Understanding the Compliance Operator

    There are several profiles available as part of the Compliance Operator installation. They are namespaced objects of kind Profile in the operator's namespace, so list them from there:

        $ oc get -n openshift-compliance profiles.compliance

    Example output

    NAME              AGE
    ocp4-cis          4h52m
    ocp4-cis-node     4h52m
    ocp4-e8           4h52m
    ocp4-moderate     4h52m
    rhcos4-e8         4h52m
    rhcos4-moderate   4h52m

    These profiles represent different compliance benchmarks (CIS, ACSC Essential Eight, NIST 800-53 moderate). A profile is essentially a named list of rules plus annotations saying which product and product type (Platform or Node) it applies to. View the full definition of a profile, here rhcos4-e8:

        $ oc get -n openshift-compliance -o yaml profiles.compliance rhcos4-e8

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    description: |-
      This profile contains configuration checks for Red Hat
      Enterprise Linux CoreOS that align to the Australian
      Cyber Security Centre (ACSC) Essential Eight.
      A copy of the Essential Eight in Linux Environments guide can
      be found at the ACSC website: ...
    id: xccdf_org.ssgproject.content_profile_e8
    kind: Profile
    metadata:
      annotations:
        compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
        compliance.openshift.io/product-type: Node
      creationTimestamp: "2020-09-07T11:42:51Z"
      generation: 1
      labels:
        compliance.openshift.io/profile-bundle: rhcos4
      name: rhcos4-e8
      namespace: openshift-compliance
    rules:
    - rhcos4-accounts-no-uid-except-zero
    - rhcos4-audit-rules-dac-modification-chmod
    - rhcos4-audit-rules-dac-modification-chown
    - rhcos4-audit-rules-execution-chcon
    - rhcos4-audit-rules-execution-restorecon
    - rhcos4-audit-rules-execution-semanage
    - rhcos4-audit-rules-execution-setfiles
    - rhcos4-audit-rules-execution-setsebool
    - rhcos4-audit-rules-kernel-module-loading
    - rhcos4-audit-rules-login-events-faillock
    - rhcos4-audit-rules-login-events-lastlog
    - rhcos4-audit-rules-login-events-tallylog
    - rhcos4-audit-rules-networkconfig-modification
    - rhcos4-audit-rules-sysadmin-actions
    - rhcos4-audit-rules-time-adjtimex
    - rhcos4-audit-rules-time-clock-settime
    - rhcos4-audit-rules-time-settimeofday
    - rhcos4-audit-rules-time-stime
    - rhcos4-audit-rules-time-watch-localtime
    - rhcos4-audit-rules-usergroup-modification
    - rhcos4-auditd-data-retention-flush
    - rhcos4-auditd-freq
    - rhcos4-auditd-local-events
    - rhcos4-auditd-log-format
    - rhcos4-auditd-name-format
    - rhcos4-auditd-write-logs
    - rhcos4-configure-crypto-policy
    - rhcos4-configure-ssh-crypto-policy
    - rhcos4-no-empty-passwords
    - rhcos4-selinux-policytype
    - rhcos4-selinux-state
    - rhcos4-service-auditd-enabled
    - rhcos4-sshd-disable-empty-passwords
    - rhcos4-sshd-disable-gssapi-auth
    - rhcos4-sshd-disable-rhosts
    - rhcos4-sshd-disable-root-login
    - rhcos4-sshd-disable-user-known-hosts
    - rhcos4-sshd-do-not-permit-user-env
    - rhcos4-sshd-enable-strictmodes
    - rhcos4-sshd-print-last-log
    - rhcos4-sshd-set-loglevel-info
    - rhcos4-sshd-use-priv-separation
    - rhcos4-sysctl-kernel-dmesg-restrict
    - rhcos4-sysctl-kernel-kptr-restrict
    - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
    - rhcos4-sysctl-kernel-yama-ptrace-scope
    - rhcos4-sysctl-net-core-bpf-jit-harden
    title: Australian Cyber Security Centre (ACSC) Essential Eight

    Each entry under rules is the name of a Rule object in the same namespace, and a Rule carries the check's description, rationale, severity and the controls it maps to. View a rule's definition, here rhcos4-audit-rules-login-events (the combined rule of which the three rhcos4-audit-rules-login-events-* entries in the profile above are the per-file variants):

        $ oc get -n openshift-compliance -o yaml rules.compliance rhcos4-audit-rules-login-events

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    description: |-
      If the auditd daemon is configured to use the augenrules program
      to read audit rules during daemon startup (the default), add the
      following lines to a file with suffix .rules in the directory
      /etc/audit/rules.d:
        -w /var/log/tallylog -p wa -k logins
        -w /var/run/faillock -p wa -k logins
        -w /var/log/lastlog -p wa -k logins
      If the auditd daemon is configured to use the auditctl utility to
      read audit rules during daemon startup, add the same lines to the
      /etc/audit/audit.rules file in order to watch for attempted manual
      edits of files involved in storing logon events.
    id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
    kind: Rule
    metadata:
      annotations:
        compliance.openshift.io/rule: audit-rules-login-events
        control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
        policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
        policies.open-cluster-management.io/standards: NIST-800-53
      creationTimestamp: "2020-09-07T11:43:03Z"
      generation: 1
      labels:
        compliance.openshift.io/profile-bundle: rhcos4
      name: rhcos4-audit-rules-login-events
      namespace: openshift-compliance
    rationale: |-
      Manual editing of these files may indicate nefarious activity,
      such as an attacker attempting to remove evidence of an
      intrusion.
    severity: medium
    title: Record Attempts to Alter Logon and Logout Events
    warning: |-
      This rule checks for multiple syscalls related to login
      events and was written with DISA STIG in mind.
      Other policies should use a separate rule for
      each syscall that needs to be checked, for example:
      - audit_rules_login_events_tallylog
      - audit_rules_login_events_faillock
      - audit_rules_login_events_lastlog

    Each profile name is prefixed with the product it applies to, and the compliance.openshift.io/product and product-type annotations carry the same information in machine-readable form. ocp4-* profiles target the cluster itself (the OpenShift Container Platform / OKD 4 platform layer), while rhcos4-* profiles target the nodes: as the rhcos4-e8 output above shows, the bundled node content is written for Red Hat Enterprise Linux CoreOS 4 (product redhat_enterprise_linux_coreos_4, product-type Node). So ocp4-e8 applies the Essential Eight benchmark to the platform and rhcos4-e8 applies it to the nodes; likewise ocp4-cis covers the platform-level CIS checks and ocp4-cis-node the node-level ones. A complete assessment against a benchmark therefore usually needs both the platform and the node profile for it.
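    The listing, profile and rule views above are three separate `oc get` calls; in practice you want to cross-reference them, for instance to see which rules differ between two profiles or which NIST 800-53 controls a profile actually exercises through its rules' control annotations. The following script is an added example and not part of the Compliance Operator or its documentation. It works on the JSON that `oc get -n openshift-compliance profiles.compliance,rules.compliance -o json` returns; the embedded sample is constructed to mirror the objects shown above (the rhcos4-e8 rule list is shortened, and the rhcos4-moderate and ocp4-cis rule lists plus the control strings on the faillock and sshd rules are illustrative values, not real content). It also handles the case where a profile references a rule whose Rule object was not fetched, reporting it instead of silently dropping it from the coverage count.

```python
"""Cross-reference Compliance Operator Profile and Rule objects offline.

Added example, not part of the Compliance Operator or its docs. SAMPLE_JSON is
constructed; feed real data with `--stdin` from
  oc get -n openshift-compliance profiles.compliance,rules.compliance -o json
"""
import json
import sys
from collections import defaultdict

API = "compliance.openshift.io/v1alpha1"
PRODUCT_TYPE = "compliance.openshift.io/product-type"
CONTROL_PREFIX = "control.compliance.openshift.io/"  # followed by a standard name, e.g. NIST-800-53


def _profile(name, rules, product_type="Node"):
    """Constructed Profile object in the shape `oc get -o json` returns."""
    return {"apiVersion": API, "kind": "Profile",
            "metadata": {"name": name, "namespace": "openshift-compliance",
                         "annotations": {PRODUCT_TYPE: product_type},
                         "labels": {"compliance.openshift.io/profile-bundle": name.split("-")[0]}},
            "rules": rules}


def _rule(name, controls, severity="medium"):
    """Constructed Rule object; `controls` is the ';'-separated annotation value."""
    return {"apiVersion": API, "kind": "Rule",
            "metadata": {"name": name, "namespace": "openshift-compliance",
                         "annotations": {CONTROL_PREFIX + "NIST-800-53": controls}},
            "severity": severity}


# Constructed sample. The rhcos4-e8 rule list is a shortened copy of the page's
# output and the login-events control string is the one shown on the page; the
# rhcos4-moderate and ocp4-cis lists and the other control strings are illustrative.
SAMPLE_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _profile("rhcos4-e8", ["rhcos4-audit-rules-login-events-faillock",
                           "rhcos4-audit-rules-login-events-lastlog",
                           "rhcos4-sshd-disable-root-login", "rhcos4-selinux-state"]),
    _profile("rhcos4-moderate", ["rhcos4-audit-rules-login-events",
                                 "rhcos4-sshd-disable-root-login", "rhcos4-selinux-state",
                                 "rhcos4-no-empty-passwords"]),
    _profile("ocp4-cis", ["ocp4-api-server-anonymous-auth"], product_type="Platform"),
    _rule("rhcos4-audit-rules-login-events", "AU-2(d);AU-12(c);AC-6(9);CM-6(a)"),
    _rule("rhcos4-audit-rules-login-events-faillock", "AU-2(d);AU-12(c)"),
    _rule("rhcos4-sshd-disable-root-login", "AC-6(2);IA-2", severity="high"),
]})


def load_items(text):
    """Index a `kind: List` document as {kind: {name: object}}."""
    by_kind = defaultdict(dict)
    for item in json.loads(text)["items"]:
        by_kind[item["kind"]][item["metadata"]["name"]] = item
    return dict(by_kind)


def rule_names(profiles, profile_name):
    """Rule names a profile references (a profile with no rules has `rules: null`)."""
    return set(profiles[profile_name].get("rules") or [])


def compare_profiles(profiles, a, b):
    """Rules only in a, only in b, and in both, each as a sorted list."""
    ra, rb = rule_names(profiles, a), rule_names(profiles, b)
    return sorted(ra - rb), sorted(rb - ra), sorted(ra & rb)


def controls_covered(profiles, rules, profile_name, standard="NIST-800-53"):
    """Map each control ID of `standard` to the profile's rules annotated with it.

    Rules the profile references but that are missing from `rules` (not fetched,
    or annotation stripped) come back separately as `unmapped`, so a coverage
    report never shrinks silently.
    """
    coverage, unmapped = defaultdict(set), []
    for name in sorted(rule_names(profiles, profile_name)):
        rule = rules.get(name)
        if rule is None:
            unmapped.append(name)
            continue
        value = rule["metadata"].get("annotations", {}).get(CONTROL_PREFIX + standard, "")
        for control in (c.strip() for c in value.split(";")):
            if control:
                coverage[control].add(name)
    return {k: sorted(v) for k, v in sorted(coverage.items())}, unmapped


def profiles_by_product_type(profiles):
    """Group profile names by the product-type annotation (Platform vs Node)."""
    groups = defaultdict(list)
    for name, profile in sorted(profiles.items()):
        groups[profile["metadata"].get("annotations", {}).get(PRODUCT_TYPE, "unknown")].append(name)
    return dict(groups)


if __name__ == "__main__":
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_JSON
    items = load_items(text)
    profiles, rules = items.get("Profile", {}), items.get("Rule", {})
    print("by product type:", profiles_by_product_type(profiles))
    only_a, only_b, both = compare_profiles(profiles, "rhcos4-e8", "rhcos4-moderate")
    print("only in rhcos4-e8:", only_a)
    print("only in rhcos4-moderate:", only_b)
    coverage, unmapped = controls_covered(profiles, rules, "rhcos4-e8")
    for control, names in coverage.items():
        print(f"{control:10} <- {', '.join(names)}")
    print("no Rule object fetched for:", unmapped)
```

    Run it without arguments to see the constructed sample, or pipe the `oc get ... -o json` output in with `--stdin`. Comparing rhcos4-e8 with rhcos4-moderate in the sample shows the point made by the rule's warning text: the moderate profile uses the combined rhcos4-audit-rules-login-events rule while rhcos4-e8 uses the per-file variants, so a naive name-based comparison reports them as different checks even though they watch the same files.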