Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry #6088
Conversation
What's the follow-up to fix BLS for all entries? Not having all entries configured is usually an audit finding.

/retest

@redhatrises Hadn't we agreed that this would be the solution while we figured out a way to fix this in coreos? Let me add a task for the team to follow up on this.

/retest

/test e2e-aws-rhcos4-moderate

/retest
| <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-*\.conf</unix:filepath> | ||
| </unix:file_object> | ||
|
|
||
| </def-group> |
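Review bot: the `unix:filepath` pattern `^/boot/loader/entries/ostree-2-*\.conf` is a regex, so `-*` means "zero or more hyphens": it matches `ostree-2.conf` or `ostree-2--.conf` but not `ostree-2-<osname>.conf`, which is what the criteria comment's glob `/boot/loader/entries/ostree-2-*.conf` intends. Use `^/boot/loader/entries/ostree-2-.*\.conf$` (and the same form for the entry-1 object if it is written the same way). If this object backs the `..._entry_2_does_not_exists` test, a pattern that never matches makes that test pass on every host, so the rule would silently keep checking entry 1 even after a kernel update has made entry 2 the booting deployment.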
For completeness; what about checking /proc/cmdline as well? That would ensure that the current configuration is compliant.
I'm still not sure if it should be a part of this check. Other bootloader-related rules don't have the runtime counterpart (because runtime check might be different even when bootloaders are the same). While this is not really applicable to this particular hackish rule, it would definitely be a problem for generic BLS-compatible check bls_entries_option in the future.
I would suggest creating a proc_cmdline_option template and a new rule based on this. It might be more preferable to have composite rules that could combine multiple templates into a single runtime+configuration check, but there is no way to make such a thing ATM, AFAIK.
Right; however, this is already a CoreOS-specific check. So maybe in this case it would make sense to add the /proc/cmdline check here.
btw contrary to applying remediations on RHEL, applying a MachineConfig remediation through MachineConfigOperator always reboots the nodes, so when you apply this remediation, the machines in the cluster would automatically reboot into the approved config and at that point the /proc/cmdline check should pass as well. There is no extra disruption for the admin.
I'm working on it in #6100.
/test e2e-aws-rhcos4-moderate
yuumasato left a comment
LGTM.
CoreOS replaces the first boot entry with the second boot entry when updating, right? So that there are only 2 boot entries.
I would add a comment somewhere in the template mentioning that the check relies on this behavior.
| <criteria operator="AND"> | ||
| <criterion test_ref="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_options" | ||
| comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/ostree-1-*.conf" /> | ||
| <criterion test_ref="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists" | ||
| comment="Check if /boot/loader/entries/ostree-2-*.conf is not present" /> | ||
| </criteria> |
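Review bot: this `<criteria operator="AND">` needs a comment saying which situation it covers: no kernel update has happened yet, so entry 2 is absent and entry 1 is the only (hence latest) deployment. Without that, the `..._entry_2_does_not_exists` criterion reads as if the rule requires entry 2 to be missing. The same comment should record that the construction relies on CoreOS keeping at most two entries (entry 2 replacing entry 1 on update), since the rule breaks silently if that ever changes. Two smaller points: the `comment` attribute describes the file as the glob `ostree-2-*.conf` while the object uses a regex pattern, so keep the two spellings consistent, and `entry_2_does_not_exists` would read better as `entry_2_does_not_exist` (rename the test id together with its reference).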
This whole criteria is here to check the case when there wasn't a kernel update yet, thus entry 2 doesn't exist yet, right?
I would add a comment to the criteria; I was a bit confused at first why ensure that entry 2 doesn't exist.
I continued working on these rules in #6100, let's move there.
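The review thread above discusses two things: the criteria logic of the coreos_kernel_option check (entry 2 is the booting deployment when it exists, otherwise entry 1, so only the latest BLS entry is inspected) and the suggestion to add a /proc/cmdline runtime counterpart. The script below is an added example, not code from the ComplianceAsCode project or this PR; it re-implements both checks in plain Python over an in-memory mapping of BLS entry files so the decision table can be exercised offline. All function names are hypothetical, and the BLS entry contents are constructed samples, not captured from a real host.

```python
"""Added example (not ComplianceAsCode code): the coreos_kernel_option
decision logic from PR #6088 plus the /proc/cmdline check suggested in
review, written as testable functions. Helper names are hypothetical."""
import os
import re
import shlex

# CoreOS BLS entries are named ostree-<index>-<osname>.conf. The PR's
# criteria treat entry 2 as the booting deployment when it exists and
# entry 1 as the booting one only when entry 2 is absent (no update yet).
ENTRY_RE = re.compile(r"^ostree-(\d+)-.*\.conf$")


def parse_options(entry_text):
    """Return the kernel arguments from the 'options' line of a BLS entry."""
    for line in entry_text.splitlines():
        key, _, value = line.partition(" ")
        if key == "options":
            return shlex.split(value)
    return []


def has_option(tokens, arg):
    """Whole-token match, so 'audit=1' does not match 'audit=10'."""
    return arg in tokens


def entry_index(name):
    """Numeric index of an ostree BLS entry file name, or None."""
    m = ENTRY_RE.match(name)
    return int(m.group(1)) if m else None


def latest_entry_compliant(entries, arg):
    """entries: mapping of file name -> content for /boot/loader/entries.
    Mirrors the PR's OVAL criteria: entry 2 must carry `arg` when it
    exists; otherwise entry 1 must. Stale entry 1 is deliberately ignored."""
    by_index = {}
    for name, text in entries.items():
        idx = entry_index(name)
        if idx is not None:
            by_index[idx] = text
    if 2 in by_index:
        return has_option(parse_options(by_index[2]), arg)
    if 1 in by_index:
        return has_option(parse_options(by_index[1]), arg)
    return False  # no ostree entries at all: report non-compliant


def cmdline_compliant(cmdline_text, arg):
    """Runtime counterpart suggested in review: the running kernel's
    /proc/cmdline must carry `arg` as a whole token."""
    return has_option(cmdline_text.split(), arg)


def check_host(arg, entries_dir="/boot/loader/entries", cmdline="/proc/cmdline"):
    """Read the real files on a CoreOS host; returns (config_ok, runtime_ok).
    Both should be True after a MachineConfig remediation has rebooted the node."""
    entries = {}
    for name in os.listdir(entries_dir):
        with open(os.path.join(entries_dir, name)) as f:
            entries[name] = f.read()
    with open(cmdline) as f:
        runtime = f.read()
    return latest_entry_compliant(entries, arg), cmdline_compliant(runtime, arg)


# Constructed sample entries (not captured from a real machine).
SAMPLE_BEFORE_UPDATE = {
    "ostree-1-rhcos.conf": "title RHCOS\noptions root=UUID=x rw audit=1\n",
}
SAMPLE_AFTER_UPDATE = {
    "ostree-1-rhcos.conf": "title RHCOS\noptions root=UUID=x rw\n",
    "ostree-2-rhcos.conf": "title RHCOS\noptions root=UUID=x rw audit=1\n",
}
SAMPLE_STALE_ONLY = {  # old entry compliant, booting entry not: must fail
    "ostree-1-rhcos.conf": "title RHCOS\noptions root=UUID=x rw audit=1\n",
    "ostree-2-rhcos.conf": "title RHCOS\noptions root=UUID=x rw\n",
}

if __name__ == "__main__":
    for label, sample in (("before update", SAMPLE_BEFORE_UPDATE),
                          ("after update", SAMPLE_AFTER_UPDATE),
                          ("stale entry 1 only", SAMPLE_STALE_ONLY)):
        print(label, latest_entry_compliant(sample, "audit=1"))
```

Running `check_host("audit=1")` on a node returns the configuration and runtime verdicts separately, which is the split the review asks for: the BLS result tells you what the next boot will use, and the /proc/cmdline result tells you whether the node has actually rebooted into it.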
I think we can merge it, follow-up improvements are in #6100.

LGTM
A recent commit [1] introduced an enhanced check for kernel arguments that works in CoreOS. This commit takes them into use in rhcos4's moderate profile. The needed checks were created with appropriate text. [1] ComplianceAsCode#6088
A recent commit [1] introduced an enhanced check for kernel arguments that works in CoreOS. This commit takes them into use in rhcos4's moderate & ncp profiles. The needed checks were created with appropriate text. [1] ComplianceAsCode#6088
Change the audit=1 kernel option rule for RHCOS to be able to pass after remediation.

The `coreos_kernel_option` template only checks if the latest boot entry is compliant (acc. to #5285 (comment)).

@JAORMX I ended up with a different template for CoreOS. Once the problem of the stalled boot entry is solved, this rule (and other kernel-option-related rules) could be switched to the `bls_entries_option` template (which would check all boot entries).