
Update expected result of e2e tests for sysctls already defined in /usr/lib/sysctl.d #10930

Merged
merged 2 commits into from
Aug 9, 2023

Conversation

yuumasato
Member

Description:

  • Update default_result of OCP e2e tests to PASS in the following rules:
    • sysctl_net_ipv4_conf_default_accept_source_route
    • sysctl_fs_protected_hardlinks
    • sysctl_fs_protected_symlinks
    • sysctl_kernel_kptr_restrict

Rationale:

  • Fixes failures in weekly OCP CI

In ComplianceAsCode#10367 the sysctl template was updated to check whether a
sysctl is set in /usr/lib/sysctl.d without being overwritten.

kernel.kptr_restrict is set to 1 by default in
/usr/lib/sysctl.d/50-redhat.conf

Before, the template didn't check for sysctls in that path and resulted in a
Fail evaluation, requiring remediation.
The following sysctls are defined in /usr/lib/sysctl.d/50-redhat.conf
and compliant by default.

The sysctl template got updated to check the files in /usr/lib/sysctl.d.
@yuumasato yuumasato added the OpenShift OpenShift product related. label Jul 31, 2023
@yuumasato yuumasato added this to the 0.1.70 milestone Jul 31, 2023
@yuumasato yuumasato requested a review from rhmdnd July 31, 2023 15:24
@yuumasato
Member Author

/test help

@openshift-ci

openshift-ci bot commented Jul 31, 2023

@yuumasato: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yuumasato
Member Author

/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-high

@xiaojiey
Collaborator

xiaojiey commented Aug 9, 2023

All related rules by default pass with 4.14 nightly payload 4.14.0-0.nightly-2023-08-08-094653. I will double check with 4.10/4.11/4.12, which are based on rhel8, later.

##rule sysctl-net-ipv4-conf-default-accept-source-route
$ oc get ccr | grep sysctl-net-ipv4-conf-default-accept-source-route
rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route                             PASS     medium
rhcos4-nerc-cip-worker-sysctl-net-ipv4-conf-default-accept-source-route                             PASS     medium
$ oc get ccr rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route -o=jsonpath={.instructions}
The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_source_route
0.
$ odebug node/xiyuan-09-b414-j5rmm-master-0.c.openshift-qe.internal -- chroot /host sysctl net.ipv4.conf.default.accept_source_route
Starting pod/xiyuan-09-b414-j5rmm-master-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
net.ipv4.conf.default.accept_source_route = 0

Removing debug pod ...
##rule sysctl-fs-protected-hardlinks
$ oc get ccr | grep hardlink
rhcos4-nerc-cip-master-sysctl-fs-protected-hardlinks                                                PASS     medium
rhcos4-nerc-cip-worker-sysctl-fs-protected-hardlinks                                                PASS     medium
$ oc get ccr rhcos4-nerc-cip-master-sysctl-fs-protected-hardlinks -o=jsonpath={.instructions}
The runtime status of the fs.protected_hardlinks kernel parameter can be queried
by running the following command:
$ sysctl fs.protected_hardlinks
1.
$ odebug node/xiyuan-09-b414-j5rmm-master-0.c.openshift-qe.internal -- chroot /host sysctl fs.protected_hardlinks
Starting pod/xiyuan-09-b414-j5rmm-master-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
fs.protected_hardlinks = 1

Removing debug pod ...
##rule sysctl-fs-protected-symlinks
$ oc get ccr | grep symlinks
rhcos4-nerc-cip-master-sysctl-fs-protected-symlinks                                                 PASS     medium
rhcos4-nerc-cip-worker-sysctl-fs-protected-symlinks                                                 PASS     medium
$ oc get ccr rhcos4-nerc-cip-master-sysctl-fs-protected-symlinks -o=jsonpath={.instructions}
The runtime status of the fs.protected_symlinks kernel parameter can be queried
by running the following command:
$ sysctl fs.protected_symlinks
1.
$ odebug node/xiyuan-09-b414-j5rmm-master-0.c.openshift-qe.internal -- chroot /host sysctl fs.protected_symlinks
Starting pod/xiyuan-09-b414-j5rmm-master-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
fs.protected_symlinks = 1

Removing debug pod ...
##rule sysctl-kernel-kptr-restrict
$ oc get ccr | grep sysctl-kernel-kptr-restrict
rhcos4-nerc-cip-master-sysctl-kernel-kptr-restrict                                                  PASS     medium
rhcos4-nerc-cip-worker-sysctl-kernel-kptr-restrict                                                  PASS     medium
$ oc get ccr rhcos4-nerc-cip-master-sysctl-kernel-kptr-restrict -o=jsonpath={.instructions}
The runtime status of the kernel.kptr_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate either:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2
The output of the command should not indicate:
kernel.kptr_restrict = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the /etc/sysctl.d directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2

Conflicting assignments are not allowed.
$ oc debug node/xiyuan-09-b414-j5rmm-master-0.c.openshift-qe.internal -- chroot /host sysctl kernel.kptr_restrict
Starting pod/xiyuan-09-b414-j5rmm-master-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
kernel.kptr_restrict = 1

Removing debug pod ...
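The persistent-configuration check that the rule instructions above describe, including the /usr/lib/sysctl.d handling from the PR description, as an added Python model; this is not ComplianceAsCode's template code, and the source list, the evaluate() result logic and the sample files written under a temporary root are assumptions constructed for the example.

```python
import glob
import os
import re
import tempfile

# Persistent sources in the order systemd-sysctl(8) reads them (/etc/sysctl.conf last).
# Any conflicting assignment is non-compliant, so basename shadowing is not modelled.
SYSCTL_SOURCES = ("usr/lib/sysctl.d", "run/sysctl.d", "etc/sysctl.d", "etc/sysctl.conf")
ASSIGN_RE = re.compile(r"^\s*([\w./-]+?)\s*=\s*(\S+)")

def collect_assignments(key, root="/"):
    """Return [(file, value)] for every persistent assignment of `key` under `root`."""
    found = []
    for src in SYSCTL_SOURCES:
        path = os.path.join(root, src)
        files = [path] if src.endswith(".conf") else sorted(glob.glob(os.path.join(path, "*.conf")))
        for conf in files:
            if not os.path.isfile(conf):
                continue
            with open(conf) as fh:
                for line in fh:
                    m = ASSIGN_RE.match(line)
                    # sysctl accepts '/' as well as '.' as the key separator
                    if m and m.group(1).replace("/", ".") == key:
                        found.append((conf, m.group(2)))
    return found

def evaluate(key, allowed, runtime_value, root="/"):
    """PASS only if the runtime value is allowed, at least one persistent assignment
    exists (a /usr/lib/sysctl.d default counts), and no assignment conflicts."""
    assignments = collect_assignments(key, root)
    if runtime_value not in allowed or not assignments:
        return "FAIL"
    return "FAIL" if any(v not in allowed for _, v in assignments) else "PASS"

def _write(root, rel, text):
    """Create a constructed config file below the temporary root."""
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)

def demo():
    """Constructed tree (not a real host): a vendor default in /usr/lib/sysctl.d
    plus a local file in /etc/sysctl.d that conflicts on kernel.kptr_restrict."""
    root = tempfile.mkdtemp()
    _write(root, "usr/lib/sysctl.d/50-vendor.conf", "kernel.kptr_restrict = 1\nfs.protected_hardlinks = 1\n")
    _write(root, "etc/sysctl.d/99-local.conf", "kernel.kptr_restrict = 0\nnet/ipv4/conf/default/accept_source_route = 0\n")
    cases = [("kernel.kptr_restrict", {"1", "2"}, "1"), ("fs.protected_hardlinks", {"1"}, "1"),
             ("fs.protected_symlinks", {"1"}, "1"), ("net.ipv4.conf.default.accept_source_route", {"0"}, "0")]
    return {k: evaluate(k, allowed, rt, root) for k, allowed, rt in cases}
```

Running demo() reports FAIL for kernel.kptr_restrict (conflicting 0 in /etc/sysctl.d), PASS for fs.protected_hardlinks via the vendor default alone, FAIL for fs.protected_symlinks (no persistent assignment), and PASS for the source-route key set through the '/'-separated form.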

@xiaojiey
Collaborator

xiaojiey commented Aug 9, 2023

@yuumasato @rhmdnd For 4.12, rule rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route will fail by default. We may need to keep the remediation for this rule? Or can we keep the remediation for all rules? Thanks.
$ oc get ccr rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route
NAME STATUS SEVERITY
rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route FAIL medium
$ oc get ccr rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route --show-labels
NAME STATUS SEVERITY LABELS
rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/scan-name=rhcos4-nerc-cip-master,compliance.openshift.io/suite=test
$ oc get ccr | grep hardlink
rhcos4-nerc-cip-master-sysctl-fs-protected-hardlinks PASS medium
rhcos4-nerc-cip-worker-sysctl-fs-protected-hardlinks PASS medium
$ oc get ccr | grep symlinks
rhcos4-nerc-cip-master-sysctl-fs-protected-symlinks PASS medium
rhcos4-nerc-cip-worker-sysctl-fs-protected-symlinks PASS medium
$ oc get ccr | grep restrict
rhcos4-nerc-cip-master-sysctl-kernel-dmesg-restrict FAIL low
rhcos4-nerc-cip-master-sysctl-kernel-kptr-restrict PASS medium
rhcos4-nerc-cip-worker-sysctl-kernel-dmesg-restrict FAIL low
rhcos4-nerc-cip-worker-sysctl-kernel-kptr-restrict PASS medium

@yuumasato
Member Author

Thanks for checking @xiaojiey
Let's keep the remediations

@yuumasato
Member Author

I have dropped the commit that was removing the remediations.

@codeclimate

codeclimate bot commented Aug 9, 2023

Code Climate has analyzed commit 8529633 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3%.



@rhmdnd rhmdnd left a comment


/lgtm

@rhmdnd rhmdnd merged commit 0e7439a into ComplianceAsCode:master Aug 9, 2023
29 of 30 checks passed
@yuumasato yuumasato deleted the update_sysctl_e2e_tests branch August 11, 2023 10:25
@Mab879 Mab879 added the Test Suite Update in Test Suite. label Oct 12, 2023