In my previous posts, I shared an overview of the Red Hat OpenShift compliance operator, its installation procedure, and how to trigger compliance scans and remediations with it. In this post, I will discuss how to generate an HTML report from the scan results.
In order to generate a report:
After a compliance scan completes, the operator stores the results on persistent storage backed by a PV object. To extract the results to the jump host, create a pod that mounts the same PVCs the compliance scan pods used.
In the example below, I have mounted the individual PVCs holding the ocp4-cis, ocp4-cis-node-master and ocp4-cis-node-worker scan results.
$ vi results-extract.yaml
apiVersion: "v1"
kind: Pod
metadata:
  name: pv-extract
spec:
  containers:
    - name: pv-extract-pod
      image: registry.access.redhat.com/ubi9/ubi
      command: ["sleep", "3000"]
      volumeMounts:
        - mountPath: "/workers-scan-results"
          name: workers-scan-vol
        - mountPath: "/masters-scan-results"
          name: masters-scan-vol
        - mountPath: "/cis-scan-results"
          name: cis-scan-vol
  volumes:
    - name: workers-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-cis-node-worker
    - name: masters-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-cis-node-master
    - name: cis-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-cis
Create the pod and wait for it to start.
$ oc create -f results-extract.yaml -n openshift-compliance
$ oc get pods -n openshift-compliance
Once the pod is in the Running state, create three directories on the jump host to hold the scan results locally, then run "oc cp" to copy the results from the PVs to the jump host.
$ mkdir master-scan-results worker-scan-results cis-scan-results
$ oc cp pv-extract:/masters-scan-results -n openshift-compliance ./master-scan-results
tar: Removing leading `/' from member names
$ oc cp pv-extract:/workers-scan-results -n openshift-compliance ./worker-scan-results
tar: Removing leading `/' from member names
$ oc cp pv-extract:/cis-scan-results -n openshift-compliance ./cis-scan-results
tar: Removing leading `/' from member names
$ ls *-scan-results/*/
cis-scan-results/0/:
ocp4-cis-api-checks-pod.xml.bzip2
master-scan-results/0/:
ocp4-cis-node-master-master1-pod.xml.bzip2 ocp4-cis-node-master-master2-pod.xml.bzip2 ocp4-cis-node-master-master3-pod.xml.bzip2
worker-scan-results/0/:
ocp4-cis-node-worker-master1-pod.xml.bzip2 ocp4-cis-node-worker-master2-pod.xml.bzip2 ocp4-cis-node-worker-master3-pod.xml.bzip2
Once the results are extracted, install the openscap-utils package on the jump host to generate the report. oscap reads the bzip2-compressed result file directly, so there is no need to decompress it first.
$ yum install -y openscap-utils
$ oscap xccdf generate report ./cis-scan-results/0/ocp4-cis-api-checks-pod.xml.bzip2 > ./cis-scan-results/0/cis-scan-results.html
Review the HTML report and verify the results.
NOTE: Once the report is generated, delete the pod. If you leave it running, the operator will not be able to start the next scan and store its results, because the PVs remain bound to your extraction pod.
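The whole procedure above as one script, added here as an example and not part of the original post: it creates the extraction pod, copies the results, generates an HTML report for every result file (not only the one shown), prints the pass/fail counts from each file, and removes the pod on exit so the PVCs are released even if a step fails. It assumes results-extract.yaml is the pod manifest from the post, the openshift-compliance namespace, and the three mount paths used there.

```shell
#!/bin/sh
# Added example, not from the original post: runs the post's steps end to end
# for every result file and always removes the extraction pod afterwards.
# Assumes results-extract.yaml (the pv-extract pod manifest from the post), the
# openshift-compliance namespace and the three mount paths used there.
set -eu

NS="openshift-compliance"
POD="pv-extract"

# Derive the HTML report path from a result file name (pure helper).
report_name() {
  printf '%s\n' "${1%.xml.bzip2}.html"
}

# Count rule results with a given status (pass, fail, notapplicable, ...) in
# one XCCDF/ARF result file; the operator stores these bzip2-compressed.
count_result() {
  status="$1"; file="$2"
  case "$file" in
    *.bzip2|*.bz2) bzcat "$file" ;;
    *) cat "$file" ;;
  esac | grep -o "<result>$status</result>" | wc -l | tr -d ' '
}

# oscap reads the bzip2 file directly, so no manual decompression is needed.
generate_report() {
  oscap xccdf generate report "$1" > "$(report_name "$1")"
}

extract_results() {
  mkdir -p master-scan-results worker-scan-results cis-scan-results
  oc cp "$POD:/masters-scan-results" -n "$NS" ./master-scan-results
  oc cp "$POD:/workers-scan-results" -n "$NS" ./worker-scan-results
  oc cp "$POD:/cis-scan-results" -n "$NS" ./cis-scan-results
}

main() {
  oc create -f results-extract.yaml -n "$NS"
  # Delete the pod even if a later step fails: while it holds the PVCs the
  # operator cannot start the next scan.
  trap 'oc delete pod "$POD" -n "$NS" --ignore-not-found' EXIT
  oc wait --for=condition=Ready "pod/$POD" -n "$NS" --timeout=120s
  extract_results
  for f in ./*-scan-results/*/*.xml.bzip2; do
    generate_report "$f"
    echo "$f: $(count_result fail "$f") failed, $(count_result pass "$f") passed"
  done
}

# Only run the cluster steps when invoked as: sh report.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from the directory that contains results-extract.yaml while logged in to the cluster with oc; the per-file counts give a quick sanity check before opening the HTML reports.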
In this post, I have shared how to generate an HTML report for a compliance scan performed on an OpenShift cluster.
I hope this series on the Red Hat OpenShift compliance operator helps you better understand the operator, run scans, and keep your cluster compliant. Feel free to leave your comments and feedback.
Anand Vyas
Platform Consultant - OpenShift/Kubernetes
Very detailed and useful information Anand, thank you for sharing