Details
- Bug
- Resolution: Won't Do
- 4.10
Description
Description of problem:
One of the Compliance Operator (CO) rules, "ocp4-cis-node-worker-file-groupowner-ovs-conf-db", reports that the group owner permissions are not properly set for the OVS conf file.
The remediation on the rule suggests:
Rule description: |-
To properly set the group owner of /etc/openvswitch/conf.db , run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/conf.db
id: xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db
This issue is not seen on System P.
Version-Release number of selected component (if applicable):
OCP 4.10 and Compliance Operator 0.1.49
How reproducible:
Consistently reproducible.
Steps to Reproduce:
1. On a 4.10 OCP cluster
2. Log in to any node and check the user and group ownership of /etc/openvswitch/conf.db. It shows as below:
$ ll /etc/openvswitch/conf.db
rw-r----. 1 openvswitch openvswitch 24930 Apr 6 14:22 /etc/openvswitch/conf.db
Actual results:
$ ll /etc/openvswitch/conf.db
rw-r----. 1 openvswitch openvswitch 24930 Apr 6 14:22 /etc/openvswitch/conf.db
Expected results:
Group ownership should be "hugetlbfs"
$ ll /etc/openvswitch/conf.db
rw-r----. 1 openvswitch hugetlbfs 24930 Apr 6 14:22 /etc/openvswitch/conf.db
Additional info:
This issue was found during the testing of the Compliance Operator: the group ownership is incorrect. Once the group ownership is set to "hugetlbfs", the compliance scan passes the rule.
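The check the rule describes can be reproduced by hand on a node. The following is an added example, not part of the original report or of the Compliance Operator content; the function name `check_groupowner`, its result strings and its return codes are assumptions made for illustration, and it relies on GNU `stat`.

```sh
#!/bin/sh
# Added example: compare a file's group owner with the group a rule expects.
# Usage: check_groupowner PATH EXPECTED_GROUP
# Return codes (chosen for this example): 0 PASS, 1 FAIL, 2 file missing, 3 stat error.
check_groupowner() {
    path=$1
    expected=$2

    # A missing file cannot be compared; report it separately from a mismatch.
    if [ ! -e "$path" ]; then
        echo "NOTAPPLICABLE $path (file does not exist)"
        return 2
    fi

    # GNU stat: %G prints the group name of the owner.
    if ! actual=$(stat -c '%G' "$path" 2>/dev/null); then
        echo "ERROR $path (stat failed)"
        return 3
    fi

    if [ "$actual" = "$expected" ]; then
        echo "PASS $path group=$actual"
        return 0
    fi

    # A chgrp to a group that is not defined on the host would fail,
    # so say so in the finding when getent is available to check.
    if command -v getent >/dev/null 2>&1 &&
       ! getent group "$expected" >/dev/null 2>&1; then
        echo "FAIL $path group=$actual expected=$expected (group not defined on this host)"
    else
        echo "FAIL $path group=$actual expected=$expected"
    fi
    return 1
}

# Report-only call with the path and group named in the rule description.
check_groupowner /etc/openvswitch/conf.db hugetlbfs || true
```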