A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website: OCP4-E8– This profile contains configuration checks for Red Hat OpenShift Container Platform that align to the Australian Cyber Security Centre (ACSC) Essential Eight. This profile is applicable to OpenShift versions 4.6 and greater. Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. OCP4-CIS-NODE– This profile defines a baseline that aligns to the Center for Internet Security Red Hat OpenShift Container Platform 4 Benchmark™, V0.3, currently unreleased. Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift Container Platform 4 runs on top of.This profile is applicable to OpenShift versions 4.6 and greater. This profile includes Center for Internet Security Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. OCP4-CIS– This profile defines a baseline that aligns to the Center for Internet Security Red Hat OpenShift Container Platform 4 Benchmark™, V0.3, currently unreleased. Here is some information about the profiles (pliance CRD) that are available out-of-the-box: To describe each of these policies, run the following command: oc describe pliance -n openshift-compliance To list the various profiles that are available, run the following command: oc get -n openshift-compliance pliance Variable– Variable describes a tunable in the XCCDF profile. TailoredProfile– TailoredProfile is the Schema for the tailoredprofiles API. ScanSetting– ScanSetting is the Schema for the scansettings API. ScanSetBinding– ScanSettingBinding is the Schema for the scansettingbindings API. Rule– Rule is the Schema for the rules API. Profile– Profile is the Schema for the profiles API. ProfileBundle– ProfileBundle is the Schema for the profilebundles API. These should help deployers achieve a certain compliance target. These could be nodes that apply to a certain nodeSelector, or the cluster itself.ĬomplianceSuite– ComplianceSuite represents a set of scans that will be applied to the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.Ĭustom-Resource-Definitions for Compliance OperatorĪ brief overview of the various custom-resource-defintons will follow.ĬomplianceCheckResult- ComplianceCheckResult represent a result of a single compliance “test”ĬomplianceRemediation – ComplianceRemediation represents a remediation that can be applied to the cluster to fix the found issues.ĬomplianceScan– ComplianceScan represents a scan with a certain configuration that will be applied to objects of a certain entity in the host. The Compliance Operator assesses compliance of both the Kubernetes API resources of OpenShift Container Platform, as well as the nodes running the cluster. The Compliance Operator lets OpenShift Container Platform administrators describe the desired compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. Explain the profiles that are available out-of-the-box.Explain the various custom-resource-defininions/APIs that are available after installing the Compliance Operator.Show how the Compliance Operator is installed via the OCP web console.In this post and accompanying videos, I will: By installing this operator, you will be able to scan your Openshift cluster and the underlying operating system (CoreOS) which is read-only (hardened) version of RHEL (Red Hat Enterprise Linux) for any compliance violations and in most-cases, the violation can be mitigated by applying a MachineConfig configuration to the operating system. For more information about OpenScap, please visit. The Openshift Compliance Operator is based on the OpenScap project which should be familiar to anyone who is in charge of IT security. Many enterprises are required by law and/or corporate policies to follow the Center for Internet Security (CIS) framework and other best-practices for the secure configuration of target systems. This post will be based on the documentation available at.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |