Bug 2062530 - CU found ocp4-var-oauth-inactivity-timeout and other compliance-operator variables are having an issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Vincent Shen
QA Contact: xiyuan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-10 05:07 UTC by Mithilesh Kaur Bagga
Modified: 2023-09-18 04:33 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Added a remediation to set policies for various cryptographic back-ends on infrastructure through Machine Config settings.
Reason: Allows users the flexibility to update cryptographic back-end policies and apply that remediation through the compliance operator.
Result: Users can apply this remediation using the compliance operator and adjust it using a variable.
Clone Of:
Environment:
Last Closed: 2022-11-02 16:00:53 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github ComplianceAsCode content pull 9266 0 None open Add Kubernetes remediation for rule configure_crypto_policy 2022-08-05 19:58:03 UTC
Red Hat Product Errata RHBA-2022:6657 0 None None None 2022-11-02 16:01:09 UTC

Comment 5 Vincent Shen 2022-03-28 16:10:30 UTC
@mbagga Hi Mithilesh, it looks like we are missing auto-remediation for this rule `configure_crypto_policy`/`enable_fips_mode`. For now, you would need to create the Machine Config manually; we will add the auto-remediation for this rule in a future release. The var `rhcos4-configure-crypto-policy` is used by the rule to check the configuration for now.

Comment 11 xiyuan 2022-09-26 07:18:13 UTC
Hi Vincent,
The auto remediation works. The crypto policy is updated after the auto-remediation is applied.
However, I just found one issue with this auto fix (sorry I didn't realize this issue earlier):
When the cluster has FIPS enabled, the auto-remediation updates the crypto policy to DEFAULT, which is not a FIPS policy.
Then the rule rhcos4-enable-fips-mode will fail. I don't think it is the expected result we would like to see.

Details seen from below:
####################apply auto-remediation for rule rhcos4-configure-crypto-policy:
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: tp-node
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
  - name: rhcos4-configure-crypto-policy
    rationale: Node
EOF
tailoredprofile.compliance.openshift.io/tp-node created
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb1
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: tp-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply
EOF
scansettingbinding.compliance.openshift.io/my-ssb1 configured
$ oc get suite -w
NAME      PHASE       RESULT
my-ssb1   LAUNCHING   NOT-AVAILABLE
my-ssb1   LAUNCHING   NOT-AVAILABLE
my-ssb1   RUNNING     NOT-AVAILABLE
my-ssb1   RUNNING     NOT-AVAILABLE
my-ssb1   AGGREGATING   NOT-AVAILABLE
my-ssb1   AGGREGATING   NOT-AVAILABLE
my-ssb1   DONE          NON-COMPLIANT
my-ssb1   DONE          NON-COMPLIANT
^C$ oc get ccr
NAME                                     STATUS   SEVERITY
tp-node-master-configure-crypto-policy   FAIL     high
tp-node-worker-configure-crypto-policy   FAIL     high
$ oc get mc -l compliance.openshift.io/suite=my-ssb1
NAME                                        GENERATEDBYCONTROLLER   IGNITIONVERSION   AGE
75-tp-node-master-configure-crypto-policy                           3.1.0             25s
75-tp-node-worker-configure-crypto-policy                           3.1.0             25s
$ oc get mc 75-tp-node-master-configure-crypto-policy -o yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    compliance.openshift.io/remediation: ""
  creationTimestamp: "2022-09-26T05:25:08Z"
  generation: 1
  labels:
    compliance.openshift.io/scan-name: tp-node-master
    compliance.openshift.io/suite: my-ssb1
    machineconfiguration.openshift.io/role: master
  name: 75-tp-node-master-configure-crypto-policy
  resourceVersion: "122961"
  uid: 3e4f1481-c298-40cd-989e-fd64f5d4f028
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - contents: |
          [Unit]
          Before=kubelet.service
          [Service]
          Type=oneshot
          ExecStart=update-crypto-policies --set DEFAULT
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
        enabled: true
        name: configure-crypto-policy.service
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-5397c0bc55850dbe459f93d781252766   False     True       False      3              0                   0                     0                      3h40m
worker   rendered-worker-f4308d81441e68d03b3310a6de94de9e   False     True       False      3              0                   0                     0                      3h40m
...
master   rendered-master-5397c0bc55850dbe459f93d781252766   False     True       False      3              1                   1                     0                      3h49m
worker   rendered-worker-f4308d81441e68d03b3310a6de94de9e   False     True       False      3              1                   1                     0                      3h49m
worker   rendered-worker-f4308d81441e68d03b3310a6de94de9e   False     True       False      3              1                   2                     0                      3h51m
worker   rendered-worker-f4308d81441e68d03b3310a6de94de9e   False     True       False      3              2                   2                     0                      3h51m
worker   rendered-worker-f4308d81441e68d03b3310a6de94de9e   False     True       False      3              2                   2                     0                      3h51m
master   rendered-master-5397c0bc55850dbe459f93d781252766   False     True       False      3              2                   2                     0                      3h53m
...
master   rendered-master-35afa1d4a71fb092809d421452dea4e4   True      False      False      3              3                   3                     0                      4h5m
worker   rendered-worker-f78c78960d277733dc4d87c428f10ba8   True      False      False      3              3                   3                     0                      4h5m


$ oc get node
NAME                                            STATUS   ROLES                  AGE     VERSION
xiyuan26-1-nmfmx-master-0                       Ready    control-plane,master   4h9m    v1.24.0+8c7c967
xiyuan26-1-nmfmx-master-1                       Ready    control-plane,master   4h10m   v1.24.0+8c7c967
xiyuan26-1-nmfmx-master-2                       Ready    control-plane,master   4h10m   v1.24.0+8c7c967
xiyuan26-1-nmfmx-worker-southcentralus1-5sq9n   Ready    worker                 3h53m   v1.24.0+8c7c967
xiyuan26-1-nmfmx-worker-southcentralus2-nc9lt   Ready    worker                 3h49m   v1.24.0+8c7c967
xiyuan26-1-nmfmx-worker-southcentralus3-k4cdm   Ready    worker                 3h53m   v1.24.0+8c7c967


#################Fips mode checking after auto-remediation
$ oc debug node/xiyuan26-1-nmfmx-master-0  -- chroot /host fips-mode-setup --check
Starting pod/xiyuan26-1-nmfmx-master-0-debug ...
To use host binaries, run `chroot /host`
FIPS mode is enabled.
The current crypto policy (DEFAULT) is not a FIPS policy.

Removing debug pod ...

##################Rule rhcos4-enable-fips-mode check:
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-fips
profiles:
  - name: rhcos4-moderate
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-fips created
$ oc get suite 
NAME          PHASE   RESULT
my-ssb-fips   DONE    NON-COMPLIANT
my-ssb1       DONE    NON-COMPLIANT
$ oc get ccr | grep fips
rhcos4-moderate-master-enable-fips-mode                                                             FAIL     high
rhcos4-moderate-worker-enable-fips-mode                                                             FAIL     high

Comment 12 xiyuan 2022-09-26 09:42:33 UTC
Add one more point: if the 'update-crypto-policies --set FIPS:DISABLE-CBC' command is not supported on the node, the auto remediation will fail:

$ oc debug node/xiyuan26-1-nmfmx-master-0
Starting pod/xiyuan26-1-nmfmx-master-0-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.0.7
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# update-crypto-policies --set FIPS:DISABLE-CBC
Unknown policy `DISABLE-CBC`: file `DISABLE-CBC.pmod` not found in (., policies/modules, /etc/crypto-policies/policies/modules, /usr/share/crypto-policies/policies/modules)
sh-4.4# update-crypto-policies --show
FIPS
sh-4.4# exit
exit
sh-4.4# exit
exit

Removing debug pod ...

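The two failures reported in comments 11 and 12 share a root cause: the value of the crypto-policy variable is pushed to nodes without first checking that it is a FIPS policy on a FIPS-enabled node and that every sub-policy module it names actually exists. The script below is an added example (it is not Compliance Operator or ComplianceAsCode code) of a pre-flight check an administrator could run on a node's `fips-mode-setup --check` output and module directory before applying a TailoredProfile with a custom `rhcos4-var-system-crypto-policy` value. The set of base policy names and the module search path are taken from the command output quoted above; the sample outputs are constructed.

```python
"""Pre-flight check for a crypto-policy value before it is applied to RHCOS
nodes as a remediation. Added example, not Compliance Operator code."""
import os
import tempfile

# Base policies named in RHEL 8 crypto-policies documentation (assumed set;
# a given build may ship additional ones).
BASE_POLICIES = {"DEFAULT", "LEGACY", "FUTURE", "FIPS"}

# Search path that update-crypto-policies reports for *.pmod sub-policy modules
# (taken from the error message quoted in comment 12).
DEFAULT_MODULE_DIRS = (
    "/etc/crypto-policies/policies/modules",
    "/usr/share/crypto-policies/policies/modules",
)


def fips_enabled_from_check(output: str) -> bool:
    """Parse the first line printed by `fips-mode-setup --check`."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    if first.startswith("FIPS mode is enabled"):
        return True
    if first.startswith("FIPS mode is disabled"):
        return False
    raise ValueError(f"unrecognised fips-mode-setup output: {first!r}")


def check_policy(policy: str, fips_enabled: bool, module_dirs=DEFAULT_MODULE_DIRS):
    """Return a list of problems with `policy` (e.g. 'FIPS:DISABLE-CBC');
    an empty list means the value can be applied on this node."""
    problems = []
    base, *subpolicies = policy.split(":")
    if base not in BASE_POLICIES:
        problems.append(f"unknown base policy {base!r}")
    # Failure mode from comment 11: a non-FIPS base policy on a FIPS node.
    if fips_enabled and base != "FIPS":
        problems.append(
            f"node is in FIPS mode but {policy!r} is not a FIPS policy; "
            "fips-mode-setup --check and rule rhcos4-enable-fips-mode would fail")
    # Failure mode from comment 12: a sub-policy whose .pmod file is missing.
    for sub in subpolicies:
        present = any(os.path.isfile(os.path.join(d, f"{sub}.pmod")) for d in module_dirs)
        if not present:
            problems.append(
                f"sub-policy module {sub}.pmod not found in {list(module_dirs)}; "
                "update-crypto-policies --set would fail on this node")
    return problems


def run_demo():
    """Replay both reported failures against constructed inputs and show the
    check clearing once the module file is shipped to the node."""
    # Constructed from the output quoted in comment 11.
    fips_check = ("FIPS mode is enabled.\n"
                  "The current crypto policy (DEFAULT) is not a FIPS policy.\n")
    fips = fips_enabled_from_check(fips_check)
    with tempfile.TemporaryDirectory() as moddir:
        results = {
            "DEFAULT on FIPS node": check_policy("DEFAULT", fips, (moddir,)),
            "missing module": check_policy("FIPS:DISABLE-CBC", fips, (moddir,)),
        }
        # Ship the module first (what the DISABLE-CBC MachineConfig in
        # comment 17 does), then re-check. Module text is a placeholder.
        with open(os.path.join(moddir, "DISABLE-CBC.pmod"), "w") as f:
            f.write("# placeholder sub-policy module\n")
        results["module present"] = check_policy("FIPS:DISABLE-CBC", fips, (moddir,))
    return results


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case}: {problems or 'OK'}")
```

Run it on a node via `oc debug node/<name> -- chroot /host python3 check.py` with the real module directories, or feed it the captured `fips-mode-setup --check` output from a debug pod; an empty result for the intended value means the remediation will neither break FIPS mode nor fail on a missing `.pmod`.
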
Comment 13 Jakub Hrozek 2022-09-26 10:53:29 UTC
(In reply to xiyuan from comment #12)
> Add one more point, if the 'update-crypto-policies --set FIPS:DISABLE-CBC'
> command not supported on node, the auto remediation will fail:
> 
> $ oc debug node/xiyuan26-1-nmfmx-master-0
> Starting pod/xiyuan26-1-nmfmx-master-0-debug ...
> To use host binaries, run `chroot /host`
> Pod IP: 10.0.0.7
> If you don't see a command prompt, try pressing enter.
> sh-4.4# chroot /host
> sh-4.4# update-crypto-policies --set FIPS:DISABLE-CBC
> Unknown policy `DISABLE-CBC`: file `DISABLE-CBC.pmod` not found in (.,
> policies/modules, /etc/crypto-policies/policies/modules,
> /usr/share/crypto-policies/policies/modules)
> sh-4.4# update-crypto-policies --show
> FIPS
> sh-4.4# exit
> exit
> sh-4.4# exit
> exit
> 
> Removing debug pod ...

Where are you seeing DISABLE-CBC? We had a different bug open with a customer case (OCPBUGS-510) where the customer tried to set the same policy, but that policy does not exist. So I think we should find where we suggest that policy name and change the reference to something that does exist.

Nice catch!

Comment 14 Vincent Shen 2022-09-26 15:49:18 UTC
@xiyuan This is expected behavior: the default value for var_system_crypto_policy is different based on the profile. If you use the rule without the profile, the default value is DEFAULT, but when you use it in a profile, e.g. in moderate, it will set var_system_crypto_policy to FIPS.

Comment 15 xiyuan 2022-09-27 15:46:38 UTC
Hi Vincent,
I tried to test with 4.12.0-0.nightly-2022-09-26-111919 and compliance-operator.v0.1.55, creating a ssb with the moderate profiles. When the scan is done, there is no related ccr for rule rhcos4-configure-crypto-policy. Not sure where it goes wrong. Could you please help to check? Thanks.

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-moderate
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-moderate-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply
EOF
scansettingbinding.compliance.openshift.io/test created

$ oc get ccr | grep policy
ocp4-moderate-general-configure-imagepolicywebhook                         MANUAL         medium

Comment 16 Vincent Shen 2022-09-27 17:00:05 UTC
@xiyuan rhcos4-configure-crypto-policy is in the rhcos4-moderate profile, I think you need to test it using that profile

Comment 17 xiyuan 2022-09-28 06:35:40 UTC
Verification passed with 4.12.0-0.nightly-2022-09-26-111919 and compliance-operator.v0.1.55.

For a FIPS-enabled cluster, the rule check passes for rhcos4-configure-crypto-policy by default; for the FIPS:DISABLE-CBC crypto policy, the sub-policy DISABLE-CBC needs to be applied first, then the auto-remediation is applied with a tailoredprofile.
$ oc get ccr
NAME                                     STATUS   SEVERITY
tp-node-master-configure-crypto-policy   PASS     high
tp-node-worker-configure-crypto-policy   PASS     high
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-26-111919   True        False         4h28m   Cluster version is 4.12.0-0.nightly-2022-09-26-111919
$ oc get csv
NAME                            DISPLAY                            VERSION   REPLACES                       PHASE
compliance-operator.v0.1.55     Compliance Operator                0.1.55                                   Succeeded
elasticsearch-operator.v5.6.0   OpenShift Elasticsearch Operator   5.6.0     elasticsearch-operator.5.5.2   Succeeded
loki-operator.v5.6.0            Loki Operator                      5.6.0     loki-operator.5.5.2            Succeeded

##########For a fips enabled cluster, the rule rhcos4-configure-crypto-policy will PASS:
$ oc debug node/xiyuan28-1-jlfqz-master-0  -- chroot /host fips-mode-setup --check
Starting pod/xiyuan28-1-jlfqz-master-0-debug ...
To use host binaries, run `chroot /host`
FIPS mode is enabled.

Removing debug pod ...
$  oc debug node/xiyuan28-1-jlfqz-master-0  -- chroot /host update-crypto-policies --show
Starting pod/xiyuan28-1-jlfqz-master-0-debug ...
To use host binaries, run `chroot /host`
FIPS

Removing debug pod ...

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: rhcos4-moderate
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get ccr | grep configure-crypto-policy
rhcos4-moderate-master-configure-crypto-policy                                                      PASS     high
rhcos4-moderate-worker-configure-crypto-policy                                                      PASS     high

###############################apply FIPS:DISABLE-CBC policy
Per https://www.redhat.com/en/blog/configuring-rhel-8-compliance-crypto-policy-related-cipher-block-chaining,
create sub policy DISABLE-CBC through below mc:
$ oc apply -f -<<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  generation: 1
  labels:
    machineconfiguration.openshift.io/role: worker
  name: disable-cbc-worker
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,cipher%20%3D%20AES-256-CBC%20%20AES-128-CBC%0Acipher%40TLS%20%3D%20AES-256-CBC%20AES-128-CBC
        mode: 0644
        overwrite: true
        path: /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  generation: 1
  labels:
    machineconfiguration.openshift.io/role: master
  name: disable-cbc-master
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,cipher%20%3D%20AES-256-CBC%20%20AES-128-CBC%0Acipher%40TLS%20%3D%20AES-256-CBC%20AES-128-CBC
        mode: 0644
        overwrite: true
        path: /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
EOF
machineconfig.machineconfiguration.openshift.io/disable-cbc-worker created
machineconfig.machineconfiguration.openshift.io/disable-cbc-master created
###########wait until the cluster reboot finishes,
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: tp-node
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
  - name: rhcos4-configure-crypto-policy
    rationale: Node
  setValues:
  - name: rhcos4-var-system-crypto-policy
    value: "FIPS:DISABLE-CBC"
    rationale: test
EOF

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb1
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: tp-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply
EOF
scansettingbinding.compliance.openshift.io/my-ssb1 created

$ oc get ccr
NAME                                     STATUS   SEVERITY
tp-node-master-configure-crypto-policy   FAIL     high
tp-node-worker-configure-crypto-policy   FAIL     high
$ oc get cr
NAME                                     STATE
tp-node-master-configure-crypto-policy   Applied
tp-node-worker-configure-crypto-policy   Applied

$ oc get mc 75-tp-node-master-configure-crypto-policy -o yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    compliance.openshift.io/remediation: ""
  creationTimestamp: "2022-09-28T05:53:56Z"
  generation: 1
  labels:
    compliance.openshift.io/scan-name: tp-node-master
    compliance.openshift.io/suite: my-ssb1
    machineconfiguration.openshift.io/role: master
  name: 75-tp-node-master-configure-crypto-policy
  resourceVersion: "257732"
  uid: fef33759-4f87-4574-9758-5cb357dd1d62
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - contents: |
          [Unit]
          Before=kubelet.service
          [Service]
          Type=oneshot
          ExecStart=update-crypto-policies --set FIPS:DISABLE-CBC
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
        enabled: true
        name: configure-crypto-policy.service
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-a4cd02a77daf2e4b1c8e8ee29a03a1f2   False     True       False      3              2                   2                     0                      4h51m
worker   rendered-worker-0075f8531ee9f6b9666f167aa063c99b   False     True       False      3              2                   2                     0                      4h51m
worker   rendered-worker-0075f8531ee9f6b9666f167aa063c99b   False     True       False      3              2                   3                     0                      4h51m
worker   rendered-worker-ffbeaedc398d860bde1ebb5c0022d3f1   True      False      False      3              3                   3                     0                      4h51m
master   rendered-master-a4cd02a77daf2e4b1c8e8ee29a03a1f2   False     True       False      3              2                   3                     0                      4h54m
master   rendered-master-0bdb10a513a8a2588f41f9949844d9db   True      False      False      3              3                   3                     0                      4h54m
^C[xiyuan@MiWiFi-RA69-srv func]$ oc get ssb
NAME      AGE
my-ssb1   25m
$ oc compliance rerun-now scansettingbinding my-ssb1
Rerunning scans from 'my-ssb1': tp-node-master, tp-node-worker
Re-running scan 'openshift-compliance/tp-node-master'
Re-running scan 'openshift-compliance/tp-node-worker'
[xiyuan@MiWiFi-RA69-srv func]$ oc get suite -w
NAME      PHASE       RESULT
my-ssb1   LAUNCHING   NOT-AVAILABLE
my-ssb1   RUNNING     NOT-AVAILABLE
my-ssb1   RUNNING     NOT-AVAILABLE
my-ssb1   AGGREGATING   NOT-AVAILABLE
my-ssb1   AGGREGATING   NOT-AVAILABLE
my-ssb1   DONE          COMPLIANT
my-ssb1   DONE          COMPLIANT
^C$ oc get ccr
NAME                                     STATUS   SEVERITY
tp-node-master-configure-crypto-policy   PASS     high
tp-node-worker-configure-crypto-policy   PASS     high
##check on one node:
$ oc debug node/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9 -- chroot /host update-crypto-policies --show
Starting pod/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9-debug ...
To use host binaries, run `chroot /host`
FIPS:DISABLE-CBC

Removing debug pod ...
$ oc debug node/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9 -- chroot /host update-crypto-policies --is-applied
Starting pod/xiyuan28-1-jlfqz-worker-southcentralus1-kd9j9-debug ...
To use host binaries, run `chroot /host`
The configured policy is applied

Removing debug pod ...

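The MachineConfig in comment 17 ships the DISABLE-CBC sub-policy module as an Ignition `data:` URL, which has to be percent-encoded by hand and repeated for every MachineConfigPool role. The script below is an added example (not Compliance Operator or ComplianceAsCode code) that generates those manifests from the plain module text and decodes an existing URL for auditing; the decoded module text and the data URL constant are taken from the manifest above, the output names (`disable-cbc-master`, `disable-cbc-worker`) mirror the ones used there, and everything else is an assumption of this example.

```python
"""Generate MachineConfig objects that install a crypto-policies sub-policy
module (*.pmod) on RHCOS nodes, and round-trip the Ignition data URL.
Added example, not Compliance Operator or ComplianceAsCode code."""
import json
from urllib.parse import quote, unquote

MODULE_DIR = "/etc/crypto-policies/policies/modules"

# Data URL copied from the MachineConfig in comment 17, and the module text it
# decodes to (the double space after AES-256-CBC is present in the original).
PAGE_DATA_URL = ("data:,cipher%20%3D%20AES-256-CBC%20%20AES-128-CBC"
                 "%0Acipher%40TLS%20%3D%20AES-256-CBC%20AES-128-CBC")
DISABLE_CBC_MODULE = "cipher = AES-256-CBC  AES-128-CBC\ncipher@TLS = AES-256-CBC AES-128-CBC"


def module_data_url(module_text: str) -> str:
    """Encode file content as an RFC 2397 data URL the way Ignition expects:
    percent-encode everything except unreserved characters, so space, '=',
    '@' and newline become %20, %3D, %40 and %0A."""
    return "data:," + quote(module_text, safe="")


def decode_data_url(url: str) -> str:
    """Inverse of module_data_url, for auditing a MachineConfig already in the
    cluster (plain, non-base64 data URLs only)."""
    prefix = "data:,"
    if not url.startswith(prefix):
        raise ValueError("only plain (non-base64) data URLs are handled here")
    return unquote(url[len(prefix):])


def subpolicy_machineconfig(module_name: str, module_text: str, role: str) -> dict:
    """One MachineConfig per MCP role. Ignition takes the file mode as a
    decimal integer; the `mode: 0644` in the YAML above is octal, i.e. 420,
    which is what 0o644 evaluates to here."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "labels": {"machineconfiguration.openshift.io/role": role},
            "name": f"{module_name.lower()}-{role}",
        },
        "spec": {
            "config": {
                "ignition": {"version": "3.1.0"},
                "storage": {"files": [{
                    "contents": {"source": module_data_url(module_text)},
                    "mode": 0o644,
                    "overwrite": True,
                    "path": f"{MODULE_DIR}/{module_name}.pmod",
                }]},
            }
        },
    }


def render_manifests(module_name: str, module_text: str, roles=("master", "worker")) -> str:
    """Multi-document stream suitable for `oc apply -f -` (JSON is valid YAML)."""
    docs = [json.dumps(subpolicy_machineconfig(module_name, module_text, role), indent=2)
            for role in roles]
    return "\n---\n".join(docs) + "\n"


if __name__ == "__main__":
    # Audit: the URL from the existing manifest decodes to the expected module text.
    assert decode_data_url(PAGE_DATA_URL) == DISABLE_CBC_MODULE
    print(render_manifests("DISABLE-CBC", DISABLE_CBC_MODULE))
```

Applying the rendered stream triggers a rolling reboot of both pools, exactly as in the verification above; only after `oc get mcp` reports both pools updated does `update-crypto-policies --set FIPS:DISABLE-CBC` stop failing with the "file `DISABLE-CBC.pmod` not found" error from comment 12.
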
Comment 19 errata-xmlrpc 2022-11-02 16:00:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657

Comment 20 Red Hat Bugzilla 2023-09-18 04:33:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

