Running with gitlab-runner 13.12.0 (7a6612da)
  on dsop-privileged-shared-gitlab-runner-776978788c-jqptt eAf6wMEk
  feature flags: FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY:false
section_start:1630978383:resolve_secrets
Resolving secrets
section_end:1630978383:resolve_secrets
section_start:1630978383:prepare_executor
Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab-runner-ironbank-dsop-privileged
Using Kubernetes executor with image registry1.dso.mil/ironbank/ironbank-pipelines/pipeline-runner:0.3 ...
Using attach strategy to execute scripts...
section_end:1630978383:prepare_executor
section_start:1630978383:prepare_script
Preparing environment
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotInitialized: "containers with incomplete status: [init-logs istio-init]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotInitialized: "containers with incomplete status: [init-logs istio-init]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotInitialized: "containers with incomplete status: [istio-init]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop-privileged/runner-eaf6wmek-project-3478-concurrent-0xl9xh to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Running on runner-eaf6wmek-project-3478-concurrent-0xl9xh via dsop-privileged-shared-gitlab-runner-776978788c-jqptt...
section_end:1630978420:prepare_script
section_start:1630978420:get_sources
Getting source from Git repository
$ until [ $(curl --fail --silent --output /dev/stderr --write-out "%{http_code}" localhost:15020/healthz/ready) -eq 200 ]; do echo Waiting for Sidecar; sleep 3 ; done ; echo Sidecar available;
Sidecar available
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/eAf6wMEk/0/dsop/confluent/confluent-component-operator/cp-server-connect-operator-5.5.x/.git/
Created fresh repository.
Checking out 13d92c57 as master...
Skipping Git submodules setup
section_end:1630978432:get_sources
section_start:1630978432:download_artifacts
Downloading artifacts
Downloading artifacts for build (6282650)...
Downloading artifacts from coordinator... ok  id=6282650 responseStatus=200 OK token=QzS9Jb7E
WARNING: ci-artifacts/build/: lchown ci-artifacts/build/: operation not permitted (suppressing repeats)
Downloading artifacts for load-scripts (6282643)...
Downloading artifacts from coordinator... ok  id=6282643 responseStatus=200 OK token=75N7VXyc
WARNING: ci-artifacts/[MASKED]/: lchown ci-artifacts/[MASKED]/: operation not permitted (suppressing repeats)
section_end:1630978432:download_artifacts
section_start:1630978432:step_script
Executing "step_script" stage of the job script
$ "${PIPELINE_REPO_DIR}/stages/scanning/openscap/oscap-compliance-run.sh"
Trying to pull registry1.dso.mil/ironbank-staging/confluent/confluent-component-operator/cp-server-connect-operator-5.5.x@sha256:bfb483a2a33682d0d5b2c45b9b5dd57353d9ca6f01a5ac93527841b7a5236ece...
Getting image source signatures
Copying blob sha256:96476a77b28db43fcb170401c287700d91d95cdff9c06e5ea7b48289d40a8e57
Copying blob sha256:db2f50b75fc09a20e8d9c497d96ad384fbeacf7e77df71e4c7b578d4c07fccce
Copying blob sha256:fb81fd9bfce3c67e95ee0e2b2534651d2eb25b7c799418095957cc156c5b896d
Copying blob sha256:a987ab50fb37e735969d1490264c0661d81eb787a28eeb02517c9bf909d08218
Copying blob sha256:f0c487b2e4524855c7ce77ebfd1d37968b743b5dbe9bb8e67a100bd451b4b2ea
Copying blob sha256:f5fbb496f6e8a8a282ce21fe50cc08189d0c5d64ed6dc0717ba4f284e3745c1e
Copying config sha256:674ea4bb8f8644d2d56763bd894e45c9ecebea76310d10ecff3a469c58b6aff2
Writing manifest to image destination
Storing signatures
674ea4bb8f8644d2d56763bd894e45c9ecebea76310d10ecff3a469c58b6aff2
Base Image Type: ubi8-container
Imported Base Image Type: ubi8-container
674ea4bb8f86
INFO: Log level set to info
{"profile": "xccdf_org.ssgproject.content_profile_stig", "securityGuide": "scap-security-guide-0.1.54/ssg-rhel8-ds.xml"}
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 636 100 636 0 0 10779 0 --:--:-- --:--:-- --:--:-- 10965
100 56.8M 100 56.8M 0 0 116M 0 --:--:-- --:--:-- --:--:-- 116M
profile: xccdf_org.ssgproject.content_profile_stig
securityGuide: scap-security-guide-0.1.54/ssg-rhel8-ds.xml
time="2021-09-07T01:36:52Z" level=error msg="Error printing inspect 
