Add PAM rules to default RHCOS profiles #12941

Open. Wants to merge 1 commit into base: master

Conversation

@rhmdnd rhmdnd commented Jan 30, 2025

These rules are used in CIS linux benchmarks, and make sense to apply to
OpenShift environments. Since there isn't a CIS benchmark for RHCOS,
we'll just have to add them to the default profile so they're available
for users to enable with a TailoredProfile.


codeclimate bot commented Jan 30, 2025

Code Climate has analyzed commit edb75b4 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Feb 3, 2025
@BhargaviGudi

Raised bug regarding rule upstream-rhcos4-ensure-pam-wheel-group-empty instructions: https://issues.redhat.com/browse/OCPBUGS-52287

@BhargaviGudi

Verification failed with 4.18.0-0.nightly-2025-03-03-170152 + compliance-operator from the upstream repo + PR code #12941.
Scan test-node-worker is stuck in the LAUNCHING state.

$ oc create -f tp12941.yaml 
tailoredprofile.compliance.openshift.io/test-node created
$ cat tp12941.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: test-node
  namespace: openshift-compliance
spec:                                         
  description: enable rules upstream-rhcos4-ensure-pam-wheel-group-empty and upstream-rhcos4-use-pam-wheel-group-for-su
  title: enable rules upstream-rhcos4-ensure-pam-wheel-group-empty and upstream-rhcos4-use-pam-wheel-group-for-su
  enableRules:
    - name: upstream-rhcos4-ensure-pam-wheel-group-empty
      rationale: Node 
    - name: upstream-rhcos4-use-pam-wheel-group-for-su
      rationale: Node
  setValues:
    - name: upstream-rhcos4-var-pam-wheel-group-for-su
      rationale: Node
      value: wheel  
$ oc get tp
NAME        STATE
test-node   READY
$ oc compliance bind -N test -S default tailoredprofile/test-node 
Creating ScanSettingBinding test
$ oc get ssb
NAME   STATUS
test   READY
$ oc get scan
NAME               PHASE         RESULT
test-node-master   AGGREGATING   NOT-AVAILABLE
test-node-worker   LAUNCHING     NOT-AVAILABLE
$ oc get mcp 
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-614fe8a06edaefff5f95a898c9bb2f31   True      False      False      3              3                   3                     0                      9h
worker   rendered-worker-6a86d9170d847a8b684ada555f5593bd   False     True       False      3              2                   3                     0                      9h

@BhargaviGudi

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 5, 2025
BhargaviGudi commented Mar 5, 2025

Did not observe the issue mentioned in the previous comment. However, the rules failed.
@rhmdnd Could you please help me understand the expected behavior of these rules? Thanks
Rule upstream-rhcos4-use-pam-wheel-group-for-su failed with the value set to wheel as well as to sugroup.
It seems the default value for the variable var-pam-wheel-group-for-su is sugroup, but I am not sure whether that is the case for OCP as well.

$ cat tp12941.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: test-node
  namespace: openshift-compliance
spec:                                         
  description: enable rules upstream-rhcos4-ensure-pam-wheel-group-empty and upstream-rhcos4-use-pam-wheel-group-for-su
  title: enable rules upstream-rhcos4-ensure-pam-wheel-group-empty and upstream-rhcos4-use-pam-wheel-group-for-su
  enableRules:
    - name: upstream-rhcos4-ensure-pam-wheel-group-empty
      rationale: Node 
    - name: upstream-rhcos4-use-pam-wheel-group-for-su
      rationale: Node
  setValues:
    - name: upstream-rhcos4-var-pam-wheel-group-for-su
      rationale: Node
      value: wheel  
$ oc create  -f tp12941.yaml 
tailoredprofile.compliance.openshift.io/test-node created
$ oc get tp
NAME        STATE
test-node   READY
$ oc compliance bind -N test -S default tailoredprofile/test-node 
Creating ScanSettingBinding test
$ oc get ssb
NAME   STATUS
test   READY
$ oc get suite
NAME   PHASE     RESULT
test   PENDING   
$ oc get scan
NAME               PHASE       RESULT
test-node-master   LAUNCHING   NOT-AVAILABLE
test-node-worker   LAUNCHING   NOT-AVAILABLE
$ oc get scan
NAME               PHASE   RESULT
test-node-master   DONE    NON-COMPLIANT
test-node-worker   DONE    NON-COMPLIANT
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get ccr
NAME                                            STATUS   SEVERITY
test-node-master-ensure-pam-wheel-group-empty   FAIL     medium
test-node-master-use-pam-wheel-group-for-su     FAIL     medium
test-node-worker-ensure-pam-wheel-group-empty   FAIL     medium
test-node-worker-use-pam-wheel-group-for-su     FAIL     medium

Rule upstream-rhcos4-use-pam-wheel-group-for-su fails even after applying the manual remediation.

Warning: metadata.name: this is used in the Pod's hostname, which can result in surprising behavior; a DNS label is recommended: [must be no more than 63 characters]
Starting pod/bgudi-m5-v8mjz-master-0us-central1-acopenshift-qeinternal-debug-cpkpk ...
To use host binaries, run `chroot /host`
#auth		sufficient	pam_wheel.so trust use_uid
#auth		required	pam_wheel.so use_uid
auth required pam_wheel.so use_uid group=sugroup
$ oc get ccr test-node-master-use-pam-wheel-group-for-su -o=jsonpath={.instructions}
Run the following command to check if the line is present:
grep pam_wheel /etc/pam.d/su
The output should contain the following line:
auth required pam_wheel.so use_uid group=
Is it the case that the line is not in the file or it is commented?
$ oc debug node/bgudi-m5-v8mjz-worker-a-t78vw -- chroot /host grep pam_wheel /etc/pam.d/su
Starting pod/bgudi-m5-v8mjz-worker-a-t78vw-debug-m79xj ...
To use host binaries, run `chroot /host`
#auth		sufficient	pam_wheel.so trust use_uid
#auth		required	pam_wheel.so use_uid

Removing debug pod ...
$ oc debug node/bgudi-m5-v8mjz-worker-a-t78vw -- chroot /host grep wheel /etc/pam.d/su
Starting pod/bgudi-m5-v8mjz-worker-a-t78vw-debug-g4kjm ...
To use host binaries, run `chroot /host`
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid

Removing debug pod ...

Raised a bug for the issue below (OCPBUGS-52287)

$ oc get ccr test-node-master-ensure-pam-wheel-group-empty -o=jsonpath={.instructions}
Run the following command to check if the  group exists:
grep  /etc/group
The output should contain the following line:
:x:

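The two checks that the comment above exercises, an active `pam_wheel.so` line in `/etc/pam.d/su` and an su group with no members in `/etc/group`, are reproduced here as a stand-alone POSIX shell script so they can be run outside the operator. This is an added example, not code from PR #12941, the ComplianceAsCode project or the Compliance Operator: the file contents it tests are constructed (modelled on the `oc debug` output in the thread), and the function names, the decision to accept only a `required`/`requisite` control word, and the `wheel`/`sugroup` sample groups are assumptions for illustration, not how the project's OVAL checks are written. What it does make concrete is that both checks are only meaningful once the group name is substituted in, which is exactly what the rendered instructions above are missing (`group=` with no value, `grep  /etc/group` with no group name), and that a `sufficient ... trust` line, which lets group members su without a password, must not be mistaken for the `required` line the rule asks for.

```shell
#!/bin/sh
# Added example, not code from PR #12941, ComplianceAsCode or the Compliance
# Operator. It re-implements the two checks described in the rule instructions
# as shell functions that take file paths, so they can be run against the
# constructed sample files below or, from an `oc debug node/<name>` pod, against
# /host/etc/pam.d/su and /host/etc/group. Function names, the "required-only"
# control check and the sample group names are assumptions for illustration.

# use-pam-wheel-group-for-su: is there an ACTIVE (uncommented) line of the form
#   auth required pam_wheel.so use_uid group=<group>
# in the su PAM file $1 for group $2? A commented line, or a
# "sufficient ... trust" line (group members may su without a password),
# does not count.
pam_wheel_required() {
  sed -e 's/#.*//' "$1" \
    | grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' \
    | grep -E '(^|[[:space:]])use_uid([[:space:]]|$)' \
    | grep -Eq "(^|[[:space:]])group=$2"'([[:space:]]|$)'
}

# ensure-pam-wheel-group-empty: does group $2 exist in the group file $1 with an
# empty member list (fourth colon-separated field), i.e. "<group>:x:<gid>:"?
pam_wheel_group_empty() {
  awk -F: -v g="$2" '
    $1 == g { found = 1; if ($4 != "") members = 1 }
    END      { exit !(found && !members) }
  ' "$1"
}

# Run both checks for su file $1, group file $2 and group $3; print one
# PASS/FAIL line per rule and return 0 only if both pass.
check_su_hardening() {
  rc=0
  if pam_wheel_required "$1" "$3"; then
    echo "use-pam-wheel-group-for-su:   PASS (active 'auth required pam_wheel.so use_uid group=$3')"
  else
    echo "use-pam-wheel-group-for-su:   FAIL (no active pam_wheel line for group=$3)"
    rc=1
  fi
  if pam_wheel_group_empty "$2" "$3"; then
    echo "ensure-pam-wheel-group-empty: PASS ($3 exists and has no members)"
  else
    echo "ensure-pam-wheel-group-empty: FAIL ($3 missing or has members)"
    rc=1
  fi
  return $rc
}

# Constructed sample input, modelled on the oc debug output in the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Stock RHCOS /etc/pam.d/su: both pam_wheel lines commented out.
cat >"$SAMPLE_DIR/su.default" <<'EOF'
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
EOF

# After the manual remediation shown for the master node.
{ cat "$SAMPLE_DIR/su.default"; echo 'auth required pam_wheel.so use_uid group=sugroup'; } \
  >"$SAMPLE_DIR/su.remediated"

# Weak variant: the "trust" line uncommented instead of the "required" one.
sed -e 's/^#\(auth.*sufficient\)/\1/' "$SAMPLE_DIR/su.default" >"$SAMPLE_DIR/su.trust"

# /etc/group with a populated wheel group and an empty sugroup.
cat >"$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:core
sugroup:x:1001:
EOF

echo "== unremediated node, group=wheel =="
check_su_hardening "$SAMPLE_DIR/su.default" "$SAMPLE_DIR/group" wheel \
  && echo "result: COMPLIANT" || echo "result: NON-COMPLIANT"
echo "== remediated node, group=sugroup =="
check_su_hardening "$SAMPLE_DIR/su.remediated" "$SAMPLE_DIR/group" sugroup \
  && echo "result: COMPLIANT" || echo "result: NON-COMPLIANT"
```

On a cluster node the same functions can be pointed at `/host/etc/pam.d/su` and `/host/etc/group` from an `oc debug node/<name>` pod (or run under `chroot /host`), which gives a quick way to tell a genuinely unremediated node from a rule whose group variable was never filled in: in the first case the `required` line is absent, in the second it is present but names a different group than the one the check is looking for.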
@BhargaviGudi

@rhmdnd Could you please help me unblock the verification for this PR. Thanks
