Bug 1215542 - AUDIT-WHITELIST: kubernetes1.28, kubernetes1.27, kubernetes1.26, kubernetes1.25, kubernetes1.24 : audit of sysctl.d drop-in configuration files for kubeadm binary
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
Priority: P2 - High, Severity: Normal
Target Milestone: ---
Assignee: Filippo Bonazzi
QA Contact: Security Team bot
Reported: 2023-09-20 19:59 UTC by Priyanka Saggu
Modified: 2023-10-10 12:48 UTC

Description Priyanka Saggu 2023-09-20 19:59:12 UTC
(copy of a similar previous ticket - https://bugzilla.suse.com/show_bug.cgi?id=1210951)

I would like whitelisting for the following rpmlint error (pasted from my old ticket) for the new Kubernetes package version - `kubernetes1.28`

```
[  916s] kubernetes1.25-kubeadm.x86_64: E: sysctl-file-unauthorized (Badness: 10000) /usr/lib/sysctl.d/90-kubeadm.conf (sha256 file digest default filter:1edd91f46e7dee2e0a0eb0553c2b130f2c1f414af0c7af7029ef787209d9f19c shell filter:e2c2ac17097616ee184af9965776f83ad87dcf9e82ada5c8a3ea0f8371813fe8 xml filter:<failed-to-calculate>)
[  916s] Packaging sysctl.d drop-in configuration files requires a review and
[  916s] whitelisting by the SUSE security team. If the package is intended for
[  916s] inclusion in any SUSE product please open a bug report to request review of
[  916s] the package by the security team. Please refer to
[  916s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  916s] more information.
```

Reference links:

Factory SR: https://build.opensuse.org/request/show/1112622

Comment 1 Priyanka Saggu 2023-09-21 03:01:17 UTC
For the packages — kubernetes1.28, kubernetes1.27, kubernetes1.26, kubernetes1.25, and kubernetes1.24, found in OBS in "openSUSE:Factory:Staging:adi:18", I would like a whitelisting for the following rpmlint error:

### kubernetes1.28

```
[  477s] kubernetes1.28-kubeadm.x86_64: E: sysctl-file-unauthorized (Badness: 10000) /usr/lib/sysctl.d/90-kubeadm.conf (sha256 file digest default filter:5f49eab5bfbb68772cb4b2cc32f8192063a15aa834c0707b554dd5871443f580 shell filter:43e95061f764465452c91708145e6d5948ab0e4750ed9ce98b59e1a1f223f45a xml filter:<failed-to-calculate>)
[  477s] Packaging sysctl.d drop-in configuration files requires a review and
[  477s] whitelisting by the SUSE security team. If the package is intended for
[  477s] inclusion in any SUSE product please open a bug report to request review of
[  477s] the package by the security team. Please refer to
[  477s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  477s] more information.
```

### kubernetes1.27

```
[  455s] kubernetes1.27-kubeadm.x86_64: E: sysctl-file-digest-mismatch (Badness: 10000) /usr/lib/sysctl.d/90-kubeadm.conf expected sha256:e2c2ac17097616ee184af9965776f83ad87dcf9e82ada5c8a3ea0f8371813fe8, has:43e95061f764465452c91708145e6d5948ab0e4750ed9ce98b59e1a1f223f45a
[  455s] A whitelisting related sysctl.d drop-in file changed in content. Packaging
[  455s] sysctl.d drop in configuration files requires a review and whitelisting by the
[  455s] SUSE security team. If the package is intended for inclusion in any SUSE
[  455s] product please open a bug report to request review of the package by the
[  455s] security team. Please refer to
[  455s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  455s] more information.
```

### kubernetes1.26

```
[  470s] kubernetes1.26-kubeadm.x86_64: E: sysctl-file-digest-mismatch (Badness: 10000) /usr/lib/sysctl.d/90-kubeadm.conf expected sha256:e2c2ac17097616ee184af9965776f83ad87dcf9e82ada5c8a3ea0f8371813fe8, has:43e95061f764465452c91708145e6d5948ab0e4750ed9ce98b59e1a1f223f45a
[  470s] A whitelisting related sysctl.d drop-in file changed in content. Packaging
[  470s] sysctl.d drop in configuration files requires a review and whitelisting by the
[  470s] SUSE security team. If the package is intended for inclusion in any SUSE
[  470s] product please open a bug report to request review of the package by the
[  470s] security team. Please refer to
[  470s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  470s] more information.
```

### kubernetes1.25

```
[  519s] kubernetes1.25-kubeadm.x86_64: E: sysctl-file-digest-mismatch (Badness: 10000) /usr/lib/sysctl.d/90-kubeadm.conf expected sha256:e2c2ac17097616ee184af9965776f83ad87dcf9e82ada5c8a3ea0f8371813fe8, has:43e95061f764465452c91708145e6d5948ab0e4750ed9ce98b59e1a1f223f45a
[  519s] A whitelisting related sysctl.d drop-in file changed in content. Packaging
[  519s] sysctl.d drop in configuration files requires a review and whitelisting by the
[  519s] SUSE security team. If the package is intended for inclusion in any SUSE
[  519s] product please open a bug report to request review of the package by the
[  519s] security team. Please refer to
[  519s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  519s] more information.
```

### kubernetes1.24

```
[  516s] kubernetes1.24-kubeadm.x86_64: E: sysctl-file-digest-mismatch (Badness: 10000) /usr/lib/sysctl.d/90-kubeadm.conf expected sha256:e2c2ac17097616ee184af9965776f83ad87dcf9e82ada5c8a3ea0f8371813fe8, has:43e95061f764465452c91708145e6d5948ab0e4750ed9ce98b59e1a1f223f45a
[  516s] A whitelisting related sysctl.d drop-in file changed in content. Packaging
[  516s] sysctl.d drop in configuration files requires a review and whitelisting by the
[  516s] SUSE security team. If the package is intended for inclusion in any SUSE
[  516s] product please open a bug report to request review of the package by the
[  516s] security team. Please refer to
[  516s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  516s] more information.
```

---

Full logs are available at:

kubernetes1.28 - https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:adi:18/kubernetes1.28/standard/x86_64

kubernetes1.27 - https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:adi:18/kubernetes1.27/standard/x86_64

kubernetes1.26 - https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:adi:18/kubernetes1.26/standard/x86_64

kubernetes1.25 - https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:adi:18/kubernetes1.25/standard/x86_64

kubernetes1.24 - https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:adi:18/kubernetes1.24/standard/x86_64

Comment 2 Marcus Meissner 2023-09-26 09:28:55 UTC
Hi, this is blocking factory submissions, can you take a look soonish?

Comment 4 Filippo Bonazzi 2023-09-27 10:31:01 UTC
Submitted in https://build.opensuse.org/request/show/1113857