CMP-4049: Add rules to RHCOS DS#14461

Open
yuumasato wants to merge 3 commits intoComplianceAsCode:masterfrom
yuumasato:add-rules-to-co-pb

Conversation

@yuumasato yuumasato commented Feb 26, 2026

Description:

  • Adds a few rules to the RHCOS4 ProfileBundle
    • This is done by adding them to the hidden default profile.

Rationale:

  • By making these rules available in RHCOS4 DS, they can be used in TailoredProfiles in Compliance Operator

Review Hints:

  • Make sure these rules are present in RHCOS4 PB.

@yuumasato yuumasato requested a review from Vincent056 February 26, 2026 12:59
@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch 2 times, most recently from 69a6a41 to 0854ba4 Compare February 27, 2026 10:33
@yuumasato yuumasato added this to the 0.1.81 milestone Mar 3, 2026
@rhmdnd rhmdnd left a comment

One question on adding additional CCEs for the RHCOS rules now that we're using them there. Otherwise looks good.

xiaojiey commented Mar 4, 2026

Generally the PR is good. I have created a TailoredProfile for all newly added rules. After autoremediations were applied, two rules failed: one was accounts-authorized-local-users, the other was package-python3-dnf-removed. After adding "core|containers" to the variable upstream-rhcos4-var-accounts-authorized-local-users-regex, the rule accounts-authorized-local-users could PASS.
There are two minor issues:

  • I am wondering how to make rule package-python3-dnf-removed pass.
  • The default value for upstream-rhcos4-var-accounts-authorized-local-users-regex will by default fail the check, and there is no default value for rhel10.
$ oc get cr
NAME                                                                                   STATE
pr14461-new-rules-test-master-audit-rules-login-events-faillog                         Applied
pr14461-new-rules-test-master-audit-rules-mac-modification-etc-selinux                 Applied
pr14461-new-rules-test-master-audit-rules-networkconfig-modification-network-scripts   Applied
pr14461-new-rules-test-worker-audit-rules-login-events-faillog                         Applied
pr14461-new-rules-test-worker-audit-rules-mac-modification-etc-selinux                 Applied
pr14461-new-rules-test-worker-audit-rules-networkconfig-modification-network-scripts   Applied
$ oc-compliance rerun-now scansettingbinding test-pr11461-autor
Rerunning scans from 'test-pr11461-autor': pr14461-new-rules-test-master, pr14461-new-rules-test-worker
Re-running scan 'openshift-compliance/pr14461-new-rules-test-master'
Re-running scan 'openshift-compliance/pr14461-new-rules-test-worker'
$ oc get ccr
NAME                                                                                   STATUS   SEVERITY
pr14461-new-rules-test-master-accounts-authorized-local-users                          FAIL     medium
pr14461-new-rules-test-master-audit-rules-login-events-faillog                         PASS     medium
pr14461-new-rules-test-master-audit-rules-mac-modification-etc-selinux                 PASS     medium
pr14461-new-rules-test-master-audit-rules-networkconfig-modification-network-scripts   PASS     medium
pr14461-new-rules-test-master-package-at-removed                                       PASS     medium
pr14461-new-rules-test-master-package-python3-dnf-removed                              FAIL     medium
pr14461-new-rules-test-master-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-master-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-master-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-master-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-master-service-vsftpd-disabled                                  PASS     medium
pr14461-new-rules-test-worker-accounts-authorized-local-users                          FAIL     medium
pr14461-new-rules-test-worker-audit-rules-login-events-faillog                         PASS     medium
pr14461-new-rules-test-worker-audit-rules-mac-modification-etc-selinux                 PASS     medium
pr14461-new-rules-test-worker-audit-rules-networkconfig-modification-network-scripts   PASS     medium
pr14461-new-rules-test-worker-package-at-removed                                       PASS     medium
pr14461-new-rules-test-worker-package-python3-dnf-removed                              FAIL     medium
pr14461-new-rules-test-worker-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-worker-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-worker-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-worker-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-worker-service-vsftpd-disabled                                  PASS     medium
$ oc get variables.compliance.openshift.io upstream-rhcos4-var-accounts-authorized-local-users-regex -o=jsonpath={.value}
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)
$ oc get variables.compliance.openshift.io upstream-rhcos4-var-accounts-authorized-local-users-regex -o=jsonpath={.selections} | jq -r
[
  {
    "description": "ol7",
    "value": "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
  },
  {
    "description": "ol8",
    "value": "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
  },
  {
    "description": "ol9",
    "value": "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|fapolicyd|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-oom|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
  },
  {
    "description": "ol7forsap",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
  },
  {
    "description": "rhel8",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
  },
  {
    "description": "rhel9",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)$"
  },
  {
    "description": "sle12",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc)$"
  },
  {
    "description": "sle15",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty)$"
  },
  {
    "description": "slmicro5",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty|salt|cockpit-ws|cockpit-wsinstance)$"
  },
  {
    "description": "slmicro6",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty|salt|cockpit-ws|cockpit-wsinstance)$"
  }
]
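An added example (not code from the PR or from the ComplianceAsCode/Compliance Operator projects) of the logic the comment above exercises: the login names in /etc/passwd are matched against the authorized-users allow-list regex, the RHCOS accounts `core` and `containers` are flagged by a RHEL-style default, and appending `core|containers` inside the regex group makes them pass while a genuinely unexpected account stays flagged. The passwd excerpt and the short BASE_REGEX are constructed for the example; the real default is the long value quoted above.

```python
import re

# Constructed /etc/passwd excerpt resembling an RHCOS node; not data from the PR or a real node.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
containers:x:993:993:User for rootless containers:/var/home/containers:/sbin/nologin
deploy:x:1001:1001:Constructed unexpected account:/home/deploy:/bin/bash
"""

# Constructed, shortened allow-list in the same ^(a|b|...)$ shape as the variable's
# selections; the real default value is the long regex quoted in the comment above.
BASE_REGEX = r"^(root|bin|daemon|adm|sshd|nobody)$"


def local_users(passwd_text: str) -> list[str]:
    """Return the login names (first field) from /etc/passwd-style text."""
    names = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            names.append(line.split(":", 1)[0])
    return names


def unauthorized_users(passwd_text: str, authorized_regex: str) -> list[str]:
    """Users not accepted by the allow-list regex; any hit is what makes the rule FAIL.

    fullmatch() is used deliberately: the default value shown above has no trailing '$',
    and a plain match() would let the 'root' alternative accept any name starting with 'root'.
    """
    pattern = re.compile(authorized_regex)
    return [u for u in local_users(passwd_text) if pattern.fullmatch(u) is None]


def extend_regex(authorized_regex: str, extra_alternatives: str) -> str:
    """Append alternatives such as 'core|containers' inside the outer group.

    Splits on the last ')' so an inner '$' (e.g. 'usbmuxd$') is left untouched and the
    optional trailing '$' anchor is preserved.
    """
    head, _, tail = authorized_regex.rpartition(")")
    return f"{head}|{extra_alternatives}){tail}"


if __name__ == "__main__":
    print("before:", unauthorized_users(SAMPLE_PASSWD, BASE_REGEX))
    fixed = extend_regex(BASE_REGEX, "core|containers")
    print("after: ", unauthorized_users(SAMPLE_PASSWD, fixed))
```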

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 0854ba4 to 340d167 Compare March 5, 2026 10:28
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Mar 5, 2026
@rhmdnd rhmdnd left a comment

/lgtm

Will need a rebase, but otherwise looks great.

Curious why you wanted to remove the new rules though?

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 0fb640f to 07a0d8c Compare March 5, 2026 13:00
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Mar 5, 2026
@yuumasato
Member Author

@rhmdnd Rebased, I'll propose them in a separate PR. Makes it easier to merge this one.

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 07a0d8c to 2cda2eb Compare March 5, 2026 13:03
@yuumasato
Member Author

@xiaojiey I have removed the new rules, will add them later.

And I added a variable selector for RHCOS4.
https://github.com/ComplianceAsCode/content/pull/14461/changes#diff-9857042cc3848d830d64c02f0b61c2f07911f65508c8008ca0ce9ef6dd2d6a53R29

Ensure warning about no automated remediation is shown.
Add RHCOS4 variable selector for 'var_accounts_authorized_local_users_regex'.
@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 2cda2eb to ced8ff7 Compare March 5, 2026 16:26
@rhmdnd rhmdnd left a comment

Only one rule recommendation inline, otherwise this looks good.

- service_cups_disabled
- audit_rules_networkconfig_modification_network_scripts
- audit_rules_mac_modification_etc_selinux
- audit_rules_login_events_faillog
What about? That's similar to audit_rules_mac_modifications_etc_selinux.

- audit_rules_mac_modification_usr_share
