OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe #10434
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
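Review bot: `neccessary` in `+If not, it is neccessary to first create a MachineConfig` should be `necessary`, and since this paragraph is being reworded anyway the adjacent context is worth fixing in the same pass: `object that persist the required sysctl's` reads better as `object that persists the required sysctls`, and `Before enabling kernel parameter overwritten protection default` is hard to parse and could simply say `Before enabling protection of the kernel defaults`. The identical paragraph appears in each of the seven per-parameter rules further down, so the fix belongs in the shared description text rather than in one rule.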
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86688-9
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl:def:1
@@ -1,6 +1,5 @@
criteria OR
criteria AND
-extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_file_exist:def:1
extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1
extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1
extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1
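Review bot: dropping the reference to `oval:ssg-kubelet_enable_protect_kernel_sysctl_file_exist:def:1` leaves that definition orphaned unless its source was removed in the same change; if it still exists, delete it too, otherwise the datastream keeps carrying a dead test for the one file that the PR description says should no longer matter.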
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_ocil:questionnaire:1
@@ -1,33 +1,25 @@
-Run the following command on the kubelet node to check if sysctl configuration file exist(s):
-$ sudo [ -f /etc/sysctl.d/90-kubelet.conf ] || echo Not Exists
-The output should not return Not Exists.
-
Run the following command on the kubelet node(s) to check parameter vm.panic_on_oom:
-$ sudo grep vm.panic_on_oom /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+$ sysctl vm.panic_on_oom
+The output should return 0
Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
-$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+$ sysctl kernel.keys.root_maxbytes
+The output should return 25000000
Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
-$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+$ sysctl kernel.keys.root_maxkeys
+The output should return 1000000
Run the following command on the kubelet node(s) to check parameter kernel.panic:
-$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+$ sysctl kernel.panic
+The output should return 10
Run the following command on the kubelet node(s) to check parameter kernel.panic_on_oops:
-$ sudo grep kernel.panic_on_oops /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+$ sysctl kernel.panic_on_oops
+The output should return 1
Run the following command on the kubelet node(s) to check parameter vm.overcommit_memory:
-$ sudo grep vm.overcommit_memory /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
-
-Run the following command on the kubelet node(s) to check parameter kernel.panic:
-$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+$ sysctl vm.overcommit_memory
+The output should return 1
Is it the case that the kubelet can modify kernel parameters?
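Review bot: `sysctl vm.panic_on_oom` prints `vm.panic_on_oom = 0`, not a bare `0`, so `+The output should return 0` (and the five sibling lines) would be clearer as `The output should be vm.panic_on_oom = 0.`, which also restores the full stop the other sentences in this questionnaire end with. A second point: these commands only show the running value, while the per-parameter OVAL definitions in this same diff require a persisted setting as well (`_static` and `_runtime` under `criteria AND`), so the manual check can pass on a node where the automated check fails after the next reboot; a sentence telling the auditor to also confirm the value is set in a sysctl configuration file would keep the two in step. Finally, the unchanged closing question `Is it the case that the kubelet can modify kernel parameters?` does not describe what these commands test; a clause naming the failing condition, such as the required sysctl values not being set, would fit the new instructions.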
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86066-8
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:tst:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes_static:def:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes_runtime:def:1
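Review bot: with `criteria AND` over the new `_static` and `_runtime` definitions, a node whose kernel already ships `kernel.keys.root_maxbytes` at the required value but has no sysctl configuration file setting it passes the runtime half and fails the static half, which sits awkwardly next to the new description text `these parameters might be already set up for you` if "set up" can mean a kernel default. Either confirm that persistence in a config file is required on every supported node image, or state that requirement explicitly in the description; the same structure is repeated in the other five per-parameter definitions in this diff.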
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-Run the following command on the kubelet node(s):
-$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
+$ sysctl kernel.keys.root_maxbytes
+The output should return 25000000
Is it the case that the kubelet can modify kernel parameters?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86139-3
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:tst:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys_static:def:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys_runtime:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-Run the following command on the kubelet node(s):
-$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
+$ sysctl kernel.keys.root_maxkeys
+The output should return 1000000
Is it the case that the kubelet can modify kernel parameters?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86124-5
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_panic:tst:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_static:def:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_runtime:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-Run the following command on the kubelet node(s):
-$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+Run the following command on the kubelet node(s) to check parameter kernel.panic:
+$ sysctl kernel.panic
+The output should return 10
Is it the case that the kubelet can modify kernel parameters?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic_on_oops
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86114-6
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:tst:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops_static:def:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops_runtime:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-Run the following command on the kubelet node(s):
-$ sudo grep kernel.panic_on_oops /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+Run the following command on the kubelet node(s) to check parameter kernel.panic_on_oops:
+$ sysctl kernel.panic_on_oops
+The output should return 1
Is it the case that the kubelet can modify kernel parameters?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.overcommit_memory
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86085-8
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:tst:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory_static:def:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory_runtime:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-Run the following command on the kubelet node(s):
-$ sudo grep vm.overcommit_memory /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+Run the following command on the kubelet node(s) to check parameter vm.overcommit_memory:
+$ sysctl vm.overcommit_memory
+The output should return 1
Is it the case that the kubelet can modify kernel parameters?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom
@@ -3,11 +3,15 @@
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.panic_on_oom
[description]:
-Setup required tuned kernel parameters before enabling overwritten protection.
+Setup required tuned kernel parameters before enabling overwritten protection. Note
+that depending on the Linux distribution and its version that your cluster nodes are
+running, these parameters might be already set up for you. Please refer to the rule
+instructions for a check.
Before enabling kernel parameter overwritten protection default,
-it's important and necessary to first create a MachineConfig
+it's important to check if these values are already set to the required values.
+If not, it is neccessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
@@ -79,3 +83,6 @@
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior.
+
+[ident]:
+CCE-86086-6
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom' differs.
--- oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:def:1
+++ oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:tst:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom_static:def:1
+extend_definition oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom_runtime:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom' differs.
--- ocil:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom_ocil:questionnaire:1
@@ -1,5 +1,5 @@
-Run the following command on the kubelet node(s):
-$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf
-The output should return a value.
+Run the following command on the kubelet node(s) to check parameter kernel.panic:
+$ sysctl kernel.panic
+The output should return 10
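Review bot: this questionnaire belongs to the vm_panic_on_oom rule, but both the removed and the added lines check the wrong parameter: `+$ sysctl kernel.panic` / `+The output should return 10`. It should check `vm.panic_on_oom` and expect `0`, matching the lines the combined rule's questionnaire uses for this parameter (`$ sysctl vm.panic_on_oom`, `The output should return 0`); as written, the manual check for this rule never looks at the parameter the rule is about.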
Is it the case that the kubelet can modify kernel parameters?
/lgtm
/test e2e-aws-ocp4-cis-node
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
@Vincent056 you need to click on the approve button in review, there's no prow in this repo
We used to check one particular file and were using the lineinfile probe. This would fail in case someone just uses a different file for setting the sysctls. Let's use the sysctl probe instead. Related: OCPBUGS-11422
…related sysctls
The instructions were confusing and were instructing to check one particular file, which doesn't work for cases where the sysctls are either remediated in another way or just are correct by default. Let's fix the text.
Code Climate has analyzed commit 82a04d8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4% (0.0% change). View more on Code Climate.
```yaml
vars:
    path: /etc/sysctl.d/90-kubelet.conf
    text: "kernel.panic_on_oops=1"
name: sysctl
```
nit: doesn't look like this affects the tests, but the indentation shifted right a layer.
Description:
The instructions were confusing and were instructing to check one particular file, which doesn't work for cases where the sysctls are either remediated in another way or just are correct by default. Let's fix the text.
Rationale:
We used to check one particular file and were using the lineinfile probe. This would fail in case someone just uses a different file for setting the sysctls. Let's use the sysctl probe instead.
Review Hints:
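As an added example (not code from the ComplianceAsCode project or this PR), the POSIX shell script below applies the same idea to all six kubelet sysctls at once: it compares the live value from /proc/sys, which is what `sysctl KEY` reads, and the value persisted in any sysctl configuration location, rather than grepping the single hard-coded /etc/sysctl.d/90-kubelet.conf. The PROC_SYS and SYSCTL_DIRS overrides are assumptions added so the checks can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example, not code from the ComplianceAsCode project or this PR. Checks
# the six sysctls the kubelet_enable_protect_kernel_sysctl rules require the
# way the new OVAL does: live value (what `sysctl KEY` reads from /proc/sys)
# AND a persisted value in any sysctl config file, not one hard-coded file.

# Required key=value pairs, taken from the rule instructions in the diff.
KUBELET_SYSCTLS="vm.panic_on_oom=0
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1"

# Hypothetical overrides so the checks can target a constructed tree (a real node uses the defaults).
: "${PROC_SYS:=/proc/sys}"
: "${SYSCTL_DIRS:=/etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d /etc/sysctl.conf}"

# runtime_value KEY: print the live value (kernel.panic -> $PROC_SYS/kernel/panic).
runtime_value() {
    f="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] && cat "$f"
}

# persisted_value KEY: print the value from the last "KEY = VALUE" line in any
# *.conf under SYSCTL_DIRS (later locations win, a simplification of the
# `sysctl --system` ordering); print nothing if no file sets the key.
persisted_value() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    val=
    for p in $SYSCTL_DIRS; do
        [ -e "$p" ] || continue
        if [ -d "$p" ]; then files=$(ls "$p"/*.conf 2>/dev/null); else files=$p; fi
        for f in $files; do
            v=$(sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$f" | tail -n 1)
            [ -n "$v" ] && val=$v
        done
    done
    [ -n "$val" ] && printf '%s\n' "$val"
}

# check_one KEY EXPECTED: print a report line; return 0 only if both checks match.
check_one() {
    want=$2
    run=$(runtime_value "$1")
    saved=$(persisted_value "$1")
    status=PASS
    [ "$run" = "$want" ] && [ "$saved" = "$want" ] || status=FAIL
    printf '%-26s want=%-9s runtime=%-9s persisted=%-9s %s\n' \
        "$1" "$want" "${run:-<none>}" "${saved:-<none>}" "$status"
    [ "$status" = PASS ]
}

# check_all: run every required sysctl through check_one; 0 only if all pass.
check_all() {
    rc=0
    for kv in $KUBELET_SYSCTLS; do
        check_one "${kv%%=*}" "${kv#*=}" || rc=1
    done
    return $rc
}

# When executed directly, report the overall result for this node.
if check_all; then echo "all kubelet sysctls set and persisted"; else echo "kubelet sysctl check FAILED"; fi
```

A value that is correct in /proc/sys but missing from every config file is reported as `persisted=<none>` and fails, which is exactly the case the old single-file grep could not tell apart from a value set in a differently named file.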