'none_exist' check of template 'yamlfile_value' does not work as expected
Closed this issue · 3 comments
tmishina commented
The check result of kubelet_authorization_mode does not work as expected for the following condition.
Does something unexpected happen in yamlfile_value? Or should the rule be updated? Thanks in advance.
rule

```yaml
template:
    name: yamlfile_value
    vars:
        filepath: /etc/kubernetes/kubelet.conf
        yamlpath: ".authorization.mode"
        check_existence: "none_exist"
        values:
          - value: "AlwaysAllow"
            operation: "equals"
```
example kubelet.conf content

```text
# cat /etc/kubernetes/kubelet.conf | grep 'authorization' -A 2
authorization:
  mode: "Webhook"
```
check log

The log says 'exist on the system', but the content (`mode: "Webhook"`) does not match the value in the rule (`value: "AlwaysAllow"`).
```text
Title   Ensure authorization is set to Webhook
Rule    xccdf_org.ssgproject.content_rule_kubelet_authorization_mode
Ident   CCE-83593-4
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_kubelet_authorization_mode'.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_node:def:1': Red Hat OpenShift Container Platform Node.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_node:def:1' evaluated as true.
I: oscap: This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP.
I: oscap: Evaluating definition 'oval:ssg-kubelet_authorization_mode:def:1': Ensure authorization is set to Webhook.
I: oscap: Evaluating yamlfilecontent test 'oval:ssg-test_kubelet_authorization_mode:tst:1': In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authorization.mode'..
I: oscap: Querying yamlfilecontent object 'oval:ssg-object_kubelet_authorization_mode:obj:1', flags: 0.
I: oscap: Creating new syschar for yamlfilecontent_object 'oval:ssg-object_kubelet_authorization_mode:obj:1'.
I: oscap: Object 'oval:ssg-object_kubelet_authorization_mode:obj:1' references variable 'oval:ssg-kubelet_authorization_mode_file_location:var:1' in 'filepath' field.
I: oscap: Querying variable 'oval:ssg-kubelet_authorization_mode_file_location:var:1'.
I: oscap: Variable 'oval:ssg-kubelet_authorization_mode_file_location:var:1' has values "/etc/kubernetes/kubelet.conf".
I: oscap: Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap: I will run yamlfilecontent_probe_main:
I: oscap: Opening file '/host/etc/kubernetes/kubelet.conf'.
I: oscap: Test 'oval:ssg-test_kubelet_authorization_mode:tst:1' requires that none of the objects defined by 'oval:ssg-object_kubelet_authorization_mode:obj:1' exist on the system.
I: oscap: 1 objects defined by 'oval:ssg-object_kubelet_authorization_mode:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-object_kubelet_authorization_mode:obj:1' were collected. (flag=complete)
I: oscap: Test 'oval:ssg-test_kubelet_authorization_mode:tst:1' evaluated as false.
I: oscap: Definition 'oval:ssg-kubelet_authorization_mode:def:1' evaluated as false.
Result  fail
```
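To make the behaviour in the log concrete, here is an added Python model of how an OVAL test combines `check_existence` with the state comparison. It is an illustration written for this page, not code from OpenSCAP, the Compliance Operator or ComplianceAsCode. The dict standing in for the parsed kubelet.conf, the dotted-path resolver (the real probe uses full yaml-path syntax) and the alternative rule settings shown (`all_exist` with value `Webhook`, a `not equal` operation) are assumptions made for the example, not a statement of how the template was actually fixed.

```python
"""Model of an OVAL yamlfilecontent test: existence check first, state second.

Added illustration only; not OpenSCAP or ComplianceAsCode code.
"""

# Constructed sample: the parsed form of the kubelet.conf quoted in the issue.
KUBELET_CONF = {
    "kind": "KubeletConfiguration",
    "authorization": {"mode": "Webhook"},
}


def collect(doc, yamlpath):
    """Return the items found at a dotted yamlpath such as ".authorization.mode".

    Only plain key traversal is modelled (assumption); the real probe
    evaluates the full yaml-path expression against the file.
    """
    node = doc
    for key in yamlpath.strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return []  # path absent: the object collects no item
        node = node[key]
    return [node]


def state_matches(item, value, operation):
    """OVAL state comparison for the operations used in this example."""
    if operation == "equals":
        return item == value
    if operation == "not equal":
        return item != value
    raise ValueError(f"unsupported operation {operation!r}")


def evaluate(doc, yamlpath, check_existence, value, operation):
    """Return the test result (True/False) the way the log describes it.

    check_existence is decided purely by how many items the object collected.
    The state (value/operation) is only consulted once items exist and the
    existence requirement is met. With none_exist the state is never used,
    so a key that is present fails the test whatever its value is.
    """
    items = collect(doc, yamlpath)
    if check_existence == "none_exist":
        return len(items) == 0
    if check_existence == "only_one_exists" and len(items) != 1:
        return False
    if check_existence in ("all_exist", "at_least_one_exists", "only_one_exists"):
        if not items:
            return False
        return all(state_matches(item, value, operation) for item in items)
    raise ValueError(f"unsupported check_existence {check_existence!r}")


def rule_as_filed(doc=KUBELET_CONF):
    """The rule from the issue: none_exist + AlwaysAllow. Fails on a Webhook
    config because ".authorization.mode" exists; the value is never compared."""
    return evaluate(doc, ".authorization.mode", "none_exist", "AlwaysAllow", "equals")


def rule_requiring_webhook(doc=KUBELET_CONF):
    """What the rule title asks for, stated positively (assumed alternative):
    the key must exist and its value must equal "Webhook"."""
    return evaluate(doc, ".authorization.mode", "all_exist", "Webhook", "equals")


def rule_forbidding_always_allow(doc=KUBELET_CONF):
    """Another assumed alternative: the key must exist and must not be
    AlwaysAllow. Note this also fails when the key is missing entirely."""
    return evaluate(doc, ".authorization.mode", "all_exist", "AlwaysAllow", "not equal")


if __name__ == "__main__":
    print("as filed (none_exist, AlwaysAllow):", rule_as_filed())
    print("all_exist, equals Webhook:        ", rule_requiring_webhook())
    print("all_exist, not equal AlwaysAllow: ", rule_forbidding_always_allow())
    print("as filed on a file without the key:", rule_as_filed({}))
```

The last line of the usage shows the only situation in which the filed rule passes: when `.authorization.mode` is absent from the file altogether, which is not the same thing as the mode being set to Webhook.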
JAORMX commented
@tmishina could you file this in ComplianceAsCode? This seems more like a content issue than a Compliance Operator issue.
tmishina commented
@JAORMX thank you for your guidance, I've moved this issue to ComplianceAsCode/content#6658.
JAORMX commented
Closing this, as it's being tracked now in the appropriate repo.