diff --git a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
index 2fd0ad6e779..647e58743cb 100644
--- a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
+++ b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
@@ -25,17 +25,17 @@ description: |-
 spec:
 description: Allows an additional scc
 setValues:
- - name: upstream-ocp4-var-sccs-with-allowed-capabilities-regex
+ - name: ocp4-var-sccs-with-allowed-capabilities-regex
 rationale: Allow our own custom SCC
 value: ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^additional$
- extends: upstream-ocp4-cis
+ extends: ocp4-cis
 title: Modified CIS allowing one more SCC
Finally, reference this TailoredProfile in a ScanSettingBinding For more information on Tailoring the Compliance Operator, please consult the OpenShift documentation:
- {{{ weblink(link="https://docs.openshift.com/container-platform/4.12/security/compliance_operator/compliance-operator-tailor.html") }}}
+ {{{ weblink(link="https://docs.openshift.com/container-platform/latest/security/compliance_operator/co-scans/compliance-operator-tailor.html") }}}
rationale: |-
@@ -65,7 +65,7 @@ ocil: |- check the variable value, e.g:$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}'Then use following command to list the SCCs that would fail the test: -
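Review bot: The description does not say when the `upstream-` prefix removed from the example's variable name and `extends:` target applies, so a reader who installed the upstream-built content bundle (where, as far as I can infer from the old names, the profile and variable are exposed as `upstream-ocp4-cis` and `upstream-ocp4-var-…`) will copy an example that no longer matches their cluster. A one-line remark inside the description, such as `Note: when the upstream content bundle is installed, the profile and variable names carry an "upstream-" prefix.`, would keep the example usable for both builds. Moving the link from the pinned 4.12 page to `latest` avoids a stale version, but the added `co-scans/` segment shows that this path is reorganised between releases and a `latest` link will break silently the next time it is. The `description: |-` block starts before the hunk.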
$ oc get scc -o json | jq '{{{ jqfilter }}}'
+ {{{ ocil_oc_pipe_jq_filter('scc', jqfilter) }}} Please replace the regular expression in the test command with the value read from the variable
ocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable value with:
diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja
index 947191319f1..7ac489f1ee7 100644
--- a/shared/macros/10-ocil.jinja
+++ b/shared/macros/10-ocil.jinja
@@ -21,7 +21,7 @@ #}}
 {{% macro ocil_oc_pipe_jq_filter(object, jqfilter, namespace=none, all_namespaces=false) -%}}
-oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ namespace }}}{{% endif %}} {{{ object }}} -o json | jq '{{{ jqfilter }}}'
+$ oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ namespace }}}{{% endif %}} {{{ object }}} -o json | jq '{{{ jqfilter }}}'
 {{%- endmacro %}}
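Review bot: Prepending `$ ` inside `ocil_oc_pipe_jq_filter` changes the rendered OCIL text of every rule that already calls the macro, not only the scc rule converted in this commit, so any caller that wrote its own prompt before the call (the removed `$ oc get scc …` line shows that was the existing convention) will now render `$ $ oc get …`. Either keep the prompt at the call site, `$ {{{ ocil_oc_pipe_jq_filter('scc', jqfilter) }}}`, and leave the macro unchanged, or check the other callers before merging. The macro's doc comment, which ends with `#}}` at the top of the hunk, should also state that the output now begins with a shell prompt. Unrelated to this change but worth a caveat in that comment: `jqfilter` is interpolated verbatim between single quotes, so a filter containing `'` renders a command that does not run as shown.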