Bug 2117747 - Compliance rules are failing after remediated automatically from scan setting successfully
Summary: Compliance rules are failing after remediated automatically from scan setting...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Vincent Shen
QA Contact:
Depends On:
Reported: 2022-08-11 19:15 UTC by Shailendra Singh
Modified: 2022-11-02 16:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The rule evaluating modprobe configuration would fail even after applying remediations.
Consequence: The checks and the remediations were using two different values for the modprobe configuration, so an applied remediation never satisfied the check.
Fix: Upgrade to compliance-operator 0.1.55.
Result: Newer content uses the same values for modprobe configuration in checks and remediations, ensuring consistent results.
Clone Of:
Last Closed: 2022-11-02 16:00:55 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github ComplianceAsCode content pull 9346 0 None Merged Fix kernel_module_disabled remediation template 2022-08-30 10:47:56 UTC
Red Hat Product Errata RHBA-2022:6657 0 None None None 2022-11-02 16:01:00 UTC

Comment 5 xiyuan 2022-09-21 07:11:01 UTC
Verification pass with 4.12.0-0.nightly-2022-09-20-095559 + compliance-operator.v0.1.55
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-20-095559   True        False         5h6m    Cluster version is 4.12.0-0.nightly-2022-09-20-095559
$ oc get csv
NAME                           DISPLAY                            VERSION   REPLACES                                    PHASE
compliance-operator.v0.1.55    Compliance Operator                0.1.55                                                Succeeded

1. Create a ssb with ocp4-high and ocp4-high-node profile:
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: fedr-high-test
profiles:
  - name: ocp4-high
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-high-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default-auto-apply
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
2. after several rounds of remediation, all rules with auto remediation are in PASS status:
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
No resources found in openshift-compliance namespace.
$ oc get rule | grep module
rhcos4-audit-module-load                                                            4h16m
rhcos4-audit-rules-kernel-module-loading                                            4h16m
rhcos4-audit-rules-kernel-module-loading-delete                                     4h16m
rhcos4-audit-rules-kernel-module-loading-finit                                      4h16m
rhcos4-audit-rules-kernel-module-loading-init                                       4h16m
rhcos4-enable-dracut-fips-module                                                    4h16m
rhcos4-kernel-config-module-sig                                                     4h16m
rhcos4-kernel-config-module-sig-all                                                 4h16m
rhcos4-kernel-config-module-sig-force                                               4h16m
rhcos4-kernel-config-module-sig-hash                                                4h16m
rhcos4-kernel-config-module-sig-key                                                 4h16m
rhcos4-kernel-config-module-sig-sha512                                              4h16m
rhcos4-kernel-module-atm-disabled                                                   4h16m
rhcos4-kernel-module-bluetooth-disabled                                             4h16m
rhcos4-kernel-module-can-disabled                                                   4h16m
rhcos4-kernel-module-cfg80211-disabled                                              4h16m
rhcos4-kernel-module-cramfs-disabled                                                4h16m
rhcos4-kernel-module-firewire-core-disabled                                         4h16m
rhcos4-kernel-module-freevxfs-disabled                                              4h16m
rhcos4-kernel-module-hfs-disabled                                                   4h16m
rhcos4-kernel-module-hfsplus-disabled                                               4h16m
rhcos4-kernel-module-ipv6-option-disabled                                           4h16m
rhcos4-kernel-module-iwlmvm-disabled                                                4h16m
rhcos4-kernel-module-iwlwifi-disabled                                               4h16m
rhcos4-kernel-module-jffs2-disabled                                                 4h16m
rhcos4-kernel-module-mac80211-disabled                                              4h16m
rhcos4-kernel-module-rds-disabled                                                   4h16m
rhcos4-kernel-module-sctp-disabled                                                  4h16m
rhcos4-kernel-module-squashfs-disabled                                              4h16m
rhcos4-kernel-module-tipc-disabled                                                  4h16m
rhcos4-kernel-module-udf-disabled                                                   4h16m
rhcos4-kernel-module-usb-storage-disabled                                           4h16m
rhcos4-kernel-module-uvcvideo-disabled                                              4h16m
rhcos4-kernel-module-vfat-disabled                                                  4h16m
$ oc get ccr | grep module
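The symptom this bug describes (a ComplianceRemediation reporting Applied while its ComplianceCheckResult still reports FAIL) can be spotted programmatically. The script below is an added example, not part of the verification above or of the Compliance Operator project; it assumes the JSON shape of `oc get ccr -o json` and `oc get complianceremediation -o json` (ComplianceCheckResult keeps its result in the top-level `status` string, ComplianceRemediation in `.status.applicationState`) and uses constructed sample documents in place of live cluster output.

```python
import json

AUTO_LABEL = "compliance.openshift.io/automated-remediation"

# Constructed sample documents (not from a real cluster): one remediated rule
# that still fails, one that passed, one FAIL that was never remediated, and
# one rule without an automated remediation, which must be ignored.
CCR_JSON = json.dumps({"items": [
    {"metadata": {"name": "ocp4-high-node-master-kernel-module-cramfs-disabled",
                  "labels": {AUTO_LABEL: ""}}, "status": "FAIL"},
    {"metadata": {"name": "ocp4-high-node-master-kernel-module-sctp-disabled",
                  "labels": {AUTO_LABEL: ""}}, "status": "PASS"},
    {"metadata": {"name": "ocp4-high-node-master-kernel-module-udf-disabled",
                  "labels": {AUTO_LABEL: ""}}, "status": "FAIL"},
    {"metadata": {"name": "ocp4-high-node-master-audit-rules-kernel-module-loading",
                  "labels": {}}, "status": "FAIL"},
]})
REM_JSON = json.dumps({"items": [
    {"metadata": {"name": "ocp4-high-node-master-kernel-module-cramfs-disabled"},
     "status": {"applicationState": "Applied"}},
    {"metadata": {"name": "ocp4-high-node-master-kernel-module-sctp-disabled"},
     "status": {"applicationState": "Applied"}},
    {"metadata": {"name": "ocp4-high-node-master-kernel-module-udf-disabled"},
     "status": {"applicationState": "NotApplied"}},
]})


def stale_failures(ccr_json: str, rem_json: str) -> list[str]:
    """Names of auto-remediable checks that FAIL although their remediation is Applied.

    A FAIL whose remediation is NotApplied is expected (nothing was applied yet);
    a FAIL after Applied means the check and the remediation disagree about the
    expected state, which is exactly the content mismatch behind this bug.
    """
    # Remediation objects are named after the check result they fix (assumption).
    states = {r["metadata"]["name"]: r.get("status", {}).get("applicationState", "")
              for r in json.loads(rem_json)["items"]}
    stale = []
    for ccr in json.loads(ccr_json)["items"]:
        meta = ccr["metadata"]
        if AUTO_LABEL not in meta.get("labels", {}) or ccr.get("status") != "FAIL":
            continue
        if states.get(meta["name"]) == "Applied":
            stale.append(meta["name"])
    return sorted(stale)


if __name__ == "__main__":
    for name in stale_failures(CCR_JSON, REM_JSON):
        print(f"{name}: still FAIL although its remediation is Applied")
```

On a live cluster, feed the two `oc get ... -o json` outputs to `stale_failures`; an empty result after the last remediation round is the same condition the `oc get ccr -l ...` query above verifies.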

Comment 6 xiyuan 2022-09-21 09:21:52 UTC
Per https://bugzilla.redhat.com/show_bug.cgi?id=2117747#c5, move it to verified

Comment 10 errata-xmlrpc 2022-11-02 16:00:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

