
CMP-4338: Updated the audit rules to properly handle the RHCOS4 audit system config #14812

Open
abushkin-redhat wants to merge 3 commits into ComplianceAsCode:master from abushkin-redhat:cmp-4338-audit-rules

Conversation

@abushkin-redhat

Collaborator

Description:

Updated the audit rules to properly handle the RHCOS4 audit system configuration (which supports rhel8 - rhel10).
More information related to the ticket can be found here: https://redhat.atlassian.net/browse/CMP-4338

Alexander Bushkin added 2 commits June 19, 2026 12:38
…dle the RHCOS4 audit system configuration (which supports rhel8-rhel10).
…'acccess'. Doesn't currently break anything, but better to fix for correctness' sake.
@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 19, 2026
@openshift-ci

openshift-ci Bot commented Jun 19, 2026


Hi @abushkin-redhat. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@abushkin-redhat

Collaborator Author

/ok-to-test

@openshift-ci

openshift-ci Bot commented Jun 19, 2026


@abushkin-redhat: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.


In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yuumasato

Member

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Jun 19, 2026
@yuumasato

Member

/test 4.22-e2e-aws-openshift-node-compliance-rhcos10

@abushkin-redhat

Collaborator Author

/retest-required

@abushkin-redhat

Collaborator Author

/retest

@abushkin-redhat

Collaborator Author

/retest

@yuumasato

Member

/test 4.22-e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test 4.22-e2e-aws-openshift-node-compliance-rhcos10

@yuumasato yuumasato added this to the 0.1.82 milestone Jun 23, 2026
@yuumasato yuumasato self-assigned this Jun 23, 2026
@yuumasato

Member

/test 4.22-e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test master-e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-platform-compliance-rhcos10

@yuumasato yuumasato left a comment

Member


/lgtm

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@abushkin-redhat

Collaborator Author

Update: Re-adding ocp4 to product conditionals

CI testing on e2e-aws-openshift-node-compliance-rhcos10 showed all three directory_access rules still failing after remediation. Investigation revealed the root cause:

The previous change (commit c086a44) removed ocp4 from the Jinja2 conditional, leaving only ['rhcos4']. However, the product variable controls which datastream build includes the OR criteria, not which OS the scan runs on. The directory_access_var_log_* rules are in ocp4 profiles (NIST, PCI-DSS) and are scanned using the ocp4 datastream — even though they execute on RHCOS nodes via platform: ocp4-master-node.

With only ['rhcos4'] in the conditional, the ocp4 datastream was built from the else branch and still checked only the old auditd.service path, which doesn't exist on RHCOS10.

Verification via ARF results:

Without ocp4:

  <!-- ocp4 datastream: no OR criteria, only the else branch -->
  <definition id="oval:ssg-audit_rules_augenrules:def:1" result="false">
    <criteria operator="AND" result="false">
      <criterion test_ref="oval:ssg-test_audit_rules_augenrules:tst:1" result="false"/>
    </criteria>
  </definition>

With ocp4 re-added:

  <!-- ocp4 datastream: OR criteria checking both service paths -->
  <definition id="oval:ssg-audit_rules_augenrules:def:1" result="true">
    <criteria operator="OR" result="true">
      <criterion test_ref="oval:ssg-test_audit_rules_augenrules_service:tst:1" result="true"/>
      <criterion test_ref="oval:ssg-test_audit_rules_augenrules:tst:1" result="false"/>
    </criteria>
  </definition>

Tested on RHCOS10 cluster: all three rules FAIL on initial scan (expected), remediations generated and applied successfully, all three rules PASS after remediation.
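An added example (not code from this PR or the ComplianceAsCode project) that recomputes an OVAL definition's result from its criteria, using the two ARF excerpts quoted above as constructed input; it goes a little beyond the excerpts by handling nested criteria, the other OVAL operators, and the namespaced tags a real ARF file carries, so the same check can be run against an actual scan result to confirm which datastream variant produced the OR criteria.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two OVAL result excerpts quoted in the PR comment
# (definition id and test_ref names as on the page; namespaces omitted as there).
WITHOUT_OCP4 = """<definition id="oval:ssg-audit_rules_augenrules:def:1" result="false">
  <criteria operator="AND" result="false">
    <criterion test_ref="oval:ssg-test_audit_rules_augenrules:tst:1" result="false"/>
  </criteria>
</definition>"""

WITH_OCP4 = """<definition id="oval:ssg-audit_rules_augenrules:def:1" result="true">
  <criteria operator="OR" result="true">
    <criterion test_ref="oval:ssg-test_audit_rules_augenrules_service:tst:1" result="true"/>
    <criterion test_ref="oval:ssg-test_audit_rules_augenrules:tst:1" result="false"/>
  </criteria>
</definition>"""


def local(tag):
    """Drop an XML namespace prefix; real ARF results use the oval-res namespace."""
    return tag.rsplit("}", 1)[-1]


def evaluate(node):
    """Recompute a <criteria> result from its children using the OVAL operator."""
    results = [
        evaluate(c) if local(c.tag) == "criteria" else c.get("result") == "true"
        for c in node if local(c.tag) in ("criteria", "criterion")
    ]
    op = node.get("operator", "AND")
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    if op == "ONE":
        return results.count(True) == 1
    if op == "XOR":
        return results.count(True) % 2 == 1
    raise ValueError(f"unsupported OVAL operator {op!r}")


def analyse(xml_text):
    """Compare the recorded definition result with the recomputed one."""
    defn = ET.fromstring(xml_text)
    crit = next(c for c in defn if local(c.tag) == "criteria")
    recorded = defn.get("result") == "true"
    computed = evaluate(crit)
    passing = [c.get("test_ref") for c in crit.iter()
               if local(c.tag) == "criterion" and c.get("result") == "true"]
    return {"id": defn.get("id"), "operator": crit.get("operator"),
            "recorded": recorded, "computed": computed,
            "consistent": recorded == computed, "passing_tests": passing}
```

With the OR criteria the definition is true as soon as either service-path test passes, which is why the rule can pass on RHCOS10, where only the newer path exists.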

@yuumasato

Member

/test e2e-aws-openshift-node-compliance-rhcos10

@openshift-ci

openshift-ci Bot commented Jul 2, 2026


@abushkin-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Required | Rerun command
ci/prow/4.22-e2e-aws-openshift-node-compliance-rhcos10 | c086a44 | true | /test 4.22-e2e-aws-openshift-node-compliance-rhcos10
ci/prow/4.19-images | f1efd53 | true | /test 4.19-images
ci/prow/e2e-aws-openshift-platform-compliance | f1efd53 | true | /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-openshift-node-compliance | f1efd53 | true | /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
