Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-7816

After auto remediation applied, rule rhcos4-sshd-set-loglevel-info still getting FAIL for rhcos4-e8 profile

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • 4.13.0
    • Compliance Operator
    • None
    • Moderate
    • No
    • 1
    • False
    • Hide

      None

      Show
      None
    • The remediation for sshd-set-loglevel-info was updated to apply the correct configuration changes, allowing subsequent scans to pass after the remediation is applied.

      Description of problem:

      After auto remediation applied, rule rhcos4-sshd-set-loglevel-info still getting FAIL for rhcos4-e8 profile

      Version-Release number of selected component (if applicable):

      4.13.0-0.nightly-2023-02-17-090603 + compliance-operator.v0.1.61

      How reproducible:

      Always

      Steps to Reproduce:

       

      1. Install Complaince Operator 
      2. Create a ssb:
      $ oc compliance bind -N test -S default-auto-apply profile/rhcos4-e8
      3. After several rounds of rescan, check result for below command:
      $  oc get ccr  -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
      

      Actual results:
      After auto remediation applied, rule rhcos4-sshd-set-loglevel-info still getting FAIL for rhcos4-e8 profile

      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
      NAME                                      STATUS   SEVERITY
      rhcos4-e8-master-sshd-set-loglevel-info   FAIL     low
      rhcos4-e8-worker-sshd-set-loglevel-info   FAIL     low
      

       

      $ oc get rule rhcos4-sshd-set-loglevel-info -o=jsonpath={.instructions}
      To determine how the SSH daemon's LogLevel option is set, run the following command:
       
      $ sudo grep -i LogLevel /etc/ssh/sshd_config
       
      If a line indicating INFO is returned, then the required value is set.
       
      $ oc debug node/ip-10-0-150-47.us-east-2.compute.internal -- chroot /host sudo grep -i LogLevel /etc/ssh/sshd_config -5
      Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      Starting pod/ip-10-0-150-47us-east-2computeinternal-debug ...
      To use host binaries, run `chroot /host`
      # For more information, see manual page for update-crypto-policies(8).
       
      # Logging
      #SyslogFacility AUTH
      SyslogFacility AUTHPRIV
      #LogLevel INFO
       
      # Authentication:
       
      #LoginGraceTime 60
      PermitRootLogin no
       
      Removing debug pod ...
      
      $ oc get cr rhcos4-e8-master-sshd-set-loglevel-info -o yaml
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ComplianceRemediation
      metadata:
        annotations:
          compliance.openshift.io/xccdf-value-used: var-rekey-limit-size,var-rekey-limit-time,var-sshd-set-login-grace-time,var-sshd-disable-compression,sshd-idle-timeout-value,var-sshd-set-keepalive,var-sshd-priv-separation
        creationTimestamp: "2023-02-21T07:49:31Z"
        generation: 2
        labels:
          compliance.openshift.io/scan-name: rhcos4-e8-master
          compliance.openshift.io/suite: test
        name: rhcos4-e8-master-sshd-set-loglevel-info
        namespace: openshift-compliance
        ownerReferences:
        - apiVersion: compliance.openshift.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: ComplianceCheckResult
          name: rhcos4-e8-master-sshd-set-loglevel-info
          uid: 72704c80-d81e-48ae-a59a-204f7ad9ded7
        resourceVersion: "188686"
        uid: af0f7d5e-bbe5-479b-8abf-58386a9624cd
      spec:
        apply: true
        current:
          object:
            apiVersion: machineconfiguration.openshift.io/v1
            kind: MachineConfig
            spec:
              config:
                ignition:
                  version: 3.1.0
                storage:
                  files:
                  - contents:
                      source: data:,%0A%23%09$OpenBSD:%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020:41:22%20tj%20Exp%20$%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH=%2Fusr%2Flocal%2Fbin:%2Fusr%2Fbin:%2Fusr%2Flocal%2Fsbin:%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20::%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy:%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY=%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication:%0A%0A%23LoginGraceTime%2060%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING:%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20300%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010:30:100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox
                    mode: 384
                    overwrite: true
                    path: /etc/ssh/sshd_config
        outdated: {}
        type: Configuration
      status:
        applicationState: Applied
      

      Expected results:

      All rules with auto remediation available ready should PASS after auto remediation applied.

      Additional info:

       

              wenshen@redhat.com Vincent Shen
              xiyuan@redhat.com Xiaojie Yuan
              Xiaojie Yuan Xiaojie Yuan
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: