CO 1.6.0 release notes

_topic_maps/_topic_map.yml

@@ -1055,6 +1055,8 @@ Topics:
     File: co-overview
   - Name: Compliance Operator release notes
     File: compliance-operator-release-notes
+  - Name: Compliance Operator support
+    File: co-support
   - Name: Compliance Operator concepts
     Dir: co-concepts
     Topics:
@@ -1088,7 +1090,7 @@ Topics:
       File: compliance-operator-remediation
     - Name: Performing advanced Compliance Operator tasks
       File: compliance-operator-advanced
-    - Name: Troubleshooting the Compliance Operator
+    - Name: Troubleshooting Compliance Operator scans
       File: compliance-operator-troubleshooting
     - Name: Using the oc-compliance plugin
       File: oc-compliance-plug-in-using

modules/co-scansetting-resources.adoc

@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="co-scansetting-resources_{context}"]
+= Configuring ScanSetting resources
+
+When using the Compliance Operator in a cluster that contains more than 500 MachineConfigs, the `ocp4-pci-dss-api-checks-pod` pod may pause in the `init` phase when performing a `Platform` scan.
+
+[NOTE]
+====
+Resource constraints applied in this process overwrites the existing resource constraints.
+====
+
+.Procedure
+
+. Confirm the `ocp4-pci-dss-api-checks-pod` pod is stuck in the `Init:OOMKilled` status: 
++
+[source,terminal]
+----
+$ oc get pod ocp4-pci-dss-api-checks-pod -w
+----
++
+.Example output
+[source,terminal]
+----
+NAME                          READY   STATUS     RESTARTS        AGE
+ocp4-pci-dss-api-checks-pod   0/2     Init:1/2   8 (5m56s ago)   25m
+ocp4-pci-dss-api-checks-pod   0/2     Init:OOMKilled   8 (6m19s ago)   26m
+----
+
+. Edit the  `scanLimits` attribute in the `ScanSetting` CR to increase the available memory for the `ocp4-pci-dss-api-checks-pod` pod:
++
+[source,yaml]
+----
+timeout: 30m
+strictNodeScan: true
+metadata:
+  name: default
+  namespace: openshift-compliance
+kind: ScanSetting
+showNotApplicable: false
+rawResultStorage:
+  nodeSelector:
+    node-role.kubernetes.io/master: ''
+  pvAccessModes:
+    - ReadWriteOnce
+  rotation: 3
+  size: 1Gi
+  tolerations:
+    - effect: NoSchedule
+      key: node-role.kubernetes.io/master
+      operator: Exists
+    - effect: NoExecute
+      key: node.kubernetes.io/not-ready
+      operator: Exists
+      tolerationSeconds: 300
+    - effect: NoExecute
+      key: node.kubernetes.io/unreachable
+      operator: Exists
+      tolerationSeconds: 300
+    - effect: NoSchedule
+      key: node.kubernetes.io/memory-pressure
+      operator: Exists
+schedule: 0 1 * * *
+roles:
+  - master
+  - worker
+apiVersion: compliance.openshift.io/v1alpha1
+maxRetryOnTimeout: 3
+scanTolerations:
+  - operator: Exists
+scanLimits:
+  memory: 1024Mi <1>
+----
+<1> The default setting is `500Mi`.
+
+. Apply the `ScanSetting` CR to your cluster: 
++
+[source,terminal]
+----
+$ oc apply -f scansetting.yaml
+----

modules/compliance-must-gather.adoc

@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/co-support.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="compliance-must-gather_{context}"]
+= Using the must-gather tool for the Compliance Operator
+
+Starting in Compliance Operator v1.6.0, you can collect data about the Compliance Operator resources by running the `must-gather` command with the Compliance Operator image.
+
+[NOTE]
+====
+Consider using the `must-gather` tool when opening support cases or filing bug reports, as it provides additional details about the Operator configuration and logs.
+====
+
+.Procedure
+
+* Run the following command to collect data about the Compliance Operator: 
++
+[source,terminal]
+----
+$ oc adm must-gather --image=$(oc get csv compliance-operator.v1.6.0 -o=jsonpath='{.spec.relatedImages[?(@.name=="must-gather")].image}')
+----

modules/compliance-operator-cli-installation.adoc

@@ -9,6 +9,7 @@
 .Prerequisites
 
 * You must have `admin` privileges.
+* You must have a `StorageClass` resource configured.
 
 .Procedure
 

modules/compliance-operator-console-installation.adoc

@@ -9,6 +9,7 @@
 .Prerequisites
 
 * You must have `admin` privileges.
+* You must have a `StorageClass` resource configured.
 
 .Procedure
 

modules/compliance-operator-rosa-installation.adoc

@@ -13,6 +13,7 @@ As of the Compliance Operator 1.5.0 release, the Operator is tested against {pro
 .Prerequisites
 
 * You must have `admin` privileges.
+* You must have a `StorageClass` resource configured.
 
 .Procedure
 

modules/compliance-profiles.adoc

@@ -12,28 +12,51 @@ There are several profiles available as part of the Compliance Operator installa
 +
 [source,terminal]
 ----
-$ oc get -n openshift-compliance profiles.compliance
+$ oc get profile.compliance -n openshift-compliance
 ----
 +
 .Example output
 [source,terminal]
 ----
-NAME                 AGE
-ocp4-cis             94m
-ocp4-cis-node        94m
-ocp4-e8              94m
-ocp4-high            94m
-ocp4-high-node       94m
-ocp4-moderate        94m
-ocp4-moderate-node   94m
-ocp4-nerc-cip        94m
-ocp4-nerc-cip-node   94m
-ocp4-pci-dss         94m
-ocp4-pci-dss-node    94m
-rhcos4-e8            94m
-rhcos4-high          94m
-rhcos4-moderate      94m
-rhcos4-nerc-cip      94m
+NAME                       AGE     VERSION
+ocp4-cis                   3h49m   1.5.0
+ocp4-cis-1-4               3h49m   1.4.0
+ocp4-cis-1-5               3h49m   1.5.0
+ocp4-cis-node              3h49m   1.5.0
+ocp4-cis-node-1-4          3h49m   1.4.0
+ocp4-cis-node-1-5          3h49m   1.5.0
+ocp4-e8                    3h49m   
+ocp4-high                  3h49m   Revision 4
+ocp4-high-node             3h49m   Revision 4
+ocp4-high-node-rev-4       3h49m   Revision 4
+ocp4-high-rev-4            3h49m   Revision 4
+ocp4-moderate              3h49m   Revision 4
+ocp4-moderate-node         3h49m   Revision 4
+ocp4-moderate-node-rev-4   3h49m   Revision 4
+ocp4-moderate-rev-4        3h49m   Revision 4
+ocp4-nerc-cip              3h49m   
+ocp4-nerc-cip-node         3h49m   
+ocp4-pci-dss               3h49m   3.2.1
+ocp4-pci-dss-3-2           3h49m   3.2.1
+ocp4-pci-dss-4-0           3h49m   4.0.0
+ocp4-pci-dss-node          3h49m   3.2.1
+ocp4-pci-dss-node-3-2      3h49m   3.2.1
+ocp4-pci-dss-node-4-0      3h49m   4.0.0
+ocp4-stig                  3h49m   V2R1
+ocp4-stig-node             3h49m   V2R1
+ocp4-stig-node-v1r1        3h49m   V1R1
+ocp4-stig-node-v2r1        3h49m   V2R1
+ocp4-stig-v1r1             3h49m   V1R1
+ocp4-stig-v2r1             3h49m   V2R1
+rhcos4-e8                  3h49m   
+rhcos4-high                3h49m   Revision 4
+rhcos4-high-rev-4          3h49m   Revision 4
+rhcos4-moderate            3h49m   Revision 4
+rhcos4-moderate-rev-4      3h49m   Revision 4
+rhcos4-nerc-cip            3h49m   
+rhcos4-stig                3h49m   V2R1
+rhcos4-stig-v1r1           3h49m   V1R1
+rhcos4-stig-v2r1           3h49m   V2R1
 ----
 +
 These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. `ocp4-e8` applies the Essential 8 benchmark to the {product-title} product, while `rhcos4-e8` applies the Essential 8 benchmark to the {op-system-first} product.

modules/compliance-supported-profiles.adoc

@@ -1,204 +1,435 @@
 // Module included in the following assemblies:
 //
-// * security/compliance_operator/
+// * security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
 
-:_mod-docs-content-type: CONCEPT
+:_mod-docs-content-type: REFERENCE
 [id="compliance-supported-profiles_{context}"]
 = Compliance profiles
 
-The Compliance Operator provides the following compliance profiles:
+The Compliance Operator provides profiles to meet industry standard benchmarks.
 
-.Supported compliance profiles
-[cols="10%,40%,10%,10%,40%,10%,40%", options="header"]
+[NOTE]
+====
+The following tables reflect the latest available profiles in the Compliance Operator.
+====
+
+[id="cis-profiles_{context}"]
+== CIS compliance profiles
+
+.Supported CIS compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
 
 |===
 |Profile
 |Profile title
 |Application
-|Compliance Operator version
 |Industry compliance benchmark
 |Supported architectures
 |Supported platforms
 
-|rhcos4-stig
-|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
-|Node
-|1.3.0+
-|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^
-|`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
-
-|ocp4-stig-node
-|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
-|Node
-|1.3.0+
-|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^
-|`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
-
-|ocp4-stig
-|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
+|ocp4-cis ^[1]^
+|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0
 |Platform
-|1.3.0+
-|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^
-|`x86_64`
-|
-
-|ocp4-cis-1-4
-|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0
-|Platform
-|1.2.0+
 |link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^
 |`x86_64`
  `ppc64le`
  `s390x`
 |
 
