- Bug
- Resolution: Done
- Major
- None
- 4.13.0
- None
- Moderate
- No
- 3
- CMP Sprint 61, CMP Sprint 62, CMP Sprint 63
- 3
- Rejected
- False
Description of problem:
After the auto remediation is applied, rule ocp4-api-server-audit-log-maxsize still gets FAIL
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-02-13-235211 + compliance-operator.v0.1.61
How reproducible:
Always
Steps to Reproduce:
1. Install Compliance Operator
2. Create a custom mcp wscan
3. Create a ss:
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: test
  namespace: openshift-compliance
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/master: ""
  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
roles:
- wscan
scanTolerations:
- operator: Exists
schedule: 0 1 * * *
showNotApplicable: false
strictNodeScan: true
scanLimits: { "cpu": "150m", "memory": "512Mi" }
debug: true
autoApplyRemediations: true
autoUpdateRemediations: true
EOF
scansetting.compliance.openshift.io/test created
4. Create a ssb:
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
- name: ocp4-cis-node
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
- name: cis-wscan-tp
  kind: TailoredProfile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: test
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
5. After several rounds of rescan, check the result of the command below:
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
Actual results:
After the auto remediation is applied, rule ocp4-api-server-audit-log-maxsize still gets FAIL:
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME                                        STATUS   SEVERITY
cis-wscan-tp-api-server-audit-log-maxsize   FAIL     medium

$ oc get cr cis-wscan-tp-api-server-audit-log-maxsize -o yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  creationTimestamp: "2023-02-15T11:35:40Z"
  generation: 2
  labels:
    compliance.openshift.io/scan-name: cis-wscan-tp
    compliance.openshift.io/suite: my-ssb-r
  name: cis-wscan-tp-api-server-audit-log-maxsize
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ComplianceCheckResult
    name: cis-wscan-tp-api-server-audit-log-maxsize
    uid: 3f2cc958-ce78-4562-a0d0-995961f1f26c
  resourceVersion: "274650"
  uid: a813c2ec-6fb8-448e-a94a-1c20edd63522
spec:
  apply: true
  current:
    object:
      apiVersion: config.openshift.io/v1
      kind: APIServer
      metadata:
        name: cluster
      spec:
        maximumFileSizeMegabytes: 100
  outdated: {}
  type: Configuration
status:
  applicationState: Applied

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["audit-log-maxsize"]'
[
  "200"
]
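The mismatch above (remediation reports Applied, yet the running kube-apiserver still has audit-log-maxsize 200) is the kind of drift worth checking automatically after auto remediation. The script below is an added example, not part of this report or of the Compliance Operator; it runs on constructed copies of the remediation object and the configmap's config.yaml modelled on the output quoted here, and the function names are my own.

```python
import json

# Constructed sample modelled on the ComplianceRemediation quoted in this report (not live cluster output).
REMEDIATION = {
    "kind": "ComplianceRemediation",
    "metadata": {"name": "cis-wscan-tp-api-server-audit-log-maxsize"},
    "spec": {
        "apply": True,
        "current": {"object": {"kind": "APIServer", "spec": {"maximumFileSizeMegabytes": 100}}},
    },
    "status": {"applicationState": "Applied"},
}

# Constructed stand-in for .data["config.yaml"] of configmap/config in openshift-kube-apiserver,
# which is JSON text; apiServerArguments values are lists of strings, as in the report.
CONFIG_YAML = json.dumps({"apiServerArguments": {"audit-log-maxsize": ["200"]}})


def find_key(obj, key):
    """Depth-first search for `key` anywhere in nested dicts/lists; first value found or None."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for v in obj.values():
            hit = find_key(v, key)
            if hit is not None:
                return hit
    elif isinstance(obj, list):
        for v in obj:
            hit = find_key(v, key)
            if hit is not None:
                return hit
    return None


def effective_arg(config_yaml, arg):
    """Return the kube-apiserver argument as an int, or None when it is not set."""
    vals = json.loads(config_yaml).get("apiServerArguments", {}).get(arg, [])
    return int(vals[0]) if vals else None


def check_remediation(remediation, config_yaml):
    """Compare what the remediation intends with what the apiserver actually runs with."""
    intended = find_key(remediation["spec"]["current"]["object"], "maximumFileSizeMegabytes")
    effective = effective_arg(config_yaml, "audit-log-maxsize")
    applied = remediation.get("status", {}).get("applicationState") == "Applied"
    return {"intended": intended, "effective": effective, "applied": applied,
            "effective_matches": applied and intended is not None and intended == effective}


if __name__ == "__main__":
    print(check_remediation(REMEDIATION, CONFIG_YAML))
```

An "Applied" remediation whose effective_matches is False is exactly the state this bug describes and should fail a post-remediation check rather than be trusted on applicationState alone.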
Expected results:
After the auto remediation is applied, all rules with auto remediations available should get PASS
Additional info:
- is cloned by: OCPBUGS-7716 After auto remediation applied, rule ocp4-api-server-audit-log-maxsize still getting FAIL (Closed)