# oc get csv NAME DISPLAY VERSION REPLACES PHASE compliance-operator.v0.1.59 Compliance Operator 0.1.59 Succeeded # oc get pods NAME READY STATUS RESTARTS AGE compliance-operator-564f48ff44-4zg4w 1/1 Running 1 (22m ago) 23m ocp4-openshift-compliance-pp-659c98c7c4-4lnp5 1/1 Running 0 22m rhcos4-openshift-compliance-pp-78b468bc6b-7r6m7 1/1 Running 0 22m # oc get prof NAME AGE ocp4-cis 22m ocp4-cis-node 22m ocp4-pci-dss 22m ocp4-pci-dss-node 22m 2. Label one RHCOS worker node out of all the workers # oc get nodes|grep worker lon06-worker-0.rdr-vard-ocp-411l-upi.ibm.com Ready worker 55m v1.24.6+5157800 lon06-worker-1.rdr-vard-ocp-411l-upi.ibm.com Ready worker 53m v1.24.6+5157800 lon06-worker-2.rdr-vard-ocp-411l-upi.ibm.com Ready worker 52m v1.24.6+5157800 # oc label node lon06-worker-1.rdr-vard-ocp-411l-upi.ibm.com node-role.kubernetes.io/wrscan= node/lon06-worker-1.rdr-vard-ocp-411l-upi.ibm.com labeled # oc get nodes|grep wrscan lon06-worker-1.rdr-vard-ocp-411l-upi.ibm.com Ready worker,wrscan 54m v1.24.6+5157800 3. 
Create a custom MachineConfigPool to bring them in wrscan pool # oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-c1c455214140fa66544e3f2c980c2204 True False False 3 3 3 0 71m worker rendered-worker-dcc3c3af144edfd832f6d1de57db43af True False False 3 3 3 0 71m # oc create -f - < apiVersion: machineconfiguration.openshift.io/v1 > kind: MachineConfigPool > metadata: > name: wrscan > labels: machineConfigSelector: matchExpressions: - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,wrscan]} nodeSelector: > pools.operator.machineconfiguration.openshift.io/wrscan: '' > spec: > machineConfigSelector: > matchExpressions: > - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,wrscan]} > nodeSelector: > matchLabels: > node-role.kubernetes.io/wrscan: "" > EOF machineconfigpool.machineconfiguration.openshift.io/wrscan created # oc get mcp -w NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-c1c455214140fa66544e3f2c980c2204 True False False 3 3 3 0 71m worker rendered-worker-dcc3c3af144edfd832f6d1de57db43af True False False 3 3 3 0 71m wrscan 6s wrscan 0 0 0 0 6s wrscan False True False 1 0 0 0 11s worker rendered-worker-dcc3c3af144edfd832f6d1de57db43af True False False 2 2 2 0 71m wrscan rendered-wrscan-dcc3c3af144edfd832f6d1de57db43af True False False 1 1 1 0 16s # oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-c1c455214140fa66544e3f2c980c2204 True False False 3 3 3 0 72m worker rendered-worker-dcc3c3af144edfd832f6d1de57db43af True False False 2 2 2 0 72m wrscan rendered-wrscan-dcc3c3af144edfd832f6d1de57db43af True False False 1 1 1 0 47s # oc get mcp --show-labels |grep wrscan wrscan rendered-wrscan-dcc3c3af144edfd832f6d1de57db43af True 
False False 1 1 1 0 83s pools.operator.machineconfiguration.openshift.io/wrscan= 4. Create a ScanSetting named auto-apply with automatic application of remediations enabled # oc create -f - << EOF name: auto-apply namespace: openshift-compliance rawResultStorage: nodeSelector: node-role.kubernetes.io/master: "" pvAccessModes: - ReadWriteOnce rotation: 3 size: 1Gi tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists > apiVersion: compliance.openshift.io/v1alpha1 > autoApplyRemediations: true > autoUpdateRemediations: true > kind: ScanSetting > metadata: > name: auto-apply > namespace: openshift-compliance > rawResultStorage: > nodeSelector: > node-role.kubernetes.io/master: "" > pvAccessModes: > - ReadWriteOnce > rotation: 3 > size: 1Gi > tolerations: > - effect: NoSchedule > key: node-role.kubernetes.io/master > operator: Exists > roles: > - wrscan > scanTolerations: > - operator: Exists > schedule: 0 1 * * * > strictNodeScan: true > EOF scansetting.compliance.openshift.io/auto-apply created # oc get ss NAME AGE auto-apply 9s default 27m default-auto-apply 27m 5. 
