OpenShift Bugs: OCPBUGS-7520

The ocp4-api-server-audit-log-maxsize rule fails even though audit-log-maxsize is 200 MB

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Version: 4.13.0
    • Component: Compliance Operator
    • Sprint: CMP Sprint 61, CMP Sprint 62, CMP Sprint 63

      Description of problem:

      After the auto remediation is applied, rule ocp4-api-server-audit-log-maxsize still gets FAIL

      Version-Release number of selected component (if applicable):

      4.13.0-0.nightly-2023-02-13-235211 + compliance-operator.v0.1.61

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install the Compliance Operator
      2. Create a custom MachineConfigPool (mcp) named wscan
      3. Create a ScanSetting (ss):
      $ oc apply -f - <<EOF
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      metadata:
        name: test
        namespace: openshift-compliance
      rawResultStorage:
        nodeSelector:
          node-role.kubernetes.io/master: ""
        pvAccessModes:
        - ReadWriteOnce
        rotation: 3
        size: 1Gi
        tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoExecute
          key: node.kubernetes.io/not-ready
          operator: Exists
          tolerationSeconds: 300
        - effect: NoExecute
          key: node.kubernetes.io/unreachable
          operator: Exists
          tolerationSeconds: 300
        - effect: NoSchedule
          key: node.kubernetes.io/memory-pressure
          operator: Exists
      roles:
      - wscan
      scanTolerations:
      - operator: Exists
      schedule: 0 1 * * *
      showNotApplicable: false
      strictNodeScan: true
      scanLimits:
        cpu: 150m
        memory: 512Mi
      debug: true
      autoApplyRemediations: true
      autoUpdateRemediations: true
      EOF
      scansetting.compliance.openshift.io/test created
      4. Create a ScanSettingBinding (ssb) that uses the ScanSetting above:
      $ oc apply -f - <<EOF
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        name: my-ssb-r
      profiles:
      - name: ocp4-cis-node
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
      - name: cis-wscan-tp
        kind: TailoredProfile
        apiGroup: compliance.openshift.io/v1alpha1
      settingsRef:
        name: test
        kind: ScanSetting
        apiGroup: compliance.openshift.io/v1alpha1
      EOF
      5. After several rounds of rescans, check the result of the following command:
      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL

      Actual results:

      After the auto remediation is applied, rule ocp4-api-server-audit-log-maxsize still gets FAIL:
      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
      NAME                                        STATUS   SEVERITY
      cis-wscan-tp-api-server-audit-log-maxsize   FAIL     medium
      $ oc get cr cis-wscan-tp-api-server-audit-log-maxsize -o yaml
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ComplianceRemediation
      metadata:
        creationTimestamp: "2023-02-15T11:35:40Z"
        generation: 2
        labels:
          compliance.openshift.io/scan-name: cis-wscan-tp
          compliance.openshift.io/suite: my-ssb-r
        name: cis-wscan-tp-api-server-audit-log-maxsize
        namespace: openshift-compliance
        ownerReferences:
        - apiVersion: compliance.openshift.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: ComplianceCheckResult
          name: cis-wscan-tp-api-server-audit-log-maxsize
          uid: 3f2cc958-ce78-4562-a0d0-995961f1f26c
        resourceVersion: "274650"
        uid: a813c2ec-6fb8-448e-a94a-1c20edd63522
      spec:
        apply: true
        current:
          object:
            apiVersion: config.openshift.io/v1
            kind: APIServer
            metadata:
              name: cluster
            spec:
              maximumFileSizeMegabytes: 100
        outdated: {}
        type: Configuration
      status:
        applicationState: Applied
      $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["audit-log-maxsize"]'
      [
        "200"
      ]
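      To reproduce by hand the check that the `oc get configmap ... | jq` command above performs, here is an added Python example; it is not part of this bug report or of the Compliance Operator's code. It parses the JSON text stored in the `config.yaml` key of the `config` ConfigMap, extracts `audit-log-maxsize` (a list of strings, as the jq output shows) and evaluates it with two different semantics. The bug report does not say how the rule compares the value; the constructed sample mirrors this cluster (flag set to 200, remediation value 100) and shows that an exact-equality comparison against 100 yields FAIL while a minimum-size comparison yields PASS.

```python
import json
from typing import Optional

# Constructed sample of the `config.yaml` key from the `config` ConfigMap in
# openshift-kube-apiserver. The real key holds JSON text, and every entry in
# apiServerArguments is a list of strings, exactly as the jq output above shows.
SAMPLE_CONFIG_YAML = json.dumps({
    "apiServerArguments": {
        "audit-log-maxsize": ["200"],
        "audit-log-maxbackup": ["10"],
    }
})

# Value written by the ComplianceRemediation in this report (maximumFileSizeMegabytes: 100).
REMEDIATION_VALUE_MB = 100


def audit_log_maxsize(config_yaml: str) -> Optional[int]:
    """Return the effective audit-log-maxsize in MB, or None when the flag is unset."""
    cfg = json.loads(config_yaml)
    values = cfg.get("apiServerArguments", {}).get("audit-log-maxsize") or []
    if not values:
        return None
    # The list normally has a single entry; if the flag were repeated, the last
    # occurrence is assumed to win, so that is the one evaluated here.
    return int(values[-1])


def check_exact(config_yaml: str, expected: int = REMEDIATION_VALUE_MB) -> str:
    """Exact-match semantics: PASS only when the flag equals the remediation value."""
    size = audit_log_maxsize(config_yaml)
    return "PASS" if size == expected else "FAIL"


def check_minimum(config_yaml: str, minimum: int = REMEDIATION_VALUE_MB) -> str:
    """Minimum-size semantics: PASS when audit logs rotate at `minimum` MB or more,
    so a larger limit such as 200 MB is still compliant. An unset flag is a FAIL."""
    size = audit_log_maxsize(config_yaml)
    return "PASS" if size is not None and size >= minimum else "FAIL"


if __name__ == "__main__":
    print("audit-log-maxsize :", audit_log_maxsize(SAMPLE_CONFIG_YAML))
    print("exact-match check :", check_exact(SAMPLE_CONFIG_YAML))
    print("minimum-size check:", check_minimum(SAMPLE_CONFIG_YAML))
```

      On a live cluster, feed the functions the output of `oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]'` instead of the constructed sample.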
      Expected results:

      After the auto remediation is applied, all rules that have auto remediations available should get PASS

      Additional info:

      Assignee: Lance Bragstad (lbragsta@redhat.com)
      Reporter: Xiaojie Yuan (xiyuan@redhat.com)