-|ocp4-cis-node-1-4
-|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0
+|ocp4-cis-1-4 ^[3]^
+|CIS Red Hat OpenShift Container Platform Benchmark v1.4.0
+|Platform
+|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^
+|`x86_64`
+ `ppc64le`
+ `s390x`
+|
+
+|ocp4-cis-1-5
+|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0
+|Platform
+|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^
+|`x86_64`
+ `ppc64le`
+ `s390x`
+|
+
+|ocp4-cis-node ^[1]^
+|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0
 |Node ^[2]^
-|1.2.0+
-|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^
+|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^
 |`x86_64`
  `ppc64le`
  `s390x`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|{product-rosa} with {hcp} (ROSA HCP)
 
-|ocp4-cis
-|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.5.0
-|Platform
-|1.4.1+
-|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^
-|`x86_64`
- `ppc64le`
- `s390x`
-|
-
-|ocp4-cis-node
-|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.5.0
+|ocp4-cis-node-1-4 ^[3]^
+|CIS Red Hat OpenShift Container Platform Benchmark v1.4.0
 |Node ^[2]^
-|1.4.1+
-|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^
+|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^
 |`x86_64`
  `ppc64le`
  `s390x`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-cis-node-1-5
+|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0
+|Node ^[2]^
+|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^
+|`x86_64`
+ `ppc64le`
+ `s390x`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|===
+[.small]
+1. The  `ocp4-cis` and `ocp4-cis-node` profiles maintain the most up-to-date version of the CIS benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as CIS v1.4.0, use the `ocp4-cis-1-4` and `ocp4-cis-node-1-4` profiles.
+2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_.
+3. CIS v1.4.0 is superceded by CIS v1.5.0. It is recommended to apply the latest profile to your environment.
+4. To locate the CIS {product-title} v4 Benchmark, go to  link:https://www.cisecurity.org/benchmark/kubernetes[CIS Benchmarks] and click *Download Latest CIS Benchmark*, where you can then register to download the benchmark.
+
+[id="e8-profiles_{context}"]
+== Essential Eight compliance profiles
+
+.Supported Essential Eight compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
+
+|===
+|Profile
+|Profile title
+|Application
+|Industry compliance benchmark
+|Supported architectures
+|Supported platforms
 
 |ocp4-e8
 |Australian Cyber Security Centre (ACSC) Essential Eight
 |Platform
-|0.1.39+
 |link:https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers[ACSC Hardening Linux Workstations and Servers]
 |`x86_64`
 |
 
-|ocp4-moderate
-|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
-|Platform
-|0.1.39+
-|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
-|`x86_64`
- `ppc64le`
- `s390x`
-|
-
 |rhcos4-e8
 |Australian Cyber Security Centre (ACSC) Essential Eight
 |Node
-|0.1.39+
 |link:https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers[ACSC Hardening Linux Workstations and Servers]
 |`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|{product-rosa} with {hcp} (ROSA HCP)
 
-|rhcos4-moderate
-|NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
-|Node
-|0.1.39+
-|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
+|===
+
+[id="fedramp-high-profiles_{context}"]
+== FedRAMP High compliance profiles
+
+.Supported FedRAMP High compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
+
+|===
+|Profile
+|Profile title
+|Application
+|Industry compliance benchmark
+|Supported architectures
+|Supported platforms
+
+|ocp4-high ^[1]^
+|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
+|Platform
+|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
 |`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|
 
-|ocp4-moderate-node
-|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
+|ocp4-high-node ^[1]^
+|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
 |Node ^[2]^
-|0.1.44+
+|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-high-node-rev-4
+|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
+|Node ^[2]^
+|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-high-rev-4
+|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
+|Platform
+|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
+|`x86_64`
+|
+
+|rhcos4-high ^[1]^
+|NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
+|Node
+|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|rhcos4-high-rev-4
+|NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
+|Node
+|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|===
+[.small]
+1. The  `ocp4-high`, `ocp4-high-node` and `rhcos4-high` profiles maintain the most up-to-date version of the FedRAMP High standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as FedRAMP high R4, use the `ocp4-high-rev-4` and `ocp4-high-node-rev-4` profiles.
+2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_.
+
+[id="fedramp-moderate-profiles_{context}"]
+== FedRAMP Moderate compliance profiles
+
+.Supported FedRAMP Moderate compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
+
+|===
+|Profile
+|Profile title
+|Application
+|Industry compliance benchmark
+|Supported architectures
+|Supported platforms
+
+|ocp4-moderate ^[1]^
+|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
+|Platform
 |link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
 |`x86_64`
  `ppc64le`
  `s390x`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|
+
+|ocp4-moderate-node ^[1]^
+|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
+|Node ^[2]^
+|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
+|`x86_64`
+ `ppc64le`
+ `s390x`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-moderate-node-rev-4
+|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
+|Node ^[2]^
+|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
+|`x86_64`
+ `ppc64le`
+ `s390x`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-moderate-rev-4
+|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
+|Platform
+|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
+|`x86_64`
+ `ppc64le`
+ `s390x`
+|
+
+|rhcos4-moderate ^[1]^
+|NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
+|Node
+|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|rhcos4-moderate-rev-4
+|NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
+|Node
+|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|===
+[.small]
+1. The  `ocp4-moderate`, `ocp4-moderate-node` and `rhcos4-moderate` profiles maintain the most up-to-date version of the FedRAMP Moderate standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as FedRAMP Moderate R4, use the `ocp4-moderate-rev-4` and `ocp4-moderate-node-rev-4` profiles.
+2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_.
+
+[id="nerc-cip-profiles_{context}"]
+== NERC-CIP compliance profiles
+
+.Supported NERC-CIP compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
+
+|===
+|Profile
+|Profile title
+|Application
+|Industry compliance benchmark
+|Supported architectures
+|Supported platforms
 
