OCPBUGS-28242

Rule rhcos4-service-debug-shell-disabled show as FAIL after auto-remediation applied

Details

    Description

      Description of problem:

       

      With PR https://github.com/ComplianceAsCode/compliance-operator/pull/489, create an ssb with all moderate profiles. After the auto-remediations are applied, check whether any rules still FAIL:
      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status!=PASS
      NAME                                                                   STATUS   SEVERITY
      rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
      rhcos4-moderate-master-sysctl-net-core-bpf-jit-harden                  FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
      rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
      rhcos4-moderate-worker-sysctl-net-core-bpf-jit-harden                  FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium    
      

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      Always    

      Steps to Reproduce:

       

      1. Deploy Compliance Operator with https://github.com/ComplianceAsCode/compliance-operator/pull/489
      2. $ oc compliance bind -N test -S default-auto-apply profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
      3. When mcp and co are back, execute the command below for a second round scan:
         $ oc compliance rerun-now scansettingbinding test
      4. When mcp and co are back, execute the command below for a third round scan:
         $ oc compliance rerun-now scansettingbinding test

       

      Actual results:

       

      After the auto-remediations are applied, check whether any rules still FAIL. The creationTimestamp is not changed after a rerun or after auto-remediation is applied.
      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status!=PASS
      NAME                                                                   STATUS   SEVERITY
      rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
      rhcos4-moderate-master-sysctl-net-core-bpf-jit-harden                  FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
      rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
      rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
      rhcos4-moderate-worker-sysctl-net-core-bpf-jit-harden                  FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
      rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
      $ oc get ccr rhcos4-moderate-master-service-debug-shell-disabled -o yaml -o=jsonpath={.metadata.creationTimestamp}
      2024-01-26T06:17:06Z    
      

      Expected results:

      Rule rhcos4-service-debug-shell-disabled should PASS after auto-remediation is applied.

      Additional info:

      Log is available at https://drive.google.com/drive/folders/1_SJwAYjhRVMhP0KqSUA9I0YHWnwnC2jT

            People

              wenshen@redhat.com Vincent Shen
              xiyuan@redhat.com Xiaojie Yuan
              Bhargavi Gudi Bhargavi Gudi