output: template: all inspect:1: function \"join\" not defined" Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml ... ok Title Install AIDE Rule xccdf_org.ssgproject.content_rule_package_aide_installed Ident CCE-80844-4 Result notapplicable Title Enable FIPS Mode Rule xccdf_org.ssgproject.content_rule_enable_fips_mode Ident CCE-80942-6 Result notapplicable Title Enable Dracut FIPS Module Rule xccdf_org.ssgproject.content_rule_enable_dracut_fips_module Ident CCE-82155-3 Result notapplicable Title Install crypto-policies package Rule xccdf_org.ssgproject.content_rule_package_crypto-policies_installed Ident CCE-82723-8 Result pass Title Configure session renegotiation for SSH client Rule xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit Ident CCE-82880-6 Result fail Title Configure System Cryptography Policy Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy Ident CCE-80935-0 Result fail Title Configure Libreswan to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy Ident CCE-80937-6 Result pass Title OpenSSL uses strong entropy source Rule xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy Ident CCE-82721-2 Result pass Title Configure SSH to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy Ident CCE-80939-2 Result pass Title Configure Kerberos to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy Ident CCE-80936-8 Result pass Title Configure OpenSSL library to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy Ident CCE-80938-4 Result fail Title Configure BIND to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy Ident CCE-80934-3 Result pass Title The Installed Operating System Is Vendor Supported Rule xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported Ident CCE-80947-5 
Result pass Title Ensure /home Located On Separate Partition Rule xccdf_org.ssgproject.content_rule_partition_for_home Ident CCE-81044-0 Result notapplicable Title Encrypt Partitions Rule xccdf_org.ssgproject.content_rule_encrypt_partitions Ident CCE-80789-1 Result notapplicable Title Ensure /var/log/audit Located On Separate Partition Rule xccdf_org.ssgproject.content_rule_partition_for_var_log_audit Ident CCE-80854-3 Result notapplicable Title Ensure /var Located On Separate Partition Rule xccdf_org.ssgproject.content_rule_partition_for_var Ident CCE-80852-7 Result notapplicable Title Ensure /var/log Located On Separate Partition Rule xccdf_org.ssgproject.content_rule_partition_for_var_log Ident CCE-80853-5 Result notapplicable Title Make sure that the dconf databases are up-to-date with regards to respective keyfiles Rule xccdf_org.ssgproject.content_rule_dconf_db_up_to_date Ident CCE-81003-6 Result notapplicable Title Install sudo Package Rule xccdf_org.ssgproject.content_rule_package_sudo_installed Ident CCE-82214-8 Result fail Title Install dnf-automatic Package Rule xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed Ident CCE-82985-3 Result fail Title Ensure gpgcheck Enabled In Main yum Configuration Rule xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated Ident CCE-80790-9 Result pass Title Ensure gpgcheck Enabled for Local Packages Rule xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages Ident CCE-80791-7 Result pass Title Enable dnf-automatic Timer Rule xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled Ident CCE-82360-9 Result fail Title Configure dnf-automatic to Install Available Updates Automatically Rule xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates Ident CCE-82494-6 Result fail Title Ensure Red Hat GPG Key Installed Rule xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed Ident CCE-80795-8 Result pass Title Ensure yum Removes Previous Package Versions Rule 
xccdf_org.ssgproject.content_rule_clean_components_post_updating Ident CCE-82476-3 Result pass Title Configure dnf-automatic to Install Only Security Updates Rule xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only Ident CCE-82267-6 Result fail Title Ensure gpgcheck Enabled for All yum Package Repositories Rule xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled Ident CCE-80792-5 Result pass Title Install dnf-plugin-subscription-manager Package Rule xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed Ident CCE-82315-3 Result pass Title Ensure gnutls-utils is installed Rule xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed Ident CCE-82395-5 Result fail Title Install libcap-ng-utils Package Rule xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed Ident CCE-82979-6 Result fail Title Install openscap-scanner Package Rule xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed Ident CCE-82220-5 Result fail Title Install scap-security-guide Package Rule xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed Ident CCE-82949-9 Result fail Title Install subscription-manager Package Rule xccdf_org.ssgproject.content_rule_package_subscription-manager_installed Ident CCE-82316-1 Result pass Title Uninstall abrt-addon-ccpp Package Rule xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed Ident CCE-82919-2 Result pass Title Uninstall abrt-addon-kerneloops Package Rule xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed Ident CCE-82926-7 Result pass Title Uninstall abrt-addon-python Package Rule xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed Ident CCE-82923-4 Result pass Title Uninstall abrt-cli Package Rule xccdf_org.ssgproject.content_rule_package_abrt-cli_removed Ident CCE-82907-7 Result pass Title Uninstall abrt-plugin-logger Package Rule 
xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed Ident CCE-82913-5 Result pass Title Uninstall abrt-plugin-rhtsupport Package Rule xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed Ident CCE-82916-8 Result pass Title Uninstall abrt-plugin-sosreport Package Rule xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed Ident CCE-82910-1 Result pass Title Uninstall gssproxy Package Rule xccdf_org.ssgproject.content_rule_package_gssproxy_removed Ident CCE-82943-2 Result pass Title Uninstall iprutils Package Rule xccdf_org.ssgproject.content_rule_package_iprutils_removed Ident CCE-82946-5 Result pass Title Uninstall krb5-workstation Package Rule xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed Ident CCE-82931-7 Result pass Title Modify the System Login Banner Rule xccdf_org.ssgproject.content_rule_banner_etc_issue Ident CCE-80763-6 Result pass Title Set the GNOME3 Login Warning Banner Text Rule xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text Ident CCE-80770-1 Result notapplicable Title Enable GNOME3 Login Warning Banner Rule xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled Ident CCE-80768-5 Result notapplicable Title Set Lockout Time for Failed Password Attempts Rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time Ident CCE-80670-3 Result pass Title Set Deny For Failed Password Attempts Rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny Ident CCE-80667-9 Result pass Title Set Interval For Counting Failed Password Attempts Rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval Ident CCE-80669-5 Result pass Title Enforce pam_faillock for Local Accounts Only Rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local Ident CCE-83401-0 Result fail Title Limit Password Reuse Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember Ident CCE-80666-1 
Result pass Title Set Password Maximum Consecutive Repeating Characters Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat Ident CCE-82066-2 Result pass Title Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat Ident CCE-81034-1 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Length Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen Ident CCE-80656-2 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit Ident CCE-80665-3 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Different Characters Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_difok Ident CCE-80654-7 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Digit Characters Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit Ident CCE-80653-9 Result pass Title Ensure PAM Enforces Password Requirements - Enforce for root User Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root Ident CCE-83377-2 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Special Characters Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit Ident CCE-80663-8 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit Ident CCE-80655-4 Result pass Title Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local Ident CCE-83364-0 Result pass Title Disable debug-shell SystemD Service Rule xccdf_org.ssgproject.content_rule_service_debug-shell_disabled Ident CCE-80876-6 Result notapplicable Title Require Authentication for Single User 
Mode Rule xccdf_org.ssgproject.content_rule_require_singleuser_auth Ident CCE-80855-0 Result notapplicable Title Disable Ctrl-Alt-Del Reboot Activation Rule xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot Ident CCE-80785-9 Result notapplicable Title Disable Ctrl-Alt-Del Burst Action Rule xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction Ident CCE-80784-2 Result pass Title Verify that Interactive Boot is Disabled Rule xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot Ident CCE-80826-1 Result notapplicable Title Configure Smart Card Certificate Status Checking Rule xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking Ident CCE-82475-5 Result notapplicable Title Install the tmux Package Rule xccdf_org.ssgproject.content_rule_package_tmux_installed Ident CCE-80644-8 Result notapplicable Title Configure tmux to lock session after inactivity Rule xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time Ident CCE-82199-1 Result notapplicable Title Configure the tmux Lock Command Rule xccdf_org.ssgproject.content_rule_configure_tmux_lock_command Ident CCE-80940-0 Result notapplicable Title Support session locking with tmux Rule xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux Ident CCE-82266-8 Result notapplicable Title Prevent user from disabling the screen lock Rule xccdf_org.ssgproject.content_rule_no_tmux_in_shells Ident CCE-82361-7 Result notapplicable Title Enforce usage of pam_wheel for su authentication Rule xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su Ident CCE-83318-6 Result pass Title Restrict Virtual Console Root Logins Rule xccdf_org.ssgproject.content_rule_securetty_root_login_console_only Ident CCE-80864-2 Result pass Title Prevent Login to Accounts With Empty Password Rule xccdf_org.ssgproject.content_rule_no_empty_passwords Ident CCE-80841-0 Result pass Title Set Existing Passwords Minimum Age Rule xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing 
Ident CCE-82472-2 Result notchecked Title Set Existing Passwords Maximum Age Rule xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing Ident CCE-82473-0 Result notchecked Title Set Password Minimum Length in login.defs Rule xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs Ident CCE-80652-1 Result pass Title Assign Expiration Date to Temporary Accounts Rule xccdf_org.ssgproject.content_rule_account_temp_expire_date Ident CCE-82474-8 Result notchecked Title Set Account Expiration Following Inactivity Rule xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration Ident CCE-80954-1 Result pass Title Limit the Number of Concurrent Login Sessions Allowed Per User Rule xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions Ident CCE-80955-8 Result pass Title Ensure the Default C Shell Umask is Set Correctly Rule xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc Ident CCE-81037-4 Result pass Title Ensure the Default Bash Umask is Set Correctly Rule xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc Ident CCE-81036-6 Result pass Title Ensure the Default Umask is Set Correctly in /etc/profile Rule xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile Ident CCE-81035-8 Result pass Title Install audispd-plugins Package Rule xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed Ident CCE-82953-1 Result notapplicable Title Ensure the audit Subsystem is Installed Rule xccdf_org.ssgproject.content_rule_package_audit_installed Ident CCE-81043-2 Result notapplicable Title Enable auditd Service Rule xccdf_org.ssgproject.content_rule_service_auditd_enabled Ident CCE-80872-5 Result notapplicable Title Enable Auditing for Processes Which Start Prior to the Audit Daemon Rule xccdf_org.ssgproject.content_rule_grub2_audit_argument Ident CCE-80825-3 Result notapplicable Title Extend Audit Backlog Limit for the Audit Daemon Rule 
xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument Ident CCE-80943-4 Result notapplicable Title Configure auditing of unsuccessful file modifications Rule xccdf_org.ssgproject.content_rule_audit_modify_failed Ident CCE-82830-1 Result notapplicable Title Configure auditing of unsuccessful file creations Rule xccdf_org.ssgproject.content_rule_audit_create_failed Ident CCE-82374-0 Result notapplicable Title Configure auditing of unsuccessful permission changes Rule xccdf_org.ssgproject.content_rule_audit_perm_change_failed Ident CCE-82837-6 Result notapplicable Title Configure auditing of successful file accesses Rule xccdf_org.ssgproject.content_rule_audit_access_success Ident CCE-82834-3 Result notapplicable Title Configure auditing of unsuccessful file deletions Rule xccdf_org.ssgproject.content_rule_audit_delete_failed Ident CCE-82835-0 Result notapplicable Title Configure basic parameters of Audit system Rule xccdf_org.ssgproject.content_rule_audit_basic_configuration Ident CCE-82827-7 Result notapplicable Title Configure auditing of unsuccessful file accesses Rule xccdf_org.ssgproject.content_rule_audit_access_failed Ident CCE-82833-5 Result notapplicable Title Configure auditing of successful file deletions Rule xccdf_org.ssgproject.content_rule_audit_delete_success Ident CCE-82836-8 Result notapplicable Title Configure auditing of unsuccessful ownership changes Rule xccdf_org.ssgproject.content_rule_audit_owner_change_failed Ident CCE-82384-9 Result notapplicable Title Configure immutable Audit login UIDs Rule xccdf_org.ssgproject.content_rule_audit_immutable_login_uids Ident CCE-82828-5 Result notapplicable Title Configure auditing of loading and unloading of kernel modules Rule xccdf_org.ssgproject.content_rule_audit_module_load Ident CCE-82838-4 Result notapplicable Title Perform general configuration of Audit for OSPP Rule xccdf_org.ssgproject.content_rule_audit_ospp_general Ident CCE-82373-2 Result notapplicable Title Configure auditing 
