CMP-3730: Updated banner_etc_issue to use variable #14615

Open
vickeybrown wants to merge 2 commits into ComplianceAsCode:master from vickeybrown:CMP-3730-banner-fix

Conversation

@vickeybrown

Description:

banner_etc_issue currently uses a hardcoded remediation value, while the check allows for the configuration of different values via variable. This update changes it to follow that flow to allow for successful remediations.

Review Hints:

  • All of the default rhcos4 profiles use dod_banner by default, which is what it was hardcoded to before. To test this change, you can either create a TailoredProfile that uses a test hardcoded value (specifying a variable in TailoredProfiles for this field doesn't yet work), or create a test profile locally with one of the predefined banners and scan with that.

openshift-ci bot added the needs-ok-to-test label (Used by openshift-ci bot.) on Apr 2, 2026
@openshift-ci

openshift-ci Bot commented Apr 2, 2026

Hi @vickeybrown. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yuumasato
Member

/ok-to-test

openshift-ci bot added the ok-to-test label and removed the needs-ok-to-test label (Used by openshift-ci bot.) on Apr 2, 2026
@vickeybrown
Author

/retest-required

@rhmdnd
Collaborator

rhmdnd commented Apr 6, 2026

/ok-to-test

jan-cerny added the OpenShift label (OpenShift product related.) on Apr 7, 2026
@vickeybrown
Author

/retest

vickeybrown force-pushed the CMP-3730-banner-fix branch from 709a72d to 813621b on April 7, 2026 14:55
@Vincent056
Contributor

/ok-to-test

@vickeybrown
Author

/test e2e-aws-openshift-node-compliance

@openshift-ci

openshift-ci Bot commented Apr 7, 2026

@vickeybrown: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                  Commit   Details  Required  Rerun command
ci/prow/e2e-aws-openshift-node-compliance  813621b  link     true      /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yuumasato self-assigned this on Apr 17, 2026
yuumasato added this to the 0.1.81 milestone on Apr 17, 2026

files:
- contents:
source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
source: data:,{{.login_banner_contents | urlquery}}
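Review bot: the `urlquery` filter on the new `source:` line encodes spaces as `+` (query-string style), but a `data:` URL is only percent-decoded by its consumer, so those `+` characters land verbatim in the banner file, which is exactly what the reviewer's `cat /etc/issue.d/legal-notice` output shows. The hardcoded value being replaced used `%20` for spaces and `%0A` for newlines, i.e. plain percent-encoding, which is what Jinja2's `urlencode` filter produces; suggest `source: data:,{{.login_banner_contents | urlencode}}` so the check and the remediation agree on the banner text.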
Member


I think you need to use urlencode rather than urlquery.
https://jinja.palletsprojects.com/en/stable/templates/#jinja-filters.urlencode

The rule is still failing after remediation.

When I tried with cis_default I got the following remediation:

spec:
  apply: true
  current:
    object:
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        labels:
          machineconfiguration.openshift.io/role: worker
        name: 75-banner-etc-issue
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
            - contents:
                source: data:,Authorized+users+only.+All+activity+may+be+monitored+and+reported.
              mode: 420
              overwrite: true
              path: /etc/issue.d/legal-notice
  type: Configuration

Which got applied as:

sh-5.1# cat /etc/issue.d/legal-notice
Authorized+users+only.+All+activity+may+be+monitored+and+reported.sh-5.1#
 oc get ccr | grep banner
upstream-rhcos4-e8-master-banner-etc-issue                                                                   FAIL     medium
upstream-rhcos4-e8-worker-banner-etc-issue                                                                   FAIL     medium

With urlencode it passed. The banner was set as:

sh-5.1# cat /etc/issue.d/legal-notice
Authorized users only. All activity may be monitored and reported.sh-5.1# ^C
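An added Python example (not code from the PR or from ComplianceAsCode) that reproduces the failure described in the review above: it renders the MachineConfig `contents.source` value with a query-string encoder and with a percent-encoder, decodes each the way an RFC 2397 `data:` URL consumer such as Ignition does, and checks whether the resulting file content equals the configured banner. The banner text, the helper names and the decoder are constructed for illustration.

```python
"""Added example, not code from the PR or from ComplianceAsCode: shows why a
`urlquery`-style filter breaks the banner delivered through an Ignition
`data:` URL and why Jinja2's `urlencode` (percent-encoding) round-trips."""
from urllib.parse import quote, quote_plus, unquote

# Constructed sample banner (two lines, so newline handling is exercised too).
BANNER = "Authorized users only.\nAll activity may be monitored and reported."


def encode_query_style(text: str) -> str:
    """Query-string encoding, as a `urlquery` filter does: spaces become '+'."""
    return quote_plus(text)


def encode_percent_style(text: str) -> str:
    """Percent-encoding, as Jinja2's `urlencode` does for a plain string:
    spaces become '%20', newlines '%0A'; '/' is left as-is."""
    return quote(text, safe="/")


def decode_data_url(url: str) -> str:
    """Decode a `data:,<payload>` URL the way an RFC 2397 consumer such as
    Ignition does: percent-decoding only, so a literal '+' stays a '+'."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, payload = url[len("data:"):].partition(",")
    if ";base64" in header:
        raise NotImplementedError("base64 payloads are outside this example")
    return unquote(payload)  # unquote(), not unquote_plus()


FILTERS = {"urlquery": encode_query_style, "urlencode": encode_percent_style}


def render_source(banner: str, filter_name: str) -> str:
    """Build the MachineConfig `contents.source` value for the given filter."""
    return "data:," + FILTERS[filter_name](banner)


def banner_round_trips(banner: str, filter_name: str) -> bool:
    """True if the file Ignition would write equals the configured banner."""
    return decode_data_url(render_source(banner, filter_name)) == banner


if __name__ == "__main__":
    for name in FILTERS:
        source = render_source(BANNER, name)
        print(f"{name}: {source}")
        print("  file content:", repr(decode_data_url(source)))
        print("  matches configured banner:", banner_round_trips(BANNER, name))
```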
