OCPBUGS-11334: OCP4: Fix instructions for rules that set the kubelet …

…related sysctls The instructions were confusing and were instructing to check one particular file which doesn't work for cases where the sysctls are either remediated in other way or just are correct by default. Let's fix the text.
ComplianceAsCode · Apr 6, 2023 · 41d9f96 · 41d9f96
1 parent 4fe9508
commit 41d9f96
Show file tree

Hide file tree

Showing 8 changed files with 187 additions and 122 deletions.
diff --git a/applications/openshift/kubelet/kubelet_enable_protect_kernel_sysctl/rule.yml b/applications/openshift/kubelet/kubelet_enable_protect_kernel_sysctl/rule.yml
@@ -6,24 +6,35 @@ platform: ocp4-node
 
 title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults'
 
+{{% set kernel_root_maxbytes_val = 25000000 %}}
+{{% set kernel_root_maxkeys_val = 1000000 %}}
+{{% set kernel_panic_val = 10 %}}
+{{% set kernel_panic_on_oops_val = 1 %}}
+{{% set vm_overcommit_memory_val = 1 %}}
+{{% set vm_panic_on_oom_val = 0 %}}
+
 description: |-
   <p>
-  Setup required tuned kernel parameters before enabling overwritten protection.
+  Setup required tuned kernel parameters before enabling overwritten protection. Note
+  that depending on the Linux distribution and its version that your cluster nodes are
+  running, these parameters might be already set up for you. Please refer to the rule
+  instructions for a check.
   </p>
 
   <p>
   Before enabling kernel parameter overwritten protection default, 
-  it's important and necessary to first create a <tt>MachineConfig</tt>
+  it's important to check if these values are already set to the required values.
+  If not, it is neccessary to first create a <tt>MachineConfig</tt>
   object that persist the required sysctl's. The required sysctl's are the following:
   </p>
 
   <pre>
-  kernel.keys.root_maxbytes=25000000
-  kernel.keys.root_maxkeys=1000000
-  kernel.panic=10
-  kernel.panic_on_oops=1
-  vm.overcommit_memory=1
-  vm.panic_on_oom=0
+  kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
+  kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
+  kernel.panic={{{ kernel_panic_val }}}
+  kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
+  vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
+  vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
   </pre>
   
   <p>
@@ -60,7 +71,7 @@ description: |-
 
   <p>
   To configure, follow the directions in
-  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
               text="the documentation") }}}
   </p>
 
@@ -78,39 +89,32 @@ severity: medium
 ocil_clause: 'the kubelet can modify kernel parameters'
 
 ocil: |-
-  Run the following command on the kubelet node to check if sysctl configuration file exist(s):
-  <pre>$ sudo [ -f /etc/sysctl.d/90-kubelet.conf ] || echo Not Exists </pre>
-  The output should not return <tt>Not Exists</tt>.
-
   Run the following command on the kubelet node(s) to check parameter vm.panic_on_oom:
-  <pre>$ sudo grep vm.panic_on_oom /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  <pre>$ sysctl vm.panic_on_oom</pre>
+  The output should return {{{ vm_panic_on_oom_val }}}
 
   Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
-  <pre>$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  <pre>$ sysctl kernel.keys.root_maxbytes </pre>
+  The output should return {{{ kernel_root_maxbytes_val }}}
 
   Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
-  <pre>$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  <pre>$ sysctl kernel.keys.root_maxkeys</pre>
+  The output should return {{{ kernel_root_maxkeys_val }}}
 
   Run the following command on the kubelet node(s) to check parameter kernel.panic:
-  <pre>$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  <pre>$ sysctl kernel.panic</pre>
+  The output should return {{{ kernel_panic_val }}}
 
   Run the following command on the kubelet node(s) to check parameter kernel.panic_on_oops:
-  <pre>$ sudo grep kernel.panic_on_oops /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  <pre>$ sysctl kernel.panic_on_oops</pre>
+  The output should return  {{{ kernel_panic_on_oops_val }}}
 