of successful permission changes Rule xccdf_org.ssgproject.content_rule_audit_perm_change_success Ident CCE-82383-1 Result notapplicable Title Configure auditing of successful file modifications Rule xccdf_org.ssgproject.content_rule_audit_modify_success Ident CCE-82832-7 Result notapplicable Title Configure auditing of successful ownership changes Rule xccdf_org.ssgproject.content_rule_audit_owner_change_success Ident CCE-82385-6 Result notapplicable Title Configure auditing of successful file creations Rule xccdf_org.ssgproject.content_rule_audit_create_success Ident CCE-82829-3 Result notapplicable Title Set hostname as computer node name in audit logs Rule xccdf_org.ssgproject.content_rule_auditd_name_format Ident CCE-82897-0 Result notapplicable Title Write Audit Logs to the Disk Rule xccdf_org.ssgproject.content_rule_auditd_write_logs Ident CCE-82366-6 Result notapplicable Title Resolve information before writing to audit logs Rule xccdf_org.ssgproject.content_rule_auditd_log_format Ident CCE-82201-5 Result notapplicable Title Configure auditd to use audispd's syslog plugin Rule xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated Ident CCE-80677-8 Result notapplicable Title Configure auditd flush priority Rule xccdf_org.ssgproject.content_rule_auditd_data_retention_flush Ident CCE-80680-2 Result notapplicable Title Set number of records to cause an explicit flush to audit logs Rule xccdf_org.ssgproject.content_rule_auditd_freq Ident CCE-82258-5 Result notapplicable Title Include Local Events in Audit Logs Rule xccdf_org.ssgproject.content_rule_auditd_local_events Ident CCE-82233-8 Result notapplicable Title Record Events that Modify User/Group Information - /etc/passwd Rule xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd Ident CCE-80761-0 Result notapplicable Title Disable Mounting of cramfs Rule xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled Ident CCE-81031-7 Result notapplicable Title Add 
nosuid Option to /var/log/audit Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid Ident CCE-82921-8 Result notapplicable Title Add nosuid Option to /var/tmp Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid Ident CCE-82154-6 Result notapplicable Title Add nosuid Option to /tmp Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid Ident CCE-82140-5 Result notapplicable Title Add noexec Option to /tmp Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec Ident CCE-82139-7 Result notapplicable Title Add nosuid Option to /boot Rule xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid Ident CCE-81033-3 Result notapplicable Title Add nodev Option to /var/tmp Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev Ident CCE-82068-8 Result notapplicable Title Add nosuid Option to /var/log Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid Ident CCE-82065-4 Result notapplicable Title Add nodev Option to /boot Rule xccdf_org.ssgproject.content_rule_mount_option_boot_nodev Ident CCE-82941-6 Result notapplicable Title Add nodev Option to /dev/shm Rule xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev Ident CCE-80837-8 Result notapplicable Title Add nodev Option to /tmp Rule xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev Ident CCE-82623-0 Result notapplicable Title Add noexec Option to /dev/shm Rule xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec Ident CCE-80838-6 Result notapplicable Title Add nodev Option to /var/log Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev Ident CCE-82077-9 Result notapplicable Title Add noexec Option to /var/log Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec Ident CCE-82008-4 Result notapplicable Title Add noexec Option to /var/tmp Rule xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec Ident CCE-82151-2 Result notapplicable Title Add nosuid Option to /home Rule 
