
sysctl template: allow skipping of runtime checks #11574

Conversation

yuumasato
Member

@yuumasato yuumasato commented Feb 9, 2024

Description:

  • Add new configuration to sysctl template:
    • When check_runtime is "false" the template will not generate checks for the runtime configuration.
    • By default the runtime checks are always generated.
  • Skip generation of runtime checks in rules whose sysctl value is not represented accurately on the scanning pod.
    • net.core.bpf_jit_harden
    • net.ipv6.conf.all.accept_ra
    • net.ipv6.conf.all.accept_redirects
    • net.ipv6.conf.default.accept_ra
    • net.ipv6.conf.default.accept_redirects

Rationale:

  • The goal of these rules is to check for both disk and runtime sysctl configurations. But the way CO checks for runtime sysctls may not be the most reliable. Some sysctls are not represented with fidelity on the openscap pod, despite being correctly configured and in effect in the underlying node OS.

Review Hints:

  • Run a rhcos4-high scan with auto-remediation.
  • Check the OpenShift CI results for rhcos4-high.
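To make the new option concrete, here is an added Python model (written for this page, not the ComplianceAsCode sysctl template itself, which generates OVAL) of a rule that always checks the persisted sysctl configuration and checks the live /proc/sys value only when check_runtime is set; it runs on a constructed fixture in which the persisted value and the /proc/sys view handed to the scanner disagree, which is the situation the rationale describes. The config-file precedence is simplified and all paths and values are constructed.

```python
from __future__ import annotations
import glob
import os
import tempfile


def disk_value(root: str, var: str) -> str | None:
    """Persisted value of var under root. Simplified precedence (an assumption,
    not sysctl --system's exact order): etc/sysctl.d/*.conf in name order,
    then etc/sysctl.conf; the last assignment wins."""
    files = sorted(glob.glob(os.path.join(root, "etc/sysctl.d/*.conf")))
    files.append(os.path.join(root, "etc/sysctl.conf"))
    value = None
    for path in files:
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if not line or line[0] in "#;":
                    continue
                key, sep, val = line.partition("=")
                if sep and key.strip() == var:
                    value = val.strip()
    return value


def runtime_value(proc_sys: str, var: str) -> str | None:
    """Live value as seen through the given /proc/sys tree, None if absent."""
    try:
        with open(os.path.join(proc_sys, *var.split("."))) as fh:
            return fh.read().strip()
    except OSError:
        return None


def evaluate(sysctlvar: str, sysctlval: str, root: str, proc_sys: str,
             check_runtime: bool = True) -> dict:
    """Disk check always; runtime check only when check_runtime is set
    (parameter names mirror the template's sysctlvar/sysctlval/check_runtime)."""
    results = {"disk": disk_value(root, sysctlvar) == sysctlval}
    if check_runtime:
        results["runtime"] = runtime_value(proc_sys, sysctlvar) == sysctlval
    results["pass"] = all(results.values())
    return results


def demo() -> dict:
    """Constructed fixture: the persisted config is compliant, but the /proc/sys
    view handed to the scanner reports a value different from the node's."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/sysctl.d"))
    with open(os.path.join(root, "etc/sysctl.d/90-hardening.conf"), "w") as fh:
        fh.write("# constructed sample\nnet.ipv6.conf.all.accept_ra = 0\n")
    leaf = os.path.join(root, "proc/sys/net/ipv6/conf/all")
    os.makedirs(leaf)
    with open(os.path.join(leaf, "accept_ra"), "w") as fh:
        fh.write("1\n")  # what the scanner sees, not what the node enforces
    proc_sys = os.path.join(root, "proc/sys")
    var = "net.ipv6.conf.all.accept_ra"
    return {
        "with_runtime": evaluate(var, "0", root, proc_sys),
        "without_runtime": evaluate(var, "0", root, proc_sys, check_runtime=False),
    }
```

With the runtime check enabled the rule fails on the disagreeing /proc/sys view even though the disk configuration is correct; with check_runtime disabled only the disk check remains and the rule passes.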

@yuumasato yuumasato added OpenShift OpenShift product related. CoreOS CoreOS product related. Update Rule Issues or pull requests related to Rules updates. labels Feb 9, 2024

@yuumasato
Member Author

/test e2e-aws-rhcos4-high

@rhmdnd
Collaborator

rhmdnd commented Feb 9, 2024

/test


openshift-ci bot commented Feb 9, 2024

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rhmdnd
Collaborator

rhmdnd commented Feb 9, 2024

/test 4.16-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high

@yuumasato
Member Author

yuumasato commented Feb 9, 2024

@rhmdnd The sysctl rules are used in rhcos4 profiles, 😀

/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-hig

When `check_runtime` is false the template will not generate checks
for the runtime configuration. By default the runtime checks are
always generated.

The goal of these rules is to check both the disk and runtime sysctl
configurations. But the way CO checks for runtime sysctls may not be
the most reliable.

On OCP some sysctls are not represented with fidelity on the openscap
pod, despite being correctly configured and in effect in the
underlying node OS.

@yuumasato yuumasato force-pushed the remove-runtime-check-for-some-sysctls branch from e60872b to 0686917 Compare February 9, 2024 15:32

codeclimate bot commented Feb 9, 2024

Code Climate has analyzed commit 0686917 and detected 1 issue on this pull request.

Here's the issue category breakdown:

Category Count
Complexity 1

Note: there is 1 critical issue.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.4% (0.0% change).

View more on Code Climate.


openshift-ci bot commented Feb 9, 2024

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.13-e2e-aws-ocp4-high e60872b link true /test 4.13-e2e-aws-ocp4-high
ci/prow/4.15-e2e-aws-ocp4-high e60872b link true /test 4.15-e2e-aws-ocp4-high
ci/prow/4.16-e2e-aws-ocp4-high e60872b link true /test 4.16-e2e-aws-ocp4-high
ci/prow/4.14-images 0686917 link true /test 4.14-images
ci/prow/4.15-images 0686917 link true /test 4.15-images
ci/prow/4.16-images 0686917 link true /test 4.16-images
ci/prow/images 0686917 link true /test images
ci/prow/4.13-images 0686917 link true /test 4.13-images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@rhmdnd
Collaborator

rhmdnd commented Feb 9, 2024

/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high

Collaborator

@rhmdnd rhmdnd left a comment


E2E testing looks good. Thanks for the fix!

@yuumasato
Member Author

@BhargaviGudi Hi, should be ready for testing.

@BhargaviGudi
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 13, 2024
@BhargaviGudi
Collaborator

Verification passed with 4.16.0-0.nightly-2024-02-08-073857 + compliance-operator with compliance-operator code + PR #11574 code

1. Install CO
2. Create ssb with rhcos4-high profile
$ oc compliance bind -N test -S default-auto-apply profile/upstream-rhcos4-high
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
3. Check for sysctl rules mentioned in the epics
$ oc get ccr | grep sysctl-net-core-bpf-jit-harden
upstream-rhcos4-high-master-sysctl-net-core-bpf-jit-harden                                               FAIL     medium
upstream-rhcos4-high-worker-sysctl-net-core-bpf-jit-harden                                               FAIL     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-all-accept-ra
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-ra                                           FAIL     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-ra                                           FAIL     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-all-accept-redirects
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-redirects                                    FAIL     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-redirects                                    FAIL     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-default-accept-ra
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-ra                                       FAIL     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-ra                                       FAIL     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-default-accept-redirects
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-redirects                                FAIL     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-redirects                                FAIL     medium
4. Rescan
$ oc-compliance rerun-now scansettingbinding test
Rerunning scans from 'test': upstream-rhcos4-high-master, upstream-rhcos4-high-worker
Re-running scan 'openshift-compliance/upstream-rhcos4-high-master'
Re-running scan 'openshift-compliance/upstream-rhcos4-high-worker'
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-050d537d6e33a5ee0a0fc9bfb89c75f3   False     True       False      3              2                   2                     0                      5h41m
worker   rendered-worker-46fdd2c070f80d5a606c5d577528b68e   True      False      False      3              3                   3                     0                      5h41m
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-5207acd97c2b5a44ed83f53e267373e7   True      False      False      3              3                   3                     0                      7h38m
worker   rendered-worker-46fdd2c070f80d5a606c5d577528b68e   True      False      False      3              3                   3                     0                      7h38m
5. Check for sysctl rules mentioned in the epics, all are passed
$ oc get ccr | grep sysctl-net-ipv6-conf-default-accept-redirects
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-redirects                                PASS     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-redirects                                PASS     medium
$ oc get ccr | grep sysctl-net-core-bpf-jit-harden
upstream-rhcos4-high-master-sysctl-net-core-bpf-jit-harden                                               PASS     medium
upstream-rhcos4-high-worker-sysctl-net-core-bpf-jit-harden                                               PASS     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-all-accept-ra
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-ra                                           PASS     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-ra                                           PASS     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-all-accept-redirects
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-redirects                                    PASS     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-redirects                                    PASS     medium
$ oc get ccr | grep sysctl-net-ipv6-conf-default-accept-ra
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-ra                                       PASS     medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-ra                                       PASS     medium

All sysctl rules passed:

$ oc get ccr | grep sysctl
upstream-rhcos4-high-master-sysctl-fs-protected-hardlinks                                                PASS           medium
upstream-rhcos4-high-master-sysctl-fs-protected-symlinks                                                 PASS           medium
upstream-rhcos4-high-master-sysctl-kernel-core-pattern                                                   PASS           medium
upstream-rhcos4-high-master-sysctl-kernel-dmesg-restrict                                                 PASS           low
upstream-rhcos4-high-master-sysctl-kernel-kexec-load-disabled                                            PASS           medium
upstream-rhcos4-high-master-sysctl-kernel-kptr-restrict                                                  PASS           medium
upstream-rhcos4-high-master-sysctl-kernel-perf-event-paranoid                                            PASS           low
upstream-rhcos4-high-master-sysctl-kernel-unprivileged-bpf-disabled                                      PASS           medium
upstream-rhcos4-high-master-sysctl-kernel-yama-ptrace-scope                                              PASS           medium
upstream-rhcos4-high-master-sysctl-net-core-bpf-jit-harden                                               PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-all-accept-redirects                                    PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-all-accept-source-route                                 PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-all-log-martians                                        PASS           unknown
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-all-rp-filter                                           PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-all-secure-redirects                                    PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-all-send-redirects                                      PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-default-accept-redirects                                PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-default-accept-source-route                             PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-default-log-martians                                    PASS           unknown
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-default-rp-filter                                       PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-default-secure-redirects                                PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-conf-default-send-redirects                                  PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-icmp-echo-ignore-broadcasts                                  PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv4-icmp-ignore-bogus-error-responses                            PASS           unknown
upstream-rhcos4-high-master-sysctl-net-ipv4-tcp-syncookies                                               PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-ra                                           PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-redirects                                    PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-all-accept-source-route                                 PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-ra                                       PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-redirects                                PASS           medium
upstream-rhcos4-high-master-sysctl-net-ipv6-conf-default-accept-source-route                             PASS           medium
upstream-rhcos4-high-worker-sysctl-fs-protected-hardlinks                                                PASS           medium
upstream-rhcos4-high-worker-sysctl-fs-protected-symlinks                                                 PASS           medium
upstream-rhcos4-high-worker-sysctl-kernel-core-pattern                                                   PASS           medium
upstream-rhcos4-high-worker-sysctl-kernel-dmesg-restrict                                                 PASS           low
upstream-rhcos4-high-worker-sysctl-kernel-kexec-load-disabled                                            PASS           medium
upstream-rhcos4-high-worker-sysctl-kernel-kptr-restrict                                                  PASS           medium
upstream-rhcos4-high-worker-sysctl-kernel-perf-event-paranoid                                            PASS           low
upstream-rhcos4-high-worker-sysctl-kernel-unprivileged-bpf-disabled                                      PASS           medium
upstream-rhcos4-high-worker-sysctl-kernel-yama-ptrace-scope                                              PASS           medium
upstream-rhcos4-high-worker-sysctl-net-core-bpf-jit-harden                                               PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-all-accept-redirects                                    PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-all-accept-source-route                                 PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-all-log-martians                                        PASS           unknown
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-all-rp-filter                                           PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-all-secure-redirects                                    PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-all-send-redirects                                      PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-default-accept-redirects                                PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-default-accept-source-route                             PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-default-log-martians                                    PASS           unknown
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-default-rp-filter                                       PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-default-secure-redirects                                PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-conf-default-send-redirects                                  PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-icmp-echo-ignore-broadcasts                                  PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv4-icmp-ignore-bogus-error-responses                            PASS           unknown
upstream-rhcos4-high-worker-sysctl-net-ipv4-tcp-syncookies                                               PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-ra                                           PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-redirects                                    PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-all-accept-source-route                                 PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-ra                                       PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-redirects                                PASS           medium
upstream-rhcos4-high-worker-sysctl-net-ipv6-conf-default-accept-source-route                             PASS           medium

@BhargaviGudi
Collaborator

/unhold
/lgtm

@rhmdnd rhmdnd merged commit a74ffbd into ComplianceAsCode:master Feb 13, 2024
37 of 47 checks passed
@Mab879 Mab879 added this to the 0.1.73 milestone Feb 13, 2024
@yuumasato yuumasato deleted the remove-runtime-check-for-some-sysctls branch February 13, 2024 14:19