Understanding the Compliance Operator

The Compliance Operator lets OKD administrators describe the required compliance state of a cluster and gives them an overview of the gaps and ways to remediate them. It assesses the compliance of both the Kubernetes API resources of OKD and the nodes that run the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan the cluster against the security policies shipped in the installed content and to generate remediations for the gaps it finds.

The Compliance Operator is available for Fedora CoreOS (FCOS) deployments only.

Compliance Operator profiles

There are several profiles available as part of the Compliance Operator installation. You can use the oc get command to view available profiles, profile details, and specific rules.

  • View the available profiles:

    $ oc get -n openshift-compliance profiles.compliance

    Example output

    NAME                 AGE
    ocp4-cis             94m
    ocp4-cis-node        94m
    ocp4-e8              94m
    ocp4-high            94m
    ocp4-high-node       94m
    ocp4-moderate        94m
    ocp4-moderate-node   94m
    ocp4-nerc-cip        94m
    ocp4-nerc-cip-node   94m
    ocp4-pci-dss         94m
    ocp4-pci-dss-node    94m
    rhcos4-e8            94m
    rhcos4-high          94m
    rhcos4-moderate      94m
    rhcos4-nerc-cip      94m

    These profiles represent different compliance benchmarks. Each profile name is prefixed with the product it applies to: ocp4-e8 applies the Essential 8 benchmark to the OKD product, while rhcos4-e8 applies the Essential 8 benchmark to the Fedora CoreOS (FCOS) product. A -node suffix on an ocp4 profile marks the node-level half of a benchmark that has both Platform and Node checks; the compliance.openshift.io/product-type annotation on each Profile object records which of the two types it is.

  • Run the following command to view the details of the rhcos4-e8 profile:

    $ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    description: 'This profile contains configuration checks for Red Hat Enterprise Linux
      CoreOS that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
      A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
      website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers'
    id: xccdf_org.ssgproject.content_profile_e8
    kind: Profile
    metadata:
      annotations:
        compliance.openshift.io/image-digest: pb-rhcos4hrdkm
        compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
        compliance.openshift.io/product-type: Node
      creationTimestamp: "2022-10-19T12:06:49Z"
      generation: 1
      labels:
        compliance.openshift.io/profile-bundle: rhcos4
      name: rhcos4-e8
      namespace: openshift-compliance
      ownerReferences:
      - apiVersion: compliance.openshift.io/v1alpha1
        blockOwnerDeletion: true
        controller: true
        kind: ProfileBundle
        name: rhcos4
        uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
      resourceVersion: "43699"
      uid: 86353f70-28f7-40b4-bf0e-6289ec33675b
    rules:
    - rhcos4-accounts-no-uid-except-zero
    - rhcos4-audit-rules-dac-modification-chmod
    - rhcos4-audit-rules-dac-modification-chown
    - rhcos4-audit-rules-execution-chcon
    - rhcos4-audit-rules-execution-restorecon
    - rhcos4-audit-rules-execution-semanage
    - rhcos4-audit-rules-execution-setfiles
    - rhcos4-audit-rules-execution-setsebool
    - rhcos4-audit-rules-execution-seunshare
    - rhcos4-audit-rules-kernel-module-loading-delete
    - rhcos4-audit-rules-kernel-module-loading-finit
    - rhcos4-audit-rules-kernel-module-loading-init
    - rhcos4-audit-rules-login-events
    - rhcos4-audit-rules-login-events-faillock
    - rhcos4-audit-rules-login-events-lastlog
    - rhcos4-audit-rules-login-events-tallylog
    - rhcos4-audit-rules-networkconfig-modification
    - rhcos4-audit-rules-sysadmin-actions
    - rhcos4-audit-rules-time-adjtimex
    - rhcos4-audit-rules-time-clock-settime
    - rhcos4-audit-rules-time-settimeofday
    - rhcos4-audit-rules-time-stime
    - rhcos4-audit-rules-time-watch-localtime
    - rhcos4-audit-rules-usergroup-modification
    - rhcos4-auditd-data-retention-flush
    - rhcos4-auditd-freq
    - rhcos4-auditd-local-events
    - rhcos4-auditd-log-format
    - rhcos4-auditd-name-format
    - rhcos4-auditd-write-logs
    - rhcos4-configure-crypto-policy
    - rhcos4-configure-ssh-crypto-policy
    - rhcos4-no-empty-passwords
    - rhcos4-selinux-policytype
    - rhcos4-selinux-state
    - rhcos4-service-auditd-enabled
    - rhcos4-sshd-disable-empty-passwords
    - rhcos4-sshd-disable-gssapi-auth
    - rhcos4-sshd-disable-rhosts
    - rhcos4-sshd-disable-root-login
    - rhcos4-sshd-disable-user-known-hosts
    - rhcos4-sshd-do-not-permit-user-env
    - rhcos4-sshd-enable-strictmodes
    - rhcos4-sshd-print-last-log
    - rhcos4-sshd-set-loglevel-info
    - rhcos4-sysctl-kernel-dmesg-restrict
    - rhcos4-sysctl-kernel-kptr-restrict
    - rhcos4-sysctl-kernel-randomize-va-space
    - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
    - rhcos4-sysctl-kernel-yama-ptrace-scope
    - rhcos4-sysctl-net-core-bpf-jit-harden
    title: Australian Cyber Security Centre (ACSC) Essential Eight

  • Run the following command to view the details of the rhcos4-audit-rules-login-events rule:

    $ oc get -n openshift-compliance -oyaml rules rhcos4-audit-rules-login-events

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    checkType: Node
    description: |-
      The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
      -w /var/log/tallylog -p wa -k logins
      -w /var/run/faillock -p wa -k logins
      -w /var/log/lastlog -p wa -k logins
      If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
      -w /var/log/tallylog -p wa -k logins
      -w /var/run/faillock -p wa -k logins
      -w /var/log/lastlog -p wa -k logins
    id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
    kind: Rule
    metadata:
      annotations:
        compliance.openshift.io/image-digest: pb-rhcos4hrdkm
        compliance.openshift.io/rule: audit-rules-login-events
        control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
        control.compliance.openshift.io/PCI-DSS: Req-10.2.3
        policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
        policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
      creationTimestamp: "2022-10-19T12:07:08Z"
      generation: 1
      labels:
        compliance.openshift.io/profile-bundle: rhcos4
      name: rhcos4-audit-rules-login-events
      namespace: openshift-compliance
      ownerReferences:
      - apiVersion: compliance.openshift.io/v1alpha1
        blockOwnerDeletion: true
        controller: true
        kind: ProfileBundle
        name: rhcos4
        uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
      resourceVersion: "44819"
      uid: 75872f1f-3c93-40ca-a69d-44e5438824a4
    rationale: Manual editing of these files may indicate nefarious activity, such as
      an attacker attempting to remove evidence of an intrusion.
    severity: medium
    title: Record Attempts to Alter Logon and Logout Events
    warning: Manual editing of these files may indicate nefarious activity, such as an
      attacker attempting to remove evidence of an intrusion.
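Each Rule carries one control.compliance.openshift.io/STANDARD annotation per standard, whose value is a ';'-separated list of control IDs, and a checkType of Node or Platform. The script below, an added example that is not part of the Compliance Operator or its documentation, turns a list of Rule objects into a control-to-rule index so you can answer "which installed rules cover PCI-DSS Req-10.2.3, and on which side of the cluster". It reads the structure that oc get rules -n openshift-compliance -o json returns under .items; the sample input is constructed inline, with the first entry copied from the rhcos4-audit-rules-login-events output above and the other two hypothetical Rules invented only so the index has something to group.

```python
"""Index Compliance Operator Rule objects by the controls they are annotated with.

Added example, not Compliance Operator code. Input: the .items list from
`oc get rules -n openshift-compliance -o json` (or the constructed sample below).
"""
import json
import sys
from collections import defaultdict

CONTROL_PREFIX = "control.compliance.openshift.io/"

# Constructed sample. The first Rule reproduces the annotations of
# rhcos4-audit-rules-login-events shown in the docs; the other two are
# hypothetical and exist only to exercise grouping and the checkType filter.
SAMPLE_RULES = [
    {
        "kind": "Rule",
        "checkType": "Node",
        "severity": "medium",
        "metadata": {
            "name": "rhcos4-audit-rules-login-events",
            "annotations": {
                "compliance.openshift.io/rule": "audit-rules-login-events",
                "control.compliance.openshift.io/NIST-800-53": "AU-2(d);AU-12(c);AC-6(9);CM-6(a)",
                "control.compliance.openshift.io/PCI-DSS": "Req-10.2.3",
            },
        },
    },
    {   # hypothetical Node rule sharing two controls with the one above
        "kind": "Rule",
        "checkType": "Node",
        "severity": "medium",
        "metadata": {
            "name": "rhcos4-example-node-rule",
            "annotations": {
                "control.compliance.openshift.io/NIST-800-53": "AU-12(c)",
                "control.compliance.openshift.io/PCI-DSS": "Req-10.2.3",
            },
        },
    },
    {   # hypothetical Platform rule with no PCI-DSS mapping
        "kind": "Rule",
        "checkType": "Platform",
        "severity": "high",
        "metadata": {
            "name": "ocp4-example-platform-rule",
            "annotations": {
                "control.compliance.openshift.io/NIST-800-53": "AC-6(9);CM-6(a)",
            },
        },
    },
]


def rule_controls(rule):
    """Return {standard: [control, ...]} parsed from one Rule's annotations."""
    out = {}
    for key, value in rule.get("metadata", {}).get("annotations", {}).items():
        if not key.startswith(CONTROL_PREFIX):
            continue
        standard = key[len(CONTROL_PREFIX):]
        # Values are ';'-separated; tolerate stray whitespace and empty entries.
        out[standard] = [c.strip() for c in value.split(";") if c.strip()]
    return out


def build_control_index(rules):
    """Return {standard: {control: sorted [rule names]}} over a list of Rules."""
    index = defaultdict(lambda: defaultdict(set))
    for rule in rules:
        name = rule["metadata"]["name"]
        for standard, controls in rule_controls(rule).items():
            for control in controls:
                index[standard][control].add(name)
    return {s: {c: sorted(n) for c, n in cs.items()} for s, cs in index.items()}


def rules_for_control(rules, standard, control, check_type=None):
    """Rule names mapped to one control, optionally limited to Node or Platform checks."""
    names = build_control_index(rules).get(standard, {}).get(control, [])
    if check_type is None:
        return names
    by_name = {r["metadata"]["name"]: r for r in rules}
    return [n for n in names if by_name[n].get("checkType") == check_type]


if __name__ == "__main__":
    # Real data: oc get rules -n openshift-compliance -o json | python3 control_index.py
    rules = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_RULES
    for standard, controls in sorted(build_control_index(rules).items()):
        for control, names in sorted(controls.items()):
            print(f"{standard} {control}: {', '.join(names)}")
```

The index is keyed on the control.compliance.openshift.io/ annotations rather than the comma-separated policies.open-cluster-management.io/controls one, because only the former keeps the standard each control ID belongs to.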

Compliance Operator profile types

There are two types of compliance profiles available: Platform and Node.

Platform

Platform scans target your OKD cluster.

Node

Node scans target the nodes of the cluster.

For benchmarks that ship both a Platform and a Node profile, such as ocp4-pci-dss (Platform) and ocp4-pci-dss-node (Node), you must run both in your OKD environment; running only one of them leaves part of the benchmark unassessed.
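The script below, an added example that is not part of the Compliance Operator or its documentation, makes the "run both" rule mechanical: it groups the installed Profiles by benchmark, reads each profile's type from its compliance.openshift.io/product-type annotation rather than guessing from the name, and emits a ScanSettingBinding that references every Platform and Node profile of the chosen benchmark. It refuses to build a binding for a benchmark that is missing either half. It assumes the operator's built-in ScanSetting named default exists, reads the .items structure returned by oc get profiles.compliance -n openshift-compliance -o json, and uses a constructed inline sample of the profile names listed earlier on this page; the binding name it chooses is hypothetical.

```python
"""Bind every Platform and Node profile of one benchmark into a ScanSettingBinding.

Added example, not Compliance Operator code. Input: the .items list from
`oc get profiles.compliance -n openshift-compliance -o json` (or the sample below).
"""
import json
import sys

PRODUCT_TYPE = "compliance.openshift.io/product-type"
API_GROUP = "compliance.openshift.io/v1alpha1"
NAMESPACE = "openshift-compliance"


def _profile(name, product_type):
    """Build the subset of a Profile object this script reads (constructed sample helper)."""
    return {"kind": "Profile",
            "metadata": {"name": name, "namespace": NAMESPACE,
                         "annotations": {PRODUCT_TYPE: product_type}}}


# Constructed sample: names from the profile listing on this page, typed the way
# the operator types them (ocp4-* Platform; ocp4-*-node and rhcos4-* Node).
SAMPLE_PROFILES = [
    _profile("ocp4-cis", "Platform"), _profile("ocp4-cis-node", "Node"),
    _profile("ocp4-e8", "Platform"), _profile("rhcos4-e8", "Node"),
    _profile("ocp4-pci-dss", "Platform"), _profile("ocp4-pci-dss-node", "Node"),
    _profile("ocp4-moderate", "Platform"), _profile("ocp4-moderate-node", "Node"),
    _profile("rhcos4-moderate", "Node"),
]


def benchmark_of(name):
    """Strip the product prefix and a trailing -node: ocp4-pci-dss-node -> pci-dss."""
    _, _, rest = name.partition("-")
    return rest[:-len("-node")] if rest.endswith("-node") else rest


def group_by_benchmark(profiles):
    """Return {benchmark: {"Platform": [names], "Node": [names]}}, typed by annotation."""
    groups = {}
    for p in profiles:
        name = p["metadata"]["name"]
        ptype = p["metadata"].get("annotations", {}).get(PRODUCT_TYPE)
        if ptype not in ("Platform", "Node"):
            raise ValueError(f"{name}: unknown product-type {ptype!r}")
        entry = groups.setdefault(benchmark_of(name), {"Platform": [], "Node": []})
        entry[ptype].append(name)
    for entry in groups.values():
        entry["Platform"].sort()
        entry["Node"].sort()
    return groups


def scan_setting_binding(profiles, benchmark, binding_name=None, scan_setting="default"):
    """Build a ScanSettingBinding covering all Platform and Node profiles of a benchmark.

    Raises ValueError when one half is missing, so a partial scan cannot be
    mistaken for a full assessment of the benchmark.
    """
    groups = group_by_benchmark(profiles)
    if benchmark not in groups:
        raise KeyError(f"no profiles installed for benchmark {benchmark!r}")
    entry = groups[benchmark]
    missing = [t for t in ("Platform", "Node") if not entry[t]]
    if missing:
        raise ValueError(f"{benchmark}: no {' or '.join(missing)} profile installed")
    return {
        "apiVersion": API_GROUP,
        "kind": "ScanSettingBinding",
        "metadata": {"name": binding_name or benchmark, "namespace": NAMESPACE},
        "profiles": [{"name": n, "kind": "Profile", "apiGroup": API_GROUP}
                     for n in entry["Platform"] + entry["Node"]],
        "settingsRef": {"name": scan_setting, "kind": "ScanSetting", "apiGroup": API_GROUP},
    }


if __name__ == "__main__":
    # oc get profiles.compliance -n openshift-compliance -o json \
    #   | python3 bind_benchmark.py pci-dss | oc apply -f -
    profiles = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_PROFILES
    benchmark = sys.argv[1] if len(sys.argv) > 1 else "pci-dss"
    print(json.dumps(scan_setting_binding(profiles, benchmark), indent=2))
```

The output is JSON rather than YAML only to avoid a PyYAML dependency; oc apply accepts either. For the moderate benchmark the binding picks up three profiles (ocp4-moderate, ocp4-moderate-node and rhcos4-moderate), which is why the grouping is driven by the product-type annotation and not by a one-to-one name pairing.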
