RHCOS4: Enhance instructions to better reflect how to work with the platform #6796

JAORMX · 2021-04-06T12:05:59Z

This changes various descriptions and macros in the case of rhcos4 to better
reflect what an admin would really need to do to check or remediate.

openscap-ci · 2021-04-06T12:06:20Z

Changes identified:
Macros:
systemd_ocil_service_disabled
systemd_ocil_service_enabled
systemd_describe_service_disable
systemd_describe_service_enable
machineconfig_description_footer
rhcos_node_login_instructions

Show details

Macro systemd_ocil_service_disabled:
In rule description for service_ypbind_disabled.
In rule description for service_messagebus_disabled.
In rule description for service_quota_nld_disabled.
In rule description for service_rsyncd_disabled.
In rule description for service_rpcsvcgssd_disabled.
In rule description for service_bluetooth_disabled.
In rule description for service_squid_disabled.
In rule description for service_httpd_disabled.
In rule description for service_portreserve_disabled.
In rule description for service_cpupower_disabled.
In rule description for service_oddjobd_disabled.
In rule description for service_sysstat_disabled.
In rule description for service_debug-shell_disabled.
In rule description for service_named_disabled.
In rule description for service_xinetd_disabled.
In rule description for service_saslauthd_disabled.
In rule description for service_avahi-daemon_disabled.
In rule description for service_rhnsd_disabled.
In rule description for service_abrtd_disabled.
In rule description for service_cgred_disabled.
In rule description for service_acpid_disabled.
In rule description for service_irqbalance_enabled.
In rule description for service_vsftpd_disabled.
In rule description for service_snmpd_disabled.
In rule description for service_kdump_disabled.
In rule description for service_nfs_disabled.
In rule description for service_psacct_enabled.
In rule description for service_netconsole_disabled.
In rule description for service_cgconfig_disabled.
In rule description for service_certmonger_disabled.
In rule description for service_cups_disabled.
In rule description for service_mdmonitor_disabled.
In rule description for service_rhsmcertd_disabled.
In rule description for service_dovecot_disabled.
In rule description for service_zebra_disabled.
In rule description for service_atd_disabled.
In rule description for service_ntpdate_disabled.
In rule description for service_dhcpd_disabled.
In rule description for service_cockpit_disabled.
In rule description for service_smartd_disabled.
In rule description for service_smb_disabled.
In rule description for service_qpidd_disabled.
In rule description for service_tftp_disabled.
In rule description for service_autofs_disabled.
In rule description for service_rdisc_disabled.
Macro systemd_ocil_service_enabled:
In rule description for service_chronyd_or_ntpd_enabled.
In rule description for service_SuSEfirewall2_enabled.
In rule description for susefirewall2_only_required_services.
In rule description for service_rngd_enabled.
In rule description for service_ntpd_enabled.
In rule description for httpd_configure_remote_session_encryption.
In rule description for service_nails_enabled.
In rule description for service_pcscd_enabled.
In rule description for service_crond_enabled.
In rule description for service_auditd_enabled.
In rule description for service_ntp_enabled.
In rule description for service_fapolicyd_enabled.
In rule description for service_iptables_enabled.
In rule description for service_firewalld_enabled.
In rule description for service_ip6tables_enabled.
In rule description for service_rsyslog_enabled.
In rule description for service_sshd_enabled.
In rule description for service_usbguard_enabled.
In rule description for service_syslogng_enabled.
In rule description for service_cron_enabled.
In rule description for service_docker_enabled.
In rule description for susefirewall2_ddos_protection.
In rule description for service_timesyncd_enabled.
In rule description for service_postfix_enabled.
In rule description for service_chronyd_enabled.
In rule description for service_sssd_enabled.
Macro systemd_describe_service_disable:
In rule description for service_ypbind_disabled.
In rule description for service_messagebus_disabled.
In rule description for service_quota_nld_disabled.
In rule description for service_rsyncd_disabled.
In rule description for service_rpcsvcgssd_disabled.
In rule description for service_bluetooth_disabled.
In rule description for service_oddjobd_disabled.
In rule description for service_squid_disabled.
In rule description for service_portreserve_disabled.
In rule description for service_httpd_disabled.
In rule description for service_cpupower_disabled.
In rule description for service_sysstat_disabled.
In rule description for service_apport_disabled.
In rule description for service_debug-shell_disabled.
In rule description for service_named_disabled.
In rule description for service_xinetd_disabled.
In rule description for service_saslauthd_disabled.
In rule description for service_sshd_disabled.
In rule description for service_avahi-daemon_disabled.
In rule description for service_rhnsd_disabled.
In rule description for service_rpcbind_disabled.
In rule description for service_abrtd_disabled.
In rule description for service_cgred_disabled.
In rule description for service_rpcidmapd_disabled.
In rule description for service_acpid_disabled.
In rule description for service_netfs_disabled.
In rule description for service_vsftpd_disabled.
In rule description for service_snmpd_disabled.
In rule description for service_rpcgssd_disabled.
In rule description for service_kdump_disabled.
In rule description for service_nfs_disabled.
In rule description for service_nfslock_disabled.
In rule description for service_netconsole_disabled.
In rule description for service_cgconfig_disabled.
In rule description for service_certmonger_disabled.
In rule description for service_cups_disabled.
In rule description for service_mdmonitor_disabled.
In rule description for service_rhsmcertd_disabled.
In rule description for service_dovecot_disabled.
In rule description for service_zebra_disabled.
In rule description for service_atd_disabled.
In rule description for service_ntpdate_disabled.
In rule description for service_dhcpd_disabled.
In rule description for service_cockpit_disabled.
In rule description for service_smartd_disabled.
In rule description for service_smb_disabled.
In rule description for service_qpidd_disabled.
In rule description for service_tftp_disabled.
In rule description for service_autofs_disabled.
In rule description for service_rdisc_disabled.
Macro systemd_describe_service_enable:
In rule description for service_SuSEfirewall2_enabled.
In rule description for susefirewall2_only_required_services.
In rule description for service_rngd_enabled.
In rule description for service_ntpd_enabled.
In rule description for httpd_configure_remote_session_encryption.
In rule description for service_nails_enabled.
In rule description for service_pcscd_enabled.
In rule description for service_crond_enabled.
In rule description for service_auditd_enabled.
In rule description for service_ntp_enabled.
In rule description for service_irqbalance_enabled.
In rule description for service_fapolicyd_enabled.
In rule description for service_iptables_enabled.
In rule description for service_firewalld_enabled.
In rule description for service_psacct_enabled.
In rule description for service_ip6tables_enabled.
In rule description for service_rsyslog_enabled.
In rule description for service_sshd_enabled.
In rule description for service_usbguard_enabled.
In rule description for service_syslogng_enabled.
In rule description for service_cron_enabled.
In rule description for service_docker_enabled.
In rule description for susefirewall2_ddos_protection.
In rule description for service_timesyncd_enabled.
In rule description for service_postfix_enabled.
In rule description for service_sssd_enabled.
Macro machineconfig_description_footer:
In rule description for service_quota_nld_disabled.
In rule description for service_httpd_disabled.
In rule description for service_apport_disabled.
In rule description for service_saslauthd_disabled.
In rule description for service_sshd_disabled.
In rule description for httpd_configure_remote_session_encryption.
In rule description for service_rhnsd_disabled.
In rule description for service_rpcidmapd_disabled.
In rule description for service_acpid_disabled.
In rule description for service_firewalld_enabled.
In rule description for service_kdump_disabled.
In rule description for service_certmonger_disabled.
In rule description for service_sshd_enabled.
In rule description for service_cups_disabled.
In rule description for disable_ctrlaltdel_burstaction.
In rule description for service_atd_disabled.
In rule description for susefirewall2_ddos_protection.
In rule description for service_sssd_enabled.
In rule description for service_messagebus_disabled.
In rule description for service_rpcsvcgssd_disabled.
In rule description for service_rsyncd_disabled.
In rule description for service_cpupower_disabled.
In rule description for service_squid_disabled.
In rule description for service_sysstat_disabled.
In rule description for service_avahi-daemon_disabled.
In rule description for service_crond_enabled.
In rule description for service_auditd_enabled.
In rule description for service_fapolicyd_enabled.
In rule description for service_snmpd_disabled.
In rule description for service_nfs_disabled.
In rule description for service_ntpdate_disabled.
In rule description for service_cron_enabled.
In rule description for service_cockpit_disabled.
In rule description for service_docker_enabled.
In rule description for service_timesyncd_enabled.
In rule description for service_ypbind_disabled.
In rule description for service_bluetooth_disabled.
In rule description for service_oddjobd_disabled.
In rule description for susefirewall2_only_required_services.
In rule description for service_xinetd_disabled.
In rule description for service_rngd_enabled.
In rule description for service_ntpd_enabled.
In rule description for service_nails_enabled.
In rule description for service_rpcbind_disabled.
In rule description for service_iptables_enabled.
In rule description for service_vsftpd_disabled.
In rule description for service_psacct_enabled.