   Run the following command on the kubelet node(s) to check parameter vm.overcommit_memory:
-  <pre>$ sudo grep vm.overcommit_memory /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  <pre>$ sysctl vm.overcommit_memory</pre>
+  The output should return  {{{ vm_overcommit_memory_val }}}
 
-  Run the following command on the kubelet node(s) to check parameter kernel.panic:
-  <pre>$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
-#identifiers:
-#   cce@ocp4: 
+identifiers:
+   cce@ocp4: CCE-86688-9
 
 references:
   cis@ocp4: 4.2.6

diff --git a/...openshift/kubelet/kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes/rule.yml b/...openshift/kubelet/kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes/rule.yml
@@ -6,24 +6,35 @@ platform: ocp4-node
 
 title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes'
 
+{{% set kernel_root_maxbytes_val = 25000000 %}}
+{{% set kernel_root_maxkeys_val = 1000000 %}}
+{{% set kernel_panic_val = 10 %}}
+{{% set kernel_panic_on_oops_val = 1 %}}
+{{% set vm_overcommit_memory_val = 1 %}}
+{{% set vm_panic_on_oom_val = 0 %}}
+
 description: |-
   <p>
-  Setup required tuned kernel parameters before enabling overwritten protection.
+  Setup required tuned kernel parameters before enabling overwritten protection. Note
+  that depending on the Linux distribution and its version that your cluster nodes are
+  running, these parameters might be already set up for you. Please refer to the rule
+  instructions for a check.
   </p>
 
   <p>
   Before enabling kernel parameter overwritten protection default, 
-  it's important and necessary to first create a <tt>MachineConfig</tt>
+  it's important to check if these values are already set to the required values.
+  If not, it is neccessary to first create a <tt>MachineConfig</tt>
   object that persist the required sysctl's. The required sysctl's are the following:
   </p>
 
   <pre>
-  kernel.keys.root_maxbytes=25000000
-  kernel.keys.root_maxkeys=1000000
-  kernel.panic=10
-  kernel.panic_on_oops=1
-  vm.overcommit_memory=1
-  vm.panic_on_oom=0
+  kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
+  kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
+  kernel.panic={{{ kernel_panic_val }}}
+  kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
+  vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
+  vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
   </pre>
   
   <p>
@@ -60,7 +71,7 @@ description: |-
 
   <p>
   To configure, follow the directions in
-  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
               text="the documentation") }}}
   </p>
 
@@ -78,12 +89,12 @@ severity: medium
 ocil_clause: 'the kubelet can modify kernel parameters'
 
 ocil: |-
-  Run the following command on the kubelet node(s):
-  <pre>$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
+  <pre>$ sysctl kernel.keys.root_maxbytes </pre>
+  The output should return {{{ kernel_root_maxbytes_val }}}
 
-#identifiers:
-#   cce@ocp4: 
+identifiers:
+   cce@ocp4: CCE-86066-8
 
 references:
   cis@ocp4: 4.2.6

diff --git a/.../openshift/kubelet/kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys/rule.yml b/.../openshift/kubelet/kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys/rule.yml
@@ -6,24 +6,35 @@ platform: ocp4-node
 
 title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys'
 
+{{% set kernel_root_maxbytes_val = 25000000 %}}
+{{% set kernel_root_maxkeys_val = 1000000 %}}
+{{% set kernel_panic_val = 10 %}}
+{{% set kernel_panic_on_oops_val = 1 %}}
+{{% set vm_overcommit_memory_val = 1 %}}
+{{% set vm_panic_on_oom_val = 0 %}}
+
 description: |-
   <p>
-  Setup required tuned kernel parameters before enabling overwritten protection.
+  Setup required tuned kernel parameters before enabling overwritten protection. Note
+  that depending on the Linux distribution and its version that your cluster nodes are
+  running, these parameters might be already set up for you. Please refer to the rule
+  instructions for a check.
   </p>
 
   <p>
   Before enabling kernel parameter overwritten protection default, 
-  it's important and necessary to first create a <tt>MachineConfig</tt>
+  it's important to check if these values are already set to the required values.
+  If not, it is neccessary to first create a <tt>MachineConfig</tt>
   object that persist the required sysctl's. The required sysctl's are the following:
   </p>
 
