OCPBUGS-10508: Add quotes around SCC audit procedure

[rhmdnd]

The json query we're using to help users detect SCCs they need to
monitor is rather complicated and should be quoted. Otherwise, it will
fail to run, which is frustrating for users if they're copy/pasting the
command out of the CRD (which is common).

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[rhmdnd]

cc: @xiaojiey

[Vincent056]

I think it looks good except the single quote Xiaojie mentioned

[Vincent056]

/lgtm

[yuumasato]

testing-farm:centos-stream-8-x86_64 failed on these rules:

:: [ 18:07:08 ] :: [   FAIL   ] :: Rules not passing after remediation:
xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy - fail
xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy - fail
xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy - fail
xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy - fail
xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy - fail 

Which is unrelated to this PR.

I have rerun the test, but it may require a rebase to pass CI.

[codeclimate]

Code Climate has analyzed commit 235e77d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3% (0.0% change).

View more on Code Climate.

[yuumasato]

testing-farm:centos-stream-8-x86_64 failed on these rules:

So this test is not required temporarily.
#10978

[BhargaviGudi]

/hold for testing

[BhargaviGudi]

Verification passed with 4.10.0-0.nightly-2023-08-03-212145 + compliance-operator.v1.2.0 and 4.14.0-0.nightly-2023-08-10-072041 + compliance-operator.v1.2.0

1. Install CO
2.  Check for rule ocp4-scc-limit-container-allowed-capabilities instructions
$ oc get rule upstream-ocp4-scc-limit-container-allowed-capabilities -o=jsonpath={.instructions}
This rule checks the SCCs with allowedCapabilities set to non-null
and fails if there are more such SCCs than those allowed in the variable
named ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,
check the variable value, e.g:
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}' 
Then use following command to list the SCCs that would fail the test:
$ oc get scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
Please replace the regular expression in the test command with the value read from the variable
ocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable
value with:
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
3. 
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}' 
^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2
$ oc get scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[]

[BhargaviGudi]

/unhold

[BhargaviGudi]

/qe-approved

[yuumasato]

It seems that tests testing-farm:centos-stream-9-x86_64 and testing-farm:fedora-38-x86_64 are not reporting back, but they passed in a previous run.