OCPBUGS-26193: Fix missing OCP4 STIG selections #11423
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
yuumasato
changed the title
yuumasato
commented
Jan 5, 2024
| @@ -3,11 +3,12 @@ controls: | |||
| levels: | |||
| - medium | |||
| title: {{{ full_name }}} must be configured with only essential configurations. | |||
| related_rules: | |||
| rules: | |||
There was a problem hiding this comment.
One aspect of the usbgard rules is that at least two rounds of scan and remediations are needed for the rules to pass.
Because in the first round, the rule to install usbguard will be applied, but rules configuring it will result in not applicable.
In the second round, the rules configuring usbguard will fail, and their remediations will be applied.
rhmdnd
reviewed
Jan 18, 2024
|
/test |
|
@rhmdnd: The
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test e2e-aws-ocp4-stig |
|
Looks good to me - just one question inline. |
|
/hold for test |
|
Verification failed with 4.15.0-0.nightly-2024-01-18-050837 + compliance-operator with compliance-operator code Please find the testing details below $ oc compliance bind -N test-ocp4 -S default-auto-apply profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node Creating ScanSettingBinding test-ocp4 $ oc get suite -w NAME PHASE RESULT test-ocp4 LAUNCHING NOT-AVAILABLE test-ocp4 LAUNCHING NOT-AVAILABLE test-ocp4 LAUNCHING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 AGGREGATING NOT-AVAILABLE test-ocp4 AGGREGATING NOT-AVAILABLE test-ocp4 AGGREGATING NOT-AVAILABLE test-ocp4 DONE NON-COMPLIANT test-ocp4 DONE NON-COMPLIANT $ oc get suite NAME PHASE RESULT test-ocp4 DONE NON-COMPLIANT $ oc get scan NAME PHASE RESULT upstream-ocp4-stig DONE NON-COMPLIANT upstream-ocp4-stig-node-master DONE NON-COMPLIANT upstream-ocp4-stig-node-worker DONE NON-COMPLIANT $ oc get cr NAME STATE upstream-ocp4-stig-api-server-encryption-provider-cipher Applied upstream-ocp4-stig-audit-profile-set Applied upstream-ocp4-stig-oauth-or-oauthclient-token-maxage Applied upstream-ocp4-stig-project-config-and-template-network-policy Applied upstream-ocp4-stig-project-config-and-template-network-policy-1 Applied upstream-ocp4-stig-project-config-and-template-resource-quota Applied upstream-ocp4-stig-project-config-and-template-resource-quota-1 Applied $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL NAME STATUS SEVERITY upstream-ocp4-stig-api-server-encryption-provider-cipher FAIL medium upstream-ocp4-stig-audit-profile-set FAIL medium upstream-ocp4-stig-oauth-or-oauthclient-token-maxage FAIL medium upstream-ocp4-stig-project-config-and-template-network-policy FAIL medium upstream-ocp4-stig-project-config-and-template-resource-quota FAIL medium [bgudi@bgudi content]$ oc-compliance rerun-now scansettingbinding test-ocp4 Rerunning scans from 'test-ocp4': upstream-ocp4-stig, upstream-ocp4-stig-node-master, upstream-ocp4-stig-node-worker Re-running scan 'openshift-compliance/upstream-ocp4-stig' Re-running scan 'openshift-compliance/upstream-ocp4-stig-node-master' Re-running scan 'openshift-compliance/upstream-ocp4-stig-node-worker' $ oc get suite -w NAME PHASE RESULT test-ocp4 LAUNCHING NOT-AVAILABLE test-ocp4 LAUNCHING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 RUNNING NOT-AVAILABLE test-ocp4 AGGREGATING NOT-AVAILABLE test-ocp4 AGGREGATING NOT-AVAILABLE test-ocp4 DONE NON-COMPLIANT test-ocp4 DONE NON-COMPLIANT $ oc get ccr -l compliance.openshift.io/automated-remediation= NAME STATUS SEVERITY upstream-ocp4-stig-api-server-encryption-provider-cipher PASS medium upstream-ocp4-stig-audit-error-alert-exists PASS high upstream-ocp4-stig-audit-profile-set PASS medium upstream-ocp4-stig-node-master-kubelet-configure-event-creation PASS medium upstream-ocp4-stig-node-master-kubelet-configure-tls-cipher-suites PASS medium upstream-ocp4-stig-node-master-kubelet-configure-tls-min-version PASS medium upstream-ocp4-stig-node-master-kubelet-enable-iptables-util-chains PASS medium upstream-ocp4-stig-node-master-kubelet-enable-protect-kernel-defaults PASS medium upstream-ocp4-stig-node-master-kubelet-enable-protect-kernel-sysctl PASS medium upstream-ocp4-stig-node-master-kubelet-enable-streaming-connections PASS medium upstream-ocp4-stig-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available PASS medium upstream-ocp4-stig-node-master-kubelet-eviction-thresholds-set-hard-memory-available PASS medium upstream-ocp4-stig-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available PASS medium upstream-ocp4-stig-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree PASS medium upstream-ocp4-stig-node-worker-kubelet-configure-event-creation PASS medium upstream-ocp4-stig-node-worker-kubelet-configure-tls-cipher-suites PASS medium upstream-ocp4-stig-node-worker-kubelet-configure-tls-min-version PASS medium upstream-ocp4-stig-node-worker-kubelet-enable-iptables-util-chains PASS medium upstream-ocp4-stig-node-worker-kubelet-enable-protect-kernel-defaults PASS medium