 |ocp4-nerc-cip
-|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level
+|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the {product-title} - Platform level
 |Platform
-|0.1.44+
 |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards]
 |`x86_64`
 |
 
 |ocp4-nerc-cip-node
-|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level
-|Node ^[2]^
-|0.1.44+
+|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the {product-title} - Node level
+|Node ^[1]^
 |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards]
 |`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|{product-rosa} with {hcp} (ROSA HCP)
 
 |rhcos4-nerc-cip
 |North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS
 |Node
-|0.1.44+
 |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards]
 |`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
+|{product-rosa} with {hcp} (ROSA HCP)
 
-|ocp4-pci-dss
-|PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
-|Platform
-|0.1.47+
-|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
-|`x86_64`
- `ppc64le`
- `s390x`
-|
-
-|ocp4-pci-dss-node
-|PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
-|Node ^[2]^
-|0.1.47+
-|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
-|`x86_64`
- `ppc64le`
- `s390x`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
-
-|ocp4-high
-|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
-|Platform
-|0.1.52+
-|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
-|`x86_64`
-|
-
-|ocp4-high-node
-|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
-|Node ^[2]^
-|0.1.52+
-|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
-|`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
-
-|rhcos4-high
-|NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
-|Node
-|0.1.52+
-|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
-|`x86_64`
-|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 |===
 [.small]
-1. To locate the CIS {product-title} v4 Benchmark, go to  link:https://www.cisecurity.org/benchmark/kubernetes[CIS Benchmarks] and click *Download Latest CIS Benchmark*, where you can then register to download the benchmark.
+1. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_.
+
+[id="pci-dss-profiles_{context}"]
+== PCI-DSS compliance profiles
+
+.Supported PCI-DSS compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
+
+|===
+|Profile
+|Profile title
+|Application
+|Industry compliance benchmark
+|Supported architectures
+|Supported platforms
+
+|ocp4-pci-dss ^[1]^
+|PCI-DSS v4 Control Baseline for {product-title} 4
+|Platform
+|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
+|`x86_64`
+|
+
+|ocp4-pci-dss-3-2 ^[3]^
+|PCI-DSS v3.2.1 Control Baseline for {product-title} 4
+|Platform
+|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
+|`x86_64`
+|
+
+|ocp4-pci-dss-4-0
+|PCI-DSS v4 Control Baseline for {product-title} 4
+|Platform
+|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
+|`x86_64`
+|
+
+|ocp4-pci-dss-node ^[1]^
+|PCI-DSS v4 Control Baseline for {product-title} 4
+|Node ^[2]^
+|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] 
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-pci-dss-node-3-2 ^[3]^
+|PCI-DSS v3.2.1 Control Baseline for {product-title} 4
+|Node ^[2]^
+|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-pci-dss-node-4-0
+|PCI-DSS v4 Control Baseline for {product-title} 4
+|Node ^[2]^
+|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+|===
+[.small]
+1. The  `ocp4-pci-dss` and `ocp4-pci-dss-node` profiles maintain the most up-to-date version of the PCI-DSS standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as PCI-DSS v3.2.1, use the `ocp4-pci-dss-3-2` and `ocp4-pci-dss-node-3-2` profiles.
 2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_.
+3. PCI-DSS v3.2.1 is superceded by PCI-DSS v4. It is recommended to apply the latest profile to your environment.
+
+[id="stig-profiles_{context}"]
+== STIG compliance profiles
+
+.Supported STIG compliance profiles
+[cols="2,2,1,2,1,2", options="header"]
+
+|===
+|Profile
+|Profile title
+|Application
+|Industry compliance benchmark
+|Supported architectures
+|Supported platforms
+
+|ocp4-stig ^[1]^
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
+|Platform
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|
+
+|ocp4-stig-node ^[1]^
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
+|Node ^[2]^
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-stig-node-v1r1 ^[3]^
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1
+|Node ^[2]^
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-stig-node-v2r1
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1
+|Node ^[2]^
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|ocp4-stig-v1r1 ^[3]^
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1
+|Platform
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|
+
+|ocp4-stig-v2r1
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1
+|Platform
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|
+
+|rhcos4-stig
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
+|Node
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|rhcos4-stig-v1r1 ^[3]^
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1
+|Node
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[3]^
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|rhcos4-stig-v2r1
+|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1
+|Node
+|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG]
+|`x86_64`
+|{product-rosa} with {hcp} (ROSA HCP)
+
+|===
+[.small]
+1. The  `ocp4-stig`, `ocp4-stig-node` and `rhcos4-stig` profiles maintain the most up-to-date version of the DISA-STIG benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as DISA-STIG V2R1, use the `ocp4-stig-v2r1` and `ocp4-stig-node-v2r1` profiles.
+2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_.
+3. DISA-STIG V1R1 is superceded by DISA-STIG V2R1. It is recommended to apply the latest profile to your environment.
 
