Tailoring the Compliance Operator
While the Compliance Operator comes with ready-to-use profiles, they must be modified to fit the organizations’ needs and requirements. The process of modifying a profile is called tailoring.
The Compliance Operator provides an object to easily tailor profiles called a TailoredProfile
. This assumes that you are extending a pre-existing profile, and allows you to enable and disable rules and values which come from the ProfileBundle
.
You will only be able to use rules and variables that are available as part of the |
Using tailored profiles
While the TailoredProfile
CR enables the most common tailoring operations, the XCCDF standard allows even more flexibility in tailoring OpenSCAP profiles. In addition, if your organization has been using OpenScap previously, you may have an existing XCCDF tailoring file and can reuse it.
The ComplianceSuite
object contains an optional TailoringConfigMap
attribute that you can point to a custom tailoring file. The value of the TailoringConfigMap
attribute is a name of a config map, which must contain a key called tailoring.xml
and the value of this key is the tailoring contents.
Procedure
Browse the available rules for the Fedora CoreOS (FCOS)
ProfileBundle
:$ oc get rules.compliance -l compliance.openshift.io/profile-bundle=rhcos4
Browse the available variables in the same
ProfileBundle
:$ oc get variables.compliance -l compliance.openshift.io/profile-bundle=rhcos4
Choose which rules you want to add to the
TailoredProfile
. ThisTailoredProfile
example disables two rules and changes one value. Use therationale
value to describe why these changes were made:Example output
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
name: nist-moderate-modified
spec:
extends: rhcos4-moderate
title: My modified NIST moderate profile
disableRules:
- name: rhcos4-file-permissions-node-config
rationale: This breaks X application.
- name: rhcos4-account-disable-post-pw-expiration
rationale: No need to check this as it comes from the IdP
setValues:
- name: rhcos4-var-selinux-state
rationale: Organizational requirements
value: permissive
Table 1. Attributes for spec variables Attribute Description extends
Name of the
Profile
object upon which thisTailoredProfile
is built.title
Human-readable title of the
TailoredProfile
.disableRules
A list of name and rationale pairs. Each name refers to a name of a rule object that is to be disabled. The rationale value is human-readable text describing why the rule is disabled.
enableRules
A list of name and rationale pairs. Each name refers to a name of a rule object that is to be enabled. The rationale value is human-readable text describing why the rule is enabled.
description
Human-readable text describing the
TailoredProfile
.setValues
A list of name, rationale, and value groupings. Each name refers to a name of the value set. The rationale is human-readable text describing the set. The value is the actual setting.
Add the profile to the
ScanSettingsBinding
object:$ cat nist-moderate-modified.yaml
Example output
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: nist-moderate-modified
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: ocp4-moderate
- apiGroup: compliance.openshift.io/v1alpha1
kind: TailoredProfile
name: nist-moderate-modified
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default
Create the
TailoredProfile
:$ oc create -n <namespace> -f <file-name>.yaml
Example output
scansettingbinding.compliance.openshift.io/nist-moderate-modified created