OCPBUGS-19690

Some rules with auto-remediations available fail after the auto-remediations have been applied for the rhcos4-high profile


    Description

      Description of problem:

      Some rules with auto-remediations available fail after the auto-remediations have been applied for the rhcos4-high profile

      Version-Release number of selected component (if applicable):

      compliance-operator.v1.3.0

      How reproducible:

      Always

      Steps to Reproduce:

       

      1. Install compliance operator 
      2. Create a custom mcp wrscan 
      3. Create a ss auto-rem-ss to scan wrscan mcp rule only:
      $ oc get ss auto-rem-ss -o yaml
      apiVersion: compliance.openshift.io/v1alpha1
      autoApplyRemediations: true
      autoUpdateRemediations: true
      kind: ScanSetting
      maxRetryOnTimeout: 3
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: |
            {"apiVersion":"compliance.openshift.io/v1alpha1","autoApplyRemediations":true,"autoUpdateRemediations":true,"kind":"ScanSetting","metadata":{"annotations":{},"name":"auto-rem-ss","namespace":"openshift-compliance"},"rawResultStorage":{"rotation":5,"size":"2Gi"},"roles":["wrscan"],"schedule":"0 1 * * *","strictNodeScan":false}
        creationTimestamp: "2023-09-25T02:05:43Z"
        generation: 1
        name: auto-rem-ss
        namespace: openshift-compliance
        resourceVersion: "43973"
        uid: 29426481-7cd1-48f0-a3cf-934c96f651eb
      rawResultStorage:
        pvAccessModes:
        - ReadWriteOnce
        rotation: 5
        size: 2Gi
      roles:
      - wrscan
      scanTolerations:
      - operator: Exists
      schedule: 0 1 * * *
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m
      
      4. Create a ssb for rhcos4-high profile with auto-remediation set to true
      $ oc compliance bind -N rhcos4-high-7xu7h0tvom -s auto-rem-ss profile/rhcos4-high
      

      Actual results:

      After 2 rounds of cluster reboots, all remediations get applied; rerun the scansettingbinding.

       

      $ oc get cr --no-headers| grep -Ev Applied
      $ oc compliance rerun-now scansettingbinding rhcos4-high-7xu7h0tvom
      Rerunning scans from 'rhcos4-high-7xu7h0tvom': rhcos4-high-wrscan
      Re-running scan 'openshift-compliance/rhcos4-high-wrscan'
      $ oc get suite -w
      NAME                     PHASE     RESULT
      rhcos4-high-7xu7h0tvom   RUNNING   NOT-AVAILABLE
      rhcos4-high-7xu7h0tvom   AGGREGATING   NOT-AVAILABLE
      rhcos4-high-7xu7h0tvom   DONE          NON-COMPLIANT
      rhcos4-high-7xu7h0tvom   DONE          NON-COMPLIAN
      
      
      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
      NAME                                                               STATUS   SEVERITY
      rhcos4-high-wrscan-sysctl-net-core-bpf-jit-harden                  FAIL     medium
      rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
      rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
      rhcos4-high-wrscan-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
      rhcos4-high-wrscan-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
      

      Expected results:

      All rules with auto-remediations ready should PASS after all auto-remediations are applied.

      Additional info:

       


            People

              wsato@redhat.com Watson Sato
              xiyuan@redhat.com Xiaojie Yuan
              Xiaojie Yuan Xiaojie Yuan
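
The condition reported above (a check still FAIL while its remediation is Applied) can be isolated by joining the two `oc` table outputs. This is an added example, not part of the original report or of the Compliance Operator; it assumes `oc get cr` prints NAME and STATE columns and that a remediation carries the same name as its check result, and the sample tables are constructed.

```shell
#!/bin/sh
# Added triage helper; not from the bug report or the Compliance Operator.

# classify_failed_checks CCR_TABLE CR_TABLE
#   CCR_TABLE: saved `oc get ccr` output (NAME STATUS SEVERITY, as in the report)
#   CR_TABLE:  saved `oc get cr` output (assumed layout: NAME STATE)
# Prints "<check> <severity> <remediation state>" for every FAIL check.
classify_failed_checks() {
    awk '
        FILENAME == ARGV[1] {            # remediations: remember each state
            if ($1 != "NAME" && NF >= 2) state[$1] = $2
            next
        }
        $1 != "NAME" && $2 == "FAIL" {   # check results: keep only failures
            print $1, $3, (($1 in state) ? state[$1] : "NoRemediation")
        }
    ' "$2" "$1" | LC_ALL=C sort
}

# Checks that still FAIL although their remediation is Applied: the
# condition this report describes.
failed_after_applied() {
    classify_failed_checks "$1" "$2" | awk '$3 == "Applied" { print $1 }'
}

# Constructed sample input. The two sysctl check names are from the report;
# the example-* rows and the whole remediation table are made up.
write_sample_inputs() {
    cat > "$1/ccr.txt" <<'EOF'
NAME                                                     STATUS   SEVERITY
rhcos4-high-wrscan-sysctl-net-core-bpf-jit-harden        FAIL     medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-ra    FAIL     medium
rhcos4-high-wrscan-example-passing-rule                  PASS     medium
rhcos4-high-wrscan-example-pending-rule                  FAIL     high
EOF
    cat > "$1/cr.txt" <<'EOF'
NAME                                                     STATE
rhcos4-high-wrscan-sysctl-net-core-bpf-jit-harden        Applied
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-ra    Applied
rhcos4-high-wrscan-example-passing-rule                  Applied
rhcos4-high-wrscan-example-pending-rule                  NotApplied
EOF
}
```

Against a live cluster, save `oc get ccr` and `oc get cr` to files after the rerun and pass them as the two arguments; checks listed with `NotApplied` or `NoRemediation` are ordinary pending work, while `Applied` rows match this bug.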