In rule description for service_nfslock_disabled.
In rule description for service_rsyslog_enabled.
In rule description for service_netconsole_disabled.
In rule description for service_dovecot_disabled.
In rule description for service_qpidd_disabled.
In rule description for service_tftp_disabled.
In rule description for service_postfix_enabled.
In rule description for service_rdisc_disabled.
In rule description for service_SuSEfirewall2_enabled.
In rule description for service_portreserve_disabled.
In rule description for service_debug-shell_disabled.
In rule description for service_named_disabled.
In rule description for disable_ctrlaltdel_reboot.
In rule description for service_pcscd_enabled.
In rule description for service_abrtd_disabled.
In rule description for service_cgred_disabled.
In rule description for service_ntp_enabled.
In rule description for service_irqbalance_enabled.
In rule description for service_netfs_disabled.
In rule description for service_rpcgssd_disabled.
In rule description for configure_crypto_policy.
In rule description for service_ip6tables_enabled.
In rule description for package_usbguard_installed.
In rule description for service_cgconfig_disabled.
In rule description for service_mdmonitor_disabled.
In rule description for service_usbguard_enabled.
In rule description for service_rhsmcertd_disabled.
In rule description for service_syslogng_enabled.
In rule description for service_zebra_disabled.
In rule description for service_dhcpd_disabled.
In rule description for service_smartd_disabled.
In rule description for service_smb_disabled.
In rule description for service_autofs_disabled.
Macro rhcos_node_login_instructions:
In rule description for service_ypbind_disabled.
In rule description for service_chronyd_or_ntpd_enabled.
In rule description for service_messagebus_disabled.
In rule description for service_quota_nld_disabled.
In rule description for service_rpcsvcgssd_disabled.
In rule description for service_SuSEfirewall2_enabled.
In rule description for service_rsyncd_disabled.
In rule description for service_squid_disabled.
In rule description for service_httpd_disabled.
In rule description for service_portreserve_disabled.
In rule description for service_bluetooth_disabled.
In rule description for service_cpupower_disabled.
In rule description for susefirewall2_only_required_services.
In rule description for service_sysstat_disabled.
In rule description for service_debug-shell_disabled.
In rule description for service_oddjobd_disabled.
In rule description for service_named_disabled.
In rule description for service_rngd_enabled.
In rule description for service_xinetd_disabled.
In rule description for service_ntpd_enabled.
In rule description for service_saslauthd_disabled.
In rule description for httpd_configure_remote_session_encryption.
In rule description for service_nails_enabled.
In rule description for service_avahi-daemon_disabled.
In rule description for service_rhnsd_disabled.
In rule description for service_pcscd_enabled.
In rule description for service_crond_enabled.
In rule description for service_abrtd_disabled.
In rule description for service_cgred_disabled.
In rule description for service_auditd_enabled.
In rule description for service_ntp_enabled.
In rule description for service_acpid_disabled.
In rule description for service_irqbalance_enabled.
In rule description for service_fapolicyd_enabled.
In rule description for service_firewalld_enabled.
In rule description for service_vsftpd_disabled.
In rule description for service_snmpd_disabled.
In rule description for service_iptables_enabled.
In rule description for service_kdump_disabled.
In rule description for service_nfs_disabled.
In rule description for service_psacct_enabled.
In rule description for service_ip6tables_enabled.
In rule description for service_netconsole_disabled.
In rule description for service_rsyslog_enabled.
In rule description for service_cups_disabled.
In rule description for service_certmonger_disabled.
In rule description for service_sshd_enabled.
In rule description for service_cgconfig_disabled.
In rule description for service_mdmonitor_disabled.
In rule description for service_usbguard_enabled.
In rule description for service_rhsmcertd_disabled.
In rule description for service_syslogng_enabled.
In rule description for service_dovecot_disabled.
In rule description for service_zebra_disabled.
In rule description for service_atd_disabled.
In rule description for service_ntpdate_disabled.
In rule description for service_dhcpd_disabled.
In rule description for service_cron_enabled.
In rule description for service_cockpit_disabled.
In rule description for susefirewall2_ddos_protection.
In rule description for service_docker_enabled.
In rule description for service_smartd_disabled.
In rule description for service_smb_disabled.
In rule description for service_qpidd_disabled.
In rule description for service_timesyncd_enabled.
In rule description for service_tftp_disabled.
In rule description for service_postfix_enabled.
In rule description for service_autofs_disabled.
In rule description for service_chronyd_enabled.
In rule description for service_sssd_enabled.
In rule description for service_rdisc_disabled.