xccdf_org.ssgproject.content_rule_mount_option_home_nosuid Ident CCE-81050-7 Result notapplicable Title Add nodev Option to /var Rule xccdf_org.ssgproject.content_rule_mount_option_var_nodev Ident CCE-82062-1 Result notapplicable Title Add noexec Option to /var/log/audit Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec Ident CCE-82975-4 Result notapplicable Title Add nodev Option to Non-Root Local Partitions Rule xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions Ident CCE-82069-6 Result notapplicable Title Add nodev Option to /var/log/audit Rule xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev Ident CCE-82080-3 Result notapplicable Title Add nosuid Option to /dev/shm Rule xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid Ident CCE-80839-4 Result notapplicable Title Add nodev Option to /home Rule xccdf_org.ssgproject.content_rule_mount_option_home_nodev Ident CCE-81048-1 Result notapplicable Title Restrict Access to Kernel Message Buffer Rule xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict Ident CCE-80913-7 Result notapplicable Title Disable Kernel Image Loading Rule xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled Ident CCE-80952-5 Result notapplicable Title Disable the use of user namespaces Rule xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces Ident CCE-82211-4 Result notapplicable Title Disable storing core dumps Rule xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern Ident CCE-82215-5 Result notapplicable Title Disable Access to Network bpf() Syscall From Unprivileged Processes Rule xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled Ident CCE-82974-7 Result notapplicable Title Restrict usage of ptrace to descendant processes Rule xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope Ident CCE-80953-3 Result notapplicable Title Disallow kernel profiling by unprivileged users Rule 
xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid Ident CCE-81054-9 Result notapplicable
Title Harden the operation of the BPF just-in-time compiler Rule xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden Ident CCE-82934-1 Result notapplicable
Title Enable page allocator poisoning Rule xccdf_org.ssgproject.content_rule_grub2_page_poison_argument Ident CCE-80944-2 Result notapplicable
Title Enable SLUB/SLAB allocator poisoning Rule xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument Ident CCE-80945-9 Result notapplicable
Title Restrict Exposed Kernel Pointer Addresses Access Rule xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict Ident CCE-80915-2 Result notapplicable
Title Disable acquiring, saving, and processing core dumps Rule xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled Ident CCE-82881-4 Result notapplicable
Title Disable Core Dumps for All Users Rule xccdf_org.ssgproject.content_rule_disable_users_coredumps Ident CCE-81038-2 Result pass
Title Disable core dump backtraces Rule xccdf_org.ssgproject.content_rule_coredump_disable_backtraces Ident CCE-82251-0 Result pass
Title Disable storing core dump Rule xccdf_org.ssgproject.content_rule_coredump_disable_storage Ident CCE-82252-8 Result pass
Title Enable Kernel Parameter to Enforce DAC on Hardlinks Rule xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks Ident CCE-81027-5 Result notapplicable
Title Enable Kernel Parameter to Enforce DAC on Symlinks Rule xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks Ident CCE-81030-9 Result notapplicable
Title Enable Kernel Page-Table Isolation (KPTI) Rule xccdf_org.ssgproject.content_rule_grub2_pti_argument Ident CCE-82194-2 Result notapplicable
Title Disable vsyscalls Rule xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument Ident CCE-80946-7 Result notapplicable
Title Configure kernel to trust the CPU random number generator Rule xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng Ident CCE-83314-5 Result notapplicable
Title Set the UEFI Boot Loader Password Rule xccdf_org.ssgproject.content_rule_grub2_uefi_password Ident CCE-80829-5 Result notapplicable
Title Ensure rsyslog-gnutls is installed Rule xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed Ident CCE-82859-0 Result notapplicable
Title Ensure rsyslog is Installed Rule xccdf_org.ssgproject.content_rule_package_rsyslog_installed Ident CCE-80847-7 Result notapplicable
Title Configure TLS for rsyslog remote logging Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_tls Ident CCE-82457-3 Result notapplicable
Title Configure CA certificate for rsyslog remote logging Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert Ident CCE-82458-1 Result notapplicable
Title Disable Bluetooth Kernel Module Rule xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled Ident CCE-80832-9 Result notapplicable
Title Disable CAN Support Rule xccdf_org.ssgproject.content_rule_kernel_module_can_disabled Ident CCE-82059-7 Result notapplicable
Title Disable IEEE 1394 (FireWire) Support Rule xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled Ident CCE-82005-0 Result notapplicable
Title Disable TIPC Support Rule xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled Ident CCE-82297-3 Result notapplicable
