Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.14
Component/s: Compliance Operator
Labels:
- pre-merge-tested
- pre-merge-verified

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
No
Epic Link:
co-1.4.1-bugs

Target Backport Versions:
None
Target Version:

4.14.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Test Coverage:

-

PX Priority Data:
PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    The STIG profile is missing rules from CaC/content that fulfill requirements on the published STIG for OCP4.
List of rules missing in the profile:
 - ocp4-oauth-or-oauthclient-token-maxage
 - rhcos4-audit-delete-failed
 - rhcos4-audit-immutable-login-uids
 - rhcos4-audit-rules-privileged-commands-pt-chown
 - rhcos4-audit-rules-privileged-commands-write
 - rhcos4-audit-rules-unsuccessful-file-modification-rename
 - rhcos4-audit-rules-unsuccessful-file-modification-renameat
 - rhcos4-audit-rules-unsuccessful-file-modification-unlink
 - rhcos4-audit-rules-unsuccessful-file-modification-unlinkat
 - rhcos4-configure-usbguard-auditbackend
 - rhcos4-coreos-audit-backlog-limit-kernel-argument
 - rhcos4-kernel-module-usb-storage
 - rhcos4-kernel-module-usb-storage-disabled
 - rhcos4-package-usbguard-installed
 - rhcos4-service-sshd-disabled
 - rhcos4-service-usbguard-enabled
 - rhcos4-usbguard-allow-hid-and-hub

Version-Release number of selected component (if applicable):

    v1.3.1

How reproducible:

    Always

Steps to Reproduce:

    1. Install Compliance Operator
    2. Create a SSB with auto-remediation using STIG profile

Actual results:

    The cluster doesn't satisfy some of STIG's requirements for which automation already exists.

Expected results:

    The cluster satisfies STIG requirements that can be remediated via automation.

Additional info:

is related to

CMP-2252 CNTR-OS-001010 - rule disable_SSHD_service is not included in the STIG profile

Closed

links to

fix

RHBA-2024:129828 openshift-compliance-operator bug fix and/or enhancement update

The OCP4 STIG profile is missing existing rules

mentioned on

Merge request - Updated US source to: 18cf4d8 Merge pull request #11638 from Vincent056/debug-shell

Assignee:: Watson Sato

Reporter:: Watson Sato

Need Info From:: None

Contributors:: None

QA Contact:: Xiaojie Yuan

Doc Contact:: None

Votes:: 4 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 2024/01/04 5:47 PM

Updated:: 2025/09/13 11:17 PM

Resolved:: 2024/05/15 1:27 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates