Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.11.z
Component/s: Compliance Operator
Labels:
- regression

Severity:
Moderate
Regression:
No
Epic Link:
co-1.4.0-bugs
Sprint:
CMP Sprint 74, CMP Sprint 75
sprint_count:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

Rule rhcos4-audit-rules-login-events-faillock will fail even after auto-remediation applied

Version-Release number of selected component (if applicable):

4.11.54 + compliance-operator.v1.4.0
How reproducible:
Always

Steps to Reproduce:

1. Install Compliance operator
2. Create a ssb:
$ oc compliance bind -N test -S default-auto-apply profile/rhcos4-stig
3. Rerun the ssb when auto-remediations applied
$ oc compliance rerun-now scansettingbinding test

Actual results:

Rule rhcos4-audit-rules-login-events-faillock will fail even after auto-remediation applied

$ oc debug node/xiyuan-411-snkwc-worker-westus-1
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/xiyuan-411-snkwc-worker-westus-1-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.1.5
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# cat /etc/audit/rules.d/75-var_accounts_passwords_pam_faillock_dir_login_events.rules
-w var_accounts_passwords_pam_faillock_dir -p wa -k logins
# cat /etc/audit/rules.d/audit.rules 
## First rule - delete all

1. Increase the buffers to survive stress events.
2. Make this bigger for busy systems
  -b 8192
3. This determine how long to wait in burst of events
  --backlog_wait_time 60000
4. Set failure mode to syslog
  
  Expected results:
  
  All rules with auto-remediation available should PASS after auto-remediation get applied {code}

links to

fix

RHBA-2023:7658 OpenShift Compliance Operator bug fix and enhancement update

mentioned on

Merge request - Updated US source to: 18cf4d8 Merge pull request #11638 from Vincent056/debug-shell

Merge request - Updated US source to: 68a4f72 Merge pull request #11358 from yuumasato/audit_rules_login_tempate_kubernetes_path_is_variable

Assignee:: Lance Bragstad

Reporter:: Xiaojie Yuan

QA Contact:: Bhargavi Gudi

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2023/12/07 3:24 PM

Updated:: 2024/03/06 2:24 PM

Resolved:: 2024/01/04 1:08 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates