From 18a01d69bfd70b42533c456e104a521a608366bb Mon Sep 17 00:00:00 2001 From: Andrew Taylor Date: Tue, 13 Aug 2024 10:07:05 -0400 Subject: [PATCH] CO 1.6.0 release notes --- _topic_maps/_topic_map.yml | 4 +- modules/co-scansetting-resources.adoc | 84 +++ modules/compliance-must-gather.adoc | 23 + .../compliance-operator-cli-installation.adoc | 1 + ...pliance-operator-console-installation.adoc | 1 + ...compliance-operator-rosa-installation.adoc | 1 + modules/compliance-profiles.adoc | 57 +- modules/compliance-supported-profiles.adoc | 487 +++++++++++++----- modules/gathering-data-specific-features.adoc | 3 + ...ompliance-using-scan-setting-bindings.adoc | 55 +- modules/operator-resource-constraints.adoc | 21 +- modules/running-compliance-scans.adoc | 70 +-- modules/support.adoc | 2 +- .../compliance-operator-installation.adoc | 5 + ...ompliance-operator-supported-profiles.adoc | 4 +- .../compliance-operator-troubleshooting.adoc | 4 +- .../co-scans/compliance-scans.adoc | 2 + security/compliance_operator/co-support.adoc | 23 + .../compliance-operator-release-notes.adoc | 37 ++ 19 files changed, 670 insertions(+), 214 deletions(-) create mode 100644 modules/co-scansetting-resources.adoc create mode 100644 modules/compliance-must-gather.adoc create mode 100644 security/compliance_operator/co-support.adoc diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 634be29f54..2a63d47e32 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1055,6 +1055,8 @@ Topics: File: co-overview - Name: Compliance Operator release notes File: compliance-operator-release-notes + - Name: Compliance Operator support + File: co-support - Name: Compliance Operator concepts Dir: co-concepts Topics: 
@@ -1088,7 +1090,7 @@ Topics: File: compliance-operator-remediation - Name: Performing advanced Compliance Operator tasks File: compliance-operator-advanced - - Name: Troubleshooting the Compliance Operator + - Name: Troubleshooting Compliance Operator scans File: compliance-operator-troubleshooting - Name: Using the oc-compliance plugin File: oc-compliance-plug-in-using diff --git a/modules/co-scansetting-resources.adoc b/modules/co-scansetting-resources.adoc new file mode 100644 index 0000000000..b58a7bafbc --- /dev/null +++ b/modules/co-scansetting-resources.adoc 
@@ -0,0 +1,84 @@ +// Module included in the following assemblies: +// +// * security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc + +:_mod-docs-content-type: REFERENCE +[id="co-scansetting-resources_{context}"] += Configuring ScanSetting resources + +When using the Compliance Operator in a cluster that contains more than 500 MachineConfigs, the `ocp4-pci-dss-api-checks-pod` pod may pause in the `init` phase when performing a `Platform` scan. + +[NOTE] +==== +Resource constraints applied in this process overwrites the existing resource constraints. +==== + +.Procedure + +. Confirm the `ocp4-pci-dss-api-checks-pod` pod is stuck in the `Init:OOMKilled` status: ++ +[source,terminal] +---- +$ oc get pod ocp4-pci-dss-api-checks-pod -w +---- ++ +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +ocp4-pci-dss-api-checks-pod 0/2 Init:1/2 8 (5m56s ago) 25m +ocp4-pci-dss-api-checks-pod 0/2 Init:OOMKilled 8 (6m19s ago) 26m +---- + +. Edit the `scanLimits` attribute in the `ScanSetting` CR to increase the available memory for the `ocp4-pci-dss-api-checks-pod` pod: ++ +[source,yaml] +---- +timeout: 30m +strictNodeScan: true +metadata: + name: default + namespace: openshift-compliance +kind: ScanSetting +showNotApplicable: false +rawResultStorage: + nodeSelector: + node-role.kubernetes.io/master: '' + pvAccessModes: + - ReadWriteOnce + rotation: 3 + size: 1Gi + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 300 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 300 + - effect: NoSchedule + key: node.kubernetes.io/memory-pressure + operator: Exists +schedule: 0 1 * * * +roles: + - master + - worker +apiVersion: compliance.openshift.io/v1alpha1 +maxRetryOnTimeout: 3 +scanTolerations: + - operator: Exists +scanLimits: + memory: 1024Mi <1> +---- 
+<1> The default setting is `500Mi`. + +. Apply the `ScanSetting` CR to your cluster: ++ +[source,terminal] +---- +$ oc apply -f scansetting.yaml +---- diff --git a/modules/compliance-must-gather.adoc b/modules/compliance-must-gather.adoc new file mode 100644 index 0000000000..d67f4eb209 --- /dev/null +++ b/modules/compliance-must-gather.adoc @@ -0,0 +1,23 @@ +// Module included in the following assemblies: +// +// * security/compliance_operator/co-support.adoc + +:_mod-docs-content-type: PROCEDURE +[id="compliance-must-gather_{context}"] += Using the must-gather tool for the Compliance Operator + +Starting in Compliance Operator v1.6.0, you can collect data about the Compliance Operator resources by running the `must-gather` command with the Compliance Operator image. + +[NOTE] +==== +Consider using the `must-gather` tool when opening support cases or filing bug reports, as it provides additional details about the Operator configuration and logs. +==== + +.Procedure + +* Run the following command to collect data about the Compliance Operator: ++ +[source,terminal] +---- +$ oc adm must-gather --image=$(oc get csv compliance-operator.v1.6.0 -o=jsonpath='{.spec.relatedImages[?(@.name=="must-gather")].image}') +---- \ No newline at end of file diff --git a/modules/compliance-operator-cli-installation.adoc b/modules/compliance-operator-cli-installation.adoc index 7ec7712c0a..e5e7337858 100644 --- a/modules/compliance-operator-cli-installation.adoc +++ b/modules/compliance-operator-cli-installation.adoc @@ -9,6 +9,7 @@ .Prerequisites * You must have `admin` privileges. +* You must have a `StorageClass` resource configured. .Procedure diff --git a/modules/compliance-operator-console-installation.adoc b/modules/compliance-operator-console-installation.adoc index 7b2de3a034..0005fe1dc9 100644 --- a/modules/compliance-operator-console-installation.adoc +++ b/modules/compliance-operator-console-installation.adoc 
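Review bot: The new module co-scansetting-resources.adoc is declared `:_mod-docs-content-type: REFERENCE` but is written as a numbered `.Procedure` with a verification step and an `oc apply`, so it should use `:_mod-docs-content-type: PROCEDURE`, as compliance-must-gather.adoc in this same patch does. The admonition sentence `Resource constraints applied in this process overwrites the existing resource constraints.` needs `overwrite`; the same sentence is also visible unchanged in the operator-resource-constraints.adoc hunk header. Step 2 says to edit the `scanLimits` attribute but then shows a complete `ScanSetting` named `default` in `openshift-compliance`, and step 3 applies it from `scansetting.yaml`, so `oc apply` will reset every listed field of the reader's existing `default` ScanSetting to the sample values; the text should say whether the reader is expected to start from their own `oc get scansetting default -o yaml` output rather than from this sample.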
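Review bot: The must-gather command in compliance-must-gather.adoc hard-codes the CSV name `compliance-operator.v1.6.0` and runs `oc get csv` without `-n openshift-compliance`, so on any other installed version, or from a different current project, the command substitution yields an empty string and `--image=` is passed empty; what `oc adm must-gather` does with an empty image is not shown here, but it will not collect with the Operator's image. Consider deriving the CSV name from the Subscription, assuming it is named `compliance-operator` as in operator-resource-constraints.adoc: `$(oc get csv -n openshift-compliance $(oc get subscription compliance-operator -n openshift-compliance -o jsonpath='{.status.installedCSV}') -o=jsonpath='{.spec.relatedImages[?(@.name=="must-gather")].image}')`, or add a sentence telling the reader to substitute the installed version. The new file also ends without a trailing newline (`\ No newline at end of file`).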
@@ -9,6 +9,7 @@ .Prerequisites * You must have `admin` privileges. +* You must have a `StorageClass` resource configured. .Procedure diff --git a/modules/compliance-operator-rosa-installation.adoc b/modules/compliance-operator-rosa-installation.adoc index f4c289cc62..d551c4863c 100644 --- a/modules/compliance-operator-rosa-installation.adoc +++ b/modules/compliance-operator-rosa-installation.adoc @@ -13,6 +13,7 @@ As of the Compliance Operator 1.5.0 release, the Operator is tested against {pro .Prerequisites * You must have `admin` privileges. +* You must have a `StorageClass` resource configured. .Procedure diff --git a/modules/compliance-profiles.adoc b/modules/compliance-profiles.adoc index 3f9add6497..73bedaf65b 100644 --- a/modules/compliance-profiles.adoc +++ b/modules/compliance-profiles.adoc 
@@ -12,28 +12,51 @@ There are several profiles available as part of the Compliance Operator installa + [source,terminal] ---- -$ oc get -n openshift-compliance profiles.compliance +$ oc get profile.compliance -n openshift-compliance ---- + .Example output [source,terminal] ---- -NAME AGE -ocp4-cis 94m -ocp4-cis-node 94m -ocp4-e8 94m -ocp4-high 94m -ocp4-high-node 94m -ocp4-moderate 94m -ocp4-moderate-node 94m -ocp4-nerc-cip 94m -ocp4-nerc-cip-node 94m -ocp4-pci-dss 94m -ocp4-pci-dss-node 94m -rhcos4-e8 94m -rhcos4-high 94m -rhcos4-moderate 94m -rhcos4-nerc-cip 94m +NAME AGE VERSION +ocp4-cis 3h49m 1.5.0 +ocp4-cis-1-4 3h49m 1.4.0 +ocp4-cis-1-5 3h49m 1.5.0 +ocp4-cis-node 3h49m 1.5.0 +ocp4-cis-node-1-4 3h49m 1.4.0 +ocp4-cis-node-1-5 3h49m 1.5.0 +ocp4-e8 3h49m +ocp4-high 3h49m Revision 4 +ocp4-high-node 3h49m Revision 4 +ocp4-high-node-rev-4 3h49m Revision 4 +ocp4-high-rev-4 3h49m Revision 4 +ocp4-moderate 3h49m Revision 4 +ocp4-moderate-node 3h49m Revision 4 +ocp4-moderate-node-rev-4 3h49m Revision 4 +ocp4-moderate-rev-4 3h49m Revision 4 +ocp4-nerc-cip 3h49m +ocp4-nerc-cip-node 3h49m +ocp4-pci-dss 3h49m 3.2.1 +ocp4-pci-dss-3-2 3h49m 3.2.1 +ocp4-pci-dss-4-0 3h49m 4.0.0 +ocp4-pci-dss-node 3h49m 3.2.1 +ocp4-pci-dss-node-3-2 3h49m 3.2.1 +ocp4-pci-dss-node-4-0 3h49m 4.0.0 +ocp4-stig 3h49m V2R1 +ocp4-stig-node 3h49m V2R1 +ocp4-stig-node-v1r1 3h49m V1R1 +ocp4-stig-node-v2r1 3h49m V2R1 +ocp4-stig-v1r1 3h49m V1R1 +ocp4-stig-v2r1 3h49m V2R1 +rhcos4-e8 3h49m +rhcos4-high 3h49m Revision 4 +rhcos4-high-rev-4 3h49m Revision 4 +rhcos4-moderate 3h49m Revision 4 +rhcos4-moderate-rev-4 3h49m Revision 4 +rhcos4-nerc-cip 3h49m +rhcos4-stig 3h49m V2R1 +rhcos4-stig-v1r1 3h49m V1R1 +rhcos4-stig-v2r1 3h49m V2R1 ---- + These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. 
`ocp4-e8` applies the Essential 8 benchmark to the {product-title} product, while `rhcos4-e8` applies the Essential 8 benchmark to the {op-system-first} product. diff --git a/modules/compliance-supported-profiles.adoc b/modules/compliance-supported-profiles.adoc index dcb1a1a98d..fe7bfc983d 100644 --- a/modules/compliance-supported-profiles.adoc +++ b/modules/compliance-supported-profiles.adoc 
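Review bot: The new example output in compliance-profiles.adoc lists `ocp4-pci-dss` and `ocp4-pci-dss-node` with VERSION `3.2.1`, but compliance-supported-profiles.adoc in this same patch describes both as the `PCI-DSS v4 Control Baseline` and its footnote 1 says they track the latest PCI-DSS version, so one of the two is stale; the same output block is pasted into oc-compliance-using-scan-setting-bindings.adoc and needs the same fix. Either the sample output should show `4.0.0` for those two rows or the table should state that the unversioned aliases still resolve to v3.2.1 in this release. I cannot tell from the patch which is correct; it should be confirmed against a 1.6.0 cluster before the release notes go out.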
@@ -1,204 +1,435 @@ // Module included in the following assemblies: // -// * security/compliance_operator/ +// * security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc -:_mod-docs-content-type: CONCEPT +:_mod-docs-content-type: REFERENCE [id="compliance-supported-profiles_{context}"] = Compliance profiles -The Compliance Operator provides the following compliance profiles: +The Compliance Operator provides profiles to meet industry standard benchmarks. -.Supported compliance profiles -[cols="10%,40%,10%,10%,40%,10%,40%", options="header"] +[NOTE] +==== +The following tables reflect the latest available profiles in the Compliance Operator. +==== + +[id="cis-profiles_{context}"] +== CIS compliance profiles + +.Supported CIS compliance profiles +[cols="2,2,1,2,1,2", options="header"] |=== |Profile |Profile title |Application -|Compliance Operator version |Industry compliance benchmark |Supported architectures |Supported platforms -|rhcos4-stig -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift -|Node -|1.3.0+ -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^ -|`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ - -|ocp4-stig-node -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift -|Node -|1.3.0+ -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^ -|`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ - -|ocp4-stig -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift +|ocp4-cis ^[1]^ +|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 |Platform -|1.3.0+ -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^ -|`x86_64` -| - -|ocp4-cis-1-4 -|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0 -|Platform -|1.2.0+ 
|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^ |`x86_64` `ppc64le` `s390x` | -|ocp4-cis-node-1-4 -|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0 +|ocp4-cis-1-4 ^[3]^ +|CIS Red Hat OpenShift Container Platform Benchmark v1.4.0 +|Platform +|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ +|`x86_64` + `ppc64le` + `s390x` +| + +|ocp4-cis-1-5 +|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 +|Platform +|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ +|`x86_64` + `ppc64le` + `s390x` +| + +|ocp4-cis-node ^[1]^ +|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 |Node ^[2]^ -|1.2.0+ -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^ +|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ |`x86_64` `ppc64le` `s390x` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +|{product-rosa} with {hcp} (ROSA HCP) -|ocp4-cis -|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.5.0 -|Platform -|1.4.1+ -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^ -|`x86_64` - `ppc64le` - `s390x` -| - -|ocp4-cis-node -|CIS Red Hat OpenShift Container Platform 4 Benchmark v1.5.0 +|ocp4-cis-node-1-4 ^[3]^ +|CIS Red Hat OpenShift Container Platform Benchmark v1.4.0 |Node ^[2]^ -|1.4.1+ -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^ +|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ |`x86_64` `ppc64le` `s390x` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-cis-node-1-5 +|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 +|Node ^[2]^ +|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ +|`x86_64` + `ppc64le` + `s390x` +|{product-rosa} with {hcp} (ROSA HCP) + +|=== +[.small] +1. 
The `ocp4-cis` and `ocp4-cis-node` profiles maintain the most up-to-date version of the CIS benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as CIS v1.4.0, use the `ocp4-cis-1-4` and `ocp4-cis-node-1-4` profiles. +2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. +3. CIS v1.4.0 is superceded by CIS v1.5.0. It is recommended to apply the latest profile to your environment. +4. To locate the CIS {product-title} v4 Benchmark, go to link:https://www.cisecurity.org/benchmark/kubernetes[CIS Benchmarks] and click *Download Latest CIS Benchmark*, where you can then register to download the benchmark. + +[id="e8-profiles_{context}"] +== Essential Eight compliance profiles + +.Supported Essential Eight compliance profiles +[cols="2,2,1,2,1,2", options="header"] + +|=== +|Profile +|Profile title +|Application +|Industry compliance benchmark +|Supported architectures +|Supported platforms |ocp4-e8 |Australian Cyber Security Centre (ACSC) Essential Eight |Platform -|0.1.39+ |link:https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers[ACSC Hardening Linux Workstations and Servers] |`x86_64` | -|ocp4-moderate -|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level -|Platform -|0.1.39+ -|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] -|`x86_64` - `ppc64le` - `s390x` -| - |rhcos4-e8 |Australian Cyber Security Centre (ACSC) Essential Eight |Node -|0.1.39+ |link:https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers[ACSC Hardening Linux Workstations and Servers] |`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +|{product-rosa} with {hcp} (ROSA HCP) -|rhcos4-moderate -|NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS 
-|Node -|0.1.39+ -|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] +|=== + +[id="fedramp-high-profiles_{context}"] +== FedRAMP High compliance profiles + +.Supported FedRAMP High compliance profiles +[cols="2,2,1,2,1,2", options="header"] + +|=== +|Profile +|Profile title +|Application +|Industry compliance benchmark +|Supported architectures +|Supported platforms + +|ocp4-high ^[1]^ +|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level +|Platform +|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] |`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +| -|ocp4-moderate-node -|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level +|ocp4-high-node ^[1]^ +|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level |Node ^[2]^ -|0.1.44+ +|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-high-node-rev-4 +|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level +|Node ^[2]^ +|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-high-rev-4 +|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level +|Platform +|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] +|`x86_64` +| + +|rhcos4-high ^[1]^ +|NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS +|Node +|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|rhcos4-high-rev-4 +|NIST 800-53 High-Impact Baseline for Red 
Hat Enterprise Linux CoreOS +|Node +|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|=== +[.small] +1. The `ocp4-high`, `ocp4-high-node` and `rhcos4-high` profiles maintain the most up-to-date version of the FedRAMP High standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as FedRAMP high R4, use the `ocp4-high-rev-4` and `ocp4-high-node-rev-4` profiles. +2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. + +[id="fedramp-moderate-profiles_{context}"] +== FedRAMP Moderate compliance profiles + +.Supported FedRAMP Moderate compliance profiles +[cols="2,2,1,2,1,2", options="header"] + +|=== +|Profile +|Profile title +|Application +|Industry compliance benchmark +|Supported architectures +|Supported platforms + +|ocp4-moderate ^[1]^ +|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level +|Platform |link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] |`x86_64` `ppc64le` `s390x` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +| + +|ocp4-moderate-node ^[1]^ +|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level +|Node ^[2]^ +|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] +|`x86_64` + `ppc64le` + `s390x` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-moderate-node-rev-4 +|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level +|Node ^[2]^ +|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] +|`x86_64` + `ppc64le` + `s390x` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-moderate-rev-4 +|NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level +|Platform 
+|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] +|`x86_64` + `ppc64le` + `s390x` +| + +|rhcos4-moderate ^[1]^ +|NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS +|Node +|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|rhcos4-moderate-rev-4 +|NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS +|Node +|link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|=== +[.small] +1. The `ocp4-moderate`, `ocp4-moderate-node` and `rhcos4-moderate` profiles maintain the most up-to-date version of the FedRAMP Moderate standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as FedRAMP Moderate R4, use the `ocp4-moderate-rev-4` and `ocp4-moderate-node-rev-4` profiles. +2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. 
+ +[id="nerc-cip-profiles_{context}"] +== NERC-CIP compliance profiles + +.Supported NERC-CIP compliance profiles +[cols="2,2,1,2,1,2", options="header"] + +|=== +|Profile +|Profile title +|Application +|Industry compliance benchmark +|Supported architectures +|Supported platforms |ocp4-nerc-cip -|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level +|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the {product-title} - Platform level |Platform -|0.1.44+ |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards] |`x86_64` | |ocp4-nerc-cip-node -|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level -|Node ^[2]^ -|0.1.44+ +|North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the {product-title} - Node level +|Node ^[1]^ |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards] |`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +|{product-rosa} with {hcp} (ROSA HCP) |rhcos4-nerc-cip |North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS |Node -|0.1.44+ |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards] |`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ +|{product-rosa} with {hcp} (ROSA HCP) -|ocp4-pci-dss -|PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4 -|Platform -|0.1.47+ 
-|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] -|`x86_64` - `ppc64le` - `s390x` -| - -|ocp4-pci-dss-node -|PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4 -|Node ^[2]^ -|0.1.47+ -|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] -|`x86_64` - `ppc64le` - `s390x` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ - -|ocp4-high -|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level -|Platform -|0.1.52+ -|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] -|`x86_64` -| - -|ocp4-high-node -|NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level -|Node ^[2]^ -|0.1.52+ -|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] -|`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ - -|rhcos4-high -|NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS -|Node -|0.1.52+ -|link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search] -|`x86_64` -|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+ |=== [.small] -1. To locate the CIS {product-title} v4 Benchmark, go to link:https://www.cisecurity.org/benchmark/kubernetes[CIS Benchmarks] and click *Download Latest CIS Benchmark*, where you can then register to download the benchmark. +1. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. 
+ +[id="pci-dss-profiles_{context}"] +== PCI-DSS compliance profiles + +.Supported PCI-DSS compliance profiles +[cols="2,2,1,2,1,2", options="header"] + +|=== +|Profile +|Profile title +|Application +|Industry compliance benchmark +|Supported architectures +|Supported platforms + +|ocp4-pci-dss ^[1]^ +|PCI-DSS v4 Control Baseline for {product-title} 4 +|Platform +|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] +|`x86_64` +| + +|ocp4-pci-dss-3-2 ^[3]^ +|PCI-DSS v3.2.1 Control Baseline for {product-title} 4 +|Platform +|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] +|`x86_64` +| + +|ocp4-pci-dss-4-0 +|PCI-DSS v4 Control Baseline for {product-title} 4 +|Platform +|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] +|`x86_64` +| + +|ocp4-pci-dss-node ^[1]^ +|PCI-DSS v4 Control Baseline for {product-title} 4 +|Node ^[2]^ +|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-pci-dss-node-3-2 ^[3]^ +|PCI-DSS v3.2.1 Control Baseline for {product-title} 4 +|Node ^[2]^ +|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-pci-dss-node-4-0 +|PCI-DSS v4 Control Baseline for {product-title} 4 +|Node ^[2]^ +|link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) +|=== +[.small] +1. The `ocp4-pci-dss` and `ocp4-pci-dss-node` profiles maintain the most up-to-date version of the PCI-DSS standard as it becomes available in the Compliance Operator. 
If you want to adhere to a specific version, such as PCI-DSS v3.2.1, use the `ocp4-pci-dss-3-2` and `ocp4-pci-dss-node-3-2` profiles. 2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. +3. PCI-DSS v3.2.1 is superceded by PCI-DSS v4. It is recommended to apply the latest profile to your environment. + +[id="stig-profiles_{context}"] +== STIG compliance profiles + +.Supported STIG compliance profiles +[cols="2,2,1,2,1,2", options="header"] + +|=== +|Profile +|Profile title +|Application +|Industry compliance benchmark +|Supported architectures +|Supported platforms + +|ocp4-stig ^[1]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift +|Platform +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +| + +|ocp4-stig-node ^[1]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift +|Node ^[2]^ +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-stig-node-v1r1 ^[3]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 +|Node ^[2]^ +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-stig-node-v2r1 +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 +|Node ^[2]^ +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|ocp4-stig-v1r1 ^[3]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 +|Platform +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +| + +|ocp4-stig-v2r1 +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red 
Hat Openshift V2R1 +|Platform +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +| + +|rhcos4-stig +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift +|Node +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|rhcos4-stig-v1r1 ^[3]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 +|Node +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[3]^ +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|rhcos4-stig-v2r1 +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 +|Node +|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] +|`x86_64` +|{product-rosa} with {hcp} (ROSA HCP) + +|=== +[.small] +1. The `ocp4-stig`, `ocp4-stig-node` and `rhcos4-stig` profiles maintain the most up-to-date version of the DISA-STIG benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as DISA-STIG V2R1, use the `ocp4-stig-v2r1` and `ocp4-stig-node-v2r1` profiles. +2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. +3. DISA-STIG V1R1 is superceded by DISA-STIG V2R1. It is recommended to apply the latest profile to your environment. [id="compliance-extended-profiles_{context}"] == About extended compliance profiles diff --git a/modules/gathering-data-specific-features.adoc b/modules/gathering-data-specific-features.adoc index 5903aece65..65440354ed 100644 --- a/modules/gathering-data-specific-features.adoc +++ b/modules/gathering-data-specific-features.adoc 
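Review bot: The rewritten PCI-DSS rows for `ocp4-pci-dss` and `ocp4-pci-dss-node` list only `x86_64`, whereas the removed rows listed `x86_64`, `ppc64le` and `s390x`; if the 1.6.0 release did not drop those architectures, the new rows (including the `-3-2` and `-4-0` variants) should keep them, and if it did, the release notes should say so. `superceded` in footnote 3 of the CIS, PCI-DSS and STIG tables should be `superseded`. The `rhcos4-stig-v1r1` row carries `^[3]^` on the benchmark link cell (`link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[3]^`) in addition to the profile cell, which no other row does and looks like a leftover from the old table's `^[1]^` on that cell.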
@@ -74,6 +74,9 @@ endif::openshift-rosa,openshift-dedicated[] ifndef::openshift-rosa,openshift-dedicated[] |`registry.redhat.io/lvms4/lvms-must-gather-rhel9:v` |Data collection for the LVM Operator. + +|`ghcr.io/complianceascode/must-gather-ocp` +|Data collection for the Compliance Operator. endif::openshift-rosa,openshift-dedicated[] |=== diff --git a/modules/oc-compliance-using-scan-setting-bindings.adoc b/modules/oc-compliance-using-scan-setting-bindings.adoc index 751775ee06..cab0ef4a4a 100644 --- a/modules/oc-compliance-using-scan-setting-bindings.adoc +++ b/modules/oc-compliance-using-scan-setting-bindings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * security/oc_compliance_plug_in/co-scans/oc-compliance-plug-in-using.adoc +// * security/compliance_operator/co-scans/oc-compliance-plug-in-using.adoc :_mod-docs-content-type: PROCEDURE [id="using-scan-setting-bindings_{context}"] 
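Review bot: The new row in gathering-data-specific-features.adoc documents `ghcr.io/complianceascode/must-gather-ocp` with no tag, while the neighboring row uses a `registry.redhat.io` image with a version tag and the compliance-must-gather.adoc module added in this same patch tells readers to take the image from the CSV's `spec.relatedImages` instead. For a table readers use to pick the image that collects cluster data, an unpinned image on a community registry is a weaker provenance statement than the CSV-derived reference; either list the registry.redhat.io location with its tag or point the row at the must-gather procedure. If the ghcr.io image is genuinely the supported one, a tag should still be pinned so the documented command is reproducible.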
@@ -34,17 +34,46 @@ $ oc get profile.compliance -n openshift-compliance .Example output [source,terminal] ---- -NAME AGE -ocp4-cis 9m54s -ocp4-cis-node 9m54s -ocp4-e8 9m54s -ocp4-moderate 9m54s -ocp4-ncp 9m54s -rhcos4-e8 9m54s -rhcos4-moderate 9m54s -rhcos4-ncp 9m54s -rhcos4-ospp 9m54s -rhcos4-stig 9m54s +NAME AGE VERSION +ocp4-cis 3h49m 1.5.0 +ocp4-cis-1-4 3h49m 1.4.0 +ocp4-cis-1-5 3h49m 1.5.0 +ocp4-cis-node 3h49m 1.5.0 +ocp4-cis-node-1-4 3h49m 1.4.0 +ocp4-cis-node-1-5 3h49m 1.5.0 +ocp4-e8 3h49m +ocp4-high 3h49m Revision 4 +ocp4-high-node 3h49m Revision 4 +ocp4-high-node-rev-4 3h49m Revision 4 +ocp4-high-rev-4 3h49m Revision 4 +ocp4-moderate 3h49m Revision 4 +ocp4-moderate-node 3h49m Revision 4 +ocp4-moderate-node-rev-4 3h49m Revision 4 +ocp4-moderate-rev-4 3h49m Revision 4 +ocp4-nerc-cip 3h49m +ocp4-nerc-cip-node 3h49m +ocp4-pci-dss 3h49m 3.2.1 +ocp4-pci-dss-3-2 3h49m 3.2.1 +ocp4-pci-dss-4-0 3h49m 4.0.0 +ocp4-pci-dss-node 3h49m 3.2.1 +ocp4-pci-dss-node-3-2 3h49m 3.2.1 +ocp4-pci-dss-node-4-0 3h49m 4.0.0 +ocp4-stig 3h49m V2R1 +ocp4-stig-node 3h49m V2R1 +ocp4-stig-node-v1r1 3h49m V1R1 +ocp4-stig-node-v2r1 3h49m V2R1 +ocp4-stig-v1r1 3h49m V1R1 +ocp4-stig-v2r1 3h49m V2R1 +rhcos4-e8 3h49m +rhcos4-high 3h49m Revision 4 +rhcos4-high-rev-4 3h49m Revision 4 +rhcos4-moderate 3h49m Revision 4 +rhcos4-moderate-rev-4 3h49m Revision 4 +rhcos4-nerc-cip 3h49m +rhcos4-stig 3h49m V2R1 +rhcos4-stig-v1r1 3h49m V1R1 +rhcos4-stig-v2r1 3h49m V2R1 + ---- + [source,terminal] 
@@ -73,4 +102,4 @@ $ oc compliance bind -N my-binding profile/ocp4-cis profile/ocp4-cis-node Creating ScanSettingBinding my-binding ---- + -Once the `ScanSettingBinding` CR is created, the bound profile begins scanning for both profiles with the related settings. Overall, this is the fastest way to begin scanning with the Compliance Operator. +After the `ScanSettingBinding` CR is created, the bound profile begins scanning for both profiles with the related settings. Overall, this is the fastest way to begin scanning with the Compliance Operator. diff --git a/modules/operator-resource-constraints.adoc b/modules/operator-resource-constraints.adoc index 7715a39c44..acd9eb7cca 100644 --- a/modules/operator-resource-constraints.adoc +++ b/modules/operator-resource-constraints.adoc @@ -21,16 +21,17 @@ Resource Constraints applied in this process overwrites the existing resource co ---- kind: Subscription metadata: - name: custom-operator + name: compliance-operator + namespace: openshift-compliance spec: - package: etcd - channel: alpha + package: package-name + channel: stable config: - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" ---- \ No newline at end of file diff --git a/modules/running-compliance-scans.adoc b/modules/running-compliance-scans.adoc index 97bb8b6e05..bf7d8156a1 100644 --- a/modules/running-compliance-scans.adoc +++ b/modules/running-compliance-scans.adoc @@ -15,7 +15,7 @@ For all-in-one control plane and worker nodes, the compliance scan runs twice on .Procedure -. Inspect the `ScanSetting` object by running: +. Inspect the `ScanSetting` object by running the following command: + [source,terminal] ---- 
@@ -25,45 +25,26 @@ $ oc describe scansettings default -n openshift-compliance .Example output [source,yaml] ---- -Name: default -Namespace: openshift-compliance -Labels: -Annotations: -API Version: compliance.openshift.io/v1alpha1 -Kind: ScanSetting +Name: default +Namespace: openshift-compliance +Labels: +Annotations: +API Version: compliance.openshift.io/v1alpha1 +Kind: ScanSetting +Max Retry On Timeout: 3 Metadata: - Creation Timestamp: 2022-10-10T14:07:29Z - Generation: 1 - Managed Fields: - API Version: compliance.openshift.io/v1alpha1 - Fields Type: FieldsV1 - fieldsV1: - f:rawResultStorage: - .: - f:nodeSelector: - .: - f:node-role.kubernetes.io/master: - f:pvAccessModes: - f:rotation: - f:size: - f:tolerations: - f:roles: - f:scanTolerations: - f:schedule: - f:showNotApplicable: - f:strictNodeScan: - Manager: compliance-operator - Operation: Update - Time: 2022-10-10T14:07:29Z - Resource Version: 56111 - UID: c21d1d14-3472-47d7-a450-b924287aec90 + Creation Timestamp: 2024-07-16T14:56:42Z + Generation: 2 + Resource Version: 91655682 + UID: 50358cf1-57a8-4f69-ac50-5c7a5938e402 Raw Result Storage: Node Selector: - node-role.kubernetes.io/master: + node-role.kubernetes.io/master: Pv Access Modes: ReadWriteOnce <1> - Rotation: 3 <2> - Size: 1Gi <3> + Rotation: 3 <2> + Size: 1Gi <3> + Storage Class Name: standard <4> Tolerations: Effect: NoSchedule Key: node-role.kubernetes.io/master 
@@ -80,21 +61,26 @@ Raw Result Storage: Key: node.kubernetes.io/memory-pressure Operator: Exists Roles: - master <4> - worker <4> -Scan Tolerations: <5> + master <5> + worker <5> +Scan Tolerations: <6> Operator: Exists -Schedule: 0 1 * * * <6> +Schedule: 0 1 * * * <7> Show Not Applicable: false Strict Node Scan: true +Suspend: false +Timeout: 30m Events: + + ---- <1> The Compliance Operator creates a persistent volume (PV) that contains the results of the scans. By default, the PV will use access mode `ReadWriteOnce` because the Compliance Operator cannot make any assumptions about the storage classes configured on the cluster. Additionally, `ReadWriteOnce` access mode is available on most clusters. If you need to fetch the scan results, you can do so by using a helper pod, which also binds the volume. Volumes that use the `ReadWriteOnce` access mode can be mounted by only one pod at time, so it is important to remember to delete the helper pods. Otherwise, the Compliance Operator will not be able to reuse the volume for subsequent scans. <2> The Compliance Operator keeps results of three subsequent scans in the volume; older scans are rotated. <3> The Compliance Operator will allocate one GB of storage for the scan results. -<4> If the scan setting uses any profiles that scan cluster nodes, scan these node roles. -<5> The default scan setting object scans all the nodes. -<6> The default scan setting object runs scans at 01:00 each day. +<4> The `scansetting.rawResultStorage.storageClassName` field specifies the `storageClassName` value to use when creating the `PersistentVolumeClaim` object to store the raw results. The default value is null, which will attempt to use the default storage class configured in the cluster. If there is no default class specified, then you must set a default class. +<5> If the scan setting uses any profiles that scan cluster nodes, scan these node roles. +<6> The default scan setting object scans all the nodes. 
+<7> The default scan setting object runs scans at 01:00 each day. + As an alternative to the default scan setting, you can use `default-auto-apply`, which has the following settings: + diff --git a/modules/support.adoc b/modules/support.adoc index 956074d0c0..e426587ad9 100644 --- a/modules/support.adoc +++ b/modules/support.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc +// * security/compliance_operator/co-support.adoc // * support/getting-support.adoc // * distr_tracing/distributed-tracing-release-notes.adoc // * service_mesh/v2x/ossm-support.adoc diff --git a/security/compliance_operator/co-management/compliance-operator-installation.adoc b/security/compliance_operator/co-management/compliance-operator-installation.adoc index f3bb959572..8a646b0e24 100644 --- a/security/compliance_operator/co-management/compliance-operator-installation.adoc +++ b/security/compliance_operator/co-management/compliance-operator-installation.adoc 
@@ -13,6 +13,11 @@ Before you can use the Compliance Operator, you must ensure it is deployed in th The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red{nbsp}Hat OpenShift Service on AWS Classic, and Microsoft Azure Red{nbsp}Hat OpenShift. For more information, see the Knowledgebase article link:https://access.redhat.com/solutions/6983418[Compliance Operator reports incorrect results on Managed Services]. ==== +[IMPORTANT] +==== +Before deploying the Compliance Operator, you are required to define persistent storage in your cluster to store the raw results output. For more information, see xref:../../../storage/understanding-persistent-storage.adoc#persistent-storage-overview_understanding-persistent-storage[Persistant storage overview] and xref:../../../storage/container_storage_interface/persistent-storage-csi-sc-manage.adoc#overview[Managing the default storage class]. +==== + include::modules/compliance-operator-console-installation.adoc[leveloffset=+1] [IMPORTANT] diff --git a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc index 0760178787..1eb5882921 100644 --- a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc +++ b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc @@ -4,6 +4,8 @@ include::_attributes/common-attributes.adoc[] :context: compliance-operator-supported-profiles +toc::[] + There are several profiles available as part of the Compliance Operator (CO) installation. While you can use the following profiles to assess gaps in a cluster, usage alone does not infer or guarantee compliance with a particular 
@@ -27,4 +29,4 @@ include::modules/compliance-supported-profiles.adoc[leveloffset=+1] [role="_additional-resources"] == Additional resources -* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance_profile_types_understanding-compliance[Compliance Operator profile types] +* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance_profile_types_understanding-compliance[Compliance Operator profile types] \ No newline at end of file diff --git a/security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc b/security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc index 2de7afde06..2d46868679 100644 --- a/security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc +++ b/security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc @@ -1,6 +1,6 @@ :_mod-docs-content-type: ASSEMBLY [id="compliance-operator-troubleshooting"] -= Troubleshooting the Compliance Operator += Troubleshooting Compliance Operator scans include::_attributes/common-attributes.adoc[] :context: compliance-troubleshooting @@ -47,6 +47,8 @@ include::modules/compliance-increasing-operator-limits.adoc[leveloffset=+1] include::modules/operator-resource-constraints.adoc[leveloffset=+1] +include::modules/co-scansetting-resources.adoc[leveloffset=+1] + include::modules/compliance-timeout.adoc[leveloffset=+1] include::modules/support.adoc[leveloffset=+1] \ No newline at end of file diff --git a/security/compliance_operator/co-scans/compliance-scans.adoc b/security/compliance_operator/co-scans/compliance-scans.adoc index 13317d8d2f..bea4f05665 100644 --- a/security/compliance_operator/co-scans/compliance-scans.adoc +++ b/security/compliance_operator/co-scans/compliance-scans.adoc 
@@ -22,6 +22,8 @@ $ oc explain scansettingbindings include::modules/running-compliance-scans.adoc[leveloffset=+1] +include::modules/compliance-custom-storage.adoc[leveloffset=+1] + include::modules/running-compliance-scans-worker-node.adoc[leveloffset=+1] include::modules/compliance-scansetting-cr.adoc[leveloffset=+1] diff --git a/security/compliance_operator/co-support.adoc b/security/compliance_operator/co-support.adoc new file mode 100644 index 0000000000..e725e19b41 --- /dev/null +++ b/security/compliance_operator/co-support.adoc @@ -0,0 +1,23 @@ +:_mod-docs-content-type: ASSEMBLY +//OpenShift Compliance Operator support page +[id="co-support"] += Compliance Operator support +:context: co-support +include::_attributes/common-attributes.adoc[] + +toc::[] + +[id="co-lifecycle_{context}"] +== Compliance Operator lifecycle + +The Compliance Operator is a "Rolling Stream" Operator, meaning updates are available asynchronously of {product-title} releases. For more information, see link:https://access.redhat.com/support/policy/updates/openshift_operators[OpenShift Operator Life Cycles] on the Red Hat Customer Portal. + +include::modules/support.adoc[leveloffset=+1] + +include::modules/compliance-must-gather.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_{context}"] +== Additional resources + +* xref:../../support/gathering-cluster-data.adoc#about-must-gather_gathering-cluster-data[About the must-gather tool] \ No newline at end of file diff --git a/security/compliance_operator/compliance-operator-release-notes.adoc b/security/compliance_operator/compliance-operator-release-notes.adoc index 005751f531..c3c4eff186 100644 --- a/security/compliance_operator/compliance-operator-release-notes.adoc +++ b/security/compliance_operator/compliance-operator-release-notes.adoc 
@@ -15,6 +15,43 @@ For an overview of the Compliance Operator, see xref:../../security/compliance_o To access the latest release, see xref:../../security/compliance_operator/co-management/compliance-operator-updating.adoc#olm-preparing-upgrade_compliance-operator-updating[Updating the Compliance Operator]. +[id="compliance-operator-release-notes-1-6-0_{context}"] +== OpenShift Compliance Operator 1.6.0 + +The following advisory is available for the OpenShift Compliance Operator 1.6.0: + +* link:https://access.redhat.com/errata/RHBA-2024:6761[RHBA-2024:6761 - OpenShift Compliance Operator 1.6.0 bug fix and enhancement update] + +[id="compliance-operator-1-6-0-new-features-and-enhancements_{context}"] +=== New features and enhancements + +* The Compliance Operator now contains supported profiles for Payment Card Industry Data Security Standard (PCI-DSS) version 4. For more information, see xref:../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-supported-profiles_compliance-operator-supported-profiles[Supported compliance profiles]. + +* The Compliance Operator now contains supported profiles for Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) V2R1. For more information, see xref:../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-supported-profiles_compliance-operator-supported-profiles[Supported compliance profiles]. + +* A `must-gather` extension is now available for the Compliance Operator installed on `x86`, `ppc64le`, and `s390x` architectures. The `must-gather` tool provides crucial configuration details to Red Hat Customer Support and engineering. For more information, see xref:../../security/compliance_operator/co-support.adoc#compliance-must-gather_co-support[Using the must-gather tool for the Compliance Operator]. 
+ +[id="compliance-operator-1-6-0-bug-fixes_{context}"] +=== Bug fixes + +* Before this release, a misleading description in the `ocp4-route-ip-whitelist` rule resulted in misunderstanding, causing potential for misconfigurations. With this update, the rule is now more clearly defined. (link:https://issues.redhat.com/browse/CMP-2485[*CMP-2485*]) + +* Previously, the reporting of all of the `ComplianceCheckResults` for a `DONE` status `ComplianceScan` was incomplete. With this update, annotation has been added to report the number of total `ComplianceCheckResults` for a `ComplianceScan` with a `DONE` status. (link:https://issues.redhat.com/browse/CMP-2615[*CMP-2615*]) + +* Previously, the `ocp4-cis-scc-limit-container-allowed-capabilities` rule description contained ambiguous guidelines, leading to confusion among users. With this update, the rule description and actionable steps are clarified. (link:https://issues.redhat.com/browse/OCPBUGS-17828[*OCPBUGS-17828*]) + +* Before this update, sysctl configurations caused certain auto remediations for RHCOS4 rules to fail scans in affected clusters. With this update, the correct sysctl settings are applied and RHCOS4 rules for FedRAMP High profiles pass scans correctly. (link:https://issues.redhat.com/browse/OCPBUGS-19690[*OCPBUGS-19690*]) + +* Before this update, an issue with a `jq` filter caused errors with the `rhacs-operator-controller-manager` deployment during compliance checks. With this update, the `jq` filter expression is updated and the `rhacs-operator-controller-manager` deployment is exempt from compliance checks pertaining to container resource limits, eliminating false positive results. (link:https://issues.redhat.com/browse/OCPBUGS-19690[*OCPBUGS-19690*]) + +* Before this update, `rhcos4-high` and `rhcos4-moderate` profiles checked values of an incorrectly titled configuration file. As a result, some scan checks could fail. 
With this update, the `rhcos4` profiles now check the correct configuration file and scans pass correctly. (link:https://issues.redhat.com/browse/OCPBUGS-31674[*OCPBUGS-31674*]) + +* Previously, the `accessokenInactivityTimeoutSeconds` variable used in the `oauthclient-inactivity-timeout` rule was immutable, leading to a `FAIL` status when performing DISA STIG scans. With this update, proper enforcement of the `accessTokenInactivityTimeoutSeconds` variable operates correctly and a `PASS` status is now possible. (link:https://issues.redhat.com/browse/OCPBUGS-32551[*OCPBUGS-32551*]) + +* Before this update, some annotations for rules were not updated, displaying the incorrect control standards. With this update, annotations for rules are updated correctly, ensuring the correct control standards are displayed. (link:https://issues.redhat.com/browse/OCPBUGS-34982[*OCPBUGS-34982*]) + +* Previously, when upgrading to Compliance Operator 1.5.1, an incorrectly referenced secret in a `ServiceMonitor` configuration caused integration issues with the Prometheus Operator. With this update, the Compliance Operator will accurately reference the secret containing the token for `ServiceMonitor` metrics. (link:https://issues.redhat.com/browse/OCPBUGS-39417[*OCPBUGS-39417*]) + [id="compliance-operator-release-notes-1-5-1_{context}"] == OpenShift Compliance Operator 1.5.1