CMP-4049: Add rules to RHCOS DS#14461

Open
yuumasato wants to merge 3 commits into ComplianceAsCode:master from yuumasato:add-rules-to-co-pb

Conversation

@yuumasato
Member

@yuumasato yuumasato commented Feb 26, 2026

Description:

  • Adds a few rules to the RHCOS4 ProfileBundle
    • This is done by adding them to the hidden default profile.

Rationale:

  • By making these rules available in RHCOS4 DS, they can be used in TailoredProfiles in Compliance Operator

Review Hints:

  • Make sure these rules are present in RHCOS4 PB.

@yuumasato yuumasato requested a review from Vincent056 February 26, 2026 12:59
@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch 2 times, most recently from 69a6a41 to 0854ba4 Compare February 27, 2026 10:33
@yuumasato yuumasato added this to the 0.1.81 milestone Mar 3, 2026
Collaborator

@rhmdnd rhmdnd left a comment


One question on adding additional CCEs for the RHCOS rules now that we're using them there. Otherwise looks good.

@xiaojiey
Collaborator

xiaojiey commented Mar 4, 2026

Generally the PR is good. I have created a tailoredprofile for all newly added rules. After autoremediations were applied, two rules failed: one rule was accounts-authorized-local-users, the other rule was package-python3-dnf-removed. After adding "core|containers" to the variable upstream-rhcos4-var-accounts-authorized-local-users-regex, the rule accounts-authorized-local-users could PASS.
There are two minor issues:

  • I am wondering how to make rule package-python3-dnf-removed pass.
  • The default value for upstream-rhcos4-var-accounts-authorized-local-users-regex will by default fail the check, and there is no default value for rhel10.
$ oc get cr
NAME                                                                                   STATE
pr14461-new-rules-test-master-audit-rules-login-events-faillog                         Applied
pr14461-new-rules-test-master-audit-rules-mac-modification-etc-selinux                 Applied
pr14461-new-rules-test-master-audit-rules-networkconfig-modification-network-scripts   Applied
pr14461-new-rules-test-worker-audit-rules-login-events-faillog                         Applied
pr14461-new-rules-test-worker-audit-rules-mac-modification-etc-selinux                 Applied
pr14461-new-rules-test-worker-audit-rules-networkconfig-modification-network-scripts   Applied
$ oc-compliance rerun-now scansettingbinding test-pr11461-autor
Rerunning scans from 'test-pr11461-autor': pr14461-new-rules-test-master, pr14461-new-rules-test-worker
Re-running scan 'openshift-compliance/pr14461-new-rules-test-master'
Re-running scan 'openshift-compliance/pr14461-new-rules-test-worker'
$ oc get ccr
NAME                                                                                   STATUS   SEVERITY
pr14461-new-rules-test-master-accounts-authorized-local-users                          FAIL     medium
pr14461-new-rules-test-master-audit-rules-login-events-faillog                         PASS     medium
pr14461-new-rules-test-master-audit-rules-mac-modification-etc-selinux                 PASS     medium
pr14461-new-rules-test-master-audit-rules-networkconfig-modification-network-scripts   PASS     medium
pr14461-new-rules-test-master-package-at-removed                                       PASS     medium
pr14461-new-rules-test-master-package-python3-dnf-removed                              FAIL     medium
pr14461-new-rules-test-master-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-master-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-master-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-master-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-master-service-vsftpd-disabled                                  PASS     medium
pr14461-new-rules-test-worker-accounts-authorized-local-users                          FAIL     medium
pr14461-new-rules-test-worker-audit-rules-login-events-faillog                         PASS     medium
pr14461-new-rules-test-worker-audit-rules-mac-modification-etc-selinux                 PASS     medium
pr14461-new-rules-test-worker-audit-rules-networkconfig-modification-network-scripts   PASS     medium
pr14461-new-rules-test-worker-package-at-removed                                       PASS     medium
pr14461-new-rules-test-worker-package-python3-dnf-removed                              FAIL     medium
pr14461-new-rules-test-worker-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-worker-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-worker-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-worker-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-worker-service-vsftpd-disabled                                  PASS     medium
$ oc get variables.compliance.openshift.io upstream-rhcos4-var-accounts-authorized-local-users-regex -o=jsonpath={.value}
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)
$ oc get variables.compliance.openshift.io upstream-rhcos4-var-accounts-authorized-local-users-regex -o=jsonpath={.selections} | jq -r
[
  {
    "description": "ol7",
    "value": "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
  },
  {
    "description": "ol8",
    "value": "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
  },
  {
    "description": "ol9",
    "value": "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|fapolicyd|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-oom|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
  },
  {
    "description": "ol7forsap",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
  },
  {
    "description": "rhel8",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
  },
  {
    "description": "rhel9",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)$"
  },
  {
    "description": "sle12",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc)$"
  },
  {
    "description": "sle15",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty)$"
  },
  {
    "description": "slmicro5",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty|salt|cockpit-ws|cockpit-wsinstance)$"
  },
  {
    "description": "slmicro6",
    "value": "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty|salt|cockpit-ws|cockpit-wsinstance)$"
  }
]

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 0854ba4 to 340d167 Compare March 5, 2026 10:28
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Mar 5, 2026
Collaborator

@rhmdnd rhmdnd left a comment


/lgtm

Will need a rebase, but otherwise looks great.

Curious why you wanted to remove the new rules though?

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 0fb640f to 07a0d8c Compare March 5, 2026 13:00
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Mar 5, 2026
@yuumasato
Member Author

@rhmdnd Rebased, I'll propose them in separate PR. Makes it easier to merge this one.

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 07a0d8c to 2cda2eb Compare March 5, 2026 13:03
@yuumasato
Member Author

@xiaojiey I have removed the new rules, will add them later.

And I added a variable selector for RHCOS4.
https://github.com/ComplianceAsCode/content/pull/14461/changes#diff-9857042cc3848d830d64c02f0b61c2f07911f65508c8008ca0ce9ef6dd2d6a53R29

@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from 2cda2eb to ced8ff7 Compare March 5, 2026 16:26
Collaborator

@rhmdnd rhmdnd left a comment


Only one rule recommendation inline, otherwise this looks good.

- service_cups_disabled
- audit_rules_networkconfig_modification_network_scripts
- audit_rules_mac_modification_etc_selinux
- audit_rules_login_events_faillog
Collaborator


What about? That's similar to audit_rules_mac_modifications_etc_selinux.

- audit_rules_mac_modification_usr_share

Member Author


The rule is already in default.profile.

- sshd_disable_root_password_login
- harden_sshd_crypto_policy
- file_ownership_audit_configuration
- audit_rules_mac_modification_usr_share
Member Author


@rhmdnd The rule is already added here. 😁

@xiaojiey
Collaborator

After autoremediation was applied, all rules PASS. The only thing is that the default value of the variable upstream-rhcos4-var-accounts-authorized-local-users-regex still doesn't work. Need to set it to '^(root|core|containers)$' manually.

$ oc get scan
NAME                            PHASE   RESULT
pr14461-new-rules-test-master   DONE    COMPLIANT
pr14461-new-rules-test-worker   DONE    COMPLIANT
$ oc get ccr
NAME                                                                                   STATUS   SEVERITY
pr14461-new-rules-test-master-accounts-authorized-local-users                          PASS     medium
pr14461-new-rules-test-master-audit-rules-login-events-faillog                         PASS     medium
pr14461-new-rules-test-master-audit-rules-mac-modification-etc-selinux                 PASS     medium
pr14461-new-rules-test-master-audit-rules-networkconfig-modification-network-scripts   PASS     medium
pr14461-new-rules-test-master-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-master-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-master-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-master-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-master-service-vsftpd-disabled                                  PASS     medium
pr14461-new-rules-test-worker-accounts-authorized-local-users                          PASS     medium
pr14461-new-rules-test-worker-audit-rules-login-events-faillog                         PASS     medium
pr14461-new-rules-test-worker-audit-rules-mac-modification-etc-selinux                 PASS     medium
pr14461-new-rules-test-worker-audit-rules-networkconfig-modification-network-scripts   PASS     medium
pr14461-new-rules-test-worker-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-worker-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-worker-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-worker-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-worker-service-vsftpd-disabled                                  PASS     medium
$ oc get variable  upstream-rhcos4-var-accounts-authorized-local-users-regex -o=jsonpath={.value}
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)
$ cat ~/func/pr14461-test-tailored-profile.yaml | tail -n 4
  setValues:
    - name: upstream-rhcos4-var-accounts-authorized-local-users-regex
      rationale: 'Add RHCOS-specific users: core (default SSH user) and containers (container runtime user)'
      value: '^(root|core|containers)$'

Ensure RHCOS4 default variable value is in line with the node's users.
Ensure warning about no automated remediation is shown.
@yuumasato yuumasato force-pushed the add-rules-to-co-pb branch from ced8ff7 to d5d2636 Compare March 10, 2026 13:16
@yuumasato
Member Author

@xiaojiey Thanks for your remark.
I had added a variable selector for the user to customize with a tailored profile, but it is much better to set the default value to one that evaluates to PASS by default.
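As an added illustration, not code from this PR or from the ComplianceAsCode project, of why the stock default regex fails on an RHCOS node and why the value '^(root|core|containers)$' from the tailored profile passes: a small Python model of the accounts-authorized-local-users check run over a constructed /etc/passwd. The sample accounts, the assumption that only those three accounts appear in /etc/passwd, and the search-semantics evaluation are assumptions made here, not taken from the thread.

```python
import re

# Constructed /etc/passwd content for an RHCOS node (sample data, not captured from
# a real node). It is assumed that only these three accounts live in /etc/passwd,
# which is consistent with the thread's PASS result for '^(root|core|containers)$'.
RHCOS_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
containers:x:993:993:User for rootless containers:/var/home/containers:/sbin/nologin
"""

# Constructed extra account whose name merely starts with a listed name ('admin').
EXTRA_PASSWD = RHCOS_PASSWD + "admin2:x:1001:1001::/var/home/admin2:/bin/bash\n"

# Default the variable had in the failing run (copied from the thread; note that it
# has no trailing '$', unlike the per-product selections).
OLD_DEFAULT_REGEX = (
    r"^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss"
    r"|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue"
    r"|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws"
    r"|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)"
)

# Value set through setValues in the tailored profile, later made the RHCOS4 default.
RHCOS_REGEX = r"^(root|core|containers)$"


def local_users(passwd_text):
    """Extract user names (first colon-separated field) from /etc/passwd-style text."""
    return [line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if line and not line.startswith("#")]


def unauthorized_users(passwd_text, regex):
    """Return the local users whose names are not accepted by the regex.

    Assumption (not from the page): the rule is modelled as 'every name in
    /etc/passwd must match the regex', evaluated with search semantics, so an
    unanchored pattern also accepts any name that merely starts with a listed one.
    """
    pattern = re.compile(regex)
    return [u for u in local_users(passwd_text) if not pattern.search(u)]


def rule_passes(passwd_text, regex):
    """True when no unauthorized user is found, i.e. the rule would report PASS."""
    return not unauthorized_users(passwd_text, regex)


if __name__ == "__main__":
    for label, regex in (("old default", OLD_DEFAULT_REGEX), ("rhcos", RHCOS_REGEX)):
        print(f"{label}: unauthorized={unauthorized_users(RHCOS_PASSWD, regex)}")
```

Under these assumptions the old default flags core and containers, the RHCOS value flags nothing, and the missing '$' in the old default lets a constructed 'admin2' account slip through while the anchored RHCOS value rejects it.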

@xiaojiey
Collaborator

Thanks for the update, @yuumasato.
It works as expected now. No setValues needed for the variable now.

$ oc get variables.compliance.openshift.io upstream-rhcos4-var-accounts-authorized-local-users-regex -o=jsonpath={.value}
^(root|core|containers)$xiyuan@p1:~/isc/content$ oc apply -f ^C
$ cat ~/func/pr14461-test-tailored-profile.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  annotations:
    compliance.openshift.io/product-type: Node
  name: pr14461-new-rules-test
  namespace: openshift-compliance
spec:
  title: "PR 14461 - New RHCOS4 Rules Test"
  description: "This TailoredProfile enables all 11 rules that were newly added to the RHCOS4 default profile"
  enableRules:
    # Existing rules newly added to RHCOS4 default profile
    - name: upstream-rhcos4-accounts-authorized-local-users
      rationale: "Ensure only authorized local user accounts exist on the system"

    - name: upstream-rhcos4-service-vsftpd-disabled
      rationale: "Disable vsftpd service if not required"

    - name: upstream-rhcos4-package-vsftpd-removed
      rationale: "Remove vsftpd package if FTP service is not needed"

    - name: upstream-rhcos4-service-named-disabled
      rationale: "Disable named DNS service if not required"

    - name: upstream-rhcos4-service-atd-disabled
      rationale: "Disable atd service to prevent scheduled task execution"

    - name: upstream-rhcos4-service-cups-disabled
      rationale: "Disable CUPS printing service if not required"

    - name: upstream-rhcos4-audit-rules-networkconfig-modification-network-scripts
      rationale: "Audit modifications to network configuration scripts"

    - name: upstream-rhcos4-audit-rules-mac-modification-etc-selinux
      rationale: "Audit modifications to SELinux mandatory access controls"

    - name: upstream-rhcos4-audit-rules-login-events-faillog
      rationale: "Audit failed login attempts via faillog"
$ oc apply -f ~/func/pr14461-test-tailored-profile.yaml
tailoredprofile.compliance.openshift.io/pr14461-new-rules-test created
$ oc-compliance bind -N test tailoredprofile/pr14461-new-rules-test
Creating ScanSettingBinding test
$ oc get scan
NAME                            PHASE       RESULT
pr14461-new-rules-test-worker   DONE          NON-COMPLIANT
$ oc get ccr
NAME                                                                                   STATUS   SEVERITY
pr14461-new-rules-test-master-accounts-authorized-local-users                          PASS     medium
pr14461-new-rules-test-master-audit-rules-login-events-faillog                         FAIL     medium
pr14461-new-rules-test-master-audit-rules-mac-modification-etc-selinux                 FAIL     medium
pr14461-new-rules-test-master-audit-rules-networkconfig-modification-network-scripts   FAIL     medium
pr14461-new-rules-test-master-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-master-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-master-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-master-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-master-service-vsftpd-disabled                                  PASS     medium
pr14461-new-rules-test-worker-accounts-authorized-local-users                          PASS     medium
pr14461-new-rules-test-worker-audit-rules-login-events-faillog                         FAIL     medium
pr14461-new-rules-test-worker-audit-rules-mac-modification-etc-selinux                 FAIL     medium
pr14461-new-rules-test-worker-audit-rules-networkconfig-modification-network-scripts   FAIL     medium
pr14461-new-rules-test-worker-package-vsftpd-removed                                   PASS     high
pr14461-new-rules-test-worker-service-atd-disabled                                     PASS     medium
pr14461-new-rules-test-worker-service-cups-disabled                                    PASS     unknown
pr14461-new-rules-test-worker-service-named-disabled                                   PASS     medium
pr14461-new-rules-test-worker-service-vsftpd-disabled                                  PASS     medium

@yuumasato yuumasato added the CoreOS CoreOS product related. label Mar 12, 2026