---
title: Retrieving raw compliance results
exercise: 6
date: '2024-09-02'
tags: ['openshift','containers','kubernetes','disconnected']
draft: false
authors: ['default']
summary: "Need to integrate results with another platform?"
---

Organisations often run dedicated software for governance, risk and compliance (GRC) management, or need to hand results to external auditors. In those situations the dashboards in Red Hat Advanced Cluster Security and the `ComplianceCheckResult` objects in the OpenShift API server are helpful, but what we really need is to feed the results into a third-party compliance management platform, or pass them to other parties in a standardised format.

In this exercise we'll briefly step through retrieving the raw compliance results, which the Compliance Operator stores in the well-known **Asset Reporting Format** (ARF).

The Asset Reporting Format is a data model that defines a transport format for information about assets, and for the relationships between assets and the reports produced about them. Because the data model is standardised, asset information can be reported, correlated and merged within and between organisations. ARF is vendor and technology neutral, flexible, and suited to a wide variety of reporting applications.

For the format specification (ARF 1.1) refer to https://www.nist.gov/publications/specification-asset-reporting-format-11
## 6.1 - Understanding raw result storage

When the Compliance Operator runs a scan, the raw ARF results are written to a `PersistentVolume` that the operator claims through a `PersistentVolumeClaim` in the `openshift-compliance` namespace. Each scan in a `ComplianceSuite` records the name of its claim under `status.scanStatuses[].resultsStorage`, so the following `oc` command shows which claim holds the results for a given suite.

Let's use the suite name we set up previously, `daily-nist-800-53-moderate`:

```bash
oc get --namespace openshift-compliance compliancesuites daily-nist-800-53-moderate --output json | jq '.status.scanStatuses[].resultsStorage'
```

We should see one entry per scan in the suite, each naming the `PersistentVolumeClaim` that holds that scan's results. In the example below these are the platform scan `ocp4-moderate` and the node scans for the master and worker pools:

```json
{
  "name": "ocp4-moderate",
  "namespace": "openshift-compliance"
}
{
  "name": "ocp4-moderate-node-master",
  "namespace": "openshift-compliance"
}
{
  "name": "ocp4-moderate-node-worker",
  "namespace": "openshift-compliance"
}
```

We can view the details of one of these claims, including the `PersistentVolume` it is bound to, its capacity and its access mode, as follows:

```bash
oc get pvc --namespace openshift-compliance ocp4-moderate
```

## 6.2 - Retrieving results from a volume

Let's retrieve result files from a volume by mounting its claim into a pod, and then using `oc` to copy the volume contents to our highside SSH host. The pod has to run in `openshift-compliance`, the namespace the claim lives in; it only needs a minimal image and a long `sleep` so that it stays up while we copy files out of it:

```bash
cat << EOF | oc --namespace openshift-compliance apply --filename -
apiVersion: "v1"
kind: Pod
metadata:
  name: pv-extract
spec:
  containers:
    - name: pv-extract-pod
      image: registry.access.redhat.com/ubi9/ubi
      command: ["sleep", "3000"]
      volumeMounts:
        - mountPath: "/ocp4-moderate-scan-results"
          name: ocp4-moderate-scan-vol
  volumes:
    - name: ocp4-moderate-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-moderate
EOF
```

Note that while `pv-extract` is running the claim stays in use. If the claim's access mode is `ReadWriteOnce`, the volume can only be attached to one node at a time, so delete the pod as soon as you have finished copying; otherwise the operator's next scan may be unable to mount the volume to store its results.
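Once the files have been copied off the volume, feeding them into a GRC platform means parsing the ARF XML. The following is an added example, not part of the original workshop or of the Compliance Operator: it parses a constructed, minimal ARF document (one `arf:report` wrapping an XCCDF 1.2 `TestResult`; the rule IDs and outcomes are made up and not real scan output) and flattens the `rule-result` entries into plain records, the shape most compliance platforms and auditors want. It also accepts bzip2-compressed input, since the operator stores its raw results as bzip2-compressed ARF files, and goes slightly beyond the page by handling several reports per ARF collection.

```python
import bz2
import xml.etree.ElementTree as ET
from collections import Counter

# XML namespaces used by ARF 1.1 and the XCCDF 1.2 TestResult it wraps.
NS = {
    "arf": "http://scap.nist.gov/schema/asset-reporting-format/1.1",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed sample: a minimal ARF collection with one XCCDF TestResult.
# Rule IDs follow the ComplianceAsCode naming scheme, but the outcomes,
# timestamps and score are invented for this example.
SAMPLE_ARF = """<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
                    id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_moderate"
                    start-time="2024-09-02T01:00:00" end-time="2024-09-02T01:05:00">
          <profile idref="xccdf_org.ssgproject.content_profile_moderate"/>
          <target>ocp4-moderate</target>
          <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_anonymous_auth" severity="medium">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_insecure_port" severity="high">
            <result>fail</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_general_namespaces_in_use" severity="medium">
            <result>notchecked</result>
          </rule-result>
          <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""

# The same sample in the on-disk form the operator uses (bzip2-compressed).
SAMPLE_ARF_BZ2 = bz2.compress(SAMPLE_ARF.encode())


def load_arf(data: bytes) -> ET.Element:
    """Return the root element of an ARF document, decompressing bzip2 if needed."""
    if data.startswith(b"BZh"):  # bzip2 stream magic
        data = bz2.decompress(data)
    return ET.fromstring(data)


def parse_arf(data: bytes) -> list[dict]:
    """Flatten every XCCDF rule-result in an ARF collection into plain dicts."""
    root = load_arf(data)
    rows = []
    # A collection may carry several reports; walk each TestResult it wraps.
    for report in root.iterfind(".//arf:report", NS):
        for tr in report.iterfind(".//xccdf:TestResult", NS):
            profile = tr.find("xccdf:profile", NS)
            target = tr.find("xccdf:target", NS)
            for rr in tr.iterfind("xccdf:rule-result", NS):
                rows.append({
                    "report": report.get("id"),
                    "profile": profile.get("idref") if profile is not None else None,
                    "target": target.text if target is not None else None,
                    "rule": rr.get("idref"),
                    "severity": rr.get("severity"),
                    "result": rr.findtext("xccdf:result", default="unknown", namespaces=NS),
                })
    return rows


def summarize(rows: list[dict]) -> dict[str, int]:
    """Count rule outcomes (pass, fail, notchecked, ...) for a quick export or dashboard."""
    return dict(Counter(row["result"] for row in rows))


def failing_rules(rows: list[dict]) -> list[str]:
    """IDs of failed rules, highest severity first: the list an auditor asks for."""
    order = {"high": 0, "medium": 1, "low": 2}
    failed = [r for r in rows if r["result"] == "fail"]
    failed.sort(key=lambda r: (order.get(r["severity"], 3), r["rule"]))
    return [r["rule"] for r in failed]


if __name__ == "__main__":
    results = parse_arf(SAMPLE_ARF_BZ2)
    print(summarize(results))
    for rule in failing_rules(results):
        print("FAIL", rule)
```

On real output, replace `SAMPLE_ARF_BZ2` with the bytes of a file copied from the volume; the `notchecked` outcome is worth surfacing separately, since a rule that was never evaluated is not evidence of compliance.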