Understanding the Compliance Operator

The Compliance Operator lets OKD administrators describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. The Compliance Operator assesses compliance of both the Kubernetes API resources of OKD, as well as the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.

The Compliance Operator is available for Fedora CoreOS (FCOS) deployments only.

Compliance Operator profiles

There are several profiles available as part of the Compliance Operator installation. You can use the oc get command to view available profiles, profile details, and specific rules.

  • View the available profiles:

    1. $ oc get -n openshift-compliance profiles.compliance

    Example output

    1. NAME                 AGE
    2. ocp4-cis             94m
    3. ocp4-cis-node        94m
    4. ocp4-e8              94m
    5. ocp4-high            94m
    6. ocp4-high-node       94m
    7. ocp4-moderate        94m
    8. ocp4-moderate-node   94m
    9. ocp4-nerc-cip        94m
    10. ocp4-nerc-cip-node   94m
    11. ocp4-pci-dss         94m
    12. ocp4-pci-dss-node    94m
    13. rhcos4-e8            94m
    14. rhcos4-high          94m
    15. rhcos4-moderate      94m
    16. rhcos4-nerc-cip      94m

    These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. ocp4-e8 applies the Essential 8 benchmark to the OKD product, while rhcos4-e8 applies the Essential 8 benchmark to the Fedora CoreOS (FCOS) product.

  • Run the following command to view the details of the rhcos4-e8 profile:

    1. $ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8

    Example output

    1. apiVersion: compliance.openshift.io/v1alpha1
    2. description: 'This profile contains configuration checks for Red Hat Enterprise Linux
    3.   CoreOS that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
    4.   A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
    5.   website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers'
    6. id: xccdf_org.ssgproject.content_profile_e8
    7. kind: Profile
    8. metadata:
    9.   annotations:
    10.     compliance.openshift.io/image-digest: pb-rhcos4hrdkm
    11.     compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
    12.     compliance.openshift.io/product-type: Node
    13.   creationTimestamp: "2022-10-19T12:06:49Z"
    14.   generation: 1
    15.   labels:
    16.     compliance.openshift.io/profile-bundle: rhcos4
    17.   name: rhcos4-e8
    18.   namespace: openshift-compliance
    19.   ownerReferences:
    20.   - apiVersion: compliance.openshift.io/v1alpha1
    21.     blockOwnerDeletion: true
    22.     controller: true
    23.     kind: ProfileBundle
    24.     name: rhcos4
    25.     uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
    26.   resourceVersion: "43699"
    27.   uid: 86353f70-28f7-40b4-bf0e-6289ec33675b
    28. rules:
    29. - rhcos4-accounts-no-uid-except-zero
    30. - rhcos4-audit-rules-dac-modification-chmod
    31. - rhcos4-audit-rules-dac-modification-chown
    32. - rhcos4-audit-rules-execution-chcon
    33. - rhcos4-audit-rules-execution-restorecon
    34. - rhcos4-audit-rules-execution-semanage
    35. - rhcos4-audit-rules-execution-setfiles
    36. - rhcos4-audit-rules-execution-setsebool
    37. - rhcos4-audit-rules-execution-seunshare
    38. - rhcos4-audit-rules-kernel-module-loading-delete
    39. - rhcos4-audit-rules-kernel-module-loading-finit
    40. - rhcos4-audit-rules-kernel-module-loading-init
    41. - rhcos4-audit-rules-login-events
    42. - rhcos4-audit-rules-login-events-faillock
    43. - rhcos4-audit-rules-login-events-lastlog
    44. - rhcos4-audit-rules-login-events-tallylog
    45. - rhcos4-audit-rules-networkconfig-modification
    46. - rhcos4-audit-rules-sysadmin-actions
    47. - rhcos4-audit-rules-time-adjtimex
    48. - rhcos4-audit-rules-time-clock-settime
    49. - rhcos4-audit-rules-time-settimeofday
    50. - rhcos4-audit-rules-time-stime
    51. - rhcos4-audit-rules-time-watch-localtime
    52. - rhcos4-audit-rules-usergroup-modification
    53. - rhcos4-auditd-data-retention-flush
    54. - rhcos4-auditd-freq
    55. - rhcos4-auditd-local-events
    56. - rhcos4-auditd-log-format
    57. - rhcos4-auditd-name-format
    58. - rhcos4-auditd-write-logs
    59. - rhcos4-configure-crypto-policy
    60. - rhcos4-configure-ssh-crypto-policy
    61. - rhcos4-no-empty-passwords
    62. - rhcos4-selinux-policytype
    63. - rhcos4-selinux-state
    64. - rhcos4-service-auditd-enabled
    65. - rhcos4-sshd-disable-empty-passwords
    66. - rhcos4-sshd-disable-gssapi-auth
    67. - rhcos4-sshd-disable-rhosts
    68. - rhcos4-sshd-disable-root-login
    69. - rhcos4-sshd-disable-user-known-hosts
    70. - rhcos4-sshd-do-not-permit-user-env
    71. - rhcos4-sshd-enable-strictmodes
    72. - rhcos4-sshd-print-last-log
    73. - rhcos4-sshd-set-loglevel-info
    74. - rhcos4-sysctl-kernel-dmesg-restrict
    75. - rhcos4-sysctl-kernel-kptr-restrict
    76. - rhcos4-sysctl-kernel-randomize-va-space
    77. - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
    78. - rhcos4-sysctl-kernel-yama-ptrace-scope
    79. - rhcos4-sysctl-net-core-bpf-jit-harden
    80. title: Australian Cyber Security Centre (ACSC) Essential Eight

  • Run the following command to view the details of the rhcos4-audit-rules-login-events rule:

    1. $ oc get -n openshift-compliance -oyaml rules rhcos4-audit-rules-login-events

    Example output

    1. apiVersion: compliance.openshift.io/v1alpha1
    2. checkType: Node
    3. description: |-
    4.   The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix.rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    6.   -w /var/log/tallylog -p wa -k logins
    7.   -w /var/run/faillock -p wa -k logins
    8.   -w /var/log/lastlog -p wa -k logins
    10.   If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
    12.   -w /var/log/tallylog -p wa -k logins
    13.   -w /var/run/faillock -p wa -k logins
    14.   -w /var/log/lastlog -p wa -k logins
    15. id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
    16. kind: Rule
    17. metadata:
    18.   annotations:
    19.     compliance.openshift.io/image-digest: pb-rhcos4hrdkm
    20.     compliance.openshift.io/rule: audit-rules-login-events
    21.     control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
    22.     control.compliance.openshift.io/PCI-DSS: Req-10.2.3
    23.     policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
    24.     policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
    25.   creationTimestamp: "2022-10-19T12:07:08Z"
    26.   generation: 1
    27.   labels:
    28.     compliance.openshift.io/profile-bundle: rhcos4
    29.   name: rhcos4-audit-rules-login-events
    30.   namespace: openshift-compliance
    31.   ownerReferences:
    32.   - apiVersion: compliance.openshift.io/v1alpha1
    33.     blockOwnerDeletion: true
    34.     controller: true
    35.     kind: ProfileBundle
    36.     name: rhcos4
    37.     uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
    38.   resourceVersion: "44819"
    39.   uid: 75872f1f-3c93-40ca-a69d-44e5438824a4
    40. rationale: Manual editing of these files may indicate nefarious activity, such as
    41.   an attacker attempting to remove evidence of an intrusion.
    42. severity: medium
    43. title: Record Attempts to Alter Logon and Logout Events
    44. warning: Manual editing of these files may indicate nefarious activity, such as an
    45.   attacker attempting to remove evidence of an intrusion.