JAORMX · 2021-04-06T12:06:55Z

@yuumasato @ggbecker could you take a look at this? I'm starting to change instructions for RHCOS4 to better guide users reading the content. this is a bit bigger change since I'm modifying the macros, and before going forward, I want to know what you folks think of this approach.

JAORMX · 2021-04-06T12:09:00Z

/test all

linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml

yuumasato · 2021-04-06T12:54:08Z

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml

+    setting, create a <tt>MachineConfig</tt> similar to the following:
+    <pre>
+    apiVersion: machineconfiguration.openshift.io/v1
+    kind: MachineConfig
+    metadata:
+      labels:
+        machineconfiguration.openshift.io/role: master
+      name: 75-master-disable-ctrlaltdel-burstaction
+    spec:
+      config:
+        ignition:
+          version: 3.1.0
+        storage:
+          files:
+          - contents:
+              source: data:,CtrlAltDelBurstAction%3Dnone
+            mode: 0644
+            path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+            overwrite: true
+    EOF


I think you'll want to add similar text to the OCIL as well.

Yeah, that makes sense. I'll get to that.

yuumasato · 2021-04-06T13:15:50Z

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml

+    {{% if product != "rhcos4" %}}
    setting, add or modify the following to <tt>/etc/systemd/system.conf</tt>:
    <pre>CtrlAltDelBurstAction=none</pre>
+    {{% else %}}
+    setting, create a <tt>MachineConfig</tt> similar to the following:
+    <pre>
+    apiVersion: machineconfiguration.openshift.io/v1
+    kind: MachineConfig
+    metadata:
+      labels:
+        machineconfiguration.openshift.io/role: master
+      name: 75-master-disable-ctrlaltdel-burstaction
+    spec:
+      config:
+        ignition:
+          version: 3.1.0
+        storage:
+          files:
+          - contents:
+              source: data:,CtrlAltDelBurstAction%3Dnone
+            mode: 0644
+            path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+            overwrite: true
+    EOF
+    </pre>
+    <p>
+    This will add the relevant configuration to <tt>/etc/systemd/system.conf.d/</tt>,
+    thus configuring Systemd apropriately.
+    </p>
+    {{{ machineconfig_description_footer() | indent(4) }}}
+    {{% endif %}}


Side comment: The Jinja conditionals in between the text make things tricky to read...

One way to increase readability, would be to make it possible to split the description in two parts, one which pertains to description of the setting and its behavior, and another about product specific configuration steps. For example, description and configuration.

Another approach would be to allow entire product specific descriptions, e.g. description@rhcos4

maybe the former approach is better, (having description@<product>

JAORMX · 2021-04-06T13:21:01Z

@yuumasato, thanks for the review! I'll continue adding changes then! I'll target the ocil macros and service_disabled next.

JAORMX · 2021-04-07T10:05:54Z

Pull-request updated, HEAD is now 8636b28

JAORMX · 2021-04-07T10:06:49Z

@yuumasato added changes to both descriptions and ocil, WDYT?

