous-auth
ocp4-api-server-api-priority-flowschema-catch-all
ocp4-api-server-api-priority-gate-enabled
$ oc get rule ocp4-api-server-admission-control-plugin-alwaysadmit -ojsonpath={.checkType}
Platform
$ oc get rule ocp4-api-server-api-priority-gate-enabled -ojsonpath={.checkType}
Platform
$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Node")]}{.metadata.name}{"\n"}{end}'| wc -l
647
$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Node")]}{.metadata.name}{"\n"}{end}'| tail -15
rhcos4-sysctl-net-ipv6-conf-default-accept-redirects
rhcos4-sysctl-net-ipv6-conf-default-accept-source-route
rhcos4-sysctl-net-ipv6-conf-default-disable-ipv6
rhcos4-sysctl-user-max-user-namespaces
rhcos4-usbguard-allow-hid
rhcos4-usbguard-allow-hid-and-hub
rhcos4-usbguard-allow-hub
rhcos4-wireless-disable-interfaces
rhcos4-zipl-audit-argument
rhcos4-zipl-audit-backlog-limit-argument
rhcos4-zipl-bls-entries-only
rhcos4-zipl-bootmap-is-up-to-date
rhcos4-zipl-page-poison-argument
rhcos4-zipl-slub-debug-argument
rhcos4-zipl-vsyscall-argument
$ oc get rule rhcos4-sysctl-user-max-user-namespaces -ojsonpath={.checkType}
Node
$ oc get rule rhcos4-zipl-vsyscall-argument -ojsonpath={.checkType}
Node
$ rulesWithCheckType=$(oc get rules.compliance -ojsonpath='{range .items[?(@.checkType)]}{.metadata.name}{"|"}{end}')
$ oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?} |wc -l
60
$ oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?} |tail
rhcos4-postfix-client-configure-relayhost
rhcos4-rsyslog-accept-remote-messages-tcp
rhcos4-rsyslog-accept-remote-messages-udp
rhcos4-set-ip6tables-default-rule
rhcos4-set-iptables-default-rule
rhcos4-set-iptables-default-rule-forward
rhcos4-sshd-limit-user-access
rhcos4-sysctl-crypto-fips-enabled
rhcos4-wireless-disable-in-bios
rhcos4-zipl-enable-selinux
$ oc get rule rhcos4-zipl-enable-selinux -ojsonpath={.checkType}
No result
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:0416
Description of problem:
Some rhcos rules have no scan type, all the rhcos rules should be marked as 'node'

Version-Release number of selected component (if applicable):
OCP: 4.10.0-0.nightly-2022-01-11-065245
Compliance Operator: compliance-operator.v0.1.47

How reproducible:
Always

Steps to Reproduce:
1. Get all the rules name with checkType
% rulesWithCheckType=$(oc get rules.compliance -ojsonpath='{range .items[?(@.checkType)]}{.metadata.name}{"|"}{end}')

2. Find rules without checkType
% oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?}
ocp4-accounts-restrict-service-account-tokens
ocp4-accounts-unique-service-account
ocp4-api-server-oauth-https-serving-cert
ocp4-api-server-openshift-https-serving-cert
ocp4-banner-or-login-template-set
ocp4-configure-network-policies
ocp4-controller-terminated-pod-gc-threshhold
ocp4-file-groupowner-kubeconfig
ocp4-file-groupowner-proxy-kubeconfig
ocp4-file-owner-kubeconfig
ocp4-file-owner-proxy-kubeconfig
ocp4-file-permissions-kube-scheduler
ocp4-file-permissions-kubeconfig
ocp4-general-apply-scc
ocp4-general-configure-imagepolicywebhook
ocp4-general-default-namespace-use
ocp4-general-default-seccomp-profile
ocp4-general-namespaces-in-use
ocp4-kubelet-disable-hostname-override
ocp4-kubelet-enable-protect-kernel-sysctl
ocp4-machine-volume-encrypted
ocp4-oauth-or-oauthclient-inactivity-timeout
ocp4-oauth-or-oauthclient-token-maxage
ocp4-partition-for-var-log-kube-apiserver
ocp4-partition-for-var-log-oauth-apiserver
ocp4-partition-for-var-log-openshift-apiserver
ocp4-rbac-limit-cluster-admin
ocp4-rbac-limit-secrets-access
ocp4-rbac-pod-creation-access
ocp4-rbac-wildcard-use
ocp4-resource-requests-quota
ocp4-scc-drop-container-capabilities
ocp4-scc-limit-ipc-namespace
ocp4-scc-limit-net-raw-capability
ocp4-scc-limit-network-namespace
ocp4-scc-limit-privilege-escalation
ocp4-scc-limit-privileged-containers
ocp4-scc-limit-process-id-namespace
ocp4-scc-limit-root-containers
ocp4-secrets-consider-external-storage
ocp4-secrets-no-environment-variables
rhcos4-account-use-centralized-automated-auth
rhcos4-audit-rules-file-deletion-events
rhcos4-audit-rules-kernel-module-loading
rhcos4-audit-rules-login-events
rhcos4-audit-rules-unsuccessful-file-modification
rhcos4-auditd-audispd-disk-full-action
rhcos4-auditd-audispd-network-failure-action
rhcos4-avahi-disable-publishing
rhcos4-bios-disable-usb-boot
rhcos4-chronyd-or-ntpd-specify-multiple-servers
rhcos4-chronyd-or-ntpd-specify-remote-server
rhcos4-configure-user-data-backups
rhcos4-dhcp-client-restrict-options
rhcos4-dhcp-server-minimize-served-info
rhcos4-encrypt-partitions
rhcos4-ftp-configure-firewall
rhcos4-ftp-limit-users
rhcos4-installed-os-is-fips-certified
rhcos4-iptables-sshd-disabled
rhcos4-kernel-disable-entropy-contribution-for-solid-state-drives
rhcos4-no-all-squash-exports
rhcos4-no-password-auth-for-systemaccounts
rhcos4-postfix-client-configure-relayhost
rhcos4-rsyslog-accept-remote-messages-tcp
rhcos4-rsyslog-accept-remote-messages-udp
rhcos4-service-chronyd-or-ntpd-enabled
rhcos4-set-ip6tables-default-rule
rhcos4-set-iptables-default-rule
rhcos4-set-iptables-default-rule-forward
rhcos4-sshd-limit-user-access
rhcos4-sudo-require-authentication
rhcos4-sysctl-crypto-fips-enabled
rhcos4-sysctl-fs-protected-hardlinks
rhcos4-sysctl-fs-protected-symlinks
rhcos4-sysctl-fs-suid-dumpable
rhcos4-sysctl-kernel-core-pattern
rhcos4-sysctl-kernel-dmesg-restrict
rhcos4-sysctl-kernel-kexec-load-disabled
rhcos4-sysctl-kernel-kptr-restrict
rhcos4-sysctl-kernel-perf-event-paranoid
rhcos4-sysctl-kernel-randomize-va-space
rhcos4-sysctl-kernel-unprivileged-bpf-disabled
rhcos4-sysctl-kernel-yama-ptrace-scope
rhcos4-sysctl-net-core-bpf-jit-harden
rhcos4-sysctl-net-ipv4-conf-all-accept-redirects
rhcos4-sysctl-net-ipv4-conf-all-accept-source-route
rhcos4-sysctl-net-ipv4-conf-all-log-martians
rhcos4-sysctl-net-ipv4-conf-all-rp-filter
rhcos4-sysctl-net-ipv4-conf-all-secure-redirects
rhcos4-sysctl-net-ipv4-conf-all-send-redirects
rhcos4-sysctl-net-ipv4-conf-default-accept-redirects
rhcos4-sysctl-net-ipv4-conf-default-accept-source-route
rhcos4-sysctl-net-ipv4-conf-default-log-martians
rhcos4-sysctl-net-ipv4-conf-default-rp-filter
rhcos4-sysctl-net-ipv4-conf-default-secure-redirects
rhcos4-sysctl-net-ipv4-conf-default-send-redirects
rhcos4-sysctl-net-ipv4-icmp-echo-ignore-broadcasts
rhcos4-sysctl-net-ipv4-icmp-ignore-bogus-error-responses
rhcos4-sysctl-net-ipv4-ip-forward
rhcos4-sysctl-net-ipv4-tcp-invalid-ratelimit
rhcos4-sysctl-net-ipv4-tcp-syncookies
rhcos4-sysctl-net-ipv6-conf-all-accept-ra
rhcos4-sysctl-net-ipv6-conf-all-accept-redirects
rhcos4-sysctl-net-ipv6-conf-all-accept-source-route
rhcos4-sysctl-net-ipv6-conf-all-disable-ipv6
rhcos4-sysctl-net-ipv6-conf-default-accept-ra
rhcos4-sysctl-net-ipv6-conf-default-accept-redirects
rhcos4-sysctl-net-ipv6-conf-default-accept-source-route
rhcos4-sysctl-net-ipv6-conf-default-disable-ipv6
rhcos4-sysctl-user-max-user-namespaces
rhcos4-usbguard-allow-hid
rhcos4-usbguard-allow-hid-and-hub
rhcos4-usbguard-allow-hub
rhcos4-wireless-disable-in-bios
rhcos4-zipl-enable-selinux

3. Check checkType of specific rule
% oc get rule rhcos4-zipl-enable-selinux -ojsonpath={.checkType}
No result
% oc get rule rhcos4-sysctl-user-max-user-namespaces -ojsonpath={.checkType}
No result

Actual results:
Many rhcos rules have no scan type

Expected results:
In general the algorithm is as follows:
- does the rule have an OVAL check (automated check)?
  no: type = None
  yes:
  - does the rule check a kube object?
    no: node rule
    yes: platform rule
so all the rhcos rules should be marked as 'node' not 'none'.

Additional info:
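The checkType algorithm from the Expected results above, carried through on OVAL content, as an added example that is not the Compliance Operator's own code. It also reproduces the cause the doc text names: a parser that only follows a definition's direct criterion test references sees no test at all for a rule whose criteria consist solely of extend_definition references (the typical shape of a sysctl rule with a static and a runtime sub-definition), and so reports checkType None; following extended definitions recursively classifies the same rule as Node. The OVAL document, the definition and test ids, and the heuristic that a test whose object filepath starts with "/api" reads a kube object are all constructed for this example and are assumptions, not the operator's real logic.

```python
"""Derive checkType (None / Node / Platform) from an OVAL definition.

Added example, not Compliance Operator code. Assumptions: the OVAL document
below is constructed; "object filepath starts with /api" stands in for
"the rule checks a kube object".
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
NS = {"oval-def": OVAL_NS, "ind": IND_NS}

# Constructed OVAL: a sysctl rule built only from extend_definition references,
# its two helper definitions, a platform rule with a direct criterion, and a
# rule with no automated check at all.
SAMPLE_OVAL = f"""<oval-def:oval_definitions xmlns:oval-def="{OVAL_NS}" xmlns:ind="{IND_NS}">
<oval-def:definitions>
 <oval-def:definition id="oval:ssg-sysctl_user_max_user_namespaces:def:1" class="compliance" version="1">
  <oval-def:criteria operator="AND">
   <oval-def:extend_definition definition_ref="oval:ssg-sysctl_static:def:1" comment="persistent setting"/>
   <oval-def:extend_definition definition_ref="oval:ssg-sysctl_runtime:def:1" comment="runtime setting"/>
  </oval-def:criteria>
 </oval-def:definition>
 <oval-def:definition id="oval:ssg-sysctl_static:def:1" class="compliance" version="1">
  <oval-def:criteria><oval-def:criterion test_ref="oval:ssg-test_static:tst:1" comment="sysctl.d"/></oval-def:criteria>
 </oval-def:definition>
 <oval-def:definition id="oval:ssg-sysctl_runtime:def:1" class="compliance" version="1">
  <oval-def:criteria><oval-def:criterion test_ref="oval:ssg-test_runtime:tst:1" comment="/proc/sys"/></oval-def:criteria>
 </oval-def:definition>
 <oval-def:definition id="oval:ssg-api_server_anonymous_auth:def:1" class="compliance" version="1">
  <oval-def:criteria><oval-def:criterion test_ref="oval:ssg-test_api:tst:1" comment="apiserver config"/></oval-def:criteria>
 </oval-def:definition>
 <oval-def:definition id="oval:ssg-manual_only:def:1" class="compliance" version="1">
  <oval-def:criteria/>
 </oval-def:definition>
</oval-def:definitions>
<oval-def:tests>
 <ind:textfilecontent54_test id="oval:ssg-test_static:tst:1" check="all" version="1"><ind:object object_ref="oval:ssg-obj_static:obj:1"/></ind:textfilecontent54_test>
 <ind:textfilecontent54_test id="oval:ssg-test_runtime:tst:1" check="all" version="1"><ind:object object_ref="oval:ssg-obj_runtime:obj:1"/></ind:textfilecontent54_test>
 <ind:yamlfilecontent_test id="oval:ssg-test_api:tst:1" check="all" version="1"><ind:object object_ref="oval:ssg-obj_api:obj:1"/></ind:yamlfilecontent_test>
</oval-def:tests>
<oval-def:objects>
 <ind:textfilecontent54_object id="oval:ssg-obj_static:obj:1" version="1"><ind:filepath>/etc/sysctl.d/99-sysctl.conf</ind:filepath></ind:textfilecontent54_object>
 <ind:textfilecontent54_object id="oval:ssg-obj_runtime:obj:1" version="1"><ind:filepath>/proc/sys/user/max_user_namespaces</ind:filepath></ind:textfilecontent54_object>
 <ind:yamlfilecontent_object id="oval:ssg-obj_api:obj:1" version="1"><ind:filepath>/api/v1/namespaces/openshift-kube-apiserver/configmaps/config</ind:filepath></ind:yamlfilecontent_object>
</oval-def:objects>
</oval-def:oval_definitions>"""


def _index(root):
    """Map every definition, test and object id to its element."""
    defs = {d.get("id"): d for d in root.findall("oval-def:definitions/oval-def:definition", NS)}
    tests = {t.get("id"): t for t in root.find("oval-def:tests", NS)}
    objs = {o.get("id"): o for o in root.find("oval-def:objects", NS)}
    return defs, tests, objs


def reachable_tests(def_id, defs, follow_extends, seen=None):
    """Collect the test_refs a definition depends on. With follow_extends=False
    this is the pre-fix behaviour: extend_definition children are ignored."""
    seen = set() if seen is None else seen
    if def_id in seen or def_id not in defs:
        return set()
    seen.add(def_id)
    definition = defs[def_id]
    refs = {c.get("test_ref") for c in definition.iter(f"{{{OVAL_NS}}}criterion")}
    if follow_extends:
        for ext in definition.iter(f"{{{OVAL_NS}}}extend_definition"):
            refs |= reachable_tests(ext.get("definition_ref"), defs, True, seen)
    return refs


def _object_path(test_id, tests, objs):
    """Filepath of the object a test examines ("" if the object has none)."""
    obj_ref = tests[test_id].find("ind:object", NS).get("object_ref")
    path = objs[obj_ref].find("ind:filepath", NS)
    return path.text if path is not None else ""


def check_type(def_id, defs, tests, objs, follow_extends=True):
    """The algorithm from the report: no check -> None; kube object -> Platform; else Node."""
    refs = reachable_tests(def_id, defs, follow_extends)
    if not refs:
        return "None"
    if any(_object_path(t, tests, objs).startswith("/api") for t in refs):  # assumption
        return "Platform"
    return "Node"


def classify_rules(oval_xml, follow_extends=True):
    """Return {definition id: checkType} for every definition in the document."""
    defs, tests, objs = _index(ET.fromstring(oval_xml))
    return {d: check_type(d, defs, tests, objs, follow_extends) for d in defs}


if __name__ == "__main__":
    before = classify_rules(SAMPLE_OVAL, follow_extends=False)
    after = classify_rules(SAMPLE_OVAL)
    for rule in before:
        print(f"{rule:50} before={before[rule]:8} after={after[rule]}")
```

Run it and the sysctl rule flips from None to Node once extended definitions are followed, while the platform rule and the rule without any test are classified the same way in both modes. The same walk is what a reviewer would expect to see when checking that a content build leaves no rhcos4 rule with an empty checkType.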