Description of problem:
Some rhcos rules have no scan type; all the rhcos rules should be marked as 'node'

Version-Release number of selected component (if applicable):
OCP: 4.10.0-0.nightly-2022-01-11-065245
Compliance Operator: compliance-operator.v0.1.47

How reproducible:
Always

Steps to Reproduce:
1. Get all the rule names with checkType
% rulesWithCheckType=$(oc get rules.compliance -ojsonpath='{range .items[?(@.checkType)]}{.metadata.name}{"|"}{end}')

2. Find rules without checkType
% oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?}
ocp4-accounts-restrict-service-account-tokens
ocp4-accounts-unique-service-account
ocp4-api-server-oauth-https-serving-cert
ocp4-api-server-openshift-https-serving-cert
ocp4-banner-or-login-template-set
ocp4-configure-network-policies
ocp4-controller-terminated-pod-gc-threshhold
ocp4-file-groupowner-kubeconfig
ocp4-file-groupowner-proxy-kubeconfig
ocp4-file-owner-kubeconfig
ocp4-file-owner-proxy-kubeconfig
ocp4-file-permissions-kube-scheduler
ocp4-file-permissions-kubeconfig
ocp4-general-apply-scc
ocp4-general-configure-imagepolicywebhook
ocp4-general-default-namespace-use
ocp4-general-default-seccomp-profile
ocp4-general-namespaces-in-use
ocp4-kubelet-disable-hostname-override
ocp4-kubelet-enable-protect-kernel-sysctl
ocp4-machine-volume-encrypted
ocp4-oauth-or-oauthclient-inactivity-timeout
ocp4-oauth-or-oauthclient-token-maxage
ocp4-partition-for-var-log-kube-apiserver
ocp4-partition-for-var-log-oauth-apiserver
ocp4-partition-for-var-log-openshift-apiserver
ocp4-rbac-limit-cluster-admin
ocp4-rbac-limit-secrets-access
ocp4-rbac-pod-creation-access
ocp4-rbac-wildcard-use
ocp4-resource-requests-quota
ocp4-scc-drop-container-capabilities
ocp4-scc-limit-ipc-namespace
ocp4-scc-limit-net-raw-capability
ocp4-scc-limit-network-namespace
ocp4-scc-limit-privilege-escalation
ocp4-scc-limit-privileged-containers
ocp4-scc-limit-process-id-namespace
ocp4-scc-limit-root-containers
ocp4-secrets-consider-external-storage
ocp4-secrets-no-environment-variables
rhcos4-account-use-centralized-automated-auth
rhcos4-audit-rules-file-deletion-events
rhcos4-audit-rules-kernel-module-loading
rhcos4-audit-rules-login-events
rhcos4-audit-rules-unsuccessful-file-modification
rhcos4-auditd-audispd-disk-full-action
rhcos4-auditd-audispd-network-failure-action
rhcos4-avahi-disable-publishing
rhcos4-bios-disable-usb-boot
rhcos4-chronyd-or-ntpd-specify-multiple-servers
rhcos4-chronyd-or-ntpd-specify-remote-server
rhcos4-configure-user-data-backups
rhcos4-dhcp-client-restrict-options
rhcos4-dhcp-server-minimize-served-info
rhcos4-encrypt-partitions
rhcos4-ftp-configure-firewall
rhcos4-ftp-limit-users
rhcos4-installed-os-is-fips-certified
rhcos4-iptables-sshd-disabled
rhcos4-kernel-disable-entropy-contribution-for-solid-state-drives
rhcos4-no-all-squash-exports
rhcos4-no-password-auth-for-systemaccounts
rhcos4-postfix-client-configure-relayhost
rhcos4-rsyslog-accept-remote-messages-tcp
rhcos4-rsyslog-accept-remote-messages-udp
rhcos4-service-chronyd-or-ntpd-enabled
rhcos4-set-ip6tables-default-rule
rhcos4-set-iptables-default-rule
rhcos4-set-iptables-default-rule-forward
rhcos4-sshd-limit-user-access
rhcos4-sudo-require-authentication
rhcos4-sysctl-crypto-fips-enabled
rhcos4-sysctl-fs-protected-hardlinks
rhcos4-sysctl-fs-protected-symlinks
rhcos4-sysctl-fs-suid-dumpable
rhcos4-sysctl-kernel-core-pattern
rhcos4-sysctl-kernel-dmesg-restrict
rhcos4-sysctl-kernel-kexec-load-disabled
rhcos4-sysctl-kernel-kptr-restrict
rhcos4-sysctl-kernel-perf-event-paranoid
rhcos4-sysctl-kernel-randomize-va-space
rhcos4-sysctl-kernel-unprivileged-bpf-disabled
rhcos4-sysctl-kernel-yama-ptrace-scope
rhcos4-sysctl-net-core-bpf-jit-harden
rhcos4-sysctl-net-ipv4-conf-all-accept-redirects
rhcos4-sysctl-net-ipv4-conf-all-accept-source-route
rhcos4-sysctl-net-ipv4-conf-all-log-martians
rhcos4-sysctl-net-ipv4-conf-all-rp-filter
rhcos4-sysctl-net-ipv4-conf-all-secure-redirects
rhcos4-sysctl-net-ipv4-conf-all-send-redirects
rhcos4-sysctl-net-ipv4-conf-default-accept-redirects
rhcos4-sysctl-net-ipv4-conf-default-accept-source-route
rhcos4-sysctl-net-ipv4-conf-default-log-martians
rhcos4-sysctl-net-ipv4-conf-default-rp-filter
rhcos4-sysctl-net-ipv4-conf-default-secure-redirects
rhcos4-sysctl-net-ipv4-conf-default-send-redirects
rhcos4-sysctl-net-ipv4-icmp-echo-ignore-broadcasts
rhcos4-sysctl-net-ipv4-icmp-ignore-bogus-error-responses
rhcos4-sysctl-net-ipv4-ip-forward
rhcos4-sysctl-net-ipv4-tcp-invalid-ratelimit
rhcos4-sysctl-net-ipv4-tcp-syncookies
rhcos4-sysctl-net-ipv6-conf-all-accept-ra
rhcos4-sysctl-net-ipv6-conf-all-accept-redirects
rhcos4-sysctl-net-ipv6-conf-all-accept-source-route
rhcos4-sysctl-net-ipv6-conf-all-disable-ipv6
rhcos4-sysctl-net-ipv6-conf-default-accept-ra
rhcos4-sysctl-net-ipv6-conf-default-accept-redirects
rhcos4-sysctl-net-ipv6-conf-default-accept-source-route
rhcos4-sysctl-net-ipv6-conf-default-disable-ipv6
rhcos4-sysctl-user-max-user-namespaces
rhcos4-usbguard-allow-hid
rhcos4-usbguard-allow-hid-and-hub
rhcos4-usbguard-allow-hub
rhcos4-wireless-disable-in-bios
rhcos4-zipl-enable-selinux

3. Check checkType of specific rule
% oc get rule rhcos4-zipl-enable-selinux -ojsonpath={.checkType}
No result
% oc get rule rhcos4-sysctl-user-max-user-namespaces -ojsonpath={.checkType}
No result

Actual results:
Many rhcos rules have no scan type

Expected results:
In general the algorithm is as follows:
- does the rule have an OVAL check (automated check)?
  no: type = None
  yes:
  - does the rule check a kube object?
    no: node rule
    yes: platform rule
so all the rhcos rules should be marked as 'node', not 'none'.

Additional info:
Related fix PR: https://github.com/openshift/compliance-operator/pull/774
[Bug_Verification]
Looks good. The rules without checkType are reduced to 60 now; it was around 116 before the fix.

Verified on: 4.10.0-0.nightly-2022-01-31-012936 + compliance-operator.v0.1.48

$ oc get csv
NAME                             DISPLAY                            VERSION    REPLACES   PHASE
compliance-operator.v0.1.48      Compliance Operator                0.1.48                Succeeded
elasticsearch-operator.5.3.4-13  OpenShift Elasticsearch Operator   5.3.4-13              Succeeded

$ oc get pods
NAME                                            READY   STATUS    RESTARTS        AGE
compliance-operator-bddd85dfd-xx8ns             1/1     Running   1 (3h16m ago)   3h17m
ocp4-openshift-compliance-pp-7785bff67c-6dw4q   1/1     Running   0               3h16m
rhcos4-openshift-compliance-pp-c84d79c7-jgzvm   1/1     Running   0               3h16m

$ oc get profile.compliance
NAME                 AGE
ocp4-cis             3h16m
ocp4-cis-node        3h16m
ocp4-e8              3h16m
ocp4-moderate        3h16m
ocp4-moderate-node   3h16m
ocp4-nerc-cip        3h16m
ocp4-nerc-cip-node   3h16m
ocp4-pci-dss         3h16m
ocp4-pci-dss-node    3h16m
rhcos4-e8            3h16m
rhcos4-moderate      3h16m
rhcos4-nerc-cip      3h16m

$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Platform")]}{.metadata.name}{"\n"}{end}'|wc -l
116

$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Platform")]}{.metadata.name}{"\n"}{end}' |head
ocp4-api-server-admission-control-plugin-alwaysadmit
ocp4-api-server-admission-control-plugin-alwayspullimages
ocp4-api-server-admission-control-plugin-namespacelifecycle
ocp4-api-server-admission-control-plugin-noderestriction
ocp4-api-server-admission-control-plugin-scc
ocp4-api-server-admission-control-plugin-securitycontextdeny
ocp4-api-server-admission-control-plugin-serviceaccount
ocp4-api-server-anonymous-auth
ocp4-api-server-api-priority-flowschema-catch-all
ocp4-api-server-api-priority-gate-enabled

$ oc get rule ocp4-api-server-admission-control-plugin-alwaysadmit -ojsonpath={.checkType}
Platform
$ oc get rule ocp4-api-server-api-priority-gate-enabled -ojsonpath={.checkType}
Platform

$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Node")]}{.metadata.name}{"\n"}{end}'| wc -l
647

$ oc get rules.compliance -ojsonpath='{range .items[?(@.checkType=="Node")]}{.metadata.name}{"\n"}{end}'| tail -15
rhcos4-sysctl-net-ipv6-conf-default-accept-redirects
rhcos4-sysctl-net-ipv6-conf-default-accept-source-route
rhcos4-sysctl-net-ipv6-conf-default-disable-ipv6
rhcos4-sysctl-user-max-user-namespaces
rhcos4-usbguard-allow-hid
rhcos4-usbguard-allow-hid-and-hub
rhcos4-usbguard-allow-hub
rhcos4-wireless-disable-interfaces
rhcos4-zipl-audit-argument
rhcos4-zipl-audit-backlog-limit-argument
rhcos4-zipl-bls-entries-only
rhcos4-zipl-bootmap-is-up-to-date
rhcos4-zipl-page-poison-argument
rhcos4-zipl-slub-debug-argument
rhcos4-zipl-vsyscall-argument

$ oc get rule rhcos4-sysctl-user-max-user-namespaces -ojsonpath={.checkType}
Node
$ oc get rule rhcos4-zipl-vsyscall-argument -ojsonpath={.checkType}
Node

$ rulesWithCheckType=$(oc get rules.compliance -ojsonpath='{range .items[?(@.checkType)]}{.metadata.name}{"|"}{end}')
$ oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?} |wc -l
60

$ oc get rules.compliance -ojsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'|grep -Ev ${rulesWithCheckType%?} |tail
rhcos4-postfix-client-configure-relayhost
rhcos4-rsyslog-accept-remote-messages-tcp
rhcos4-rsyslog-accept-remote-messages-udp
rhcos4-set-ip6tables-default-rule
rhcos4-set-iptables-default-rule
rhcos4-set-iptables-default-rule-forward
rhcos4-sshd-limit-user-access
rhcos4-sysctl-crypto-fips-enabled
rhcos4-wireless-disable-in-bios
rhcos4-zipl-enable-selinux

$ oc get rule rhcos4-zipl-enable-selinux -ojsonpath={.checkType}
No result
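Added example for the reproduction steps in the description and the verification commands above; this is not code from the bug report or from the compliance-operator project. It reads the JSON that `oc get rules.compliance -o json` prints (assumed to be a v1 List whose items are Rule objects with a top-level `checkType` field, matching the `.checkType` jsonpath used throughout the bug), groups rules by checkType, and lists the rules that lack one by exact name comparison. The `grep -Ev name1|name2|...` filter in the steps is unanchored, so an untagged rule whose name contains a tagged rule's name as a substring silently disappears from the "missing" list; `grep_style_missing` reproduces that behaviour so the two can be compared. The sample document is constructed: the rule names are taken from the bug, but the checkType values are assigned for illustration, and in particular rhcos4-set-iptables-default-rule is given "Node" here only to trigger the substring case (the verification output still shows it without a checkType). `rhcos_rules_not_node` checks the invariant the bug asks for, that every rhcos4-* rule is a Node rule.

```python
"""Group Compliance Operator Rule objects by checkType and find the untagged ones.

Added example, not code from the bug report or the compliance-operator project.
Assumes `oc get rules.compliance -o json` returns a v1 List whose items are
Rule objects carrying a top-level "checkType" field.
"""
import json
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample standing in for `oc get rules.compliance -o json`.
# Rule names come from the bug report; the checkType values are assumed for
# illustration. rhcos4-set-iptables-default-rule is tagged "Node" here only so
# that its name is a substring of an untagged rule's name (the report itself
# lists it without a checkType).
SAMPLE_RULES = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Rule", "metadata": {"name": "ocp4-api-server-anonymous-auth"},
         "checkType": "Platform"},
        {"kind": "Rule", "metadata": {"name": "rhcos4-sysctl-user-max-user-namespaces"},
         "checkType": "Node"},
        {"kind": "Rule", "metadata": {"name": "rhcos4-set-iptables-default-rule"},
         "checkType": "Node"},
        # field absent entirely
        {"kind": "Rule", "metadata": {"name": "rhcos4-zipl-enable-selinux"}},
        # field present but empty: `-ojsonpath={.checkType}` prints nothing here too
        {"kind": "Rule", "metadata": {"name": "rhcos4-sysctl-crypto-fips-enabled"},
         "checkType": ""},
        {"kind": "Rule", "metadata": {"name": "rhcos4-set-iptables-default-rule-forward"}},
        {"kind": "Rule", "metadata": {"name": "ocp4-general-apply-scc"}},
    ],
})

NONE = "<none>"


def load_rules(doc: str) -> List[dict]:
    """Return the items of an `oc get ... -o json` List document."""
    return json.loads(doc)["items"]


def rule_name(rule: dict) -> str:
    return rule["metadata"]["name"]


def check_type(rule: dict) -> Optional[str]:
    """checkType of a Rule; an absent and an empty field are both reported as None."""
    value = rule.get("checkType")
    return value if value else None


def group_by_check_type(rules: List[dict]) -> Dict[str, List[str]]:
    """Map each checkType ("Platform", "Node", or NONE) to its sorted rule names."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for rule in rules:
        groups[check_type(rule) or NONE].append(rule_name(rule))
    return {kind: sorted(names) for kind, names in groups.items()}


def missing_check_type(rules: List[dict]) -> List[str]:
    """Rules with no usable checkType, decided per object rather than by name matching."""
    return group_by_check_type(rules).get(NONE, [])


def grep_style_missing(rules: List[dict]) -> List[str]:
    """Reproduce the report's `grep -Ev tagged1|tagged2|...` filter: a name is
    dropped when ANY tagged name occurs anywhere inside it (unanchored match)."""
    tagged = [rule_name(r) for r in rules if check_type(r)]
    return sorted(rule_name(r) for r in rules
                  if not any(t in rule_name(r) for t in tagged))


def rhcos_rules_not_node(rules: List[dict]) -> List[str]:
    """The invariant the bug asks for: every rhcos4-* rule is a Node rule.
    Returns the rhcos4-* rules whose checkType is anything else, or missing."""
    return sorted(rule_name(r) for r in rules
                  if rule_name(r).startswith("rhcos4-") and check_type(r) != "Node")


def fetch_live_rules() -> List[dict]:
    """Pull the real objects from the current cluster (needs oc and a login)."""
    out = subprocess.run(["oc", "get", "rules.compliance", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return load_rules(out)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for kind, names in sorted(group_by_check_type(rules).items()):
        print(f"{kind:10} {len(names):4}")
    print("missing (exact):     ", missing_check_type(rules))
    print("missing (grep-style):", grep_style_missing(rules))
    print("rhcos4 rules not Node:", rhcos_rules_not_node(rules))
```

Against a live cluster, replace `load_rules(SAMPLE_RULES)` with `fetch_live_rules()`; the counts printed per group correspond to the `wc -l` figures in the verification comment, and an empty result from `rhcos_rules_not_node` is the condition the bug title asks for.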
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:0416