 [id="compliance-extended-profiles_{context}"]
 == About extended compliance profiles

modules/gathering-data-specific-features.adoc

@@ -74,6 +74,9 @@ endif::openshift-rosa,openshift-dedicated[]
 ifndef::openshift-rosa,openshift-dedicated[]
 |`registry.redhat.io/lvms4/lvms-must-gather-rhel9:v<installed_version_LVMS>`
 |Data collection for the LVM Operator.
+
+|`ghcr.io/complianceascode/must-gather-ocp`
+|Data collection for the Compliance Operator.
 endif::openshift-rosa,openshift-dedicated[]
 
 |===

modules/oc-compliance-using-scan-setting-bindings.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * security/oc_compliance_plug_in/co-scans/oc-compliance-plug-in-using.adoc
+// * security/compliance_operator/co-scans/oc-compliance-plug-in-using.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="using-scan-setting-bindings_{context}"]
@@ -34,17 +34,46 @@ $ oc get profile.compliance -n openshift-compliance
 .Example output
 [source,terminal]
 ----
-NAME              AGE
-ocp4-cis          9m54s
-ocp4-cis-node     9m54s
-ocp4-e8           9m54s
-ocp4-moderate     9m54s
-ocp4-ncp          9m54s
-rhcos4-e8         9m54s
-rhcos4-moderate   9m54s
-rhcos4-ncp        9m54s
-rhcos4-ospp       9m54s
-rhcos4-stig       9m54s
+NAME                       AGE     VERSION
+ocp4-cis                   3h49m   1.5.0
+ocp4-cis-1-4               3h49m   1.4.0
+ocp4-cis-1-5               3h49m   1.5.0
+ocp4-cis-node              3h49m   1.5.0
+ocp4-cis-node-1-4          3h49m   1.4.0
+ocp4-cis-node-1-5          3h49m   1.5.0
+ocp4-e8                    3h49m   
+ocp4-high                  3h49m   Revision 4
+ocp4-high-node             3h49m   Revision 4
+ocp4-high-node-rev-4       3h49m   Revision 4
+ocp4-high-rev-4            3h49m   Revision 4
+ocp4-moderate              3h49m   Revision 4
+ocp4-moderate-node         3h49m   Revision 4
+ocp4-moderate-node-rev-4   3h49m   Revision 4
+ocp4-moderate-rev-4        3h49m   Revision 4
+ocp4-nerc-cip              3h49m   
+ocp4-nerc-cip-node         3h49m   
+ocp4-pci-dss               3h49m   3.2.1
+ocp4-pci-dss-3-2           3h49m   3.2.1
+ocp4-pci-dss-4-0           3h49m   4.0.0
+ocp4-pci-dss-node          3h49m   3.2.1
+ocp4-pci-dss-node-3-2      3h49m   3.2.1
+ocp4-pci-dss-node-4-0      3h49m   4.0.0
+ocp4-stig                  3h49m   V2R1
+ocp4-stig-node             3h49m   V2R1
+ocp4-stig-node-v1r1        3h49m   V1R1
+ocp4-stig-node-v2r1        3h49m   V2R1
+ocp4-stig-v1r1             3h49m   V1R1
+ocp4-stig-v2r1             3h49m   V2R1
+rhcos4-e8                  3h49m   
+rhcos4-high                3h49m   Revision 4
+rhcos4-high-rev-4          3h49m   Revision 4
+rhcos4-moderate            3h49m   Revision 4
+rhcos4-moderate-rev-4      3h49m   Revision 4
+rhcos4-nerc-cip            3h49m   
+rhcos4-stig                3h49m   V2R1
+rhcos4-stig-v1r1           3h49m   V1R1
+rhcos4-stig-v2r1           3h49m   V2R1
+
 ----
 +
 [source,terminal]
@@ -73,4 +102,4 @@ $ oc compliance bind -N my-binding profile/ocp4-cis profile/ocp4-cis-node
 Creating ScanSettingBinding my-binding
 ----
 +
-Once the `ScanSettingBinding` CR is created, the bound profile begins scanning for both profiles with the related settings. Overall, this is the fastest way to begin scanning with the Compliance Operator.
+After the `ScanSettingBinding` CR is created, the bound profile begins scanning for both profiles with the related settings. Overall, this is the fastest way to begin scanning with the Compliance Operator.

modules/operator-resource-constraints.adoc

@@ -21,16 +21,17 @@ Resource Constraints applied in this process overwrites the existing resource co
 ----
 kind: Subscription
 metadata:
-  name: custom-operator
+  name: compliance-operator
+  namespace: openshift-compliance
 spec:
-  package: etcd
-  channel: alpha
+  package: package-name
+  channel: stable
   config:
-    resources:
-      requests:
-        memory: "64Mi"
-        cpu: "250m"
-      limits:
-        memory: "128Mi"
-        cpu: "500m"
+	resources:
+  	requests:
+    	memory: "64Mi"
+    	cpu: "250m"
+  	limits:
+    	memory: "128Mi"
+    	cpu: "500m"
 ----

modules/running-compliance-scans.adoc

@@ -15,7 +15,7 @@ For all-in-one control plane and worker nodes, the compliance scan runs twice on
 
 .Procedure
 
-.  Inspect the `ScanSetting` object by running:
+.  Inspect the `ScanSetting` object by running the following command:
 +
 [source,terminal]
 ----
@@ -25,45 +25,26 @@ $ oc describe scansettings default -n openshift-compliance
 .Example output
 [source,yaml]
 ----
-Name:         default
-Namespace:    openshift-compliance
-Labels:       <none>
-Annotations:  <none>
-API Version:  compliance.openshift.io/v1alpha1
-Kind:         ScanSetting
+Name:                  default
+Namespace:             openshift-compliance
+Labels:                <none>
+Annotations:           <none>
+API Version:           compliance.openshift.io/v1alpha1
+Kind:                  ScanSetting
+Max Retry On Timeout:  3
 Metadata:
-  Creation Timestamp:  2022-10-10T14:07:29Z
-  Generation:          1
-  Managed Fields:
-    API Version:  compliance.openshift.io/v1alpha1
-    Fields Type:  FieldsV1
-    fieldsV1:
-      f:rawResultStorage:
-        .:
-        f:nodeSelector:
-          .:
-          f:node-role.kubernetes.io/master:
-        f:pvAccessModes:
-        f:rotation:
-        f:size:
-        f:tolerations:
-      f:roles:
-      f:scanTolerations:
-      f:schedule:
-      f:showNotApplicable:
-      f:strictNodeScan:
-    Manager:         compliance-operator
-    Operation:       Update
-    Time:            2022-10-10T14:07:29Z
-  Resource Version:  56111
-  UID:               c21d1d14-3472-47d7-a450-b924287aec90
+  Creation Timestamp:  2024-07-16T14:56:42Z
+  Generation:          2
+  Resource Version:    91655682
+  UID:                 50358cf1-57a8-4f69-ac50-5c7a5938e402
 Raw Result Storage:
   Node Selector:
-    node-role.kubernetes.io/master:
+    node-role.kubernetes.io/master:  
   Pv Access Modes:
     ReadWriteOnce <1>
-  Rotation:  3 <2>
-  Size:      1Gi <3>
+  Rotation:            3 <2>
+  Size:                1Gi <3>
+  Storage Class Name:  standard <4>
   Tolerations:
     Effect:              NoSchedule
     Key:                 node-role.kubernetes.io/master
@@ -80,21 +61,26 @@ Raw Result Storage:
     Key:                 node.kubernetes.io/memory-pressure
     Operator:            Exists
 Roles:
-  master <4>
-  worker <4>
-Scan Tolerations: <5>
+  master <5>
+  worker <5>
+Scan Tolerations: <6>
   Operator:           Exists
-Schedule:             0 1 * * * <6>
+Schedule:             0 1 * * * <7>
 Show Not Applicable:  false
 Strict Node Scan:     true
+Suspend:              false
+Timeout:              30m
 Events:               <none>
+
+
 ----
 <1> The Compliance Operator creates a persistent volume (PV) that contains the results of the scans. By default, the PV will use access mode `ReadWriteOnce` because the Compliance Operator cannot make any assumptions about the storage classes configured on the cluster. Additionally, `ReadWriteOnce` access mode is available on most clusters. If you need to fetch the scan results, you can do so by using a helper pod, which also binds the volume. Volumes that use the `ReadWriteOnce` access mode can be mounted by only one pod at time, so it is important to remember to delete the helper pods. Otherwise, the Compliance Operator will not be able to reuse the volume for subsequent scans.
 <2> The Compliance Operator keeps results of three subsequent scans in the volume; older scans are rotated.
 <3> The Compliance Operator will allocate one GB of storage for the scan results.
-<4> If the scan setting uses any profiles that scan cluster nodes, scan these node roles.
-<5> The default scan setting object scans all the nodes.
-<6> The default scan setting object runs scans at 01:00 each day.
+<4> The `scansetting.rawResultStorage.storageClassName` field specifies the `storageClassName` value to use when creating the `PersistentVolumeClaim` object to store the raw results. The default value is null, which will attempt to use the default storage class configured in the cluster. If there is no default class specified, then you must set a default class.
+<5> If the scan setting uses any profiles that scan cluster nodes, scan these node roles.
+<6> The default scan setting object scans all the nodes.
+<7> The default scan setting object runs scans at 01:00 each day.
 +
 As an alternative to the default scan setting, you can use `default-auto-apply`, which has the following settings:
 +

