mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
217 lines
8.2 KiB
Plaintext
217 lines
8.2 KiB
Plaintext
// Module included in the following assemblies:
|
||
//
|
||
// * security/compliance_operator/co-concepts/compliance-operator-understanding.adoc
|
||
|
||
:_mod-docs-content-type: CONCEPT
|
||
[id="compliance_profiles_{context}"]
|
||
= Compliance Operator profiles
|
||
|
||
There are several profiles available as part of the Compliance Operator installation. You can use the `oc get` command to view available profiles, profile details, and specific rules.
|
||
|
||
* View the available profiles:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc get profile.compliance -n openshift-compliance
|
||
----
|
||
+
|
||
.Example output
|
||
[source,terminal]
|
||
----
|
||
NAME AGE VERSION
|
||
ocp4-cis 3h49m 1.5.0
|
||
ocp4-cis-1-4 3h49m 1.4.0
|
||
ocp4-cis-1-5 3h49m 1.5.0
|
||
ocp4-cis-node 3h49m 1.5.0
|
||
ocp4-cis-node-1-4 3h49m 1.4.0
|
||
ocp4-cis-node-1-5 3h49m 1.5.0
|
||
ocp4-e8 3h49m
|
||
ocp4-high 3h49m Revision 4
|
||
ocp4-high-node 3h49m Revision 4
|
||
ocp4-high-node-rev-4 3h49m Revision 4
|
||
ocp4-high-rev-4 3h49m Revision 4
|
||
ocp4-moderate 3h49m Revision 4
|
||
ocp4-moderate-node 3h49m Revision 4
|
||
ocp4-moderate-node-rev-4 3h49m Revision 4
|
||
ocp4-moderate-rev-4 3h49m Revision 4
|
||
ocp4-nerc-cip 3h49m
|
||
ocp4-nerc-cip-node 3h49m
|
||
ocp4-pci-dss 3h49m 3.2.1
|
||
ocp4-pci-dss-3-2 3h49m 3.2.1
|
||
ocp4-pci-dss-4-0 3h49m 4.0.0
|
||
ocp4-pci-dss-node 3h49m 3.2.1
|
||
ocp4-pci-dss-node-3-2 3h49m 3.2.1
|
||
ocp4-pci-dss-node-4-0 3h49m 4.0.0
|
||
ocp4-stig 3h49m V2R1
|
||
ocp4-stig-node 3h49m V2R1
|
||
ocp4-stig-node-v1r1 3h49m V1R1
|
||
ocp4-stig-node-v2r1 3h49m V2R1
|
||
ocp4-stig-v1r1 3h49m V1R1
|
||
ocp4-stig-v2r1 3h49m V2R1
|
||
rhcos4-e8 3h49m
|
||
rhcos4-high 3h49m Revision 4
|
||
rhcos4-high-rev-4 3h49m Revision 4
|
||
rhcos4-moderate 3h49m Revision 4
|
||
rhcos4-moderate-rev-4 3h49m Revision 4
|
||
rhcos4-nerc-cip 3h49m
|
||
rhcos4-stig 3h49m V2R1
|
||
rhcos4-stig-v1r1 3h49m V1R1
|
||
rhcos4-stig-v2r1 3h49m V2R1
|
||
----
|
||
+
|
||
These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. `ocp4-e8` applies the Essential 8 benchmark to the {product-title} product, while `rhcos4-e8` applies the Essential 8 benchmark to the {op-system-first} product.
