- Use right project
oc project openshift-compliance
- See all profiles
oc get profiles.compliance
# see all profiles and options
- See specific profile I want to run scan against
oc get -oyaml profiles.compliance rhcos4-e8 | yq e -
# see all the rules
- The exact rule we will be using in our demo
oc get -oyaml profiles.compliance rhcos4-e8 | grep dmesg
# see just our specific rule
- See details of the rule
oc get -oyaml rules.compliance rhcos4-sysctl-kernel-dmesg-restrict | yq e -
# see title and rationale and talk to them
- Use OCP Web Console to open a terminal to a Worker Node
# or connect from the command line
oc debug node/ip-10-0-137-229.us-east-2.compute.internal
# once connected run
sysctl kernel.dmesg_restrict
# you should see
# kernel.dmesg_restrict = 0
- Run scan from configs from other repo
# create scan settings, when to scan
oc apply -f ./0_scan_settings.yml
# create profile
oc apply -f ./1_dmesg_profile.yml
# create binding of scan setting and profile
oc apply -f ./2_scan_settings_binding.yml
- See results
# while running
# see suite, not compliant
oc get compliancesuites
# see individual scans, not compliant
oc get compliancescans
# see results, see FAIL medium
oc get compliancecheckresults
# see result details
oc describe compliancecheckresults/rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict
- Pull down ARF and generate html reports, instructions can be found here. See that it's red/failing.
- See remediations that exist
oc get complianceremediations
- See remediation details
oc edit complianceremediation/rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict
- Apply remediations
# to actually apply the remediation, look for apply: false and change it to apply: true
oc edit complianceremediation/rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict
# then find scan setting and update the schedule so that it runs again quickly
- Wait for scan to run
oc get compliancesuites -w
# should eventually become compliant
- Log in again and see that it's fixed
oc debug node/ip-10-0-137-229.us-east-2.compute.internal
sysctl kernel.dmesg_restrict
# now it is 1
# kernel.dmesg_restrict = 1
- Rename directories so we don't clobber previous results
mv ./resultsdir ./resultsdir_before
mv ./reportsdir ./reportsdir_before
- Pull down new ARF results and generate new html reports, instructions can be found here. See that it's all green.
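
To confirm the before/after change from the check results themselves rather than by eye in the HTML reports, this added example (not part of the original demo or the Compliance Operator) compares two saved outputs of `oc get compliancecheckresults -o json`, one taken before the remediation and one after the rescan. It assumes the ComplianceCheckResult layout with top-level status and severity fields and the compliance.openshift.io/automated-remediation label; the sample data and the second check name are constructed.

```python
import json

REMEDIATION_LABEL = "compliance.openshift.io/automated-remediation"
DMESG = "rhcos4-e8-modified-worker-sysctl-kernel-dmesg-restrict"
OTHER = "rhcos4-e8-modified-worker-placeholder-check"  # constructed name

def make_list(checks):
    """Build a constructed, trimmed `oc get compliancecheckresults -o json` document."""
    items = []
    for name, (status, has_fix) in checks.items():
        labels = {REMEDIATION_LABEL: ""} if has_fix else {}
        items.append({"kind": "ComplianceCheckResult",
                      "metadata": {"name": name, "labels": labels},
                      "status": status, "severity": "medium"})
    return json.dumps({"kind": "List", "items": items})

def index(raw):
    """Map check name -> (status, severity, has automated remediation)."""
    out = {}
    for item in json.loads(raw).get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        out[meta["name"]] = (item.get("status", "UNKNOWN"),
                             item.get("severity", "unknown"),
                             REMEDIATION_LABEL in labels)
    return out

def compare(before_raw, after_raw):
    """Bucket every check from the first scan by what happened to it in the second."""
    before, after = index(before_raw), index(after_raw)
    report = {"fixed": [], "regressed": [], "still_failing": [], "missing": []}
    for name, (old, _, _) in sorted(before.items()):
        if name not in after:          # check disappeared, e.g. profile was changed
            report["missing"].append(name)
            continue
        new, severity, has_fix = after[name]
        if old == "FAIL" and new == "PASS":
            report["fixed"].append(name)
        elif old == "PASS" and new != "PASS":
            report["regressed"].append(name)
        elif new == "FAIL":
            hint = "remediation available" if has_fix else "manual fix needed"
            report["still_failing"].append((name, severity, hint))
    return report

# Constructed snapshots standing in for files saved before and after the rescan.
BEFORE = make_list({DMESG: ("FAIL", True), OTHER: ("FAIL", False)})
AFTER = make_list({DMESG: ("PASS", True), OTHER: ("FAIL", False)})

if __name__ == "__main__":
    for bucket, entries in compare(BEFORE, AFTER).items():
        print(bucket, entries)
```

On a real cluster, replace BEFORE and AFTER with the contents of the two saved JSON files.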