modules/support.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc
+// * security/compliance_operator/co-support.adoc
 // * support/getting-support.adoc
 // * distr_tracing/distributed-tracing-release-notes.adoc
 // * service_mesh/v2x/ossm-support.adoc

security/compliance_operator/co-management/compliance-operator-installation.adoc

@@ -13,6 +13,11 @@ Before you can use the Compliance Operator, you must ensure it is deployed in th
 The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red{nbsp}Hat OpenShift Service on AWS Classic, and Microsoft Azure Red{nbsp}Hat OpenShift. For more information, see the Knowledgebase article link:https://access.redhat.com/solutions/6983418[Compliance Operator reports incorrect results on Managed Services].
 ====
 
+[IMPORTANT]
+====
+Before deploying the Compliance Operator, you are required to define persistent storage in your cluster to store the raw results output. For more information, see xref:../../../storage/understanding-persistent-storage.adoc#persistent-storage-overview_understanding-persistent-storage[Persistant storage overview] and xref:../../../storage/container_storage_interface/persistent-storage-csi-sc-manage.adoc#overview[Managing the default storage class].
+====
+
 include::modules/compliance-operator-console-installation.adoc[leveloffset=+1]
 
 [IMPORTANT]

security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc

@@ -4,6 +4,8 @@
 include::_attributes/common-attributes.adoc[]
 :context: compliance-operator-supported-profiles
 
+toc::[]
+
 There are several profiles available as part of the Compliance Operator (CO)
 installation. While you can use the following profiles to assess gaps in a
 cluster, usage alone does not infer or guarantee compliance with a particular
@@ -27,4 +29,4 @@ include::modules/compliance-supported-profiles.adoc[leveloffset=+1]
 [role="_additional-resources"]
 == Additional resources
 
-* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance_profile_types_understanding-compliance[Compliance Operator profile types]
+* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance_profile_types_understanding-compliance[Compliance Operator profile types]

security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc

@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="compliance-operator-troubleshooting"]
-= Troubleshooting the Compliance Operator
+= Troubleshooting Compliance Operator scans
 include::_attributes/common-attributes.adoc[]
 :context: compliance-troubleshooting
 
@@ -47,6 +47,8 @@ include::modules/compliance-increasing-operator-limits.adoc[leveloffset=+1]
 
 include::modules/operator-resource-constraints.adoc[leveloffset=+1]
 
+include::modules/co-scansetting-resources.adoc[leveloffset=+1]
+
 include::modules/compliance-timeout.adoc[leveloffset=+1]
 
 include::modules/support.adoc[leveloffset=+1]

security/compliance_operator/co-scans/compliance-scans.adoc

@@ -22,6 +22,8 @@ $ oc explain scansettingbindings
 
 include::modules/running-compliance-scans.adoc[leveloffset=+1]
 
+include::modules/compliance-custom-storage.adoc[leveloffset=+1]
+
 include::modules/running-compliance-scans-worker-node.adoc[leveloffset=+1]
 
 include::modules/compliance-scansetting-cr.adoc[leveloffset=+1]

security/compliance_operator/co-support.adoc

@@ -0,0 +1,23 @@
+:_mod-docs-content-type: ASSEMBLY
+//OpenShift Compliance Operator support page
+[id="co-support"]
+= Compliance Operator support
+:context: co-support
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+[id="co-lifecycle_{context}"]
+== Compliance Operator lifecycle
+
+The Compliance Operator is a "Rolling Stream" Operator, meaning updates are available asynchronously of {product-title} releases. For more information, see link:https://access.redhat.com/support/policy/updates/openshift_operators[OpenShift Operator Life Cycles] on the Red Hat Customer Portal.
+
+include::modules/support.adoc[leveloffset=+1]
+
+include::modules/compliance-must-gather.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* xref:../../support/gathering-cluster-data.adoc#about-must-gather_gathering-cluster-data[About the must-gather tool]

security/compliance_operator/compliance-operator-release-notes.adoc

@@ -15,6 +15,43 @@ For an overview of the Compliance Operator, see xref:../../security/compliance_o
 
 To access the latest release, see xref:../../security/compliance_operator/co-management/compliance-operator-updating.adoc#olm-preparing-upgrade_compliance-operator-updating[Updating the Compliance Operator].
 
