Understanding the Compliance Operator
- Compliance Operator profiles

Understanding the Compliance Operator

The Compliance Operator lets OKD administrators describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. The Compliance Operator assesses compliance of both the Kubernetes API resources of OKD, as well as the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.

The Compliance Operator is available for Fedora CoreOS (FCOS) deployments only.

Compliance Operator profiles

There are several profiles available as part of the Compliance Operator installation. You can use the oc get command to view available profiles, profile details, and specific rules.

View the available profiles:

$ oc get -n <namespace> profiles.compliance

This example displays the profiles in the default openshift-compliance namespace:

$ oc get -n openshift-compliance profiles.compliance

Example output

NAME                 AGE
ocp4-cis             32m
ocp4-cis-node        32m
ocp4-e8              32m
ocp4-moderate        32m
ocp4-moderate-node   32m
ocp4-nerc-cip        32m
ocp4-nerc-cip-node   32m
ocp4-pci-dss         32m
ocp4-pci-dss-node    32m
rhcos4-e8            32m
rhcos4-moderate      32m
rhcos4-nerc-cip      32m

These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. ocp4-e8 applies the Essential 8 benchmark to the OKD product, while rhcos4-e8 applies the Essential 8 benchmark to the Fedora CoreOS (FCOS) product.

View the details of a profile:

$ oc get -n <namespace> -oyaml profiles.compliance <profile name>

This example displays the details of the rhcos4-e8 profile:

$ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8

Example output

apiVersion: compliance.openshift.io/v1alpha1
description: |-
  This profile contains configuration checks for Red Hat
  Enterprise Linux CoreOS that align to the Australian
  Cyber Security Centre (ACSC) Essential Eight.
  A copy of the Essential Eight in Linux Environments guide can
  be found at the ACSC website: ...
  id: xccdf_org.ssgproject.content_profile_e8
  kind: Profile
  metadata:
    annotations:
      compliance.openshift.io/image-digest: pb-rhcos426smj
      compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
      compliance.openshift.io/product-type: Node
    labels:
      compliance.openshift.io/profile-bundle: rhcos4
    name: rhcos4-e8
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ProfileBundle
      name: rhcos4
  rules:
  - rhcos4-accounts-no-uid-except-zero
  - rhcos4-audit-rules-dac-modification-chmod
  - rhcos4-audit-rules-dac-modification-chown
  - rhcos4-audit-rules-execution-chcon
  - rhcos4-audit-rules-execution-restorecon
  - rhcos4-audit-rules-execution-semanage
  - rhcos4-audit-rules-execution-setfiles
  - rhcos4-audit-rules-execution-setsebool
  - rhcos4-audit-rules-execution-seunshare
  - rhcos4-audit-rules-kernel-module-loading-delete
  - rhcos4-audit-rules-kernel-module-loading-finit
  - rhcos4-audit-rules-kernel-module-loading-init
  - rhcos4-audit-rules-login-events
  - rhcos4-audit-rules-login-events-faillock
  - rhcos4-audit-rules-login-events-lastlog
  - rhcos4-audit-rules-login-events-tallylog
  - rhcos4-audit-rules-networkconfig-modification
  - rhcos4-audit-rules-sysadmin-actions
  - rhcos4-audit-rules-time-adjtimex
  - rhcos4-audit-rules-time-clock-settime
  - rhcos4-audit-rules-time-settimeofday
  - rhcos4-audit-rules-time-stime
  - rhcos4-audit-rules-time-watch-localtime
  - rhcos4-audit-rules-usergroup-modification
  - rhcos4-auditd-data-retention-flush
  - rhcos4-auditd-freq
  - rhcos4-auditd-local-events
  - rhcos4-auditd-log-format
  - rhcos4-auditd-name-format
  - rhcos4-auditd-write-logs
  - rhcos4-configure-crypto-policy
  - rhcos4-configure-ssh-crypto-policy
  - rhcos4-no-empty-passwords
  - rhcos4-selinux-policytype
  - rhcos4-selinux-state
  - rhcos4-service-auditd-enabled
  - rhcos4-sshd-disable-empty-passwords
  - rhcos4-sshd-disable-gssapi-auth
  - rhcos4-sshd-disable-rhosts
  - rhcos4-sshd-disable-root-login
  - rhcos4-sshd-disable-user-known-hosts
  - rhcos4-sshd-do-not-permit-user-env
  - rhcos4-sshd-enable-strictmodes
  - rhcos4-sshd-print-last-log
  - rhcos4-sshd-set-loglevel-info
  - rhcos4-sysctl-kernel-dmesg-restrict
  - rhcos4-sysctl-kernel-kptr-restrict
  - rhcos4-sysctl-kernel-randomize-va-space
  - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
  - rhcos4-sysctl-kernel-yama-ptrace-scope
  - rhcos4-sysctl-net-core-bpf-jit-harden
  title: Australian Cyber Security Centre (ACSC) Essential Eight

View the rules within a desired profile:

$ oc get -n <namespace> -oyaml rules.compliance <rule_name>

This example displays the rhcos4-audit-rules-login-events rule in the rhcos4 profile:

$ oc get -n openshift-compliance -oyaml rules.compliance rhcos4-audit-rules-login-events

Example output

  apiVersion: compliance.openshift.io/v1alpha1
  checkType: Node
  description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix.rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
  id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
  kind: Rule
  metadata:
    annotations:
      compliance.openshift.io/image-digest: pb-rhcos426smj
      compliance.openshift.io/rule: audit-rules-login-events
      control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
      control.compliance.openshift.io/PCI-DSS: Req-10.2.3
      policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
      policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
    labels:
      compliance.openshift.io/profile-bundle: rhcos4
    name: rhcos4-audit-rules-login-events
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ProfileBundle
      name: rhcos4
  rationale: Manual editing of these files may indicate nefarious activity, such as
    an attacker attempting to remove evidence of an intrusion.
  severity: medium
  title: Record Attempts to Alter Logon and Logout Events
  warning: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.