Title Disable ATM Support Rule xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled Ident CCE-82028-2 Result notapplicable
Title Disable SCTP Support Rule xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled Ident CCE-80834-5 Result notapplicable
Title Install firewalld Package Rule xccdf_org.ssgproject.content_rule_package_firewalld_installed Ident CCE-82998-6 Result notapplicable
Title Verify firewalld Enabled Rule xccdf_org.ssgproject.content_rule_service_firewalld_enabled Ident CCE-80877-4 Result notapplicable
Title Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route Ident CCE-81013-5 Result notapplicable
Title Disable Accepting ICMP Redirects for All IPv6 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects Ident CCE-81009-3 Result notapplicable
Title Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects Ident CCE-81010-1 Result notapplicable
Title Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route Ident CCE-81015-0 Result notapplicable
Title Configure Accepting Router Advertisements on All IPv6 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra Ident CCE-81006-9 Result notapplicable
Title Disable Accepting Router Advertisements on all IPv6 Interfaces by Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra Ident CCE-81007-7 Result notapplicable
Title Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter Ident CCE-81022-6 Result notapplicable
Title Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects Ident CCE-81016-8 Result notapplicable
Title Configure Kernel Parameter for Accepting Secure Redirects By Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects Ident CCE-81017-6 Result notapplicable
Title Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects Ident CCE-80919-4 Result notapplicable
Title Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts Ident CCE-80922-8 Result notapplicable
Title Disable Accepting ICMP Redirects for All IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects Ident CCE-80917-8 Result notapplicable
Title Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route Ident CCE-80920-2 Result notapplicable
Title Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians Ident CCE-81018-4 Result notapplicable
Title Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies Ident CCE-80923-6 Result notapplicable
Title Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route Ident CCE-81011-9 Result notapplicable
Title Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter Ident CCE-81021-8 Result notapplicable
Title Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses Ident CCE-81023-4 Result notapplicable
Title Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians Ident CCE-81020-0 Result notapplicable
Title Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward Ident CCE-81024-2 Result notapplicable
Title Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects Ident CCE-80921-0 Result notapplicable
Title Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects Ident CCE-80918-6 Result notapplicable
Title Install policycoreutils-python-utils package Rule xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed Ident CCE-82724-6 Result notapplicable
Title Install policycoreutils Package Rule xccdf_org.ssgproject.content_rule_package_policycoreutils_installed Ident CCE-82976-2 Result notapplicable
Title Ensure SELinux State is Enforcing Rule xccdf_org.ssgproject.content_rule_selinux_state Ident CCE-80869-1 Result notapplicable
Title Configure SELinux Policy Rule xccdf_org.ssgproject.content_rule_selinux_policytype Ident CCE-80868-3 Result notapplicable
Title Enable Smartcards in SSSD Rule xccdf_org.ssgproject.content_rule_sssd_enable_smartcards Ident CCE-80909-5 Result notapplicable
Title Configure SSSD to Expire Offline Credentials Rule xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration Ident CCE-82460-7 Result notapplicable
Title Uninstall Sendmail Package Rule xccdf_org.ssgproject.content_rule_package_sendmail_removed Ident CCE-81039-0 Result notapplicable
Title Install OpenSSH client software Rule xccdf_org.ssgproject.content_rule_package_openssh-clients_installed Ident CCE-82722-0 Result notapplicable
Title Install the OpenSSH Server Package Rule xccdf_org.ssgproject.content_rule_package_openssh-server_installed Ident CCE-83303-8 Result notapplicable
Title Set SSH Client Alive Count Max Rule xccdf_org.ssgproject.content_rule_sshd_set_keepalive Ident CCE-80907-9 Result notapplicable
Title Enable SSH Warning Banner Rule xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner Ident CCE-80905-3 Result notapplicable
