
OCPBUGS-28242: Fix remediation for service_debug-shell_disabled #11638

Merged
merged 2 commits into from
Mar 5, 2024

Conversation

Vincent056
Contributor

Added mask:true to the remediation. Previously the test was still failing after the remediation was applied; this was due to the lack of mask in the remediation.

@Vincent056
Contributor Author

/test


openshift-ci bot commented Mar 1, 2024

@Vincent056: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test



github-actions bot commented Mar 1, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@Vincent056
Contributor Author

/test e2e-aws-rhcos4-moderate


github-actions bot commented Mar 1, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11638
This image was built from commit: 7046452


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11638

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11638 make deploy-local

@yuumasato yuumasato self-assigned this Mar 1, 2024
Member

@yuumasato yuumasato left a comment


@Vincent056 The rule is templated, can we leverage it?
https://github.com/ComplianceAsCode/content/blob/08ed709ef5f3bc3d25f9926a3f03664d53bbe67d/shared/templates/service_disabled/kubernetes.template

If we remove this file, the templated kubernetes remediations will be used.

@Vincent056
Contributor Author

@Vincent056 The rule is templated, can we leverage it? https://github.com/ComplianceAsCode/content/blob/08ed709ef5f3bc3d25f9926a3f03664d53bbe67d/shared/templates/service_disabled/kubernetes.template

If we remove this file, the templated kubernetes remediations will be used.

yes, I think that's a good point
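The point made in the PR description and in the template discussion above, shown as an added example that is not code from ComplianceAsCode/content: a small Python audit of a MachineConfig remediation that distinguishes a systemd unit that is merely `enabled: false` from one that is also `mask: true`, which is what the service-disabled check expects on the node. The MachineConfig dicts are constructed stand-ins for the YAML so the script runs without PyYAML, and the shape given to the templated remediation (one unit entry with `enabled: false` and `mask: true`) is an assumption about what service_disabled/kubernetes.template renders, not its literal text.

```python
"""Audit whether a MachineConfig remediation really disables a systemd unit.

Added example, not code from ComplianceAsCode/content. A MachineConfig wraps
an Ignition config; the systemd units listed there are what the Machine Config
Operator writes to each node. For a service_*_disabled rule the check expects
the unit to be masked (symlinked to /dev/null), not merely not-enabled, so a
remediation carrying only `enabled: false` leaves the rule failing after it
is applied. The dicts below are constructed stand-ins for the YAML.
"""
from __future__ import annotations

SERVICE = "debug-shell"  # unit targeted by service_debug-shell_disabled


def render_service_disabled(service: str) -> dict:
    """Build the MachineConfig shape assumed for the templated remediation.

    Assumption: the service_disabled Kubernetes template emits one systemd
    unit entry with enabled: false and mask: true. This is a labelled
    assumption about the template's output, not its literal text.
    """
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "spec": {
            "config": {
                "ignition": {"version": "3.1.0"},
                "systemd": {
                    "units": [
                        {"name": f"{service}.service", "enabled": False, "mask": True}
                    ]
                },
            }
        },
    }


def find_unit(mc: dict, service: str) -> dict | None:
    """Return the systemd unit entry for `service`, or None if it is absent."""
    units = (
        mc.get("spec", {})
        .get("config", {})
        .get("systemd", {})
        .get("units", [])
    )
    wanted = f"{service}.service"
    for unit in units:
        if unit.get("name") == wanted:
            return unit
    return None


def audit_service_disabled(mc: dict, service: str) -> list[str]:
    """Return the reasons this remediation would not satisfy the check.

    An empty list means the unit is both not enabled and masked.
    """
    unit = find_unit(mc, service)
    if unit is None:
        return [f"{service}.service is not listed under spec.config.systemd.units"]
    problems = []
    if unit.get("enabled") is not False:
        problems.append(f"{service}.service: enabled must be false")
    if unit.get("mask") is not True:
        problems.append(
            f"{service}.service: mask must be true (unit would only be disabled, not masked)"
        )
    return problems


# Constructed "before" remediation: disables the unit but does not mask it.
BEFORE = render_service_disabled(SERVICE)
BEFORE["spec"]["config"]["systemd"]["units"][0].pop("mask")

# "After": what the mask: true remediation (or the templated one) looks like.
AFTER = render_service_disabled(SERVICE)


if __name__ == "__main__":
    for label, mc in (("before", BEFORE), ("after", AFTER)):
        problems = audit_service_disabled(mc, SERVICE)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print(f"  - {p}")
```

Running it reports the "before" remediation as failing on the missing mask and the "after" one as passing; the same `audit_service_disabled` call can be pointed at any MachineConfig you have loaded from YAML to confirm a remediation will actually satisfy the check before it is applied to a pool.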

@Vincent056
Contributor Author

/test e2e-aws-rhcos4-moderate

@BhargaviGudi
Collaborator

/hold for test

openshift-ci bot added the do-not-merge/hold label Mar 4, 2024
Added mask:true to the remediation. Previously the test was still failing after remediation applied, this is due to lack of mask in the remediation.
We already have a templated remediation for service_disabled, we should remove the remediation in the rule and use the templated remediation instead.

codeclimate bot commented Mar 4, 2024

Code Climate has analyzed commit 7046452 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

@BhargaviGudi
Collaborator

Verification passed with 4.16.0-0.nightly-2024-02-29-062601 + compliance-operator deployed from PR-489 code

  1. Install Co from PR-489 code
  2. ./utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11638
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:11638    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:11638    ssg-rhcos4-ds.xml   VALID
  3. Create ssb with both ocp4 and rhcos4 profiles
Creating ScanSettingBinding test
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL  | wc -l
384
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get scan
NAME                                 PHASE   RESULT
upstream-ocp4-moderate               DONE    NON-COMPLIANT
upstream-ocp4-moderate-node-master   DONE    NON-COMPLIANT
upstream-ocp4-moderate-node-worker   DONE    NON-COMPLIANT
upstream-rhcos4-moderate-master      DONE    NON-COMPLIANT
upstream-rhcos4-moderate-worker      DONE    NON-COMPLIANT
  4. Run second run of rescan
Rerunning scans from 'test': upstream-ocp4-moderate, upstream-ocp4-moderate-node-master, upstream-ocp4-moderate-node-worker, upstream-rhcos4-moderate-master, upstream-rhcos4-moderate-worker
Re-running scan 'openshift-compliance/upstream-ocp4-moderate'
Re-running scan 'openshift-compliance/upstream-ocp4-moderate-node-master'
Re-running scan 'openshift-compliance/upstream-ocp4-moderate-node-worker'
Re-running scan 'openshift-compliance/upstream-rhcos4-moderate-master'
Re-running scan 'openshift-compliance/upstream-rhcos4-moderate-worker'
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME                                                              STATUS   SEVERITY
upstream-rhcos4-moderate-master-configure-usbguard-auditbackend   FAIL     low
upstream-rhcos4-moderate-master-service-usbguard-enabled          FAIL     medium
upstream-rhcos4-moderate-master-usbguard-allow-hid-and-hub        FAIL     medium
upstream-rhcos4-moderate-worker-configure-usbguard-auditbackend   FAIL     low
upstream-rhcos4-moderate-worker-service-usbguard-enabled          FAIL     medium
upstream-rhcos4-moderate-worker-usbguard-allow-hid-and-hub        FAIL     medium
$ oc get ccr -l compliance.openshift.io/inconsistent-check
No resources found in openshift-compliance namespace.
  5. Run third round of rescan. rhcos4-service-debug-shell-disabled has passed
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': upstream-ocp4-moderate, upstream-ocp4-moderate-node-master, upstream-ocp4-moderate-node-worker, upstream-rhcos4-moderate-master, upstream-rhcos4-moderate-worker
Re-running scan 'openshift-compliance/upstream-ocp4-moderate'
Re-running scan 'openshift-compliance/upstream-ocp4-moderate-node-master'
Re-running scan 'openshift-compliance/upstream-ocp4-moderate-node-worker'
Re-running scan 'openshift-compliance/upstream-rhcos4-moderate-master'
Re-running scan 'openshift-compliance/upstream-rhcos4-moderate-worker'
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-a1f05cfbbaa21690581f59286ee079d0   True      False      False      3              3                   3                     0                      4h3m
worker   rendered-worker-18841050370cd5887121fc73e38c2ce6   True      False      False      3              3                   3                     0                      4h3m
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
No resources found in openshift-compliance namespace.
$ oc get ccr -l compliance.openshift.io/inconsistent-check
No resources found in openshift-compliance namespace.

@BhargaviGudi
Collaborator

/unhold

openshift-ci bot removed the do-not-merge/hold label Mar 5, 2024
@yuumasato yuumasato added this to the 0.1.73 milestone Mar 5, 2024
@yuumasato yuumasato added the OpenShift and Kubernetes labels Mar 5, 2024
@yuumasato yuumasato merged commit 18cf4d8 into ComplianceAsCode:master Mar 5, 2024
44 checks passed