OpenShift Bugs / OCPBUGS-24475

Challenges Persist: PCI Automated Test Results Still Inaccurate Despite Autoremediation


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 4.14.0
    • Compliance Operator
    • Moderate

    Description

      Description of problem:

          Even after the auto-remediation steps, the test cases still returned FAIL.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

          1. oc get ccr | grep FAIL
      
      
      [root@m1326001 content]# oc get ccr|grep FAIL 
      
      ocp4-pci-dss-api-server-api-priority-gate-enabled                                 FAIL     medium
      ocp4-pci-dss-audit-log-forwarding-enabled                                         FAIL     medium
      ocp4-pci-dss-idp-is-configured                                                    FAIL     medium
      ocp4-pci-dss-kubeadmin-removed                                                    FAIL     medium
      ocp4-pci-dss-node-master-file-groupowner-ovs-conf-db-lock                         FAIL     medium
      ocp4-pci-dss-node-master-file-groupowner-ovs-sys-id-conf                          FAIL     medium
      ocp4-pci-dss-node-master-file-permissions-cni-conf                                FAIL     medium
      ocp4-pci-dss-node-master-kubelet-anonymous-auth                                   FAIL     medium
      ocp4-pci-dss-node-master-kubelet-authorization-mode                               FAIL     medium
      ocp4-pci-dss-node-master-kubelet-configure-client-ca                              FAIL     medium
      ocp4-pci-dss-node-master-kubelet-configure-event-creation                         FAIL     medium
      ocp4-pci-dss-node-master-kubelet-configure-tls-cipher-suites                      FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-cert-rotation                             FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-iptables-util-chains                      FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-server-cert-rotation                      FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-streaming-connections                     FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available   FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available    FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available    FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   FAIL     medium
      ocp4-pci-dss-node-worker-file-groupowner-ovs-conf-db-lock                         FAIL     medium
      ocp4-pci-dss-node-worker-file-groupowner-ovs-sys-id-conf                          FAIL     medium
      ocp4-pci-dss-node-worker-file-permissions-cni-conf                                FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-anonymous-auth                                   FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-authorization-mode                               FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-configure-client-ca                              FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-configure-event-creation                         FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites                      FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-cert-rotation                             FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-iptables-util-chains                      FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-server-cert-rotation                      FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-streaming-connections                     FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available   FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available    FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available    FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   FAIL     medium
      ocp4-pci-dss-ocp-allowed-registries                                               FAIL     medium
      ocp4-pci-dss-ocp-allowed-registries-for-import                                    FAIL     medium
      
      [root@m1326001 content]# oc get cr
      NAME                                                                                STATE
      ocp4-pci-dss-node-master-kubelet-configure-event-creation                           Applied
      ocp4-pci-dss-node-master-kubelet-configure-tls-cipher-suites                        Applied
      ocp4-pci-dss-node-master-kubelet-enable-iptables-util-chains                        Applied
      ocp4-pci-dss-node-master-kubelet-enable-streaming-connections                       Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available     Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available-1   Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available      Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available-1    Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available      Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available-1    Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree     Applied
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1   Applied
      ocp4-pci-dss-node-worker-kubelet-configure-event-creation                           Applied
      ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites                        Applied
      ocp4-pci-dss-node-worker-kubelet-enable-iptables-util-chains                        Applied
      ocp4-pci-dss-node-worker-kubelet-enable-streaming-connections                       Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available     Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available-1   Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available      Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available-1    Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available      Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available-1    Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree     Applied
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1   Applied
      
      One example test case for reference:
      [root@m1326001 content]# oc describe cr/ocp4-pci-dss-node-master-kubelet-configure-event-creation 
      Name:         ocp4-pci-dss-node-master-kubelet-configure-event-creation
      Namespace:    openshift-compliance
      Labels:       compliance.openshift.io/scan-name=ocp4-pci-dss-node-master
                    compliance.openshift.io/suite=pci-compliance
      Annotations:  compliance.openshift.io/xccdf-value-used: var-event-record-qps
      API Version:  compliance.openshift.io/v1alpha1
      Kind:         ComplianceRemediation
      Metadata:
        Creation Timestamp:  2023-11-28T07:35:30Z
        Generation:          2
        Owner References:
          API Version:           compliance.openshift.io/v1alpha1
          Block Owner Deletion:  true
          Controller:            true
          Kind:                  ComplianceCheckResult
          Name:                  ocp4-pci-dss-node-master-kubelet-configure-event-creation
          UID:                   4ef8ebd9-c2e6-4fe7-8d88-a43ad75abc88
        Resource Version:        4161533
        UID:                     4cd345e8-c907-4589-b5aa-fbfd07234aeb
      Spec:
        Apply:  true
        Current:
          Object:
            API Version:  machineconfiguration.openshift.io/v1
            Kind:         KubeletConfig
            Spec:
              Kubelet Config:
                Event Record QPS:  50
        Outdated:
        Type:  Configuration
      Status:
        Application State:  Applied
      Events:               <none>
      
      [root@m1326001 content]# oc get ccr|grep FAIL 
      ocp4-pci-dss-api-server-api-priority-gate-enabled                                 FAIL     medium
      ocp4-pci-dss-audit-log-forwarding-enabled                                         FAIL     medium
      ocp4-pci-dss-idp-is-configured                                                    FAIL     medium
      ocp4-pci-dss-kubeadmin-removed                                                    FAIL     medium
      ocp4-pci-dss-node-master-file-groupowner-ovs-conf-db-lock                         FAIL     medium
      ocp4-pci-dss-node-master-file-groupowner-ovs-sys-id-conf                          FAIL     medium
      ocp4-pci-dss-node-master-file-permissions-cni-conf                                FAIL     medium
      ocp4-pci-dss-node-master-kubelet-anonymous-auth                                   FAIL     medium
      ocp4-pci-dss-node-master-kubelet-authorization-mode                               FAIL     medium
      ocp4-pci-dss-node-master-kubelet-configure-client-ca                              FAIL     medium
      ocp4-pci-dss-node-master-kubelet-configure-event-creation                         FAIL     medium
      ocp4-pci-dss-node-master-kubelet-configure-tls-cipher-suites                      FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-cert-rotation                             FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-iptables-util-chains                      FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-server-cert-rotation                      FAIL     medium
      ocp4-pci-dss-node-master-kubelet-enable-streaming-connections                     FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available   FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available    FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available    FAIL     medium
      ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   FAIL     medium
      ocp4-pci-dss-node-worker-file-groupowner-ovs-conf-db-lock                         FAIL     medium
      ocp4-pci-dss-node-worker-file-groupowner-ovs-sys-id-conf                          FAIL     medium
      ocp4-pci-dss-node-worker-file-permissions-cni-conf                                FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-anonymous-auth                                   FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-authorization-mode                               FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-configure-client-ca                              FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-configure-event-creation                         FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites                      FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-cert-rotation                             FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-iptables-util-chains                      FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-server-cert-rotation                      FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-enable-streaming-connections                     FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available   FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available    FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available    FAIL     medium
      ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   FAIL     medium
      ocp4-pci-dss-ocp-allowed-registries                                               FAIL     medium
      ocp4-pci-dss-ocp-allowed-registries-for-import                                    FAIL     medium
      
      
      [root@m1326001 content]# oc get csv 
      NAME                             DISPLAY                   VERSION   REPLACES   PHASE
      compliance-operator.v1.3.1       Compliance Operator       1.3.1                Succeeded
      file-integrity-operator.v1.3.3   File Integrity Operator   1.3.3                Succeeded    
          

      Actual results:

          The checks still return FAIL in oc get ccr.

      Expected results:

          They should pass after auto-remediation (oc get ccr).

      Additional info:

          Even oc describe <.....> shows each and every one as applied.
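      Triage note (added example, not part of the original report or of the Compliance Operator code). Two things are worth separating before treating the output above as a bug. First, ComplianceCheckResult objects are only refreshed by a new scan run, and node-level KubeletConfig remediations such as the Event Record QPS one shown above are rolled out by the Machine Config Operator, so the checks cannot change to PASS until the MachineConfigPools have finished updating and the suite has been rescanned (the Compliance Operator accepts an empty compliance.openshift.io/rescan= annotation on the ComplianceSuite, here pci-compliance, to trigger that). Second, a number of the FAIL checks in the list above (idp-is-configured, kubeadmin-removed, the kubelet-anonymous-auth, authorization-mode, configure-client-ca and cert-rotation checks, the allowed-registries checks) have no ComplianceRemediation object at all in the oc get cr output, so auto-remediation was never going to fix them. The helper below cross-references the two dumps (the shape of oc get ccr -o json and oc get cr -o json) and buckets every FAIL check into "remediation applied but still failing" (rescan/rollout expected, or the symptom this report describes), "remediation not yet applied", and "no remediation exists, manual fix needed". The sample objects in it are constructed and abridged from the names in this report; the one NotApplied remediation is invented to exercise the pending bucket.

```python
"""Cross-reference Compliance Operator check results with their remediations.

Added example, not Compliance Operator code. Input follows the JSON shape of
`oc -n openshift-compliance get ccr -o json` and `oc -n openshift-compliance get cr -o json`;
the sample objects below are constructed, abridged from the names in the report.
"""
import json
from collections import defaultdict

# Constructed sample: a few of the FAIL checks from the report plus one PASS
# entry (constructed name) to show that passing checks are ignored.
SAMPLE_CCR = {"items": [
    {"metadata": {"name": name}, "status": status, "severity": "medium"}
    for name, status in [
        ("ocp4-pci-dss-idp-is-configured", "FAIL"),
        ("ocp4-pci-dss-kubeadmin-removed", "FAIL"),
        ("ocp4-pci-dss-node-master-kubelet-anonymous-auth", "FAIL"),
        ("ocp4-pci-dss-node-master-kubelet-configure-event-creation", "FAIL"),
        ("ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available", "FAIL"),
        ("ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites", "FAIL"),
        ("ocp4-pci-dss-example-passing-check", "PASS"),  # constructed name
    ]
]}


def _remediation(name, owner, state, apply=True):
    """Minimal ComplianceRemediation object as `oc get cr -o json` emits it."""
    return {
        "metadata": {
            "name": name,
            # The remediation is owned by the ComplianceCheckResult it fixes.
            "ownerReferences": [{"kind": "ComplianceCheckResult", "name": owner}],
        },
        "spec": {"apply": apply},
        "status": {"applicationState": state},
    }


_EV = "ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available"
_TLS = "ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites"
SAMPLE_CR = {"items": [
    _remediation("ocp4-pci-dss-node-master-kubelet-configure-event-creation",
                 "ocp4-pci-dss-node-master-kubelet-configure-event-creation", "Applied"),
    # Two remediation objects (the "-1" suffix in the report) can hang off one check.
    _remediation(_EV, _EV, "Applied"),
    _remediation(_EV + "-1", _EV, "Applied"),
    # Constructed: deliberately left unapplied to exercise the pending bucket.
    _remediation(_TLS, _TLS, "NotApplied", apply=False),
]}


def triage(ccr_dump, cr_dump):
    """Bucket every FAIL check by the application state of the remediations that own it."""
    states_by_check = defaultdict(list)
    for cr in cr_dump["items"]:
        state = cr.get("status", {}).get("applicationState", "Unknown")
        for owner in cr["metadata"].get("ownerReferences", []):
            if owner.get("kind") == "ComplianceCheckResult":
                states_by_check[owner["name"]].append(state)

    buckets = {"applied_but_failing": [], "remediation_pending": [], "no_remediation": []}
    for ccr in ccr_dump["items"]:
        if ccr.get("status") != "FAIL":
            continue  # PASS, SKIP, MANUAL, etc. need no remediation follow-up here
        name = ccr["metadata"]["name"]
        states = states_by_check.get(name, [])
        if not states:
            buckets["no_remediation"].append(name)       # nothing to auto-apply: manual fix
        elif all(s == "Applied" for s in states):
            buckets["applied_but_failing"].append(name)  # expect PASS after MCP rollout + rescan
        else:
            buckets["remediation_pending"].append(name)  # NotApplied / Pending / Error / Outdated
    return buckets


def triage_files(ccr_path, cr_path):
    """Same triage over dumps saved with `oc get ccr -o json > ccr.json` and `oc get cr -o json > cr.json`."""
    with open(ccr_path) as f_ccr, open(cr_path) as f_cr:
        return triage(json.load(f_ccr), json.load(f_cr))


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_CCR, SAMPLE_CR).items():
        print(f"{bucket} ({len(names)}):")
        for n in names:
            print(f"  {n}")
```

      Only the applied_but_failing bucket is evidence for this report, and only once the MachineConfigPools report Updated and a rescan has completed; the no_remediation bucket has to be fixed by hand regardless of what auto-remediation does.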

          People

            lbragsta@redhat.com Lance Bragstad
            nganesan@redhat.com NIthya Ganesan
            Xiaojie Yuan Xiaojie Yuan