Understanding the Compliance Operator

The Compliance Operator lets OKD administrators describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. The Compliance Operator assesses the compliance of both the Kubernetes API resources of OKD and the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce the security policies provided by the SCAP security content.

The Compliance Operator is available for Fedora CoreOS (FCOS) deployments only.

Compliance Operator profiles

There are several profiles available as part of the Compliance Operator installation.

View the available profiles:

    $ oc get -n <namespace> profiles.compliance

Example output

    NAME              AGE
    ocp4-cis          4h52m
    ocp4-cis-node     4h52m
    ocp4-e8           4h52m
    ocp4-moderate     4h52m
    rhcos4-e8         4h52m
    rhcos4-moderate   4h52m

These profiles represent different compliance benchmarks.

View the details of a profile:

    $ oc get -n <namespace> -oyaml profiles.compliance <profile name>

Example output

    apiVersion: compliance.openshift.io/v1alpha1
    description: |-
      This profile contains configuration checks for Red Hat
      Enterprise Linux CoreOS that align to the Australian
      Cyber Security Centre (ACSC) Essential Eight.
      A copy of the Essential Eight in Linux Environments guide can
      be found at the ACSC website: ...
    id: xccdf_org.ssgproject.content_profile_e8
    kind: Profile
    metadata:
      annotations:
        compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
        compliance.openshift.io/product-type: Node
      creationTimestamp: "2020-09-07T11:42:51Z"
      generation: 1
      labels:
        compliance.openshift.io/profile-bundle: rhcos4
      name: rhcos4-e8
      namespace: openshift-compliance
    rules:
    - rhcos4-accounts-no-uid-except-zero
    - rhcos4-audit-rules-dac-modification-chmod
    - rhcos4-audit-rules-dac-modification-chown
    - rhcos4-audit-rules-execution-chcon
    - rhcos4-audit-rules-execution-restorecon
    - rhcos4-audit-rules-execution-semanage
    - rhcos4-audit-rules-execution-setfiles
    - rhcos4-audit-rules-execution-setsebool
    - rhcos4-audit-rules-execution-seunshare
    - rhcos4-audit-rules-kernel-module-loading
    - rhcos4-audit-rules-login-events
    - rhcos4-audit-rules-login-events-faillock
    - rhcos4-audit-rules-login-events-lastlog
    - rhcos4-audit-rules-login-events-tallylog
    - rhcos4-audit-rules-networkconfig-modification
    - rhcos4-audit-rules-sysadmin-actions
    - rhcos4-audit-rules-time-adjtimex
    - rhcos4-audit-rules-time-clock-settime
    - rhcos4-audit-rules-time-settimeofday
    - rhcos4-audit-rules-time-stime
    - rhcos4-audit-rules-time-watch-localtime
    - rhcos4-audit-rules-usergroup-modification
    - rhcos4-auditd-data-retention-flush
    - rhcos4-auditd-freq
    - rhcos4-auditd-local-events
    - rhcos4-auditd-log-format
    - rhcos4-auditd-name-format
    - rhcos4-auditd-write-logs
    - rhcos4-configure-crypto-policy
    - rhcos4-configure-ssh-crypto-policy
    - rhcos4-no-empty-passwords
    - rhcos4-selinux-policytype
    - rhcos4-selinux-state
    - rhcos4-service-auditd-enabled
    - rhcos4-sshd-disable-empty-passwords
    - rhcos4-sshd-disable-gssapi-auth
    - rhcos4-sshd-disable-rhosts
    - rhcos4-sshd-disable-root-login
    - rhcos4-sshd-disable-user-known-hosts
    - rhcos4-sshd-do-not-permit-user-env
    - rhcos4-sshd-enable-strictmodes
    - rhcos4-sshd-print-last-log
    - rhcos4-sshd-set-loglevel-info
    - rhcos4-sshd-use-priv-separation
    - rhcos4-sysctl-kernel-dmesg-restrict
    - rhcos4-sysctl-kernel-kexec-load-disabled
    - rhcos4-sysctl-kernel-kptr-restrict
    - rhcos4-sysctl-kernel-randomize-va-space
    - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
    - rhcos4-sysctl-kernel-yama-ptrace-scope
    - rhcos4-sysctl-net-core-bpf-jit-harden
    title: Australian Cyber Security Centre (ACSC) Essential Eight

View the details of a rule listed in a profile (the rule names appear under rules in the profile output above):

    $ oc get -n <namespace> -oyaml rules.compliance <rule_name>

Example output

    apiVersion: compliance.openshift.io/v1alpha1
    description: '<code>auditd</code><code>augenrules</code><code>.rules</code><code>/etc/audit/rules.d</code><pre>-w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins</pre><code>auditd</code><code>auditctl</code><code>/etc/audit/audit.rules</code><pre>-w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins</pre>file in order to watch for attempted manual edits of files involved in storing logon events:'
    id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
    kind: Rule
    metadata:
      annotations:
        compliance.openshift.io/rule: audit-rules-login-events
        control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
        policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
        policies.open-cluster-management.io/standards: NIST-800-53
      creationTimestamp: "2020-09-07T11:43:03Z"
      generation: 1
      labels:
        compliance.openshift.io/profile-bundle: rhcos4
      name: rhcos4-audit-rules-login-events
      namespace: openshift-compliance
    rationale: |-
      Manual editing of these files may indicate nefarious activity,
      such as an attacker attempting to remove evidence of an
      intrusion.
    severity: medium
    title: Record Attempts to Alter Logon and Logout Events
    warning: |-
      <ul><li><code>audit_rules_login_events_tallylog</code></li>
      <li><code>audit_rules_login_events_faillock</code></li>
      <li><code>audit_rules_login_events_lastlog</code></li></ul>
      This rule checks for multiple syscalls related to login
      events and was written with DISA STIG in mind.
      Other policies should use separate rule for
      each syscall that needs to be checked.

Each profile has the product name that it applies to added as a prefix to the profile’s name. ocp4-e8 applies the Essential 8 benchmark to the OKD product, while rhcos4-e8 applies the Essential 8 benchmark to the Fedora CoreOS (FCOS) product.
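As an added example (not part of the OKD documentation or the Compliance Operator project), the script below works with the Profile and Rule objects shown above as a compliance engineer would: it reads `oc get -o json` style output, maps each NIST 800-53 control (taken from the semicolon-separated `control.compliance.openshift.io/NIST-800-53` annotation) to the profile's rules that implement it, and checks that every rule in a profile carries its `profile-bundle` prefix. The JSON samples are constructed inline and trimmed to the fields the script reads; the control values for the second rule are made up for the sample.

```python
import json
from collections import defaultdict

CONTROL_ANNOTATION = "control.compliance.openshift.io/NIST-800-53"
BUNDLE_LABEL = "compliance.openshift.io/profile-bundle"

# Constructed sample shaped like `oc get -o json profiles.compliance rhcos4-e8`,
# reduced to two rules so the example stays short.
PROFILE_JSON = """{
  "kind": "Profile",
  "metadata": {"name": "rhcos4-e8",
               "labels": {"compliance.openshift.io/profile-bundle": "rhcos4"},
               "annotations": {"compliance.openshift.io/product-type": "Node"}},
  "rules": ["rhcos4-audit-rules-login-events", "rhcos4-sshd-disable-root-login"]
}"""

# Constructed sample shaped like `oc get -o json rules.compliance` (a List).
# The first rule's controls come from the page; the second's are made up.
# The third rule is not in the profile and must be ignored.
RULES_JSON = """{"items": [
  {"kind": "Rule", "severity": "medium", "metadata": {"name": "rhcos4-audit-rules-login-events",
    "annotations": {"control.compliance.openshift.io/NIST-800-53": "AU-2(d);AU-12(c);AC-6(9);CM-6(a)"}}},
  {"kind": "Rule", "severity": "medium", "metadata": {"name": "rhcos4-sshd-disable-root-login",
    "annotations": {"control.compliance.openshift.io/NIST-800-53": "AC-6(2);IA-2;CM-6(a)"}}},
  {"kind": "Rule", "severity": "low", "metadata": {"name": "rhcos4-auditd-freq",
    "annotations": {"control.compliance.openshift.io/NIST-800-53": "AU-12(c)"}}}
]}"""

def load_profile():
    return json.loads(PROFILE_JSON)

def load_rules():
    return json.loads(RULES_JSON)

def controls_of(rule):
    """Split the ';'-separated NIST 800-53 annotation into a list of control IDs."""
    raw = rule["metadata"].get("annotations", {}).get(CONTROL_ANNOTATION, "")
    return [c.strip() for c in raw.split(";") if c.strip()]

def rules_by_control(profile, rules):
    """Map each control ID to the names of the profile's rules that implement it."""
    wanted = set(profile["rules"])
    index = defaultdict(list)
    for rule in rules["items"]:
        name = rule["metadata"]["name"]
        if name in wanted:            # skip rules the profile does not select
            for control in controls_of(rule):
                index[control].append(name)
    return dict(index)

def rules_missing_bundle_prefix(profile):
    """Return rule names that do not start with the profile's bundle prefix (rhcos4-, ocp4-)."""
    bundle = profile["metadata"]["labels"][BUNDLE_LABEL]
    return [r for r in profile["rules"] if not r.startswith(bundle + "-")]
```

Feed real cluster data by replacing the two constants with the output of the `oc get -o json` commands named in the comments.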