Create ScanSettingBinding using auto-apply scansetting # oc create -f - << EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: ScanSettingBinding > metadata: > name: pci-test > profiles: > - name: ocp4-pci-dss > kind: Profile > apiGroup: compliance.openshift.io/v1alpha1 > - name: ocp4-pci-dss-node > kind: Profile apiGroup: compliance.openshift.io/v1alpha1 EOF> apiGroup: compliance.openshift.io/v1alpha1 > settingsRef: > name: auto-apply > kind: ScanSetting > apiGroup: compliance.openshift.io/v1alpha1 > EOF scansettingbinding.compliance.openshift.io/pci-test created # oc get pods -w NAME READY STATUS RESTARTS AGE compliance-operator-564f48ff44-4zg4w 1/1 Running 1 (28m ago) 28m ocp4-openshift-compliance-pp-659c98c7c4-4lnp5 1/1 Running 0 28m ocp4-pci-dss-api-checks-pod 0/2 Init:1/2 0 7s ocp4-pci-dss-node-wrscan-rs-66956b96dc-5296d 1/1 Running 0 7s ocp4-pci-dss-rs-7fbf899885-tpl8w 0/1 ContainerCreating 0 7s openscap-pod-b00ab9ca70ffdf0c44e606144ed5db7cf363807c 0/2 Init:0/1 0 7s rhcos4-openshift-compliance-pp-78b468bc6b-7r6m7 1/1 Running 0 28m ocp4-pci-dss-api-checks-pod 0/2 Init:1/2 0 8s openscap-pod-b00ab9ca70ffdf0c44e606144ed5db7cf363807c 0/2 Init:0/1 0 11s openscap-pod-b00ab9ca70ffdf0c44e606144ed5db7cf363807c 0/2 PodInitializing 0 12s ocp4-pci-dss-rs-7fbf899885-tpl8w 1/1 Running 0 13s ^C # oc get pods NAME READY STATUS RESTARTS AGE compliance-operator-564f48ff44-lmljs 1/1 Running 0 8m49s ocp4-openshift-compliance-pp-659c98c7c4-46qph 1/1 Running 0 8m49s rhcos4-openshift-compliance-pp-78b468bc6b-z2t5n 1/1 Running 0 8m49s # oc get scan NAME PHASE RESULT ocp4-pci-dss DONE NON-COMPLIANT ocp4-pci-dss-node-wrscan DONE NON-COMPLIANT # oc get suite NAME PHASE RESULT pci-test DONE NON-COMPLIANT 6. 
Check all failed rules through the ComplianceCheckResult objects # oc get ccr -lcompliance.openshift.io/check-status=FAIL NAME STATUS SEVERITY ocp4-pci-dss-api-server-encryption-provider-cipher FAIL medium ocp4-pci-dss-api-server-encryption-provider-config FAIL medium ocp4-pci-dss-audit-log-forwarding-enabled FAIL medium ocp4-pci-dss-configure-network-policies-namespaces FAIL high ocp4-pci-dss-file-integrity-exists FAIL medium ocp4-pci-dss-file-integrity-notification-enabled FAIL medium ocp4-pci-dss-idp-is-configured FAIL medium ocp4-pci-dss-kubeadmin-removed FAIL medium ocp4-pci-dss-kubelet-enable-streaming-connections FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-memory-available FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-available FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available FAIL medium ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree FAIL medium ocp4-pci-dss-machine-volume-encrypted FAIL high ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-defaults FAIL medium ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-sysctl FAIL medium 7. Check that every ComplianceRemediation has been applied, except ocp4-pci-dss-node-kubelet-enable-protect-kernel-defaults. 
# oc get complianceremediations NAME STATE ocp4-pci-dss-api-server-encryption-provider-cipher Applied ocp4-pci-dss-api-server-encryption-provider-config Applied ocp4-pci-dss-kubelet-enable-streaming-connections Applied ocp4-pci-dss-kubelet-enable-streaming-connections-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-available Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-available-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-available-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-available-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-memory-available Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-memory-available-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-memory-available-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-memory-available-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-available Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-available-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-available-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-available-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available-1 Applied 
ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available-4 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-available-5 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-4 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-5 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available-4 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-memory-available-5 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available-2 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available-4 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-available-5 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 Applied 
ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4 Applied ocp4-pci-dss-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5 Applied ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-defaults MissingDependencies ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-sysctl Applied 8. Verify that KubeletConfigs have been created for the Compliance Operator and that a MachineConfig has been created for the ocp4-kubelet-enable-protect-kernel-sysctl rule to apply its remediation # oc get kubeletconfig --all-namespaces NAME AGE compliance-operator-kubelet-master 16m compliance-operator-kubelet-worker 16m # oc get mc -lcompliance.openshift.io/suite=pci-test NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE 75-ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-sysctl 3.1.0 17m # oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-7db0bc2d0d2023b1ea18079c86220edc True False False 3 3 3 0 93m worker rendered-worker-0a178a44beebe95c2f912f3868bc1bad True False False 2 2 2 0 93m wrscan rendered-wrscan-b61128e35293baa992468398c3f7035a True False False 1 1 1 0 22m 9. 
Rerun the scan # oc-compliance rerun-now compliancesuite/pci-test Rerunning scans from 'pci-test': ocp4-pci-dss, ocp4-pci-dss-node-wrscan Re-running scan 'openshift-compliance/ocp4-pci-dss' Re-running scan 'openshift-compliance/ocp4-pci-dss-node-wrscan' # oc get scan NAME PHASE RESULT ocp4-pci-dss DONE NON-COMPLIANT ocp4-pci-dss-node-wrscan DONE NON-COMPLIANT # oc get suite NAME PHASE RESULT pci-test DONE NON-COMPLIANT # oc get pods -w NAME READY STATUS RESTARTS AGE compliance-operator-564f48ff44-lmljs 1/1 Running 0 15m ocp4-openshift-compliance-pp-659c98c7c4-46qph 1/1 Running 0 15m ocp4-pci-dss-api-checks-pod 0/2 Init:1/2 0 14s ocp4-pci-dss-rs-55494b74c8-jswr4 1/1 Running 0 14s rhcos4-openshift-compliance-pp-78b468bc6b-z2t5n 1/1 Running 0 15m ocp4-pci-dss-node-wrscan-rs-7d89c8585b-wpkzh 0/1 Pending 0 0s ocp4-pci-dss-node-wrscan-rs-7d89c8585b-wpkzh 0/1 Pending 0 0s ^C 10. Check the status of rule ocp4-kubelet-enable-protect-kernel-defaults and confirm that the MachineConfigPool has been updated after the rescan # oc get complianceremediations ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-defaults NAME STATE ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-defaults Applied # oc get mcp -w NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-7db0bc2d0d2023b1ea18079c86220edc True False False 3 3 3 0 99m worker rendered-worker-0a178a44beebe95c2f912f3868bc1bad False False False 2 0 0 0 99m wrscan rendered-wrscan-b61128e35293baa992468398c3f7035a False False False 1 0 0 0 27m master rendered-master-7db0bc2d0d2023b1ea18079c86220edc True False False 3 3 3 0 99m worker rendered-worker-0a178a44beebe95c2f912f3868bc1bad False False False 2 0 0 0 99m wrscan rendered-wrscan-b61128e35293baa992468398c3f7035a False False False 1 0 0 0 27m master rendered-master-7db0bc2d0d2023b1ea18079c86220edc True False False 3 3 3 0 99m worker rendered-worker-0a178a44beebe95c2f912f3868bc1bad False False False 2 0 0 0 99m # 
oc get ccr | grep wrscan-kubelet-enable-protect ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-defaults FAIL medium ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-sysctl PASS medium # oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-7db0bc2d0d2023b1ea18079c86220edc True False False 3 3 3 0 128m worker rendered-worker-0a178a44beebe95c2f912f3868bc1bad False True False 2 0 0 0 128m wrscan rendered-wrscan-f8e480d30438d642bd4c6792b4e48f1b True False False 1 1 1 0 56m # oc get node NAME STATUS ROLES AGE VERSION lon06-master-0.rdr-vard-ocp-411l-upi.ibm.com Ready master 136m v1.24.6+5157800 lon06-master-1.rdr-vard-ocp-411l-upi.ibm.com Ready master 136m v1.24.6+5157800 lon06-master-2.rdr-vard-ocp-411l-upi.ibm.com Ready master 130m v1.24.6+5157800 lon06-worker-0.rdr-vard-ocp-411l-upi.ibm.com NotReady,SchedulingDisabled worker 113m v1.24.6+5157800 lon06-worker-1.rdr-vard-ocp-411l-upi.ibm.com Ready worker,wrscan 111m v1.24.6+5157800 lon06-worker-2.rdr-vard-ocp-411l-upi.ibm.com Ready worker 110m v1.24.6+5157800