upstream-ocp4-stig-node-worker-kubelet-enable-protect-kernel-sysctl PASS medium upstream-ocp4-stig-node-worker-kubelet-enable-streaming-connections PASS medium upstream-ocp4-stig-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available PASS medium upstream-ocp4-stig-node-worker-kubelet-eviction-thresholds-set-hard-memory-available PASS medium upstream-ocp4-stig-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available PASS medium upstream-ocp4-stig-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree PASS medium upstream-ocp4-stig-oauth-or-oauthclient-token-maxage PASS medium upstream-ocp4-stig-project-config-and-template-network-policy PASS medium upstream-ocp4-stig-project-config-and-template-resource-quota PASS medium $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL No resources found in openshift-compliance namespace. $ oc get cr NAME STATE upstream-ocp4-stig-api-server-encryption-provider-cipher Applied upstream-ocp4-stig-audit-profile-set Applied upstream-ocp4-stig-oauth-or-oauthclient-token-maxage Applied upstream-ocp4-stig-project-config-and-template-network-policy Applied upstream-ocp4-stig-project-config-and-template-network-policy-1 Applied upstream-ocp4-stig-project-config-and-template-resource-quota Applied upstream-ocp4-stig-project-config-and-template-resource-quota-1 Applied $ oc delete ssb test-ocp4 scansettingbinding.compliance.openshift.io "test-ocp4" deleted Scenario 2: rhcos4-stig profile -> FAIL $ oc compliance bind -N test-rhcos4 -S default-auto-apply profile/upstream-rhcos4-stig Creating ScanSettingBinding test-rhcos4 $ oc get suite -w NAME PHASE RESULT test-rhcos4 LAUNCHING NOT-AVAILABLE test-rhcos4 LAUNCHING NOT-AVAILABLE test-rhcos4 RUNNING NOT-AVAILABLE test-rhcos4 RUNNING NOT-AVAILABLE test-rhcos4 AGGREGATING NOT-AVAILABLE test-rhcos4 AGGREGATING NOT-AVAILABLE test-rhcos4 DONE NON-COMPLIANT test-rhcos4 DONE NON-COMPLIANT $ oc get scan NAME PHASE RESULT upstream-rhcos4-stig-master DONE NON-COMPLIANT upstream-rhcos4-stig-worker DONE NON-COMPLIANT $ oc get cr | grep MissingDependencies upstream-rhcos4-stig-master-service-usbguard-enabled MissingDependencies upstream-rhcos4-stig-master-usbguard-allow-hid-and-hub MissingDependencies upstream-rhcos4-stig-worker-service-usbguard-enabled MissingDependencies upstream-rhcos4-stig-worker-usbguard-allow-hid-and-hub MissingDependencies $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL NAME STATUS SEVERITY upstream-rhcos4-stig-master-audit-access-failed FAIL medium upstream-rhcos4-stig-master-audit-create-failed FAIL medium upstream-rhcos4-stig-master-audit-delete-failed FAIL medium upstream-rhcos4-stig-master-audit-immutable-login-uids FAIL medium upstream-rhcos4-stig-master-audit-modify-failed FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-chmod FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-chown FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-fchmod FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-fchmodat FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-fchown FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-fchownat FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-fremovexattr FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-fsetxattr FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-lchown FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-lremovexattr FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-lsetxattr FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-removexattr FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-setxattr FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-umount FAIL medium upstream-rhcos4-stig-master-audit-rules-dac-modification-umount2 FAIL medium upstream-rhcos4-stig-master-audit-rules-execution-chcon FAIL medium upstream-rhcos4-stig-master-audit-rules-execution-semanage FAIL medium upstream-rhcos4-stig-master-audit-rules-execution-setfiles FAIL medium upstream-rhcos4-stig-master-audit-rules-execution-setsebool FAIL medium upstream-rhcos4-stig-master-audit-rules-file-deletion-events-rename FAIL medium upstream-rhcos4-stig-master-audit-rules-file-deletion-events-renameat FAIL medium upstream-rhcos4-stig-master-audit-rules-file-deletion-events-rmdir FAIL medium upstream-rhcos4-stig-master-audit-rules-file-deletion-events-unlink FAIL medium upstream-rhcos4-stig-master-audit-rules-file-deletion-events-unlinkat FAIL medium upstream-rhcos4-stig-master-audit-rules-immutable FAIL medium upstream-rhcos4-stig-master-audit-rules-kernel-module-loading-delete FAIL medium upstream-rhcos4-stig-master-audit-rules-kernel-module-loading-finit FAIL medium upstream-rhcos4-stig-master-audit-rules-kernel-module-loading-init FAIL medium upstream-rhcos4-stig-master-audit-rules-login-events-faillock FAIL medium upstream-rhcos4-stig-master-audit-rules-login-events-lastlog FAIL medium upstream-rhcos4-stig-master-audit-rules-login-events-tallylog FAIL medium upstream-rhcos4-stig-master-audit-rules-media-export FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-chage FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-chsh FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-crontab FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-dbus-daemon-launch-helper FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-fusermount FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-fusermount3 FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-gpasswd FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-grub2-set-bootflag FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-mount FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-mount-nfs FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-newgrp FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-pam-timestamp-check FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-passwd FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-pkexec FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-polkit-helper FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-postdrop FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-postqueue FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-pt-chown FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-ssh-keysign FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-sssd-krb5-child FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-sssd-ldap-child FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-sssd-proxy-child FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-sssd-selinux-child FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-su FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-sudo FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-sudoedit FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-umount FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-unix-chkpwd FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-userhelper FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-utempter FAIL medium upstream-rhcos4-stig-master-audit-rules-privileged-commands-write FAIL medium upstream-rhcos4-stig-master-audit-rules-session-events FAIL medium upstream-rhcos4-stig-master-audit-rules-sysadmin-actions FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-creat FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-ftruncate FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-open FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-open-by-handle-at FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-openat FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-rename FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-renameat FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-truncate FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-unlink FAIL medium upstream-rhcos4-stig-master-audit-rules-unsuccessful-file-modification-unlinkat FAIL medium upstream-rhcos4-stig-master-audit-rules-usergroup-modification FAIL medium upstream-rhcos4-stig-master-audit-rules-usergroup-modification-group FAIL medium upstream-rhcos4-stig-master-audit-rules-usergroup-modification-gshadow FAIL medium upstream-rhcos4-stig-master-audit-rules-usergroup-modification-opasswd FAIL medium upstream-rhcos4-stig-master-audit-rules-usergroup-modification-passwd FAIL medium upstream-rhcos4-stig-master-audit-rules-usergroup-modification-shadow FAIL medium upstream-rhcos4-stig-master-auditd-data-disk-error-action FAIL medium upstream-rhcos4-stig-master-coreos-audit-backlog-limit-kernel-argument FAIL medium upstream-rhcos4-stig-master-coreos-audit-option FAIL medium upstream-rhcos4-stig-master-coreos-page-poison-kernel-argument FAIL medium upstream-rhcos4-stig-master-coreos-slub-debug-kernel-argument FAIL medium upstream-rhcos4-stig-master-kernel-module-usb-storage-disabled FAIL medium upstream-rhcos4-stig-master-package-usbguard-installed FAIL medium upstream-rhcos4-stig-master-service-sshd-disabled FAIL high upstream-rhcos4-stig-master-service-usbguard-enabled FAIL medium upstream-rhcos4-stig-master-sshd-disable-root-login FAIL medium upstream-rhcos4-stig-master-sysctl-kernel-dmesg-restrict FAIL low upstream-rhcos4-stig-master-sysctl-kernel-perf-event-paranoid FAIL low upstream-rhcos4-stig-master-sysctl-kernel-randomize-va-space FAIL medium upstream-rhcos4-stig-master-usbguard-allow-hid-and-hub FAIL medium upstream-rhcos4-stig-worker-audit-access-failed FAIL medium upstream-rhcos4-stig-worker-audit-create-failed FAIL medium upstream-rhcos4-stig-worker-audit-delete-failed FAIL medium upstream-rhcos4-stig-worker-audit-immutable-login-uids FAIL medium upstream-rhcos4-stig-worker-audit-modify-failed FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-chmod FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-chown FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-fchmod FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-fchmodat FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-fchown FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-fchownat FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-fremovexattr FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-fsetxattr FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-lchown FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-lremovexattr FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-lsetxattr FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-removexattr FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-setxattr FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-umount FAIL medium upstream-rhcos4-stig-worker-audit-rules-dac-modification-umount2 FAIL medium upstream-rhcos4-stig-worker-audit-rules-execution-chcon FAIL medium upstream-rhcos4-stig-worker-audit-rules-execution-semanage FAIL medium upstream-rhcos4-stig-worker-audit-rules-execution-setfiles FAIL medium upstream-rhcos4-stig-worker-audit-rules-execution-setsebool FAIL medium upstream-rhcos4-stig-worker-audit-rules-file-deletion-events-rename FAIL medium upstream-rhcos4-stig-worker-audit-rules-file-deletion-events-renameat FAIL medium upstream-rhcos4-stig-worker-audit-rules-file-deletion-events-rmdir FAIL medium upstream-rhcos4-stig-worker-audit-rules-file-deletion-events-unlink FAIL medium upstream-rhcos4-stig-worker-audit-rules-file-deletion-events-unlinkat FAIL medium upstream-rhcos4-stig-worker-audit-rules-immutable FAIL medium upstream-rhcos4-stig-worker-audit-rules-kernel-module-loading-delete FAIL medium upstream-rhcos4-stig-worker-audit-rules-kernel-module-loading-finit FAIL medium upstream-rhcos4-stig-worker-audit-rules-kernel-module-loading-init FAIL medium upstream-rhcos4-stig-worker-audit-rules-login-events-faillock FAIL medium upstream-rhcos4-stig-worker-audit-rules-login-events-lastlog FAIL medium upstream-rhcos4-stig-worker-audit-rules-login-events-tallylog FAIL medium upstream-rhcos4-stig-worker-audit-rules-media-export FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-chage FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-chsh FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-crontab FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-dbus-daemon-launch-helper FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-fusermount FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-fusermount3 FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-gpasswd FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-grub2-set-bootflag FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-mount FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-mount-nfs FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-newgrp FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-pam-timestamp-check FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-passwd FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-pkexec FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-polkit-helper FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-postdrop FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-postqueue FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-pt-chown FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-ssh-keysign FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-sssd-krb5-child FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-sssd-ldap-child FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-sssd-proxy-child FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-sssd-selinux-child FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-su FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-sudo FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-sudoedit FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-umount FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-unix-chkpwd FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-userhelper FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-utempter FAIL medium upstream-rhcos4-stig-worker-audit-rules-privileged-commands-write FAIL medium upstream-rhcos4-stig-worker-audit-rules-session-events FAIL medium upstream-rhcos4-stig-worker-audit-rules-sysadmin-actions FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-creat FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-ftruncate FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-open FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-open-by-handle-at FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-openat FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-rename FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-renameat FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-truncate FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-unlink FAIL medium upstream-rhcos4-stig-worker-audit-rules-unsuccessful-file-modification-unlinkat FAIL medium upstream-rhcos4-stig-worker-audit-rules-usergroup-modification FAIL medium upstream-rhcos4-stig-worker-audit-rules-usergroup-modification-group FAIL medium upstream-rhcos4-stig-worker-audit-rules-usergroup-modification-gshadow