Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

/test

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test e2e-aws-ocp4-cis
• /test e2e-aws-ocp4-cis-node
• /test e2e-aws-ocp4-e8
• /test e2e-aws-ocp4-high
• /test e2e-aws-ocp4-high-node
• /test e2e-aws-ocp4-moderate
• /test e2e-aws-ocp4-moderate-node
• /test e2e-aws-ocp4-pci-dss
• /test e2e-aws-ocp4-pci-dss-node
• /test e2e-aws-ocp4-stig
• /test e2e-aws-ocp4-stig-node
• /test e2e-aws-rhcos4-e8
• /test e2e-aws-rhcos4-high
• /test e2e-aws-rhcos4-moderate
• /test e2e-aws-rhcos4-stig
• /test images

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-ComplianceAsCode-content-master-images

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

The OpenShift tests should work a bit better once #10841 lands

Rebased to pick up the YAML fix in section 5.

#10843

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

@rhmdnd can you rebase?

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

The CIS tests are failing because we don't have any filtering in place for the node versus platform rules. Working on that now.

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

Filtering worked for the CIS profile. Adding in filtering for the node profile now.

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

cc: @xiaojiey for awareness that these changes are coming to the CIS profile for the next Compliance Operator release.

OCP4 CIS testing passed. cc @jhrozek @Vincent056 @yuumasato

cc: @xiaojiey for awareness that these changes are coming to the CIS profile for the next Compliance Operator release.

Got it. Thanks for the notification. Does it mean cis 1.4.0 is available?

@xiaojiey: The label(s) `/label qe-

cannot be applied. These labels are supported:platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, downstream-change-needed, rebase/manual, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labelsorlabels -> restricted_labelsinplugin.yaml`?

cc: @xiaojiey for awareness that these changes are coming to the CIS profile for the next Compliance Operator release.

Got it. Thanks for the notification. Does it mean cis 1.4.0 is available?

Mostly. We've ported the existing rules and did some changes, but not all. We need to make a second pass to sync the upstream benchmark that we worked on with CIS to the rules, but I don't think there will be many changes. Some parts of CIS are not implementable with CIS yet (some permission issues) outside 4.14+.

But for now this is mostly a different way of building the profile and the references should point to the right controls and sections in upstream CIS.

It appears that we have either missed some rules or maybe these rules were deprecated:

- file_permissions_kube_controller_manager (was in node, 1.1.3, now there is a typo that says file_permissions_kube_apiserver)
- file_owner_kubelet (was in node 4.1.6)
- file_permissions_scheduler (was in node 1.1.5)
- general_configure_imagepolicywebhook (was 5.5.1)
- kubelet_enable_protect_kernel_sysctl (was in node 4.2.6)
- kubelet_enable_protect_kernel_defaults (was in node 4.2.6)
- api_server_admission_control_plugin_securitycontextdeny (was 1.2.13)
- api_server_api_priority_flowschema_catch_all (was 1.2.10)
- api_server_auth_mode_node (was 1.2.8)
- api_server_no_adm_ctrl_plugins_disabled (was 1.2.14)
- controller_rotate_kubelet_server_certs (was 1.3.6)
- general_configure_imagepolicywebhook (was 5.5.1)
- kubelet_configure_tls_key (was 4.2.10)
- var_openshift_audit_profile = WriteRequestBodies (wtf diff, can't find it now)

I'll check them out and send PRs for the obvious cases. We can discuss the rest.

I think we can skip these rules:

- general_configure_imagepolicywebhook - I don't see this rule being used in CIS at all except a footnote in 5.5.1
- kubelet_enable_protect_kernel_sysctl (was in node 4.2.6) - unused, is the default in newer OCP versions anyway
- kubelet_enable_protect_kernel_defaults (was in node 4.2.6) - ditto
- api_server_admission_control_plugin_securitycontextdeny - explicitly removed in 1.4

These were also removed:

api_server_api_priority_flowschema_catch_all - can't find it in 1.4
api_server_auth_mode_node - CIS now only checks for the mode not being AlwaysAllow
api_server_no_adm_ctrl_plugins_disabled - deprecated in favor of api_server_admission_control_plugin_scc

In this patch, please explicitly set the audit policy to WriteRequestBodies like we do e.g. in the STIG profile: https://github.com/ComplianceAsCode/content/blob/master/products/ocp4/profiles/stig.profile#L28

I will send some minor patches in a separate PR.

The audit policy needs to be set.

It was set in a previous patch, but it wasn't commented under Variable like we usually do, so I updated that to be more clear.

f7eeac7 (see line 34)

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node

Code Climate has analyzed commit 632d332 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.