   <pre>
-  kernel.keys.root_maxbytes=25000000
-  kernel.keys.root_maxkeys=1000000
-  kernel.panic=10
-  kernel.panic_on_oops=1
-  vm.overcommit_memory=1
-  vm.panic_on_oom=0
+  kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
+  kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
+  kernel.panic={{{ kernel_panic_val }}}
+  kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
+  vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
+  vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
   </pre>
   
   <p>
@@ -60,7 +71,7 @@ description: |-
 
   <p>
   To configure, follow the directions in
-  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
               text="the documentation") }}}
   </p>
 
@@ -78,12 +89,13 @@ severity: medium
 ocil_clause: 'the kubelet can modify kernel parameters'
 
 ocil: |-
-  Run the following command on the kubelet node(s):
-  <pre>$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
+  <pre>$ sysctl kernel.keys.root_maxkeys</pre>
+  The output should return {{{ kernel_root_maxkeys_val }}}
+
 
-#identifiers:
-#   cce@ocp4: 
+identifiers:
+  cce@ocp4: CCE-86139-3
 
 references:
   cis@ocp4: 4.2.6
@@ -96,4 +108,4 @@ template:
   vars:
       sysctlvar: kernel.keys.root_maxkeys
       sysctlval: '1000000'
-      datatype: int
+      datatype: int
diff --git a/applications/openshift/kubelet/kubelet_enable_protect_kernel_sysctl_kernel_panic/rule.yml b/applications/openshift/kubelet/kubelet_enable_protect_kernel_sysctl_kernel_panic/rule.yml
@@ -6,24 +6,35 @@ platform: ocp4-node
 
 title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic'
 
+{{% set kernel_root_maxbytes_val = 25000000 %}}
+{{% set kernel_root_maxkeys_val = 1000000 %}}
+{{% set kernel_panic_val = 10 %}}
+{{% set kernel_panic_on_oops_val = 1 %}}
+{{% set vm_overcommit_memory_val = 1 %}}
+{{% set vm_panic_on_oom_val = 0 %}}
+
 description: |-
   <p>
-  Setup required tuned kernel parameters before enabling overwritten protection.
+  Setup required tuned kernel parameters before enabling overwritten protection. Note
+  that depending on the Linux distribution and its version that your cluster nodes are
+  running, these parameters might be already set up for you. Please refer to the rule
+  instructions for a check.
   </p>
 
   <p>
   Before enabling kernel parameter overwritten protection default, 
-  it's important and necessary to first create a <tt>MachineConfig</tt>
+  it's important to check if these values are already set to the required values.
+  If not, it is neccessary to first create a <tt>MachineConfig</tt>
   object that persist the required sysctl's. The required sysctl's are the following:
   </p>
 
   <pre>
-  kernel.keys.root_maxbytes=25000000
-  kernel.keys.root_maxkeys=1000000
-  kernel.panic=10
-  kernel.panic_on_oops=1
-  vm.overcommit_memory=1
-  vm.panic_on_oom=0
+  kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
+  kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
+  kernel.panic={{{ kernel_panic_val }}}
+  kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
+  vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
+  vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
   </pre>
   
   <p>
@@ -60,10 +71,11 @@ description: |-
 
   <p>
   To configure, follow the directions in
-  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
               text="the documentation") }}}
   </p>
 
+
 rationale: |-
   Kernel parameters are usually tuned and hardened by the system administrators
   before putting the systems into production. These parameters protect the
@@ -78,12 +90,12 @@ severity: medium
 ocil_clause: 'the kubelet can modify kernel parameters'
 
 ocil: |-
-  Run the following command on the kubelet node(s):
-  <pre>$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf</pre>
-  The output should return <tt>a value</tt>.
+  Run the following command on the kubelet node(s) to check parameter kernel.panic:
+  <pre>$ sysctl kernel.panic</pre>
+  The output should return {{{ kernel_panic_val }}}
 
-#identifiers:
-#   cce@ocp4: 
+identifiers:
+   cce@ocp4: CCE-86124-5
 
 references:
   cis@ocp4: 4.2.6