Using File Integrity Operator to support file integrity checks on OpenShift Container Platform on Power

By Aditi Jadhav posted Thu May 25, 2023 02:17 AM


Hi Folks 

You may be aware that I am writing a series of blogs related to Security and Compliance on the OpenShift Container Platform (OCP) on IBM Power Systems. 

As part of this series, I have written a blog on PCI-DSS and the Compliance Operator to have a secure and compliant cluster. Part of the cluster’s security and compliance depends on the File Integrity Operator – an operator that uses intrusion detection rules to verify the integrity of files and directories on the cluster’s nodes.

My team has added support for the File Integrity Operator on OpenShift Container Platform on IBM Power, and in this post I’m sharing the background, how to set it up, how to verify the setup, and how to use the Operator in your cluster.

The Background 

The File Integrity Operator deploys a DaemonSet which initializes and runs privileged Advanced Intrusion Detection Environment (AIDE) containers on each node and logs the files and directories which have been modified since the baseline run.
The operator works with FileIntegrity resources, where each of these objects represents a managed deployment of AIDE on one or more nodes.
This post next shows how to set up the File Integrity Operator.

The Setup 

To install the File Integrity Operator on your OpenShift Container Platform 4.12 or higher system, execute the following steps: 

  1. Log in with a user ID that has cluster-admin access.

  2. In the OpenShift Container Platform web console, navigate to Operators → OperatorHub.

  3. Search for the File Integrity Operator, then click Install.

  4. Keep the default selections for Installation mode and namespace so that the Operator is installed into the openshift-file-integrity namespace.

  5. Click Install.

Verify the Setup 

To confirm that the installation is successful: 

  1. Navigate to the Operators → Installed Operators page.

  2. Check that the Operator is installed in the openshift-file-integrity namespace and its status is Succeeded.

  3. You can also verify that the installation succeeded by inspecting the Operator's ClusterServiceVersion (CSV). You should see output similar to the one below:

$ oc get csv -n openshift-file-integrity
NAME                             DISPLAY                   VERSION   REPLACES   PHASE
file-integrity-operator.v1.2.1   File Integrity Operator   1.2.1                Succeeded

  4. Verify that the File Integrity Operator deployment is running using the command below:

$ oc get deploy -n openshift-file-integrity
NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
file-integrity-operator   1/1     1            1           31m


Use the File Integrity Operator 

  1. Create a FileIntegrity Custom Resource using the file-object.yaml file below.

apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: worker-fileintegrity
  namespace: openshift-file-integrity
spec:
  nodeSelector:
    node-role.kubernetes.io/worker: ""
  tolerations:
  - key: "myNode"
    operator: "Exists"
    effect: "NoSchedule"
  config:
    name: "myconfig"
    namespace: "openshift-file-integrity"
    key: "config"
    gracePeriod: 20
    maxBackups: 5
    initialDelay: 60
  debug: false
status:
  phase: Active


spec.nodeSelector - Defines the selector for scheduling node scans.

spec.tolerations - Specifies tolerations to schedule on nodes with custom taints. When not specified, a default toleration allowing running on main and infra nodes is applied.

spec.config - Defines a ConfigMap containing an AIDE configuration to use.

 For more information on the spec, refer to Understanding the File Integrity Operator.


  2. Create the FileIntegrity object.

$ oc apply -f file-object.yaml
fileintegrity.fileintegrity.openshift.io/worker-fileintegrity created


  3. Confirm the FileIntegrity object was created successfully.

$ oc get fileintegrities -n openshift-file-integrity 
NAME                    AGE 
worker-fileintegrity    7s 


  4. You can also check the FileIntegrity Custom Resource status. With -w the command watches the phase and prints each transition as it happens; without it, it prints the current phase once.

$ oc get fileintegrities/worker-fileintegrity -o jsonpath="{ .status.phase }" -n openshift-file-integrity -w

$ oc get fileintegrities/worker-fileintegrity -o jsonpath="{ .status.phase }" -n openshift-file-integrity

 For more information on FileIntegrity CR phases, refer to FileIntegrity custom resource phases.

  5. Check the FileIntegrityNodeStatuses.
    The scan results of the FileIntegrity CR are reported in another object called FileIntegrityNodeStatus. One object is created per scanned node (named after the FileIntegrity object and the node); it reports the latest status of an AIDE run and exposes the status as Failed, Succeeded, or Errored in a status field.

$ oc get fileintegritynodestatuses -n openshift-file-integrity
NAME                                 NODE          STATUS
worker-fileintegrity-<node-1>        <node-1>      Succeeded
worker-fileintegrity-<node-2>        <node-2>      Succeeded

$ oc get fileintegritynodestatuses -ojsonpath='{.items[*].results}' -n openshift-file-integrity | jq
[
  {
    "condition": "Succeeded",
    "lastProbeTime": "2023-05-23T09:22:20Z"
  }
]
[
  {
    "condition": "Succeeded",
    "lastProbeTime": "2023-05-23T09:22:18Z"
  }
]

 For more information on FileIntegrityNodeStatus CR status types, please refer to FileIntegrityNodeStatus CR status types.
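In practice you want the Succeeded/Failed/Errored results above turned into an alert, not just read off the console. As an added example (not from the original post or from the operator project), here is a small Python triage over the JSON form of that output, flagging nodes whose latest AIDE run is not Succeeded; the sample document is constructed, and the field names filesAdded, filesChanged, filesRemoved, resultConfigMapName and the ConfigMap key data.integritylog are assumptions taken from the FileIntegrityNodeStatus CR layout rather than from this post.

```python
import json
from datetime import datetime, timezone
# Constructed sample of `oc get fileintegritynodestatuses -n openshift-file-integrity -o json`,
# not captured from a real cluster: worker-0 is clean, worker-1 has a Failed run newer than
# its earlier Succeeded one. Field names follow the FileIntegrityNodeStatus CR (assumption).
SAMPLE_JSON = """{"items": [
  {"nodeName": "worker-0",
   "results": [{"condition": "Succeeded", "lastProbeTime": "2023-05-23T09:22:20Z"}]},
  {"nodeName": "worker-1",
   "results": [
     {"condition": "Succeeded", "lastProbeTime": "2023-05-23T09:22:18Z"},
     {"condition": "Failed", "lastProbeTime": "2023-05-23T09:32:18Z",
      "filesAdded": 0, "filesChanged": 1, "filesRemoved": 0,
      "resultConfigMapName": "worker-fileintegrity-worker-1-failed",
      "resultConfigMapNamespace": "openshift-file-integrity"}]}
]}"""

def parse_time(stamp):
    """Parse the RFC 3339 UTC timestamp used in lastProbeTime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def latest_result(status):
    """Newest AIDE run recorded for one node, or None if none has been reported yet."""
    results = status.get("results") or []
    return max(results, key=lambda r: parse_time(r["lastProbeTime"])) if results else None

def triage(doc):
    """Return {node: finding} for every node whose latest AIDE run is not Succeeded
    (Failed = files added/changed/removed since baseline, Errored = scan broke)."""
    findings = {}
    for status in doc["items"]:
        node, latest = status["nodeName"], latest_result(status)
        if latest is None:
            findings[node] = {"condition": "NoResult"}   # DaemonSet has not reported
        elif latest["condition"] != "Succeeded":
            findings[node] = {
                "condition": latest["condition"],
                "filesAdded": latest.get("filesAdded", 0),
                "filesChanged": latest.get("filesChanged", 0),
                "filesRemoved": latest.get("filesRemoved", 0),
                # Assumed: the AIDE report of a Failed run is kept in this ConfigMap under
                # data.integritylog (oc get cm <name> -o jsonpath='{.data.integritylog}').
                "resultConfigMap": latest.get("resultConfigMapName"),
            }
    return findings

def triage_sample():
    """Run the triage over the constructed sample document."""
    return triage(json.loads(SAMPLE_JSON))
```

Feed it the real output of `oc get fileintegritynodestatuses -n openshift-file-integrity -o json` and an empty result means every node's latest run passed.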


  6. Check the events of the FileIntegrity CR.
    Transitions in the status of the FileIntegrity and FileIntegrityNodeStatus objects are logged as events. The creation time of the event reflects the latest transition, such as Initializing to Active.

$ oc get events --field-selector reason=FileIntegrityStatus -n openshift-file-integrity 
LAST SEEN   TYPE     REASON                OBJECT                               MESSAGE 
16m         Normal   FileIntegrityStatus   fileintegrity/worker-fileintegrity   Pending 
15m         Normal   FileIntegrityStatus   fileintegrity/worker-fileintegrity   Initializing 
14m         Normal   FileIntegrityStatus   fileintegrity/worker-fileintegrity   Active 


In this post you’ve seen how to install the File Integrity Operator, create a FileIntegrity object, and use the operator for file integrity checks in an OpenShift cluster.

Thanks for reading! I hope you found this helpful :) 
