@jkeam
Last active April 30, 2021 22:03
Compliance Operator Script

Compliance Operator Demo Script

Steps

1. Use the right project

   ```shell
   oc project openshift-compliance
   ```

2. See all profiles

   ```shell
   oc get profiles.compliance

   # see all profiles and options
   ```

3. See the specific profile I want to run the scan against

   ```shell
   oc get -oyaml profiles.compliance rhcos4-e8 | yq e -

   # see all the rules
   ```

4. The exact rule we will be using in our demo

   ```shell
   oc get -oyaml profiles.compliance rhcos4-e8 | grep dmesg

   # see just our specific rule
   ```

5. See details of the rule

   ```shell
   oc get -oyaml rules.compliance rhcos4-sysctl-kernel-dmesg-restrict | yq e -

   # see title and rationale and talk to them
   ```

6. Use the OCP Web Console to open a terminal to a Worker Node

   ```shell
   # or connect from the command line
   oc debug node/ip-10-0-137-229.us-east-2.compute.internal

   # once connected run
   sysctl kernel.dmesg_restrict

   # you should see
   # kernel.dmesg_restrict = 0
   ```

7. Run the scan from the configs in the other repo

   ```shell
   # create scan settings, when to scan
   oc apply -f ./0_scan_settings.yml

   # create profile
   oc apply -f ./1_dmesg_profile.yml

   # create binding of scan setting and profile
   oc apply -f ./2_scan_settings_binding.yml
   ```
8. See results

   ```shell
   # while running

   # see suite, not compliant
   oc get compliancesuites

   # see individual scans, not compliant
   oc get compliancescans

   # see results, see FAIL medium
   oc get compliancecheckresults

   # see result details
   oc describe compliancecheckresults/rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict
   ```

9. Pull down the ARF and generate HTML reports (instructions can be found here). See that it's red/failing.

10. See the remediations that exist

    ```shell
    oc get complianceremediations
    ```

11. See remediation details

    ```shell
    oc edit complianceremediation/rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict
    ```

12. Apply remediations

    ```shell
    # to actually apply the remediation, look for apply: false and change it to apply: true
    oc edit complianceremediation/rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict

    # then find the scan setting and update the schedule so that it runs again quickly
    ```

13. Wait for the scan to run

    ```shell
    oc get compliancesuites -w

    # should eventually become compliant
    ```

14. Log in again and see that it's fixed

    ```shell
    oc debug node/ip-10-0-137-229.us-east-2.compute.internal
    sysctl kernel.dmesg_restrict

    # now it is 1
    # kernel.dmesg_restrict = 1
    ```

15. Rename directories so we don't clobber previous results

    ```shell
    mv ./resultsdir ./resultsdir_before
    mv ./reportsdir ./reportsdir_before
    ```

16. Pull down the new ARF results and generate new HTML reports (instructions can be found here). See that it's all green.
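The three manifests applied in the "Run scan from configs from other repo" step live in another repo and are not on this page; the following is an added example of what they contain, written here for the demo and not the gist's own files. The file names, the ScanSetting and binding names, and the TailoredProfile name `rhcos4-e8-modified` (inferred from the ComplianceCheckResult and ComplianceRemediation names used in the later steps) are assumptions.

```yaml
# Added example manifests for the "Run scan from configs from other repo"
# step; these are not the gist's repo files. Assumed: the file names, the
# ScanSetting/binding names, and the TailoredProfile name rhcos4-e8-modified.
---
# 0_scan_settings.yml: when and on which nodes to scan
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: dmesg-demo-setting
  namespace: openshift-compliance
rawResultStorage:
  pvAccessModes:
    - ReadWriteOnce
  rotation: 3             # keep the last three raw ARF result sets
  size: 1Gi
roles:
  - worker                # matches the "-worker-" in the check result name
schedule: '*/5 * * * *'   # short interval so the post-remediation re-scan is quick
---
# 1_dmesg_profile.yml: tailor the Essential Eight (rhcos4-e8) profile
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: rhcos4-e8-modified
  namespace: openshift-compliance
spec:
  extends: rhcos4-e8
  title: Essential Eight with dmesg restriction (demo)
  description: rhcos4-e8 with the dmesg_restrict rule kept explicitly enabled
  enableRules:
    - name: rhcos4-sysctl-kernel-dmesg-restrict
      rationale: Unprivileged users must not be able to read the kernel ring buffer
---
# 2_scan_settings_binding.yml: bind the tailored profile to the scan setting
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: dmesg-demo-binding
  namespace: openshift-compliance
profiles:
  - name: rhcos4-e8-modified
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: dmesg-demo-setting
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

Setting `apply: true` on the ComplianceRemediation later in the demo creates a MachineConfig that the Machine Config Operator rolls out to the worker pool, rebooting those nodes, so the re-scan only turns green once they are back.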

Links

  1. OC Command
  2. OpenSource Repository of the Content
  3. Essential Eight Profile (referenced in this demo)
  4. Remediation (referenced in this demo)