JAORMX · 2021-04-07T11:36:53Z

/retest

This makes it easier for folks to remediate themselves. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

This reduces the duplication in the content. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

This adds an alternative description for this macro in case of rhcos4 to better reflect what an admin would actually need to do. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

…d) macros This ensures admins have a better notion of what to do. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

JAORMX · 2021-04-08T08:43:22Z

/retest

shared/macros.jinja

mrogers950 · 2021-04-08T13:28:27Z

one nit, looks good to me otherwise

yuumasato

LGTM

Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

mrogers950 · 2021-04-08T16:38:00Z

/retest

JAORMX requested review from ggbecker and yuumasato April 6, 2021 12:06

JAORMX marked this pull request as draft April 6, 2021 12:07

openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 6, 2021

JAORMX added the OpenShift OpenShift product related. label Apr 6, 2021

yuumasato reviewed Apr 6, 2021

View reviewed changes

JAORMX force-pushed the rhcos4-instructions branch from 3bdbd44 to 8636b28 Compare April 7, 2021 10:05

JAORMX marked this pull request as ready for review April 7, 2021 10:06

openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 7, 2021

JAORMX requested a review from yuumasato April 7, 2021 11:38

JAORMX added 7 commits April 8, 2021 10:08

rhcos4: Add better instructions for disable_ctrlaltdel_reboot

bcb922e

This makes it easier for folks to remediate themselves. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

rhcos4: Add better instructions for disable_ctrlaltdel_burstaction

05254e7

This makes it easier for folks to remediate themselves. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

rhcos4: Add better instructions for package_usbguard_installed

6b13c0d

This makes it easier for folks to remediate themselves. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

rhcos4: Replace repetitive MachineConfig footer with macro

4651558

This reduces the duplication in the content. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

Modify describe_service_enabled template for RHCOS4

a3ff5ad

This adds an alternative description for this macro in case of rhcos4 to better reflect what an admin would actually need to do. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

Modify describe_service_disabled template for RHCOS4

aff0b3b

This adds an alternative description for this macro in case of rhcos4 to better reflect what an admin would actually need to do. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

Add rhcos4-specific instructions in the ocil_service_(enabled|disable…

4ffa281

…d) macros This ensures admins have a better notion of what to do. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

JAORMX force-pushed the rhcos4-instructions branch from 8636b28 to 4ffa281 Compare April 8, 2021 07:09

mrogers950 reviewed Apr 8, 2021

View reviewed changes

shared/macros.jinja Outdated Show resolved Hide resolved

yuumasato approved these changes Apr 8, 2021

View reviewed changes

rhcos4: Add relevant instructions to configure_crypto_policy rule

99b8f66

Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>

JAORMX force-pushed the rhcos4-instructions branch from d6e9255 to 99b8f66 Compare April 8, 2021 14:01

mrogers950 merged commit 2b2152d into ComplianceAsCode:master Apr 8, 2021

vojtapolasek added this to the 0.1.56 milestone May 6, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RHCOS4: Enhance instructions to better reflect how to work with the platform #6796

RHCOS4: Enhance instructions to better reflect how to work with the platform #6796

JAORMX commented Apr 6, 2021

openscap-ci commented Apr 6, 2021 •

edited

JAORMX commented Apr 6, 2021

JAORMX commented Apr 6, 2021

yuumasato Apr 6, 2021

JAORMX Apr 6, 2021

yuumasato Apr 6, 2021

JAORMX Apr 6, 2021

JAORMX commented Apr 6, 2021

JAORMX commented Apr 7, 2021

JAORMX commented Apr 7, 2021 •

edited

JAORMX commented Apr 7, 2021

JAORMX commented Apr 8, 2021

mrogers950 commented Apr 8, 2021

yuumasato left a comment

mrogers950 commented Apr 8, 2021

RHCOS4: Enhance instructions to better reflect how to work with the platform #6796

RHCOS4: Enhance instructions to better reflect how to work with the platform #6796

Conversation

JAORMX commented Apr 6, 2021

openscap-ci commented Apr 6, 2021 • edited

JAORMX commented Apr 6, 2021

JAORMX commented Apr 6, 2021

yuumasato Apr 6, 2021

Choose a reason for hiding this comment

JAORMX Apr 6, 2021

Choose a reason for hiding this comment

yuumasato Apr 6, 2021

Choose a reason for hiding this comment

JAORMX Apr 6, 2021

Choose a reason for hiding this comment

JAORMX commented Apr 6, 2021

JAORMX commented Apr 7, 2021

JAORMX commented Apr 7, 2021 • edited

JAORMX commented Apr 7, 2021

JAORMX commented Apr 8, 2021

mrogers950 commented Apr 8, 2021

yuumasato left a comment

Choose a reason for hiding this comment

mrogers950 commented Apr 8, 2021

openscap-ci commented Apr 6, 2021 •

edited

JAORMX commented Apr 7, 2021 •

edited