+[id="compliance-operator-release-notes-1-6-0_{context}"]
+== OpenShift Compliance Operator 1.6.0
+
+The following advisory is available for the OpenShift Compliance Operator 1.6.0:
+
+* link:https://access.redhat.com/errata/RHBA-2024:6761[RHBA-2024:6761 - OpenShift Compliance Operator 1.6.0 bug fix and enhancement update]
+
+[id="compliance-operator-1-6-0-new-features-and-enhancements_{context}"]
+=== New features and enhancements
+
+* The Compliance Operator now contains supported profiles for Payment Card Industry Data Security Standard (PCI-DSS) version 4. For more information, see xref:../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-supported-profiles_compliance-operator-supported-profiles[Supported compliance profiles].
+
+* The Compliance Operator now contains supported profiles for Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) V2R1. For more information, see xref:../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-supported-profiles_compliance-operator-supported-profiles[Supported compliance profiles].
+
+* A `must-gather` extension is now available for the Compliance Operator installed on `x86`, `ppc64le`, and `s390x` architectures. The `must-gather` tool provides crucial configuration details to Red Hat Customer Support and engineering. For more information, see xref:../../security/compliance_operator/co-support.adoc#compliance-must-gather_co-support[Using the must-gather tool for the Compliance Operator].
+
+[id="compliance-operator-1-6-0-bug-fixes_{context}"]
+=== Bug fixes
+
+* Before this release, a misleading description in the `ocp4-route-ip-whitelist` rule resulted in misunderstanding, causing potential for misconfigurations. With this update, the rule is now more clearly defined. (link:https://issues.redhat.com/browse/CMP-2485[*CMP-2485*])
+
+* Previously, the reporting of all of the `ComplianceCheckResults` for a `DONE` status `ComplianceScan` was incomplete. With this update, annotation has been added to report the number of total  `ComplianceCheckResults` for a `ComplianceScan` with a `DONE` status. (link:https://issues.redhat.com/browse/CMP-2615[*CMP-2615*])
+
+* Previously, the `ocp4-cis-scc-limit-container-allowed-capabilities` rule description contained ambiguous guidelines, leading to confusion among users. With this update, the rule description and actionable steps are clarified. (link:https://issues.redhat.com/browse/OCPBUGS-17828[*OCPBUGS-17828*])
+
+* Before this update, sysctl configurations caused certain auto remediations for RHCOS4 rules to fail scans in affected clusters. With this update, the correct sysctl settings are applied and RHCOS4 rules for FedRAMP High profiles pass scans correctly. (link:https://issues.redhat.com/browse/OCPBUGS-19690[*OCPBUGS-19690*])
+
+* Before this update, an issue with a `jq` filter caused errors with the `rhacs-operator-controller-manager` deployment during compliance checks. With this update, the `jq` filter expression is updated and the `rhacs-operator-controller-manager` deployment is exempt from compliance checks pertaining to container resource limits, eliminating false positive results. (link:https://issues.redhat.com/browse/OCPBUGS-19690[*OCPBUGS-19690*])
+
+* Before this update, `rhcos4-high` and `rhcos4-moderate` profiles checked values of an incorrectly titled configuration file. As a result, some scan checks could fail. With this update, the `rhcos4` profiles now check the correct configuration file and scans pass correctly. (link:https://issues.redhat.com/browse/OCPBUGS-31674[*OCPBUGS-31674*])
+
+* Previously, the `accessokenInactivityTimeoutSeconds` variable used in the `oauthclient-inactivity-timeout` rule was immutable, leading to a `FAIL` status when performing DISA STIG scans. With this update, proper enforcement of the `accessTokenInactivityTimeoutSeconds` variable operates correctly and a `PASS` status is now possible. (link:https://issues.redhat.com/browse/OCPBUGS-32551[*OCPBUGS-32551*])
+
+* Before this update, some annotations for rules were not updated, displaying the incorrect control standards. With this update, annotations for rules are updated correctly, ensuring the correct control standards are displayed. (link:https://issues.redhat.com/browse/OCPBUGS-34982[*OCPBUGS-34982*])
+
+* Previously, when upgrading to Compliance Operator 1.5.1, an incorrectly referenced secret in a `ServiceMonitor` configuration caused integration issues with the Prometheus Operator. With this update, the Compliance Operator will accurately reference the secret containing the token for `ServiceMonitor` metrics. (link:https://issues.redhat.com/browse/OCPBUGS-39417[*OCPBUGS-39417*])
+
 [id="compliance-operator-release-notes-1-5-1_{context}"]
 == OpenShift Compliance Operator 1.5.1