Issue fields: Bug; Resolution: Done; Normal; None; 4.13.0; None; No; 1; CMP Sprint 62, CMP Sprint 63, CMP Sprint 64; 3; False
Description of problem:
The scan result for rule ocp4-kubelet-enable-protect-kernel-sysctl does not align with the instructions
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-04-01-062001 + compliance-operator-1.0.0-6
How reproducible:
Always
Steps to Reproduce:
1. Install compliance operator
2. Create a ScanSettingBinding (ssb) with the command below:
$ oc compliance bind -N test profile/ocp4-cis profile/ocp4-cis-node
Actual results:
By default, the rule ocp4-kubelet-enable-protect-kernel-sysctl reports PASS. However, per its instructions, it should FAIL.

$ oc get ccr | grep enable-protect-kernel-sysctl
ocp4-cis-node-master-kubelet-enable-protect-kernel-sysctl PASS medium
ocp4-cis-node-worker-kubelet-enable-protect-kernel-sysctl PASS medium

$ oc get ccr ocp4-cis-node-master-kubelet-enable-protect-kernel-sysctl -o=jsonpath={.instructions}
Run the following command on the kubelet node to check if sysctl configuration file exist(s):
$ sudo [ -f /etc/sysctl.d/90-kubelet.conf ] || echo Not Exists
The output should not return Not Exists.
Run the following command on the kubelet node(s) to check parameter vm.panic_on_oom:
$ sudo grep vm.panic_on_oom /etc/sysctl.d/90-kubelet.conf
The output should return a value.
Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf
The output should return a value.
Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf
The output should return a value.
Run the following command on the kubelet node(s) to check parameter kernel.panic:
$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf
The output should return a value.
Run the following command on the kubelet node(s) to check parameter kernel.panic_on_oops:
$ sudo grep kernel.panic_on_oops /etc/sysctl.d/90-kubelet.conf
The output should return a value.
Run the following command on the kubelet node(s) to check parameter vm.overcommit_memory:
$ sudo grep vm.overcommit_memory /etc/sysctl.d/90-kubelet.conf
The output should return a value.
Run the following command on the kubelet node(s) to check parameter kernel.panic:
$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf
The output should return a value.

The file the instructions refer to does not exist on the node:

$ oc debug node/XX -- chroot /host ls -ltr /etc/sysctl.d/90-kubelet.conf
Starting pod/ip-10-0-155-119us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
ls: cannot access '/etc/sysctl.d/90-kubelet.conf': No such file or directory
Removing debug pod ...
error: non-zero exit code from debug container
Expected results:
The scan result for rule ocp4-kubelet-enable-protect-kernel-sysctl should align with the instructions
Additional info:
This issue applies to OCP 4.13 and later versions only.
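To compare what the scanner reports with what the rule's own instructions would conclude, the checks from the instructions above can be run as a single local script. The script below is an added example written for this report; it is not code from the compliance operator or from the original bug. It takes the file path and parameter names from the instructions, treats a missing file or a parameter without a value as FAIL, and is demonstrated against constructed sample files rather than a real node. The function name and the sample sysctl values are the example's own assumptions.

```shell
# Added example, not from the bug report or the compliance-operator project.
# Re-implements the ocp4-kubelet-enable-protect-kernel-sysctl instructions as a
# local check so the documented outcome (FAIL when /etc/sysctl.d/90-kubelet.conf
# is absent or a parameter has no value) can be compared with the scan result.

# Parameters the rule instructions say must be present with a value.
PROTECT_KERNEL_SYSCTL_PARAMS="vm.panic_on_oom kernel.keys.root_maxbytes kernel.keys.root_maxkeys kernel.panic kernel.panic_on_oops vm.overcommit_memory"

# check_protect_kernel_sysctl FILE
# Returns 0 (PASS) only if FILE exists and every parameter is set to a value.
# Returns 1 (FAIL) otherwise and prints the first reason found.
check_protect_kernel_sysctl() {
    file="$1"
    # First instruction: the sysctl configuration file must exist.
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    for p in $PROTECT_KERNEL_SYSCTL_PARAMS; do
        # Escape the dots so "kernel.panic" does not match "kernel_panic".
        pat=$(printf '%s' "$p" | sed 's/\./\\./g')
        # Require "param = value"; a bare "param" or "param =" does not count.
        if ! grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file"; then
            echo "FAIL: $p has no value in $file"
            return 1
        fi
    done
    echo "PASS: all parameters set in $file"
    return 0
}

# Demonstration with constructed files (hypothetical values, not a real node).
demo_dir=$(mktemp -d)
cat > "$demo_dir/90-kubelet.conf" <<'EOF'
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000
EOF
check_protect_kernel_sysctl "$demo_dir/90-kubelet.conf"        # PASS
check_protect_kernel_sysctl "$demo_dir/missing.conf" || :      # FAIL: does not exist
rm -rf "$demo_dir"
```

On a node the function would be pointed at /etc/sysctl.d/90-kubelet.conf (for example from an oc debug session after chroot /host). Note that the instruction's plain grep for kernel.panic would also match kernel.panic_on_oops; the script anchors each parameter name on the = sign so each check stands on its own.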