Tailoring the Compliance Operator

While the Compliance Operator ships with ready-to-use profiles, they usually have to be modified to fit an organization's needs and requirements. The process of modifying a profile is called tailoring.

The Compliance Operator provides the TailoredProfile object to help tailor profiles.

Creating a new tailored profile

You can write a tailored profile from scratch by using the TailoredProfile object. Set an appropriate title and description, leave the extends field empty, and list every rule the profile should evaluate under enableRules. Because there is no parent profile to infer the scan type from, you must tell the Compliance Operator what type of scan this custom profile generates:

  • Node scan: Scans the Operating System of the cluster nodes.

  • Platform scan: Scans the OKD (Kubernetes API) configuration.

Procedure

  • Set the following annotation on the TailoredProfile object:

Example new-profile.yaml

  apiVersion: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  metadata:
    name: new-profile
    annotations:
      compliance.openshift.io/product-type: Node (1)
  spec:
    extends: ocp4-cis-node (2)
    description: My custom profile (3)
    title: Custom profile (4)
    enableRules:
      - name: ocp4-etcd-unique-ca
        rationale: We really need to enable this
    disableRules:
      - name: ocp4-file-groupowner-cni-conf
        rationale: This does not apply to the cluster

(1) Set Node or Platform according to the type of scan the profile generates.
(2) The extends field is optional. Omit it to build the profile from scratch, in which case only the rules listed under enableRules are evaluated.
(3) Use the description field to describe the function of the new TailoredProfile object.
(4) Give your TailoredProfile object a human-readable title with the title field.

Adding the -node suffix to the name field of the TailoredProfile object has the same effect as setting the product-type annotation to Node: the profile generates an Operating System scan.

Using tailored profiles to extend existing ProfileBundles

While the TailoredProfile CR covers the most common tailoring operations, the XCCDF standard allows even more flexibility in tailoring OpenSCAP profiles. In addition, if your organization has been using OpenSCAP previously, you may already have an XCCDF tailoring file and can reuse it instead of re-expressing it as a TailoredProfile.

The ComplianceSuite object contains an optional tailoringConfigMap attribute on each scan that you can point at a custom tailoring file. Its value is the name of a config map in the same namespace, which must contain a key called tailoring.xml whose value is the tailoring contents.
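As an added illustration (not from the original page or from the Compliance Operator project), the following manifests show the same kind of customization that a TailoredProfile expresses, but delivered as a hand-written XCCDF tailoring file: a ConfigMap whose tailoring.xml key disables one rule of the rhcos4 moderate profile and sets one variable, and a ComplianceSuite whose worker scan references that ConfigMap through tailoringConfigMap and selects the tailored profile ID. The ConfigMap and suite names, the schedule, the content image tag and the node selector are assumptions; the XCCDF rule and value IDs are the ones reported in the id field of the corresponding Rule and Variable objects, which differ from their rhcos4-... Kubernetes object names.

```yaml
# Added example, not the operator's own code. A hand-written XCCDF tailoring
# file delivered through a ConfigMap and consumed by a ComplianceSuite scan.
# Object names, schedule, contentImage tag and nodeSelector are assumptions;
# rule and value IDs are the XCCDF IDs of the rhcos4 content (the "id" field
# of the Rule and Variable objects, not their Kubernetes names).
apiVersion: v1
kind: ConfigMap
metadata:
  name: moderate-custom-tailoring
  namespace: openshift-compliance
data:
  tailoring.xml: |
    <?xml version="1.0" encoding="UTF-8"?>
    <xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
        id="xccdf_compliance.openshift.io_tailoring_moderate-custom">
      <!-- the data stream the scan mounts; must match spec.scans[].content -->
      <xccdf-1.2:benchmark href="/content/ssg-rhcos4-ds.xml"/>
      <xccdf-1.2:version time="2024-01-01T00:00:00">1</xccdf-1.2:version>
      <xccdf-1.2:Profile id="xccdf_compliance.openshift.io_profile_moderate-custom"
          extends="xccdf_org.ssgproject.content_profile_moderate">
        <xccdf-1.2:title override="true">NIST moderate, tailored</xccdf-1.2:title>
        <xccdf-1.2:description override="true">Moderate profile with the /var/log/messages permission check disabled and SELinux set to permissive per organizational requirement</xccdf-1.2:description>
        <!-- equivalent of disableRules on a TailoredProfile -->
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages" selected="false"/>
        <!-- equivalent of setValues on a TailoredProfile -->
        <xccdf-1.2:set-value idref="xccdf_org.ssgproject.content_value_var_selinux_state">permissive</xccdf-1.2:set-value>
      </xccdf-1.2:Profile>
    </xccdf-1.2:Tailoring>
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: moderate-custom
  namespace: openshift-compliance
spec:
  autoApplyRemediations: false
  schedule: "0 1 * * *"
  scans:
    - name: workers-moderate-custom
      scanType: Node
      content: ssg-rhcos4-ds.xml
      contentImage: ghcr.io/complianceascode/k8scontent:latest
      # select the profile defined in the tailoring file, not the stock one
      profile: xccdf_compliance.openshift.io_profile_moderate-custom
      tailoringConfigMap:
        name: moderate-custom-tailoring
      nodeSelector:
        node-role.kubernetes.io/worker: ""
```

Two points worth checking before relying on a raw tailoring file: the benchmark href must point at the same data stream the scan's content field names, and the profile field of the scan must select the profile ID defined in the tailoring file, otherwise the scan silently runs the unmodified stock profile. Unlike rule names in a TailoredProfile, the IDs in tailoring.xml are handed to the scanner as-is, so a typo in an idref surfaces only in the scan result rather than at object creation. Note also that, as with setValues, the rationale for weakening a setting such as the SELinux state lives only in the description here; keep it there so reviewers of the scan can see why the deviation exists.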

Procedure

  1. Browse the available rules for the Fedora CoreOS (FCOS) ProfileBundle, which is published under the rhcos4 label:

     $ oc get rules.compliance -n openshift-compliance -l compliance.openshift.io/profile-bundle=rhcos4

  2. Browse the available variables in the same ProfileBundle:

     $ oc get variables.compliance -n openshift-compliance -l compliance.openshift.io/profile-bundle=rhcos4
  3. Create a tailored profile named nist-moderate-modified:

    1. Choose which rules you want to add to the nist-moderate-modified tailored profile. This example extends the rhcos4-moderate profile by disabling two rules and changing one value. Use the rationale value to describe why these changes were made:

      Example new-profile-node.yaml

      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: nist-moderate-modified
      spec:
        extends: rhcos4-moderate
        description: NIST moderate profile
        title: My modified NIST moderate profile
        disableRules:
          - name: rhcos4-file-permissions-var-log-messages
            rationale: The file contains logs of error messages in the system
          - name: rhcos4-account-disable-post-pw-expiration
            rationale: No need to check this as it comes from the IdP
        setValues:
          - name: rhcos4-var-selinux-state
            rationale: Organizational requirements
            value: permissive
      Table 1. Attributes of the TailoredProfile spec

      Attribute      Description

      extends        Name of the Profile object upon which this TailoredProfile is built. Optional; omit it to build a profile from scratch.

      title          Human-readable title of the TailoredProfile.

      description    Human-readable text describing the TailoredProfile.

      enableRules    A list of name and rationale pairs. Each name refers to the name of a Rule object that is to be enabled. The rationale value is human-readable text describing why the rule is enabled.

      disableRules   A list of name and rationale pairs. Each name refers to the name of a Rule object that is to be disabled. The rationale value is human-readable text describing why the rule is disabled.

      manualRules    A list of name and rationale pairs. Each name refers to the name of a Rule object whose check result is always reported as MANUAL and for which no remediation is generated; the rule is still part of the profile. The list is empty by default.

      setValues      A list of name, rationale, and value groupings. Each name refers to the name of a Variable object whose value is being set. The rationale is human-readable text describing why the value was changed. The value is the actual setting.

    2. Optionally, add the spec.manualRules attribute to force the result of a rule to MANUAL instead of having it evaluated and remediated. This separate example extends the ocp4-cis platform profile and marks the SCC capability check as manual:

      Example tailoredProfile.spec.manualRules.yaml

      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: ocp4-manual-scc-check
      spec:
        extends: ocp4-cis
        description: This profile extends ocp4-cis by forcing the SCC check to always return MANUAL
        title: OCP4 CIS profile with manual SCC check
        manualRules:
          - name: ocp4-scc-limit-container-allowed-capabilities
            rationale: We use third party software that installs its own SCC with extra privileges
    3. Create the TailoredProfile object:

      $ oc create -n openshift-compliance -f new-profile-node.yaml (1)

      (1) The TailoredProfile object is created in the default openshift-compliance namespace, where the Profile and Rule objects it references live.

      Example output

      tailoredprofile.compliance.openshift.io/nist-moderate-modified created

      Before binding the profile, verify that its STATE column reports READY. If a name under enableRules, disableRules, manualRules, or setValues does not match a Rule or Variable object of the parent ProfileBundle, the object moves to the ERROR state and the reason is recorded in status.errorMessage.
  4. Define the ScanSettingBinding object to bind the new nist-moderate-modified tailored profile to the default ScanSetting object.

    Example new-scansettingbinding.yaml

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      name: nist-moderate-modified
    profiles:
      - apiGroup: compliance.openshift.io/v1alpha1
        kind: Profile
        name: ocp4-moderate
      - apiGroup: compliance.openshift.io/v1alpha1
        kind: TailoredProfile
        name: nist-moderate-modified
    settingsRef:
      apiGroup: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      name: default
  5. Create the ScanSettingBinding object:

    $ oc create -n openshift-compliance -f new-scansettingbinding.yaml

    Example output

    scansettingbinding.compliance.openshift.io/nist-moderate-modified created