- Bug
- Resolution: Done
- Major
- None
- 4.11.0
- None
- None
- 2
- CMP Sprint 55, CMP Sprint 56, CMP Sprint 57
- 3
- Proposed
- False
Description of problem:
The Compliance Operator uses ssg-ocp4-ds.xml which has two different sets of profiles enabled for the architecture. I tried configuring pci-dss and pci-dss-node and the profiles did not work on ppc64le. When I extracted the configuration on ppc64le it showed that only two profiles were enabled. I imagine the same for s390x.
Version-Release number of selected component (if applicable):
4.11
How reproducible:
Every time
Steps to Reproduce:
1. Create the ScanSettingBinding

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      name: pci-compliance
      namespace: openshift-compliance
    profiles:
      - name: ocp4-pci-dss
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
      - name: ocp4-pci-dss-node
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
    settingsRef:
      name: default
      kind: ScanSetting
      apiGroup: compliance.openshift.io/v1alpha1

**Note, copy and paste did not do the above justice, it mangled the formatting, apologies, ping me if there are issues**

2. Create the ScanSettingBinding

    $ oc apply -f ssb-pci.yaml
    scansettingbinding.compliance.openshift.io/pci-compliance configured

The pci-dss and pci-dss-node scans never start.

3. Checking the profiles shows cis and cis-node are the only ones enabled.

    $ oc get -n openshift-compliance profiles.compliance
    NAME            AGE
    ocp4-cis        160m
    ocp4-cis-node   160m

Checking the arch specific content reveals that CIS is the only one included
Actual results:
    $ oc get -n openshift-compliance profiles.compliance
    NAME            AGE
    ocp4-cis        160m
    ocp4-cis-node   160m

arch: amd64

    $ sha256sum ssg-ocp4-ds.xml
    c8907ad1da141642064606036f6a7b0d2e1d21995ef9184089ec16a372814382  ssg-ocp4-ds.xml
    $ oscap info --profiles ssg-ocp4-ds.xml
    xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
    xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
    xccdf_org.ssgproject.content_profile_e8:Australian Cyber Security Centre (ACSC) Essential Eight
    xccdf_org.ssgproject.content_profile_high-node:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
    xccdf_org.ssgproject.content_profile_high:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
    xccdf_org.ssgproject.content_profile_moderate-node:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
    xccdf_org.ssgproject.content_profile_moderate:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
    xccdf_org.ssgproject.content_profile_nerc-cip-node:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level
    xccdf_org.ssgproject.content_profile_nerc-cip:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level
    xccdf_org.ssgproject.content_profile_pci-dss-node:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
    xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4

arch: ppc64le

    $ sha256sum ssg-ocp4-ds.xml
    6caa43c184bd3ae3dbca604db77053cbba62447ea643e023893c7d1937822b53  ssg-ocp4-ds.xml
    $ oscap info --profiles ssg-ocp4-ds.xml
    xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
    xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
Expected results:
PCI and PCI node should be shown along with CIS and CIS node
Additional info:
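
The check the report performs by hand, as an added example that is not part of the original report or the Compliance Operator's own code: it reads `oscap info --profiles` output and lists which Profile names a ScanSettingBinding refers to are absent from that architecture's datastream. It assumes Profile objects are named `<bundle>-<profile id>` with bundle `ocp4`, as the `ocp4-cis` / `content_profile_cis` pairing above suggests; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the ppc64le `oscap info --profiles` output quoted in this report.
ppc64le_sample() {
cat <<'EOF'
xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
EOF
}

# Reduce `oscap info --profiles` lines (id:title) on stdin to short profile ids,
# e.g. xccdf_org.ssgproject.content_profile_pci-dss-node:... -> pci-dss-node
profile_ids() {
    sed -n 's/^xccdf_org\.ssgproject\.content_profile_\([^:]*\):.*/\1/p' | sort -u
}

# missing_profiles BUNDLE NAME...
# Reads oscap output on stdin and prints every requested Profile name whose
# short id is not shipped in the datastream. Assumption: the Profile name is
# "<BUNDLE>-<short id>"; a name without that prefix is looked up unchanged.
missing_profiles() {
    bundle=$1
    shift
    have=$(profile_ids)
    for want in "$@"; do
        short=${want#"$bundle"-}
        # -x matches whole lines, so "cis" does not match "cis-node"
        printf '%s\n' "$have" | grep -qxF -- "$short" || printf '%s\n' "$want"
    done
}

# Demo with the constructed sample; on a real node image, replace the sample with:
#   oscap info --profiles ssg-ocp4-ds.xml | missing_profiles ocp4 <names from the binding>
missing=$(ppc64le_sample | missing_profiles ocp4 ocp4-pci-dss ocp4-pci-dss-node ocp4-cis)
if [ -n "$missing" ]; then
    echo "Profiles referenced by the binding but absent from this datastream:"
    echo "$missing"
fi
```

Running this against each architecture's content before applying a binding shows a missing profile up front, rather than as a scan that never starts.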