OCPBUGS-3252

Multiarch Support for PCI Profiles not showing correctly


    • Bug
    • Resolution: Done
    • Major
    • 4.11.0
    • CMP Sprint 55, CMP Sprint 56, CMP Sprint 57

      Description of problem:

      The Compliance Operator uses ssg-ocp4-ds.xml which has two different sets of profiles enabled for the architecture. I tried configuring pci-dss and pci-dss-node and the profiles did not work on ppc64le.
      
      When I extracted the configuration on ppc64le it showed that only two profiles were enabled. I imagine the same for s390x.

      Version-Release number of selected component (if applicable):

      4.11

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Create the ScanSettingBinding
      
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        name: pci-compliance
        namespace: openshift-compliance
      # PCI-DSS platform-level and node-level profiles to bind
      profiles:
        - name: ocp4-pci-dss
          kind: Profile
          apiGroup: compliance.openshift.io/v1alpha1
        - name: ocp4-pci-dss-node
          kind: Profile
          apiGroup: compliance.openshift.io/v1alpha1
      # Scan schedule and storage come from the default ScanSetting
      settingsRef:
        name: default
        kind: ScanSetting
        apiGroup: compliance.openshift.io/v1alpha1
      
      **Note, copy and paste did not do the above justice, it mangled the formatting, apologies, ping me if there are issues**
      
      2. Create the ScanSettingBinding
      
      $ oc apply -f ssb-pci.yaml
      scansettingbinding.compliance.openshift.io/pci-compliance configured
      
      The pci-dss and pci-dss-node scan never start.
      
      3. Checking the profiles shows cis and cis-node are the only ones enabled. 
      
      $ oc get -n openshift-compliance profiles.compliance
      NAME            AGE
      ocp4-cis        160m
      ocp4-cis-node   160m
      
      Checking the arch specific content reveals that CIS is the only one included
      

      Actual results:

      $ oc get -n openshift-compliance profiles.compliance
      NAME            AGE
      ocp4-cis        160m
      ocp4-cis-node   160m
      
      arch: amd64
      $ sha256sum ssg-ocp4-ds.xml
      c8907ad1da141642064606036f6a7b0d2e1d21995ef9184089ec16a372814382  ssg-ocp4-ds.xml
      $ oscap info --profiles ssg-ocp4-ds.xml
      xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
      xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
      xccdf_org.ssgproject.content_profile_e8:Australian Cyber Security Centre (ACSC) Essential Eight
      xccdf_org.ssgproject.content_profile_high-node:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
      xccdf_org.ssgproject.content_profile_high:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
      xccdf_org.ssgproject.content_profile_moderate-node:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
      xccdf_org.ssgproject.content_profile_moderate:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
      xccdf_org.ssgproject.content_profile_nerc-cip-node:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Node level
      xccdf_org.ssgproject.content_profile_nerc-cip:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Platform level
      xccdf_org.ssgproject.content_profile_pci-dss-node:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
      xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4

      arch: ppc64le
      $ sha256sum ssg-ocp4-ds.xml
      6caa43c184bd3ae3dbca604db77053cbba62447ea643e023893c7d1937822b53  ssg-ocp4-ds.xml
      $ oscap info --profiles ssg-ocp4-ds.xml
      xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
      xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark

      Expected results:

      PCI and PCI node should be shown along with CIS and CIS node

      Additional info:

       

            lbragsta@redhat.com Lance Bragstad
            pbastide_rh Paul Bastide
            Gaurav Bankar (Inactive)
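A pre-flight check for the condition reported above, as an added example that is not part of the original report or of the Compliance Operator: it lists which Profile names referenced by a ScanSettingBinding are absent from one architecture's `oscap info --profiles` output. The mapping from an `ocp4-` Profile name to an XCCDF profile id is inferred from the names shown in the report, `missing_profiles` is a hypothetical helper, and the two sample listings are constructed (trimmed) from the output quoted in the report.

```shell
#!/bin/sh
# Added example: detect ScanSettingBinding profiles that a datastream lacks.

# Constructed samples: trimmed `oscap info --profiles` listings per arch,
# modelled on the output quoted in the report.
AMD64_PROFILES='xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_pci-dss-node:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4'

PPC64LE_PROFILES='xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark'

# missing_profiles PREFIX LISTING NAME...
#   PREFIX  - product prefix of the Profile objects (assumed: "ocp4")
#   LISTING - text produced by `oscap info --profiles <datastream>`
#   NAME... - Profile names taken from the ScanSettingBinding
# Prints one line per NAME whose XCCDF profile id is not in LISTING.
missing_profiles() {
    prefix=$1
    listing=$2
    shift 2
    # Keep only the id suffix: the text between "content_profile_" and ":".
    available=$(printf '%s\n' "$listing" |
        sed -n 's/^xccdf_org\.ssgproject\.content_profile_\([^:]*\):.*/\1/p')
    for name in "$@"; do
        suffix=${name#"$prefix"-}
        # -x matches the whole line, so "pci-dss" does not match "pci-dss-node".
        if ! printf '%s\n' "$available" | grep -qxF -- "$suffix"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demo over the constructed listings. Against a real datastream, pass
# "$(oscap info --profiles ssg-ocp4-ds.xml)" as LISTING instead.
for arch in amd64 ppc64le; do
    case $arch in
        amd64)   listing=$AMD64_PROFILES ;;
        ppc64le) listing=$PPC64LE_PROFILES ;;
    esac
    gaps=$(missing_profiles ocp4 "$listing" ocp4-pci-dss ocp4-pci-dss-node)
    printf '%s: missing profiles: %s\n' "$arch" "${gaps:-none}"
done
```

Running the same check against each architecture's content before applying the binding surfaces the gap up front, instead of a binding that is accepted but whose scans never start.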