RHBA-2021:1022 - Bug Fix Advisory

Topic

An updated Compliance Operator image (v0.1.29) is now available for
OpenShift Container Platform 4.7.

Version 0.1.29:

• Adds fixes to compliance content.
• Complete OpenShift CIS Benchmark scanning.
• Added flag to ScanSettings to auto-update remediations: autoUpdateRemediations.
• Create "default-auto-apply" ScanSetting (auto applies remediations and auto-updates them too).
• CIS references are now annotated in the results.
• Resource consumption improvements.
• CRDs now support short names.
• SKIP state is now more specific (marking NOT-APPLICABLE if a scan doesn't apply to a certain node or configuration).
• Remediations now support dependencies (e.g. don't apply a remediation unless another one is passing).
• ComplianceCheckResults which can't have automation are now marked as 'MANUAL'
• Manual auditing instructions are now represented in the results.

Description

The Compliance Operator v0.1.29 image update is now available for OpenShift
Container Platform 4.7.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64

Fixes

• BZ - 1940776 - Compliance operator pod fails with: Couldn't ensure directory","error":"mkdir /reports/0: permission denied"
• BZ - 1940778 - Compliance operator returns NON-COMPLIANT when no remediation found for profile ocp4-cis-node
• BZ - 1940779 - Provide better visibility into 'SKIP' scan result status as well as into OpenSCAP 'not applicable'
• BZ - 1940780 - ocp4-cis scan reports FAIL for audit logforward check

CVEs

• CVE-2020-1971
• CVE-2020-24659

References

(none)