Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2101353

Summary: False positive in rules content_rule_sysctl_kernel_core_pattern content_rule_sysctl_kernel_yama_ptrace_scope
Product: OpenShift Container Platform
Reporter: German Parente <gparente>
Component: Compliance Operator
Assignee: Vincent Shen <wenshen>
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Version: 4.10
CC: jhrozek, lbragsta, mrogers, suprs, wenshen, xiyuan
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-06-28 14:45:32 UTC
Type: Bug

Description German Parente 2022-06-27 09:31:42 UTC
Description of problem:

Customer is showing these commands in the nodes:

sh-4.4# chroot /host
sh-4.4# grep -r '^\s*kernel.core_pattern\s*=' /etc/sysctl.conf /etc/sysctl.d
/etc/sysctl.d/75-sysctl_kernel_core_pattern.conf:kernel.core_pattern = |/bin/false
sh-4.4# cat /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf 
kernel.yama.ptrace_scope=1

These rules are failing:

Title   Disable storing core dumps
Rule    xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
Ident   CCE-82527-3
W: oscap:       Requested offline mode is not supported by sysctl probe.
Result  fail

Title   Restrict usage of ptrace to descendant processes
Rule    xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
Ident   CCE-82501-8
W: oscap:       Requested offline mode is not supported by sysctl probe.
Result  fail


When we check the rules:

oc get -n openshift-compliance -oyaml rules.compliance rhcos4-sysctl-kernel-core-pattern
description: |-
  To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

  $ sudo sysctl -w kernel.core_pattern=|/bin/false

  To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d :

  kernel.core_pattern = |/bin/false

  If any assignments other than
  kernel.core_pattern = |/bin/false
  are found, or the correct assignment is duplicated, remove those offending lines from respective files,
  and make sure that exactly one file in
  /etc/sysctl.d contains kernel.core_pattern = |/bin/false, and that one assignment
  is returned when
  $ grep -r kernel.core_pattern /etc/sysctl.conf /etc/sysctl.d
  is executed.

oc get -n openshift-compliance -oyaml rules.compliance rhcos4-sysctl-kernel-yama-ptrace-scope

description: |-
  To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

  $ sudo sysctl -w kernel.yama.ptrace_scope=1

  To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d :

  kernel.yama.ptrace_scope = 1

So it seems the rules are failing, whereas at the customer site we have the right lines/values.
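
The rule descriptions above reduce the persistent half of each check to a file test: exactly one uncommented assignment of the parameter, with the expected value, across /etc/sysctl.conf and /etc/sysctl.d. The script below is an added example written for this page, not Compliance Operator or SCAP content code; it implements that file test so an administrator can confirm the on-disk state by hand without going through the sysctl probe (whose "Requested offline mode is not supported" warning appears in the failing results above). The function names, the "pass"/"fail:" messages and the fixture are this example's own; the fixture reproduces the customer's two sysctl.d files from the description and adds two invented fs.suid_dumpable files to exercise the duplicate-assignment case.

```shell
#!/bin/sh
# Added example, not Compliance Operator or SCAP content code: an offline,
# file-only check for a persistent sysctl assignment, following the rule
# description above (exactly one assignment of the expected value across
# /etc/sysctl.conf and /etc/sysctl.d/*.conf). Function names, messages and
# the fixture below are this example's own.

# check_sysctl_persistent ROOT KEY EXPECTED
# Prints "pass" or "fail: <reason>" and returns 0 only on pass.
# ROOT is "/" on the node after "chroot /host", or "/host" without it.
check_sysctl_persistent() {
    root=$1
    key=$2
    expected=$3

    # Escape the dots so grep/sed match the key literally.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')

    # The files the rule description tells the admin to grep.
    files=""
    [ -f "$root/etc/sysctl.conf" ] && files="$root/etc/sysctl.conf"
    for f in "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] && files="$files $f"
    done
    if [ -z "$files" ]; then
        echo "fail: no sysctl files under $root"
        return 1
    fi

    # Uncommented assignments of KEY, one extracted value per line.
    # Spaces around '=' are accepted, as in the customer's two files above.
    values=$(grep -hE "^[[:space:]]*$key_re[[:space:]]*=" $files \
             | sed -E "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//; s/[[:space:]]+$//")
    count=$(printf '%s\n' "$values" | grep -c . || true)

    case $count in
        0) echo "fail: $key is not set persistently"; return 1 ;;
        1) ;;
        *) echo "fail: $key assigned $count times (rule requires exactly one)"; return 1 ;;
    esac
    if [ "$values" != "$expected" ]; then
        echo "fail: $key = $values (expected $expected)"
        return 1
    fi
    echo "pass"
}

# make_fixture: constructed /etc tree in a temp dir, path printed on stdout.
# The first two files reproduce the customer's output above; the
# fs.suid_dumpable files are invented here to exercise the duplicate case.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/sysctl.d"
    : > "$d/etc/sysctl.conf"
    echo 'kernel.core_pattern = |/bin/false' \
        > "$d/etc/sysctl.d/75-sysctl_kernel_core_pattern.conf"
    echo 'kernel.yama.ptrace_scope=1' \
        > "$d/etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf"
    printf '%s\n' '# fs.suid_dumpable = 1 (commented out, must be ignored)' \
        'fs.suid_dumpable = 0' > "$d/etc/sysctl.d/10-dumpable.conf"
    echo 'fs.suid_dumpable = 2' > "$d/etc/sysctl.d/90-dumpable.conf"
    echo "$d"
}

# Stand-alone demo; on a node replace "$fx" with / (after chroot) or /host.
demo() {
    fx=$(make_fixture)
    echo "kernel.core_pattern:      $(check_sysctl_persistent "$fx" kernel.core_pattern '|/bin/false')"
    echo "kernel.yama.ptrace_scope: $(check_sysctl_persistent "$fx" kernel.yama.ptrace_scope 1)"
    echo "fs.suid_dumpable:         $(check_sysctl_persistent "$fx" fs.suid_dumpable 0)"
    rm -rf "$fx"
}
demo
```

This only covers the persistent setting. The runtime half of each rule, the value the kernel is currently using, is what the `sysctl -w` line in the rule description sets and is read with `sysctl -n kernel.core_pattern`; that part has to be queried from inside the running node, not from its files.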

Comment 1 Jakub Hrozek 2022-06-27 10:23:20 UTC
Vincent, can you check if this is the same issue as you fixed recently (and I think tracked as https://bugzilla.redhat.com/show_bug.cgi?id=2094382)?

Comment 2 Vincent Shen 2022-06-28 14:45:32 UTC

*** This bug has been marked as a duplicate of bug 2094382 ***

Comment 3 Red Hat Bugzilla 2023-09-15 01:56:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days