From 68fa1cf02f746662575c3760cbffc1fae948083f Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 8 Apr 2024 15:49:43 -0500 Subject: [PATCH] Clarify the role of compliance operator It's important to note that the compliance operator is a useful tool, but not a complete replacement for an auditor, or regulatory authority required in some industries. This commit tries to bring that message to the front of the OpenShift Compliance Operator book. --- security/compliance_operator/co-overview.adoc | 21 +++++++++++++------ ...ompliance-operator-supported-profiles.adoc | 13 ++++++++++-- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/security/compliance_operator/co-overview.adoc b/security/compliance_operator/co-overview.adoc index ab9701d0c6..876d48fe03 100644 --- a/security/compliance_operator/co-overview.adoc +++ b/security/compliance_operator/co-overview.adoc @@ -4,12 +4,21 @@ include::_attributes/common-attributes.adoc[] :context: co-overview -{product-title} Compliance Operator (CO) runs compliance scans and provides remediations to assist users in meeting compliance standards. For the latest updates, see the xref:../../security/compliance_operator/compliance-operator-release-notes.adoc#compliance-operator-release-notes[Compliance Operator release notes]. If needed, you can engage link:https://access.redhat.com/support/[Red Hat support]. +The {product-title} Compliance Operator assists users by automating the +inspection of numerous technical implementations and compares those against +certain aspects of industry standards, benchmarks, and baselines; the +Compliance Operator is not an auditor. In order to be compliant or certified +under these various standards, you need to engage an authorized auditor such as +a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other +industry recognized regulatory authority to assess your environment. -[IMPORTANT] -==== -The Compliance Operator does not automatically perform remediations. Ensuring compliance standards are met is required by the user. -==== +The Compliance Operator makes recommendations based on generally available +information and practices regarding such standards and may assist with +remediations, but actual compliance is your responsibility. You are required to +work with an authorized auditor to achieve compliance with a standard. For the +latest updates, see the +xref:../../security/compliance_operator/compliance-operator-release-notes.adoc#compliance-operator-release-notes[Compliance +Operator release notes] [discrete] ==== Compliance Operator concepts @@ -47,4 +56,4 @@ xref:../../security/compliance_operator/co-scans/compliance-operator-advanced.ad xref:../../security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc#compliance-operator-troubleshooting[Troubleshooting the Compliance Operator] -xref:../../security/compliance_operator/co-scans/oc-compliance-plug-in-using.adoc#using-oc-compliance-plug-in[Using the oc-compliance plugin] \ No newline at end of file +xref:../../security/compliance_operator/co-scans/oc-compliance-plug-in-using.adoc#using-oc-compliance-plug-in[Using the oc-compliance plugin] diff --git a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc index 2ec6ad5bc4..710ff5b440 100644 --- a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc +++ b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc @@ -4,7 +4,16 @@ include::_attributes/common-attributes.adoc[] :context: compliance-operator-supported-profiles -There are several profiles available as part of the Compliance Operator (CO) installation. While you can use the following profiles to assess gaps in a cluster, usage alone does not infer or guarantee compliance with a particular profile. +There are several profiles available as part of the Compliance Operator (CO) +installation. While you can use the following profiles to assess gaps in a +cluster, usage alone does not infer or guarantee compliance with a particular +profile and is not an auditor. + +In order to be compliant or certified under these various standards, you need +to engage an authorized auditor such as a Qualified Security Assessor (QSA), +Joint Authorization Board (JAB), or other industry recognized regulatory +authority to assess your environment. You are required to work with an +authorized auditor to achieve compliance with a standard. [IMPORTANT] @@ -18,4 +27,4 @@ include::modules/compliance-supported-profiles.adoc[leveloffset=+1] [role="_additional-resources"] == Additional resources -* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.html#compliance_profile_types_understanding-compliance[Compliance Operator profile types] \ No newline at end of file +* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance_profile_types_understanding-compliance[Compliance Operator profile types]