FAIL medium upstream-rhcos4-stig-worker-audit-rules-usergroup-modification-opasswd FAIL medium upstream-rhcos4-stig-worker-audit-rules-usergroup-modification-passwd FAIL medium upstream-rhcos4-stig-worker-audit-rules-usergroup-modification-shadow FAIL medium upstream-rhcos4-stig-worker-auditd-data-disk-error-action FAIL medium upstream-rhcos4-stig-worker-coreos-audit-backlog-limit-kernel-argument FAIL medium upstream-rhcos4-stig-worker-coreos-audit-option FAIL medium upstream-rhcos4-stig-worker-coreos-page-poison-kernel-argument FAIL medium upstream-rhcos4-stig-worker-coreos-slub-debug-kernel-argument FAIL medium upstream-rhcos4-stig-worker-kernel-module-usb-storage-disabled FAIL medium upstream-rhcos4-stig-worker-package-usbguard-installed FAIL medium upstream-rhcos4-stig-worker-service-sshd-disabled FAIL high upstream-rhcos4-stig-worker-service-usbguard-enabled FAIL medium upstream-rhcos4-stig-worker-sshd-disable-root-login FAIL medium upstream-rhcos4-stig-worker-sysctl-kernel-dmesg-restrict FAIL low upstream-rhcos4-stig-worker-sysctl-kernel-perf-event-paranoid FAIL low upstream-rhcos4-stig-worker-sysctl-kernel-randomize-va-space FAIL medium upstream-rhcos4-stig-worker-usbguard-allow-hid-and-hub FAIL medium $ oc-compliance rerun-now scansettingbinding test-rhcos4 Rerunning scans from 'test-rhcos4': upstream-rhcos4-stig-master, upstream-rhcos4-stig-worker Re-running scan 'openshift-compliance/upstream-rhcos4-stig-master' Re-running scan 'openshift-compliance/upstream-rhcos4-stig-worker' $ oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-5c2f388f55a1e963789ce3f85f6dd5f1 True False False 3 3 3 0 5h44m worker rendered-worker-9fafad7ce7363e3e8994da447789593c True False False 3 3 3 0 5h44m $ oc get suite NAME PHASE RESULT test-rhcos4 DONE NON-COMPLIANT $ oc get scan NAME PHASE RESULT upstream-rhcos4-stig-master DONE NON-COMPLIANT upstream-rhcos4-stig-worker DONE NON-COMPLIANT $ oc get ^C $ oc get cr | grep MissingDependencies $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL NAME STATUS SEVERITY upstream-rhcos4-stig-master-audit-delete-failed FAIL medium upstream-rhcos4-stig-master-configure-usbguard-auditbackend FAIL low upstream-rhcos4-stig-master-service-usbguard-enabled FAIL medium upstream-rhcos4-stig-master-usbguard-allow-hid-and-hub FAIL medium upstream-rhcos4-stig-worker-audit-delete-failed FAIL medium upstream-rhcos4-stig-worker-configure-usbguard-auditbackend FAIL low upstream-rhcos4-stig-worker-service-usbguard-enabled FAIL medium upstream-rhcos4-stig-worker-usbguard-allow-hid-and-hub FAIL medium After multiple rescan, $ oc-compliance rerun-now scansettingbinding test-rhcos4 Rerunning scans from 'test-rhcos4': upstream-rhcos4-stig-master, upstream-rhcos4-stig-worker Re-running scan 'openshift-compliance/upstream-rhcos4-stig-master' Re-running scan 'openshift-compliance/upstream-rhcos4-stig-worker' $ oc get suite -w NAME PHASE RESULT test-rhcos4 LAUNCHING NOT-AVAILABLE test-rhcos4 RUNNING NOT-AVAILABLE test-rhcos4 RUNNING NOT-AVAILABLE test-rhcos4 AGGREGATING NOT-AVAILABLE test-rhcos4 AGGREGATING NOT-AVAILABLE test-rhcos4 DONE INCONSISTENT test-rhcos4 DONE INCONSISTENT $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL NAME STATUS SEVERITY upstream-rhcos4-stig-master-audit-delete-failed FAIL medium upstream-rhcos4-stig-worker-audit-delete-failed FAIL medium $ oc get ccr | grep INCONSISTENT upstream-rhcos4-stig-worker-service-usbguard-enabled INCONSISTENT medium $ oc describe ccr upstream-rhcos4-stig-worker-service-usbguard-enabled | tail Rationale: The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices. Severity: medium Status: INCONSISTENT Events: |
|
@BhargaviGudi I was not able to get the |
yuumasato
force-pushed
the
fix_stig_ctr_selections
branch
from
67cabe0
to
04b8a94
Compare
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
@@ -394,6 +394,12 @@
[reference]:
SRG-OS-000468-GPOS-00212
+[reference]:
+SRG-APP-000501-CTR-001265
+
+[reference]:
+SRG-APP-000502-CTR-001270
+
[rationale]:
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat
@@ -395,6 +395,12 @@
[reference]:
SRG-OS-000468-GPOS-00212
+[reference]:
+SRG-APP-000501-CTR-001265
+
+[reference]:
+SRG-APP-000502-CTR-001270
+
[rationale]:
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink
@@ -397,6 +397,12 @@
[reference]:
SRG-OS-000468-GPOS-00212
+[reference]:
+SRG-APP-000501-CTR-001265
+
+[reference]:
+SRG-APP-000502-CTR-001270
+
[rationale]:
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat
@@ -397,6 +397,12 @@
[reference]:
SRG-OS-000468-GPOS-00212
+[reference]:
+SRG-APP-000501-CTR-001265
+
+[reference]:
+SRG-APP-000502-CTR-001270
+
[rationale]:
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
@@ -221,6 +221,15 @@
[reference]:
SRG-OS-000471-GPOS-00215
+[reference]:
+SRG-APP-000499-CTR-001255
+
+[reference]:
+SRG-APP-000501-CTR-001265
+
+[reference]:
+SRG-APP-000502-CTR-001270
+
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_delete_failed'.
