- Bug
- Resolution: Done-Errata
- Undefined
- None
- 4.13.z, 4.15.0
- Moderate
- No
- False
Description of problem:
With PR https://github.com/ComplianceAsCode/compliance-operator/pull/489, create an ssb with all moderate profiles. After the auto-remediations are applied, check whether any rules still FAIL:

$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status!=PASS
NAME                                                                   STATUS   SEVERITY
rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-master-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-worker-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Deploy Compliance Operator with https://github.com/ComplianceAsCode/compliance-operator/pull/489
2. $ oc compliance bind -N test -S default-auto-apply profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
3. When mcp and co are back, execute the command below for a second-round scan:
   $ oc compliance rerun-now scansettingbinding test
4. When mcp and co are back, execute the command below for a third-round scan:
   $ oc compliance rerun-now scansettingbinding test
Actual results:
After the auto-remediations are applied, check whether any rules still FAIL. The creationTimestamp is not changed after a rerun, or after auto-remediation is applied.

$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status!=PASS
NAME                                                                   STATUS   SEVERITY
rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-master-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-worker-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium

$ oc get ccr rhcos4-moderate-master-service-debug-shell-disabled -o yaml -o=jsonpath={.metadata.creationTimestamp}
2024-01-26T06:17:06Z
Expected results:
Rule rhcos4-service-debug-shell-disabled should PASS after auto-remediation is applied.
Additional info:
Log is available at https://drive.google.com/drive/folders/1_SJwAYjhRVMhP0KqSUA9I0YHWnwnC2jT
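
Added example, not part of the original report or of the Compliance Operator project: a small helper for the comparison the reproduction steps do by eye, listing checks that are still non-PASS in two consecutive scan rounds. It assumes the `oc get ccr` table output of each round was saved to a file; the function name, file names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# still_failing BEFORE AFTER
#   BEFORE / AFTER: saved table output (NAME STATUS SEVERITY) of the
#   `oc get ccr` command from the report, one file per scan round.
#   Prints every check that is non-PASS in both rounds, with its
#   status transition, sorted by name.
still_failing() {
  awk '
    $1 == "NAME" || NF < 2 { next }      # skip header and blank lines
    FILENAME == ARGV[1] {                # first file: remember non-PASS checks
      if ($2 != "PASS") prev[$1] = $2
      next
    }
    ($1 in prev) && $2 != "PASS" {       # second file: still not passing
      print $1, prev[$1] "->" $2
    }
  ' "$1" "$2" | sort
}

# Constructed sample snapshots. The debug-shell check names come from the
# report; "example-remediated-rule" is a hypothetical check that passes
# once its remediation has been applied.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/round2.txt" <<'EOF'
NAME                                                  STATUS   SEVERITY
rhcos4-moderate-master-example-remediated-rule        FAIL     medium
rhcos4-moderate-master-service-debug-shell-disabled   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled   FAIL     medium
EOF
  cat > "$dir/round3.txt" <<'EOF'
NAME                                                  STATUS   SEVERITY
rhcos4-moderate-master-example-remediated-rule        PASS     medium
rhcos4-moderate-master-service-debug-shell-disabled   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled   FAIL     medium
EOF
  still_failing "$dir/round2.txt" "$dir/round3.txt"
  rm -rf "$dir"
}

demo
```

A check with an automated remediation that shows up in this list after the rerun is a candidate for the behaviour described in this report.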
- links to: RHBA-2024:129828 openshift-compliance-operator bug fix and/or enhancement update