OCPBUGS-20015: Add remediation for RHCOS banners
Public entities typically require systems to present users with a specific banner when they log in. We have rules that check for a banner, and a remediation in the description, along with a remediation we use in testing.
This commit includes the same remediation as a formal remediation, which can be applied through the operator, instead of requiring users to copy/paste it from the check result or rule description.
/test
@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images
Use /test all to run the following jobs that were automatically triggered:
pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test e2e-aws-rhcos4-high
Code Climate has analyzed commit adcf8249 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 58.5% (0.0% change).
/test e2e-aws-rhcos4-high
/hold for test
/test e2e-aws-rhcos4-high
@rhmdnd: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-rhcos4-high | adcf8249216a1bf88a6d37fb5069e18268be9083 | link | true | /test e2e-aws-rhcos4-high |
Note for reviewers about this PR: it won't work for all nodes if there are additional node pools in the cluster (e.g., infra). In that case, the end user would need to update the machine configuration labels to include any additional node pools so the machine configuration is applied to them, too.
Verification pass. There is a minor issue about the instruction for rule rhcos4-banner-etc-issue as it is not helpful. I created a bug https://issues.redhat.com/browse/OCPBUGS-28796 to track.
1. create ssb:
$ oc compliance bind -N test profile/upstream-rhcos4-high -S default-auto-apply
Creating ScanSettingBinding test
2. Check suite and cluster status
$ oc get suite -w
NAME PHASE RESULT
test LAUNCHING NOT-AVAILABLE
test LAUNCHING NOT-AVAILABLE
test RUNNING NOT-AVAILABLE
test RUNNING NOT-AVAILABLE
test AGGREGATING NOT-AVAILABLE
test AGGREGATING NOT-AVAILABLE
test DONE NON-COMPLIANT
$ oc get mcp -w
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-a6ba0cf2715e6114dc67d94a90b3ca71 False True False 3 0 0 0 5h57m
worker rendered-worker-dde2711c3dd2270e1fbd97f601ded247 False True False 3 0 0 0 5h57m
...
master rendered-master-2044797427b55c7296f372fa99831037 True False False 3 3 3 0 7h6m
worker rendered-worker-42bdb57db0ed1a7f33023a6987c227e2 True False False 3 3 3 0 7h6m
3. Rescan:
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': upstream-rhcos4-high-master, upstream-rhcos4-high-worker
Re-running scan 'openshift-compliance/upstream-rhcos4-high-master'
Re-running scan 'openshift-compliance/upstream-rhcos4-high-worker'
$ oc get suite
NAME PHASE RESULT
...
test DONE NON-COMPLIANT
$ oc get ccr | grep banner-etc-issue
upstream-rhcos4-high-master-banner-etc-issue PASS medium
upstream-rhcos4-high-worker-banner-etc-issue PASS medium
$ oc get cr | grep banner-etc-issue
upstream-rhcos4-high-master-banner-etc-issue Applied
upstream-rhcos4-high-worker-banner-etc-issue Applied
$ oc get cr upstream-rhcos4-high-master-banner-etc-issue -o yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  creationTimestamp: "2024-02-01T07:01:27Z"
  generation: 2
  labels:
    compliance.openshift.io/scan-name: upstream-rhcos4-high-master
    compliance.openshift.io/suite: test
  name: upstream-rhcos4-high-master-banner-etc-issue
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ComplianceCheckResult
    name: upstream-rhcos4-high-master-banner-etc-issue
    uid: c8d032de-48db-40f3-ad4c-5a8c3f9581d8
  resourceVersion: "142702"
  uid: 851e5999-ea27-4e5a-ab34-15bbd6678858
spec:
  apply: true
  current:
    object:
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        labels:
          machineconfiguration.openshift.io/role: worker
        name: 75-banner-etc-issue
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
            - contents:
                source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
              mode: 420
              overwrite: true
              path: /etc/issue.d/legal-notice
  outdated: {}
  type: Configuration
status:
  applicationState: Applied
$ oc get ccr upstream-rhcos4-high-master-banner-etc-issue -o=jsonpath={.instructions}
To check if the system login banner is compliant,
run the following command:
$ cat /etc/issue
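As an added example (not code from this PR, from ComplianceAsCode or from the Compliance Operator), the Python below builds the same MachineConfig shape seen in the remediation above from a plain banner string, decodes the percent-encoded `data:` URL back to text so the applied content can be verified, and emits one labelled copy per MachineConfigPool for clusters that have pools beyond master and worker, as the reviewer note about infra pools describes. The `75-banner-etc-issue-<role>` naming, the JSON output and the `oc apply -f -` usage are assumptions for this example; the sample banner is constructed, and the sample `data:` URL is the first two lines of the one shown above, truncated.

```python
"""Round-trip the banner carried by a banner_etc_issue MachineConfig.

Added example; not code from this PR or from the Compliance Operator. It
mirrors the fields of the ComplianceRemediation shown in the verification
(Ignition 3.1.0, a percent-encoded data: URL, mode 420 = 0644,
/etc/issue.d/legal-notice) and adds a per-pool generator for clusters with
more MachineConfigPools than master and worker.
"""
import json
from urllib.parse import quote, unquote

BANNER_PATH = "/etc/issue.d/legal-notice"

# First two lines of the DoD banner exactly as encoded in the remediation
# above, truncated to keep the sample short.
SAMPLE_DATA_URL = (
    "data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20"
    "Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20"
    "USG-authorized%20use%20only."
)


def banner_to_data_url(text: str) -> str:
    """Encode banner text as an Ignition 'data:' URL.

    safe='' percent-encodes everything except unreserved characters, so
    spaces, parentheses, commas, colons and newlines become %20 %28 %29 %2C
    %3A %0A, matching the encoding used by the remediation above.
    """
    return "data:," + quote(text, safe="")


def data_url_to_banner(url: str) -> str:
    """Decode a plain (non-base64) Ignition 'data:' URL back to text."""
    prefix = "data:,"
    if not url.startswith(prefix):
        raise ValueError("only plain 'data:,' URLs are handled here")
    return unquote(url[len(prefix):])


def make_banner_machineconfig(role: str, text: str, name: str = "",
                              path: str = BANNER_PATH) -> dict:
    """Build a MachineConfig that writes `text` to `path` on nodes with `role`.

    The '-<role>' name suffix is an assumption for this example; the
    remediation in the PR uses the bare name 75-banner-etc-issue.
    """
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": name or f"75-banner-etc-issue-{role}",
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {
            "config": {
                "ignition": {"version": "3.1.0"},
                "storage": {
                    "files": [{
                        "path": path,
                        "mode": 0o644,  # serialises as 420, as in the remediation
                        "overwrite": True,
                        "contents": {"source": banner_to_data_url(text)},
                    }]
                },
            }
        },
    }


def banner_from_machineconfig(mc: dict, path: str = BANNER_PATH) -> str:
    """Extract and decode the banner file from a MachineConfig (verification)."""
    for entry in mc["spec"]["config"]["storage"]["files"]:
        if entry["path"] == path:
            return data_url_to_banner(entry["contents"]["source"])
    raise KeyError(f"no file entry for {path}")


def machineconfigs_for_pools(pools, text: str) -> list:
    """One MachineConfig per pool name.

    A MachineConfig carries a single role label, and a pool only picks up the
    MachineConfigs matched by its machineConfigSelector, so a remediation
    labelled master or worker does not necessarily reach a custom pool.
    """
    return [make_banner_machineconfig(pool, text) for pool in pools]


if __name__ == "__main__":
    print(data_url_to_banner(SAMPLE_DATA_URL))
    # Constructed sample banner, not the DoD text.
    banner = "Authorized use only. Activity may be monitored and reported.\n"
    for mc in machineconfigs_for_pools(["master", "worker", "infra"], banner):
        assert banner_from_machineconfig(mc) == banner
        print(json.dumps(mc, indent=2))  # pipe into: oc apply -f -
```

If the custom pool's machineConfigSelector already includes the worker role, the worker copy covers it and no extra MachineConfig is needed; otherwise apply one copy per pool. Each new MachineConfig starts a rollout of its pool, so expect the `oc get mcp -w` UPDATING phase shown above to repeat for every pool touched.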
/unhold
/label qe-approved
@BhargaviGudi: The label(s) qe-approved cannot be applied, because the repository doesn't have them.
In response to this:
/label qe-approved
@yuumasato @Vincent056 should be ready for another look
@rhmdnd Are we okay with this rule being hardcoded to a single banner?
The rule uses variable login_banner_text to determine the banner it should be checking for.
@rhmdnd Are we okay with this rule being hardcoded to a single banner? The rule uses variable login_banner_text to determine the banner it should be checking for.
The profiles in RHCOS4 only use this rule with the dod_default banner, which is the one this rule's remediation is being hardcoded to.
The login_banner_text variable is the regular expression that matches the compliant banner. The bash and Ansible remediations strip the regex characters when applying the fix.
At the moment there is no way of making this stripping for Kubernetes remediations.
This is a small step forward that we can make while CO doesn't support the login_banner_text variable properly.
Another aspect is that when the rule has a remediation, the user can customize/edit the remediation created to fit their needs.
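To make the regex-versus-literal point concrete, here is an added example (not code from ComplianceAsCode) that models what the bash remediation does when it strips the regex syntax out of login_banner_text before writing the file, and then checks the result the way the rule checks it. The steps (drop the ^ and $ anchors, unwrap the outer group keeping the first alternative, turn `[\s\n]+` into a space and `(\n)+` into a newline, drop leftover backslashes, fold to 80 columns) follow the structure of that remediation, but the exact sed expressions are not on this page, so their order and the `re.search` approximation of the OVAL pattern match are assumptions; the sample pattern is constructed and far shorter than the real dod_default value.

```python
r"""Derive the literal banner expected by banner_etc_issue from the
login_banner_text regular expression, and show why pasting the regex
itself into the file would not satisfy the check.

Added example; not code from ComplianceAsCode. The conversion below models
the bash remediation's stripping of regex syntax; the exact sed expressions
are not reproduced on this page, so the ordering is an assumption.
"""
import re
import textwrap

# Constructed sample in the same style as the login_banner_text variable:
# anchored, outer group with a long and a short alternative, [\s\n]+ between
# words, escaped punctuation, (\n)+ for a paragraph break.
SAMPLE_LOGIN_BANNER_TEXT = (
    r"^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+"
    r"\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)\.(\n)+"
    r"Unauthorized[\s\n]+use[\s\n]+is[\s\n]+prohibited\."
    r"|Short[\s\n]+banner\.)$"
)


def regex_to_literal(pattern: str, width: int = 80) -> str:
    """Turn a login_banner_text regex into the text to write to /etc/issue."""
    s = re.sub(r"^\^(.*)\$$", r"\1", pattern)        # 0: drop ^ and $ anchors
    m = re.fullmatch(r"\((.*)\)", s)                 # 1: unwrap the outer group and
    if m:                                            #    keep the first alternative
        s = m.group(1).rsplit("|", 1)[0]             #    (the long banner)
    s = re.sub(r"\[\\s\\n\][+*]", " ", s)            # 2: "space or newline" -> space
    s = re.sub(r"\(\\n\)[+*]", "\n", s)              # 3: "(\n)+" -> newline
    s = s.replace("\\", "")                          # 4: unescape \. \( \) \, \: ...
    # fold -sw 80 equivalent: wrap each paragraph at spaces, never inside words
    return "\n".join(
        textwrap.fill(line, width=width, break_long_words=False,
                      break_on_hyphens=False)
        for line in s.split("\n")
    )


def banner_satisfies_check(pattern: str, file_contents: str) -> bool:
    """Approximate the rule's check: the regex is matched against the file.

    ^ and $ in the pattern anchor it to the whole file; $ also accepts one
    trailing newline, which is what /etc/issue normally ends with.
    """
    return re.search(pattern, file_contents) is not None


if __name__ == "__main__":
    literal = regex_to_literal(SAMPLE_LOGIN_BANNER_TEXT)
    print(literal)
    print("literal passes:", banner_satisfies_check(SAMPLE_LOGIN_BANNER_TEXT, literal + "\n"))
    print("raw regex passes:", banner_satisfies_check(SAMPLE_LOGIN_BANNER_TEXT, SAMPLE_LOGIN_BANNER_TEXT))
```

The folded output still matches because every `[\s\n]+` in the pattern accepts the newline that folding inserts, which is also why a Kubernetes remediation has to ship literal text: the MachineConfig writes bytes verbatim, and a value containing `[\s\n]+` and `\(` would be written as-is and fail the check.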