Title Disable GSSAPI Authentication Rule xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth Ident CCE-80897-2 Result notapplicable
Title Disable Host-Based Authentication Rule xccdf_org.ssgproject.content_rule_disable_host_auth Ident CCE-80786-7 Result notapplicable
Title Disable SSH Root Login Rule xccdf_org.ssgproject.content_rule_sshd_disable_root_login Ident CCE-80901-2 Result notapplicable
Title Force frequent session key renegotiation Rule xccdf_org.ssgproject.content_rule_sshd_rekey_limit Ident CCE-82177-7 Result notapplicable
Title Disable SSH Access via Empty Passwords Rule xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords Ident CCE-80896-4 Result notapplicable
Title SSH server uses strong entropy to seed Rule xccdf_org.ssgproject.content_rule_sshd_use_strong_rng Ident CCE-82462-3 Result notapplicable
Title Disable Kerberos Authentication Rule xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth Ident CCE-80898-0 Result notapplicable
Title Enable Use of Strict Mode Checking Rule xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes Ident CCE-80904-6 Result notapplicable
Title Set SSH Idle Timeout Interval Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout Ident CCE-80906-1 Result notapplicable
Title SSH client uses strong entropy to seed (for CSH like shells) Rule xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh Ident CCE-83349-1 Result notapplicable
Title SSH client uses strong entropy to seed (Bash-like shells) Rule xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh Ident CCE-83346-7 Result notapplicable
Title The Chrony package is installed Rule xccdf_org.ssgproject.content_rule_package_chrony_installed Ident CCE-82874-9 Result notapplicable
Title Disable network management of chrony daemon Rule xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network Ident CCE-82840-0 Result notapplicable
Title Disable chrony daemon from acting as server Rule xccdf_org.ssgproject.content_rule_chronyd_client_only Ident CCE-82988-7 Result notapplicable
Title Install fapolicyd Package Rule xccdf_org.ssgproject.content_rule_package_fapolicyd_installed Ident CCE-82191-8 Result notapplicable
Title Enable the File Access Policy Service Rule xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled Ident CCE-82249-4 Result notapplicable
Title Uninstall Automatic Bug Reporting Tool (abrt) Rule xccdf_org.ssgproject.content_rule_package_abrt_removed Ident CCE-80948-3 Result pass
Title Disable KDump Kernel Crash Analyzer (kdump) Rule xccdf_org.ssgproject.content_rule_service_kdump_disabled Ident CCE-80878-2 Result notapplicable
Title Uninstall nfs-utils Package Rule xccdf_org.ssgproject.content_rule_package_nfs-utils_removed Ident CCE-82932-5 Result pass
Title Disable Kerberos by removing host keytab Rule xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab Ident CCE-82175-1 Result notapplicable
Title Install usbguard Package Rule xccdf_org.ssgproject.content_rule_package_usbguard_installed Ident CCE-82959-8 Result fail
Title Enable the USBGuard Service Rule xccdf_org.ssgproject.content_rule_service_usbguard_enabled Ident CCE-82853-3 Result notapplicable
Title Authorize Human Interface Devices and USB hubs in USBGuard daemon Rule xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub Ident CCE-82368-2 Result fail
Title Log USBGuard daemon audit events using Linux Audit Rule xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend Ident CCE-82168-6 Result fail
time="2021-09-07T01:37:18Z" level=error msg="Error removing timer for container 4c23567586b6c904a8c820bc3ac105cd615acd2eb37b9a51e6dc7ff4f56ec9b9 healthcheck: unable to get systemd connection to remove healthchecks: dial unix /run/systemd/private: connect: no such file or directory"
compliance_output_report.xml report.html
OSCAP_COMPLIANCE_URL=https://repo1.dso.mil/dsop/confluent/confluent-component-operator/cp-server-connect-operator-5.5.x/-/jobs/6282653
section_end:1630978643:step_script
section_start:1630978643:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
ci-artifacts/scan-results/openscap: found 4 matching files and directories
Uploading artifacts as "archive" to coordinator... ok id=6282653 responseStatus=201 Created token=bNwwnw7h
Uploading artifacts...
oscap-compliance.env: found 1 matching files and directories
Uploading artifacts as "dotenv" to coordinator... ok id=6282653 responseStatus=201 Created token=bNwwnw7h
section_end:1630978645:upload_artifacts_on_success
section_start:1630978645:cleanup_file_variables
Cleaning up file based variables
section_end:1630978645:cleanup_file_variables
Job succeeded