OCPBUGS-20015: Add remediation for RHCOS banners #11470

Merged
merged 1 commit into from
Feb 27, 2024

Conversation

@rhmdnd (Collaborator) commented Jan 24, 2024

Public entities typically require systems to present users with a
specific banner when they log in. We have rules that check for a banner,
and a remediation in the description, along with a remediation we use in
testing.

This commit includes the same remediation as a formal remediation, which
can be applied through the operator, instead of requiring users to
copy/paste them from the check result or rule description.


@rhmdnd rhmdnd changed the title Add remediation for RHCOS banners OCPBUGS-20015: Add remediation for RHCOS banners Jan 24, 2024
@rhmdnd (Collaborator, Author) commented Jan 24, 2024

/test

openshift-ci bot commented Jan 24, 2024

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rhmdnd (Collaborator, Author) commented Jan 24, 2024

/test e2e-aws-rhcos4-high

@rhmdnd rhmdnd added the OpenShift OpenShift product related. label Jan 24, 2024
codeclimate bot commented Jan 25, 2024

Code Climate has analyzed commit adcf824 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

View more on Code Climate.

@rhmdnd (Collaborator, Author) commented Jan 25, 2024

/test e2e-aws-rhcos4-high

@xiaojiey (Collaborator) commented:

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Jan 26, 2024
@rhmdnd (Collaborator, Author) commented Jan 26, 2024

/test e2e-aws-rhcos4-high

openshift-ci bot commented Jan 26, 2024

@rhmdnd: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                   | Commit  | Details | Required | Rerun command
ci/prow/e2e-aws-rhcos4-high | adcf824 | link    | true     | /test e2e-aws-rhcos4-high

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@rhmdnd (Collaborator, Author) commented Jan 26, 2024

Note for reviewers about this PR: it won't work for all nodes if there are additional node pools in the cluster (e.g., infra). In that case, the end user would need to update the machine configuration labels to include any additional node pools so the machine configuration is applied to them, too.

@xiaojiey (Collaborator) commented Feb 1, 2024

Verification pass.
There is a minor issue about the instruction for rule rhcos4-banner-etc-issue, as it is not helpful. I created a bug https://issues.redhat.com/browse/OCPBUGS-28796 to track it.

1. create ssb:
$ oc compliance bind -N test profile/upstream-rhcos4-high -S default-auto-apply
Creating ScanSettingBinding test
2. Check suite and cluster status
$ oc get suite -w
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-a6ba0cf2715e6114dc67d94a90b3ca71   False     True       False      3              0                   0                     0                      5h57m
worker   rendered-worker-dde2711c3dd2270e1fbd97f601ded247   False     True       False      3              0                   0                     0                      5h57m
...
master   rendered-master-2044797427b55c7296f372fa99831037   True      False      False      3              3                   3                     0                      7h6m
worker   rendered-worker-42bdb57db0ed1a7f33023a6987c227e2   True      False      False      3              3                   3                     0                      7h6m
3. Rescan:
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': upstream-rhcos4-high-master, upstream-rhcos4-high-worker
Re-running scan 'openshift-compliance/upstream-rhcos4-high-master'
Re-running scan 'openshift-compliance/upstream-rhcos4-high-worker'
$ oc get suite
NAME   PHASE       RESULT
...
test   DONE          NON-COMPLIANT
$ oc get ccr | grep banner-etc-issue
upstream-rhcos4-high-master-banner-etc-issue                                                             PASS     medium
upstream-rhcos4-high-worker-banner-etc-issue                                                             PASS     medium
$ oc get cr | grep banner-etc-issue
upstream-rhcos4-high-master-banner-etc-issue                                                             Applied
upstream-rhcos4-high-worker-banner-etc-issue                                                             Applied
$ oc get cr upstream-rhcos4-high-master-banner-etc-issue -o yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  creationTimestamp: "2024-02-01T07:01:27Z"
  generation: 2
  labels:
    compliance.openshift.io/scan-name: upstream-rhcos4-high-master
    compliance.openshift.io/suite: test
  name: upstream-rhcos4-high-master-banner-etc-issue
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ComplianceCheckResult
    name: upstream-rhcos4-high-master-banner-etc-issue
    uid: c8d032de-48db-40f3-ad4c-5a8c3f9581d8
  resourceVersion: "142702"
  uid: 851e5999-ea27-4e5a-ab34-15bbd6678858
spec:
  apply: true
  current:
    object:
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        labels:
          machineconfiguration.openshift.io/role: worker
        name: 75-banner-etc-issue
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
            - contents:
                source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
              mode: 420
              overwrite: true
              path: /etc/issue.d/legal-notice
  outdated: {}
  type: Configuration
status:
  applicationState: Applied
$ oc get ccr upstream-rhcos4-high-master-banner-etc-issue -o=jsonpath={.instructions}
To check if the system login banner is compliant,
run the following command:
$ cat /etc/issue

@xiaojiey (Collaborator) commented Feb 1, 2024

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 1, 2024
@BhargaviGudi (Collaborator) commented:

/label qe-approved

openshift-ci bot commented Feb 7, 2024

@BhargaviGudi: The label(s) qe-approved cannot be applied, because the repository doesn't have them.

In response to this:

/label qe-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rhmdnd (Collaborator, Author) commented Feb 7, 2024

@yuumasato @Vincent056 should be ready for another look

@yuumasato yuumasato self-assigned this Feb 21, 2024
@yuumasato (Member) commented:

@rhmdnd Are we okay with this rule being hardcoded to a single banner?
The rule uses variable login_banner_text to determine the banner it should be checking for.

@yuumasato (Member) commented:

@rhmdnd Are we okay with this rule being hardcoded to a single banner? The rule uses variable login_banner_text to determine the banner it should be checking for.

The profiles in RHCOS4 only use this rule with the dod_default banner, which is the one this rule's remediation is being hardcoded to.
The login_banner_text variable is the regular expression that matches the compliant banner. The bash and Ansible remediations strip the regex characters when applying the fix.
At the moment there is no way of doing this stripping for Kubernetes remediations.

This is a small step forward that we can make while CO doesn't support the login_banner_text variable properly.
Another aspect is that when the rule has a remediation, the user can customize/edit the remediation created to fit their needs.
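Two practical points come out of the thread above: the MachineConfig only reaches the MachineConfigPools whose role label it carries (rhmdnd's note about extra pools such as infra), and a user who needs a banner other than the hardcoded dod_default one is expected to edit the generated remediation (yuumasato's reply). The following is an added Python example written for this page; it is not code from ComplianceAsCode/content or from the Compliance Operator. It builds the same object shape as the ComplianceRemediation shown in the verification output (Ignition 3.1.0, /etc/issue.d/legal-notice, mode 420, a percent-encoded data: URL source), emits one MachineConfig per pool role, and decodes the data: URL back out to check that a given MachineConfig really writes the expected banner. The helper names, the shortened sample banner and the "infra" role are assumptions for illustration.

```python
"""Build and inspect banner MachineConfigs like the rhcos4 banner-etc-issue remediation.

Added example for this PR discussion, not code from ComplianceAsCode/content or the
Compliance Operator. The object shape follows the ComplianceRemediation shown above;
the function names are made up for illustration.
"""
import base64
import json
from typing import Dict, List
from urllib.parse import quote, unquote

BANNER_PATH = "/etc/issue.d/legal-notice"
FILE_MODE = 420  # Ignition uses decimal; 420 == 0o644 (rw-r--r--)

# Constructed sample: the first paragraph of the DoD banner from the remediation above.
SAMPLE_BANNER = (
    "You are accessing a U.S. Government (USG) Information System (IS) that is \n"
    "provided for USG-authorized use only. By using this IS (which includes any \n"
    "device attached to this IS), you consent to the following conditions:\n"
)


def encode_data_url(text: str) -> str:
    """Percent-encode text as an RFC 2397 `data:,` URL, the form Ignition accepts.

    safe='' escapes everything but unreserved characters, which yields the
    %20 / %0A / %28 style visible in the remediation's `source` field.
    """
    return "data:," + quote(text, safe="")


def decode_data_url(url: str) -> str:
    """Decode a `data:` URL, handling both percent-encoded and ;base64 payloads."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    meta, _, payload = url[len("data:"):].partition(",")
    if meta.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8")
    return unquote(payload)


def banner_machineconfig(text: str, role: str, name: str = "75-banner-etc-issue") -> Dict:
    """Return a MachineConfig that writes `text` to the banner path on nodes of `role`."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": name,
            # This label decides which MachineConfigPool renders the config.
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {
            "config": {
                "ignition": {"version": "3.1.0"},
                "storage": {
                    "files": [
                        {
                            "path": BANNER_PATH,
                            "mode": FILE_MODE,
                            "overwrite": True,
                            "contents": {"source": encode_data_url(text)},
                        }
                    ]
                },
            }
        },
    }


def banner_machineconfigs_for_pools(text: str, roles: List[str]) -> List[Dict]:
    """One MachineConfig per pool role, so pools beyond master/worker are covered too."""
    return [banner_machineconfig(text, role) for role in roles]


def check_banner_machineconfig(mc: Dict, expected_text: str) -> List[str]:
    """Return findings for a MachineConfig; an empty list means it writes the expected banner."""
    findings: List[str] = []
    files = mc.get("spec", {}).get("config", {}).get("storage", {}).get("files", [])
    banner_files = [f for f in files if f.get("path") == BANNER_PATH]
    if not banner_files:
        return [f"no file entry for {BANNER_PATH}"]
    entry = banner_files[0]
    if entry.get("mode") != FILE_MODE:
        findings.append(f"mode is {entry.get('mode')}, expected {FILE_MODE} (0o644)")
    if entry.get("overwrite") is not True:
        findings.append("overwrite is not set to true")
    try:
        actual = decode_data_url(entry.get("contents", {}).get("source", ""))
    except ValueError as exc:
        return findings + [str(exc)]
    if actual != expected_text:
        findings.append("banner text does not match the expected text")
    return findings


if __name__ == "__main__":
    # "infra" is an assumed extra pool; adjust the list to the pools in your cluster.
    for mc in banner_machineconfigs_for_pools(SAMPLE_BANNER, ["master", "worker", "infra"]):
        print(json.dumps(mc, indent=2))
        print("findings:", check_banner_machineconfig(mc, SAMPLE_BANNER))
```

The decode step is the part worth keeping at hand: when a ComplianceRemediation like the one above is reviewed, `oc get cr ... -o yaml` only shows the percent-encoded `source`, and decoding it is the quickest way to confirm the banner text before `apply: true` is set.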

@yuumasato yuumasato added this to the 0.1.73 milestone Feb 27, 2024
@yuumasato yuumasato merged commit c0135ba into ComplianceAsCode:master Feb 27, 2024
45 of 48 checks passed
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label May 16, 2024