--- xccdf_org.ssgproject.content_rule_audit_delete_failed
+++ xccdf_org.ssgproject.content_rule_audit_delete_failed
@@ -44,6 +44,12 @@
[reference]:
SRG-OS-000468-GPOS-00212
+[reference]:
+SRG-APP-000501-CTR-001265
+
+[reference]:
+SRG-APP-000502-CTR-001270
+
[rationale]:
Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.
kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_audit_delete_failed' differs.
--- xccdf_org.ssgproject.content_rule_audit_delete_failed
+++ xccdf_org.ssgproject.content_rule_audit_delete_failed
@@ -8,7 +8,7 @@
storage:
files:
- contents:
- source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete
+ source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A
mode: 0600
path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
overwrite: true
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
@@ -253,6 +253,9 @@
SRG-OS-000480-GPOS-00227
[reference]:
+SRG-APP-000141-CTR-000315
+
+[reference]:
RHEL-08-040080
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'.
--- xccdf_org.ssgproject.content_rule_package_usbguard_installed
+++ xccdf_org.ssgproject.content_rule_package_usbguard_installed
@@ -23,6 +23,9 @@
SRG-OS-000378-GPOS-00163
[reference]:
+SRG-APP-000141-CTR-000315
+
+[reference]:
RHEL-08-040139
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'.
--- xccdf_org.ssgproject.content_rule_service_usbguard_enabled
+++ xccdf_org.ssgproject.content_rule_service_usbguard_enabled
@@ -30,6 +30,9 @@
SRG-OS-000378-GPOS-00163
[reference]:
+SRG-APP-000141-CTR-000315
+
+[reference]:
RHEL-08-040141
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub'.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
@@ -24,6 +24,9 @@
[reference]:
SRG-OS-000114-GPOS-00059
+[reference]:
+SRG-APP-000092-CTR-000165
+
[rationale]:
Without allowing Human Interface Devices, it might not be possible
to interact with the system. Without allowing hubs, it might not be possible to use any |
Select rule oauth_or_oauthclient_token_maxage to satisfy SRG-APP-000400-CTR-000960. The default value is 24h (86400 seconds), but the STIG requires 8h (28800 seconds).
Select rules for to generate audit records for unsuccessful attempts to delete objects and catergories of information.
Select rule to generate audit records for the use of pt_chown binary.
The rules for control SRG-APP-000141-CTR-000315 were defined as related, instead of being atually selected.
SRG-APP-000092-CTR-000165 is about setting 'audit' and 'audit_backlog_limit' options. Only one of them was being set.
Select rule USBGuard that authorizes hid and hub devices.
Fix kubernetes remediation for audit_delete_failed.
Make rules `oauth_token_maxage` and `oauthclient_token_maxage` check the token expiry timeout based on a variable. Default timeout is 24h, but STIG requires it to be 8h.
yuumasato
force-pushed
the
fix_stig_ctr_selections
branch
from
04b8a94
to
b05da3d
Compare
|
/test e2e-aws-ocp4-stig |
|
Code Climate has analyzed commit b05da3d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.3% (0.0% change). View more on Code Climate. |
|
/retest |
|
Looks like the most recent CI failure was due to an unrelated change that we're already tracking to clean up CI. |
|
/hold for test |
|
Verification passed with 4.16.0-0.nightly-2024-02-08-073857 + compliance-operator with compliance-operator code Please find the testing details below Scenario 2: rhcos4-stig profile -> PASS First rescan: Second rescan: Third rescan: |
|
/unhold |
|
@BhargaviGudi: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test |
|
@rhmdnd: The
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test 4.15-e2e-aws-ocp4-stig |
|
@yuumasato: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Mab879
added
the
Update Profile
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Rationale: