Supported compliance profiles
There are several profiles available as part of the Compliance Operator (CO) installation. While you can use the following profiles to assess gaps in a cluster, usage alone does not infer or guarantee compliance with a particular profile.
The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418. |
Compliance profiles
The Compliance Operator provides the following compliance profiles:
Profile | Profile title | Application | Compliance Operator version | Industry compliance benchmark | Supported architectures |
---|---|---|---|---|---|
rhcos4-stig | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Node | 1.3.0+ | DISA-STIG [1] |
|
ocp4-stig-node | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Node | 1.3.0+ | DISA-STIG [1] |
|
ocp4-stig | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Platform | 1.3.0+ | DISA-STIG [1] |
|
ocp4-cis | CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0 | Platform | 1.2.0+ | CIS Benchmarks ™ [1] |
|
ocp4-cis-node | CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0 | Node [2] | 1.2.0+ | CIS Benchmarks ™ [1] |
|
ocp4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Platform | 0.1.39+ |
| |
ocp4-moderate | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level | Platform | 0.1.39+ |
| |
rhcos4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Node | 0.1.39+ |
| |
rhcos4-moderate | NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | 0.1.39+ |
| |
ocp4-moderate-node | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | 0.1.44+ |
| |
ocp4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level | Platform | 0.1.44+ |
| |
ocp4-nerc-cip-node | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level | Node [2] | 0.1.44+ |
| |
rhcos4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS | Node | 0.1.44+ |
| |
ocp4-pci-dss | PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4 | Platform | 0.1.47+ |
| |
ocp4-pci-dss-node | PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4 | Node [2] | 0.1.47+ |
| |
ocp4-high | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level | Platform | 0.1.52+ |
| |
ocp4-high-node | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | 0.1.52+ |
| |
rhcos4-high | NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | 0.1.52+ |
|
To locate the CIS OKD v4 Benchmark, go to CIS Benchmarks and click Download Latest CIS Benchmark, where you can then register to download the benchmark.
Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.
About extended compliance profiles
Some compliance profiles have controls that require following industry best practices, resulting in some profiles extending others. Combining the Center for Internet Security (CIS) best practices with National Institute of Standards and Technology (NIST) security frameworks establishes a path to a secure and compliant environment.
For example, the NIST High-Impact and Moderate-Impact profiles extend the CIS profile to achieve compliance. As a result, extended compliance profiles eliminate the need to run both profiles in a single cluster.
Profile | Extends |
---|---|
ocp4-pci-dss | ocp4-cis |
ocp4-pci-dss-node | ocp4-cis-node |
ocp4-high | ocp4-cis |
ocp4-high-node | ocp4-cis-node |
ocp4-moderate | ocp4-cis |
ocp4-moderate-node | ocp4-cis-node |
ocp4-nerc-cip | ocp4-moderate |
ocp4-nerc-cip-node | ocp4-moderate-node |