OCPBUGS-20015: Add remediation for RHCOS banners

[rhmdnd]

Public entities typically require systems to present users with a
specific banner when they log in. We have rules that check for a banner,
and a remediation in the description, along with a remediation we use in
testing.

This commit include the same remediation as a formal remediation, which
can be applied through the operator, instead of requiring users to
copy/paste them from the check result or rule description.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[rhmdnd]

/test

[openshift-ci]

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test e2e-aws-ocp4-cis
• /test e2e-aws-ocp4-cis-node
• /test e2e-aws-ocp4-e8
• /test e2e-aws-ocp4-high
• /test e2e-aws-ocp4-high-node
• /test e2e-aws-ocp4-moderate
• /test e2e-aws-ocp4-moderate-node
• /test e2e-aws-ocp4-pci-dss
• /test e2e-aws-ocp4-pci-dss-node
• /test e2e-aws-ocp4-stig
• /test e2e-aws-ocp4-stig-node
• /test e2e-aws-rhcos4-e8
• /test e2e-aws-rhcos4-high
• /test e2e-aws-rhcos4-moderate
• /test e2e-aws-rhcos4-stig
• /test images

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rhmdnd]

/test e2e-aws-rhcos4-high

[codeclimate]

Code Climate has analyzed commit adcf824 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

View more on Code Climate.

[rhmdnd]

/test e2e-aws-rhcos4-high

[xiaojiey]

/hold for test

[rhmdnd]

/test e2e-aws-rhcos4-high

[openshift-ci]

@rhmdnd: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-rhcos4-high	adcf824	link	true	/test e2e-aws-rhcos4-high

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[rhmdnd]

Note for reviewers about this PR, is that it won't work for all nodes if there are additional node pools in the cluster (e.g., infra). In that case, the end user would need to update the machine configuration labels to include any additional node pools so the machine configuration is applied to them, too.

[xiaojiey]

Verification pass.
There is a minor issue about the instruction for rule rhcos4-banner-etc-issue as it not helpful. I created a bug https://issues.redhat.com/browse/OCPBUGS-28796 to track.

1. create ssb:
$ oc compliance bind -N test profile/upstream-rhcos4-high -S default-auto-apply
Creating ScanSettingBinding test
2. Check suite and cluster status
$ oc get suite -w
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-a6ba0cf2715e6114dc67d94a90b3ca71   False     True       False      3              0                   0                     0                      5h57m
worker   rendered-worker-dde2711c3dd2270e1fbd97f601ded247   False     True       False      3              0                   0                     0                      5h57m
...
master   rendered-master-2044797427b55c7296f372fa99831037   True      False      False      3              3                   3                     0                      7h6m
worker   rendered-worker-42bdb57db0ed1a7f33023a6987c227e2   True      False      False      3              3                   3                     0                      7h6m
3. Rescan:
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': upstream-rhcos4-high-master, upstream-rhcos4-high-worker
Re-running scan 'openshift-compliance/upstream-rhcos4-high-master'
Re-running scan 'openshift-compliance/upstream-rhcos4-high-worker'
$ oc get suite
NAME   PHASE       RESULT
...
test   DONE          NON-COMPLIANT
$ oc get ccr | grep banner-etc-issue
upstream-rhcos4-high-master-banner-etc-issue                                                             PASS     medium
upstream-rhcos4-high-worker-banner-etc-issue                                                             PASS     medium
$ oc get cr | grep banner-etc-issue
upstream-rhcos4-high-master-banner-etc-issue                                                             Applied
upstream-rhcos4-high-worker-banner-etc-issue                                                             Applied
$ oc get cr upstream-rhcos4-high-master-banner-etc-issue -o yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  creationTimestamp: "2024-02-01T07:01:27Z"
  generation: 2
  labels:
    compliance.openshift.io/scan-name: upstream-rhcos4-high-master
    compliance.openshift.io/suite: test
  name: upstream-rhcos4-high-master-banner-etc-issue
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ComplianceCheckResult
    name: upstream-rhcos4-high-master-banner-etc-issue
    uid: c8d032de-48db-40f3-ad4c-5a8c3f9581d8
  resourceVersion: "142702"
  uid: 851e5999-ea27-4e5a-ab34-15bbd6678858
spec:
  apply: true
  current:
    object:
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        labels:
          machineconfiguration.openshift.io/role: worker
        name: 75-banner-etc-issue
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
            - contents:
                source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
              mode: 420
              overwrite: true
              path: /etc/issue.d/legal-notice
  outdated: {}
  type: Configuration
status:
  applicationState: Applied
$ oc get ccr upstream-rhcos4-high-master-banner-etc-issue -o=jsonpath={.instructions}
To check if the system login banner is compliant,
run the following command:
$ cat /etc/issue

[xiaojiey]

/unhold

[BhargaviGudi]

/label qe-approved

[openshift-ci]

@BhargaviGudi: The label(s) qe-approved cannot be applied, because the repository doesn't have them.

In response to this:

/label qe-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rhmdnd]

@yuumasato @Vincent056 should be ready for another look

[yuumasato]

@rhmdnd Are we okay with this rule being hardcoded to a single banner?
The rule uses variable login_banner_text to determine the banner it should be checking for.

[yuumasato]

@rhmdnd Are we okay with this rule being hardcoded to a single banner? The rule uses variable login_banner_text to determine the banner it should be checking for.

The profiles in RHCOS4 only use this rule with the dod_default banner, which is the one this rule's remediation is being hardcoded to.
The login_banner_text variable is the regular expression that matches the compliant banner. The bash and Ansible remediations strip the regex characters when applying the fix.
At the moment there is no way of making this striping for Kubernetes remediations.

This is a smal step forward that we can make while CO doesn't support the login_banner_text variable properly.
Another aspect is that when the rule has a remediations, the user can customize/edit the remediation created to fit their needs.