Hi Folks
You may be aware that I am writing a series of blogs related to Security and Compliance on the OpenShift Container Platform (OCP) on IBM Power Systems.
As part of this series, I have written a blog on PCI-DSS and the Compliance Operator to have a secure and compliant cluster. Part of the cluster's security and compliance depends on the File Integrity Operator, an operator that uses intrusion detection rules to verify the integrity of files and directories on the cluster's nodes.
My team has added support for the File Integrity Operator on OpenShift Container Platform on IBM Power, and in this post I'm sharing the background, how to set it up, how to verify the setup, and how to use the Operator in your cluster.
The Background
The File Integrity Operator deploys a DaemonSet that initializes and runs privileged Advanced Intrusion Detection Environment (AIDE) containers on each node. On the first run AIDE records a baseline database of the watched files and directories; every later run is compared against that baseline, and the files and directories that were added, changed or removed since the baseline run are logged. The Operator works with FileIntegrity resources, where each object represents a managed deployment of AIDE on one or more nodes. This post next shows how to set up the File Integrity Operator.
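To make the baseline-and-compare idea concrete, here is a toy integrity checker that does, in miniature, what the AIDE containers do on each node. It is an added example written for this post, not the Operator's code and not AIDE itself: it builds a baseline of every regular file under a root (SHA-256 digest, size and mode bits), then classifies files as added, removed or changed against that baseline. The directory tree it scans is constructed inside a temporary directory; the file names in it (hosts, ssh_config, sudo, nc) are made up for illustration. Real AIDE records many more attributes (owner, inode, mtime, several digests) and is driven by rules in aide.conf.

```python
"""Toy AIDE-style integrity check: record a baseline of every regular file
under a root, then classify files as added, removed or changed against it.

Added illustration for this post; not the File Integrity Operator's code and
not AIDE itself.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest the content in chunks and keep the size and permission bits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report the three categories AIDE reports: added, removed and changed."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "changed": sorted(p for p in known & seen if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a scratch tree (constructed input), baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "etc" / "ssh_config").write_text("Port 22\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "usr" / "bin" / "sudo").write_bytes(b"\x7fELF original binary")
        os.chmod(root / "etc" / "hosts", 0o644)           # pin modes so the diff below is deterministic
        os.chmod(root / "usr" / "bin" / "sudo", 0o755)
        baseline = build_baseline(root)

        # Simulate what a compromise or an unmanaged change leaves behind.
        # The replacement binary has the same size as the original, so only the
        # digest reveals it; a size-only check would miss it.
        (root / "usr" / "bin" / "sudo").write_bytes(b"\x7fELF trojaned binary")  # content changed
        os.chmod(root / "etc" / "hosts", 0o666)                                  # only the mode changed
        (root / "etc" / "ssh_config").unlink()                                   # removed
        (root / "usr" / "bin" / "nc").write_bytes(b"\x7fELF dropped tool")         # added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The point of the mode-only change on hosts is that an integrity checker must compare metadata as well as content: a world-writable /etc/hosts has identical bytes but is a different security state, and AIDE flags it for the same reason this toy does.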
The Setup
To install the File Integrity Operator on your OpenShift Container Platform 4.12 or higher system, execute the following steps:
Log in with a user ID that has cluster-admin access.
In the OpenShift Container Platform web console, navigate to Operators → OperatorHub.
Search for the File Integrity Operator, then click Install.
Keep the default selection of Installation mode and namespace to ensure that the Operator is installed to the openshift-file-integrity namespace.
Click Install.
Verify the Setup
To confirm that the installation is successful:
Navigate to the Operators → Installed Operators page.
Check that the Operator is installed in the openshift-file-integrity namespace and its status is Succeeded.
You can also verify that the installation succeeded by inspecting the Operator's ClusterServiceVersion (CSV). You should see output similar to the following:
$ oc get csv -n openshift-file-integrity
NAME                             DISPLAY                   VERSION   REPLACES   PHASE
file-integrity-operator.v1.2.1   File Integrity Operator   1.2.1                Succeeded
Verify that the File Integrity Operator deployment is running with the following command:
$ oc get deploy -n openshift-file-integrity
NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
file-integrity-operator   1/1     1            1           31m
Use the File Integrity Operator
Create a FileIntegrity Custom Resource using the following file-object.yaml file.
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: worker-fileintegrity
  namespace: openshift-file-integrity
spec:
  nodeSelector:
    node-role.kubernetes.io/worker: ""
  tolerations:
  - key: "myNode"
    operator: "Exists"
    effect: "NoSchedule"
  config:
    name: "myconfig"
    namespace: "openshift-file-integrity"
    key: "config"
    gracePeriod: 20
    maxBackups: 5
    initialDelay: 60
  debug: false
status:
  phase: Active
spec.nodeSelector - Defines the selector for scheduling node scans. The example above scans only worker nodes.
spec.tolerations - Specifies tolerations to schedule on nodes with custom taints. When not specified, a default toleration allowing running on main and infra nodes is applied.
spec.config.name - Names a ConfigMap containing the AIDE configuration to use; spec.config.key is the key in that ConfigMap that holds the configuration. The ConfigMap must exist before you reference it. If spec.config is omitted, the Operator uses its default AIDE configuration.
For more information on the spec, refer to Understanding the File Integrity Operator
Create the FileIntegrity object.
$ oc apply -f file-object.yaml
fileintegrity.fileintegrity.openshift.io/worker-fileintegrity created
Confirm that the FileIntegrity object was created successfully.
$ oc get fileintegrities -n openshift-file-integrity
NAME                   AGE
worker-fileintegrity   7s
You can also check the FileIntegrity Custom Resource status. With -w the command keeps printing the phase each time it changes; because the jsonpath template has no trailing newline, the phases (Pending, Initializing, Active) appear run together.
$ oc get fileintegrities/worker-fileintegrity -o jsonpath="{ .status.phase }" -n openshift-file-integrity -w
PendingInitializingActive
$ oc get fileintegrities/worker-fileintegrity -o jsonpath="{ .status.phase }" -n openshift-file-integrity
Active
For more information on FileIntegrity CR phases, refer to FileIntegrity custom resource phases
Check FileIntegrityNodeStatuses
The scan results of the FileIntegrity CR are reported in another object called FileIntegrityNodeStatus, one per scanned node. Each fileintegritynodestatus object reports the latest status of an AIDE run on that node and exposes the status as Succeeded, Failed, or Errored in a status field. Succeeded means the node matches its baseline; Failed means AIDE found differences; Errored means the scan itself could not complete, which is a different problem from a detected change and should not be read as "clean".
$ oc get fileintegritynodestatuses -n openshift-file-integrity
NAME                                                NODE                           STATUS
worker-fileintegrity-osa21-worker-0.ocp-power.xyz   osa21-worker-0.ocp-power.xyz   Succeeded
worker-fileintegrity-osa21-worker-1.ocp-power.xyz   osa21-worker-1.ocp-power.xyz   Succeeded
$ oc get fileintegritynodestatuses.fileintegrity.openshift.io -ojsonpath='{.items[*].results}' -n openshift-file-integrity | jq
[
  {
    "condition": "Succeeded",
    "lastProbeTime": "2023-05-23T09:22:20Z"
  }
]
[
  {
    "condition": "Succeeded",
    "lastProbeTime": "2023-05-23T09:22:18Z"
  }
]
For more information on FileIntegrityNodeStatus CR status types, please refer to FileIntegrityNodeStatus CR status types
Check the events of the FileIntegrity CR
Transitions in the status of the FileIntegrity and FileIntegrityNodeStatus objects are recorded as events. The creation time of the event reflects the latest transition, such as Initializing to Active.
$ oc get events --field-selector reason=FileIntegrityStatus -n openshift-file-integrity
LAST SEEN   TYPE     REASON                OBJECT                               MESSAGE
16m         Normal   FileIntegrityStatus   fileintegrity/worker-fileintegrity   Pending
15m         Normal   FileIntegrityStatus   fileintegrity/worker-fileintegrity   Initializing
14m         Normal   FileIntegrityStatus   fileintegrity/worker-fileintegrity   Active
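The checks above show the happy path, where every node reports Succeeded. What a practitioner actually needs is the follow-up when a node does not. The script below is an added example for this post, not part of the Operator and not from the original post: it reads the JSON that `oc get fileintegritynodestatuses -n openshift-file-integrity -o json` prints, picks the most recent result for each node, and prints the oc commands to run next. For a Failed result the Operator records the name of the ConfigMap that holds the AIDE log in the result's resultConfigMapName field, and re-initialising the database with the file-integrity.openshift.io/re-init annotation accepts the current node state as the new baseline, so the log must be reviewed first. The embedded SAMPLE document is constructed by hand to mirror the shape of the Operator's output; the third node, the Failed and Errored results, the timestamps and the ConfigMap name in it are invented for illustration.

```python
"""Triage FileIntegrityNodeStatus results and print the follow-up oc commands.

Added example for this post; not the File Integrity Operator's code.
Usage on a live cluster:
    oc get fileintegritynodestatuses -n openshift-file-integrity -o json | python3 fi_triage.py
With no input on stdin the constructed SAMPLE below is used instead.
"""
import json
import sys
from typing import Dict, List

NAMESPACE = "openshift-file-integrity"
FI_NAME = "worker-fileintegrity"   # the FileIntegrity object created in this post


def _status(node: str, results: List[dict]) -> dict:
    return {
        "apiVersion": "fileintegrity.openshift.io/v1alpha1",
        "kind": "FileIntegrityNodeStatus",
        "metadata": {"name": f"{FI_NAME}-{node}", "namespace": NAMESPACE},
        "fileIntegrityName": FI_NAME,
        "nodeName": node,
        "results": results,
    }


# Constructed sample mirroring the Operator's output shape. worker-0 and worker-1
# echo the post; worker-2, the Failed/Errored entries and the ConfigMap name are invented.
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    _status("osa21-worker-0.ocp-power.xyz", [
        {"condition": "Succeeded", "lastProbeTime": "2023-05-23T09:22:20Z"},
    ]),
    _status("osa21-worker-1.ocp-power.xyz", [
        {"condition": "Succeeded", "lastProbeTime": "2023-05-23T09:22:18Z"},
        {"condition": "Failed", "filesChanged": 1, "lastProbeTime": "2023-05-23T09:37:31Z",
         "resultConfigMapName": f"aide-ds-{FI_NAME}-osa21-worker-1.ocp-power.xyz-failed",
         "resultConfigMapNamespace": NAMESPACE},
    ]),
    _status("osa21-worker-2.ocp-power.xyz", [
        {"condition": "Errored", "lastProbeTime": "2023-05-23T09:37:40Z",
         "errorMsg": "aide pod not scheduled (constructed message)"},
    ]),
]}


def latest_result(status: dict) -> dict:
    """Most recent entry by lastProbeTime; do not assume the results list is ordered."""
    results = status.get("results") or []
    if not results:
        return {"condition": "Unknown"}
    return max(results, key=lambda r: r.get("lastProbeTime", ""))


def followup(node: str, result: dict) -> List[str]:
    """Commands to run next for one node, depending on its latest condition."""
    cond = result.get("condition")
    cmds: List[str] = []
    if cond == "Failed":
        cm = result.get("resultConfigMapName")
        ns = result.get("resultConfigMapNamespace", NAMESPACE)
        if cm:
            # The AIDE log of added/changed/removed files lives in this ConfigMap.
            cmds.append(f"oc describe cm {cm} -n {ns}")
        # Only after the log has been reviewed and the change judged legitimate:
        # re-init rebuilds the baseline from the node's current state.
        cmds.append(f"oc annotate fileintegrities/{FI_NAME} file-integrity.openshift.io/re-init= -n {NAMESPACE}")
    elif cond == "Errored":
        # The scan did not run; look at the AIDE pod on that node, not at the baseline.
        cmds.append(f"oc get pods -n {NAMESPACE} -o wide --field-selector spec.nodeName={node}")
    return cmds


def triage(doc: dict) -> List[Dict]:
    """One row per node: latest condition, change counts and follow-up commands."""
    rows = []
    for st in doc.get("items", []):
        node = st.get("nodeName") or st["metadata"]["name"]
        r = latest_result(st)
        rows.append({
            "node": node,
            "condition": r.get("condition", "Unknown"),
            "added": r.get("filesAdded", 0),
            "changed": r.get("filesChanged", 0),
            "removed": r.get("filesRemoved", 0),
            "error": r.get("errorMsg", ""),
            "commands": followup(node, r),
        })
    return rows


def needs_attention(rows: List[Dict]) -> bool:
    """True unless every node's latest result is Succeeded."""
    return any(row["condition"] != "Succeeded" for row in rows)


if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    rows = triage(doc)
    for row in rows:
        print(f"{row['node']}: {row['condition']} "
              f"(+{row['added']} ~{row['changed']} -{row['removed']}) {row['error']}")
        for cmd in row["commands"]:
            print(f"    {cmd}")
    sys.exit(1 if needs_attention(rows) else 0)
```

The exit status makes the script usable as a gate in a pipeline or cron job. Two design points are deliberate: the latest result is chosen by lastProbeTime rather than by list position, and an Errored node is treated as needing attention rather than as clean, because a scan that never ran proves nothing about the node.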
In this post you've seen how to install the File Integrity Operator, create a FileIntegrity object, and use the Operator for file integrity checks in an OpenShift cluster.
Thanks for reading! I hope you found this helpful :)