OpenShift Bugs / OCPBUGS-24594

Rule rhcos4-audit-rules-login-events-faillock will fail even after auto-remediation applied


Details

    • Bug
    • Resolution: Done-Errata
    • Critical
    • None
    • 4.11.z
    • Compliance Operator
    • Moderate
    • No
    • CMP Sprint 74, CMP Sprint 75
    • 2
    • False

    Description

      Description of problem:
       
      Rule rhcos4-audit-rules-login-events-faillock will fail even after auto-remediation applied
       
      Version-Release number of selected component (if applicable):
       
      4.11.54 + compliance-operator.v1.4.0
      How reproducible:
      Always
       
      Steps to Reproduce:
       
      1. Install Compliance operator
      2. Create an ssb:
      $ oc compliance bind -N test -S default-auto-apply profile/rhcos4-stig
      3. Rerun the ssb when auto-remediations are applied
      $ oc compliance rerun-now scansettingbinding test

      Actual results:
       

      Rule rhcos4-audit-rules-login-events-faillock will fail even after auto-remediation applied
      
      $ oc debug node/xiyuan-411-snkwc-worker-westus-1
      Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      Starting pod/xiyuan-411-snkwc-worker-westus-1-debug ...
      To use host binaries, run `chroot /host`
      Pod IP: 10.0.1.5
      If you don't see a command prompt, try pressing enter.
      sh-4.4# chroot /host
      sh-4.4# cat /etc/audit/rules.d/75-var_accounts_passwords_pam_faillock_dir_login_events.rules
      -w var_accounts_passwords_pam_faillock_dir -p wa -k logins
      # cat /etc/audit/rules.d/audit.rules
      ## First rule - delete all

      ## Increase the buffers to survive stress events.
      ## Make this bigger for busy systems
      -b 8192

      ## This determine how long to wait in burst of events
      --backlog_wait_time 60000

      ## Set failure mode to syslog

      Expected results:

      All rules with auto-remediation available should PASS after auto-remediation gets applied
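
      Added example, not part of the bug report or of the Compliance Operator: in the rule file shown above, the -w watch target is the bare name var_accounts_passwords_pam_faillock_dir rather than an absolute path. The shell function below flags any such watch rule in a rules directory; the demo file names and the /var/log/lastlog rule are constructed for illustration.

```shell
#!/bin/sh
# Added example; not from the bug report or the Compliance Operator.
# Flags audit watch rules whose -w target is not an absolute path, e.g. a
# variable name left where a directory should have been substituted.

# find_bad_watch_rules DIR
# Prints "file:line: rule" for each offending rule in DIR/*.rules.
# Returns 0 if every -w target is an absolute path, 1 otherwise.
find_bad_watch_rules() {
    dir=$1
    bad=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        out=$(awk '
            /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
            {
                for (i = 1; i < NF; i++)
                    if ($i == "-w" && $(i + 1) !~ /^\//) {
                        printf "%s:%d: %s\n", FILENAME, FNR, $0
                        break
                    }
            }' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            bad=1
        fi
    done
    return "$bad"
}

# demo: run the check on constructed files. The first rule is the line quoted
# in the report; the second is a constructed well-formed rule for contrast.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '-w var_accounts_passwords_pam_faillock_dir -p wa -k logins' \
        > "$tmp/75-faillock.rules"
    printf '%s\n' '-w /var/log/lastlog -p wa -k logins' > "$tmp/10-lastlog.rules"
    rc=0
    find_bad_watch_rules "$tmp" || rc=1
    rm -rf "$tmp"
    return "$rc"
}

# With a directory argument (e.g. /etc/audit/rules.d) check it; otherwise demo.
if [ "$#" -gt 0 ]; then find_bad_watch_rules "$1"; else demo || true; fi
```

      On a node, run it from the chroot /host shell with /etc/audit/rules.d as the argument; a non-zero exit status means at least one watch rule has a non-absolute target.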
           

          People

            lbragsta@redhat.com Lance Bragstad
            xiyuan@redhat.com Xiaojie Yuan
            Bhargavi Gudi Bhargavi Gudi