|
||
|
||
* Run the following command to view the details of the `rhcos4-e8` profile:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8
|
||
----
|
||
+
|
||
.Example output
|
||
[%collapsible]
|
||
====
|
||
[source,yaml]
|
||
----
|
||
apiVersion: compliance.openshift.io/v1alpha1
|
||
description: 'This profile contains configuration checks for Red Hat Enterprise Linux
|
||
CoreOS that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
|
||
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
|
||
website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers'
|
||
id: xccdf_org.ssgproject.content_profile_e8
|
||
kind: Profile
|
||
metadata:
|
||
annotations:
|
||
compliance.openshift.io/image-digest: pb-rhcos4hrdkm
|
||
compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
|
||
compliance.openshift.io/product-type: Node
|
||
creationTimestamp: "2022-10-19T12:06:49Z"
|
||
generation: 1
|
||
labels:
|
||
compliance.openshift.io/profile-bundle: rhcos4
|
||
name: rhcos4-e8
|
||
namespace: openshift-compliance
|
||
ownerReferences:
|
||
- apiVersion: compliance.openshift.io/v1alpha1
|
||
blockOwnerDeletion: true
|
||
controller: true
|
||
kind: ProfileBundle
|
||
name: rhcos4
|
||
uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
|
||
resourceVersion: "43699"
|
||
uid: 86353f70-28f7-40b4-bf0e-6289ec33675b
|
||
rules:
|
||
- rhcos4-accounts-no-uid-except-zero
|
||
- rhcos4-audit-rules-dac-modification-chmod
|
||
- rhcos4-audit-rules-dac-modification-chown
|
||
- rhcos4-audit-rules-execution-chcon
|
||
- rhcos4-audit-rules-execution-restorecon
|
||
- rhcos4-audit-rules-execution-semanage
|
||
- rhcos4-audit-rules-execution-setfiles
|
||
- rhcos4-audit-rules-execution-setsebool
|
||
- rhcos4-audit-rules-execution-seunshare
|
||
- rhcos4-audit-rules-kernel-module-loading-delete
|
||
- rhcos4-audit-rules-kernel-module-loading-finit
|
||
- rhcos4-audit-rules-kernel-module-loading-init
|
||
- rhcos4-audit-rules-login-events
|
||
- rhcos4-audit-rules-login-events-faillock
|
||
- rhcos4-audit-rules-login-events-lastlog
|
||
- rhcos4-audit-rules-login-events-tallylog
|
||
- rhcos4-audit-rules-networkconfig-modification
|
||
- rhcos4-audit-rules-sysadmin-actions
|
||
- rhcos4-audit-rules-time-adjtimex
|
||
- rhcos4-audit-rules-time-clock-settime
|
||
- rhcos4-audit-rules-time-settimeofday
|
||
- rhcos4-audit-rules-time-stime
|
||
- rhcos4-audit-rules-time-watch-localtime
|
||
- rhcos4-audit-rules-usergroup-modification
|
||
- rhcos4-auditd-data-retention-flush
|
||
- rhcos4-auditd-freq
|
||
- rhcos4-auditd-local-events
|
||
- rhcos4-auditd-log-format
|
||
- rhcos4-auditd-name-format
|
||
- rhcos4-auditd-write-logs
|
||
- rhcos4-configure-crypto-policy
|
||
- rhcos4-configure-ssh-crypto-policy
|
||
- rhcos4-no-empty-passwords
|
||
- rhcos4-selinux-policytype
|
||
- rhcos4-selinux-state
|
||
- rhcos4-service-auditd-enabled
|
||
- rhcos4-sshd-disable-empty-passwords
|
||
- rhcos4-sshd-disable-gssapi-auth
|
||
- rhcos4-sshd-disable-rhosts
|
||
- rhcos4-sshd-disable-root-login
|
||
- rhcos4-sshd-disable-user-known-hosts
|
||
- rhcos4-sshd-do-not-permit-user-env
|
||
- rhcos4-sshd-enable-strictmodes
|
||
- rhcos4-sshd-print-last-log
|
||
- rhcos4-sshd-set-loglevel-info
|
||
- rhcos4-sysctl-kernel-dmesg-restrict
|
||
- rhcos4-sysctl-kernel-kptr-restrict
|
||
- rhcos4-sysctl-kernel-randomize-va-space
|
||
- rhcos4-sysctl-kernel-unprivileged-bpf-disabled
|
||
- rhcos4-sysctl-kernel-yama-ptrace-scope
|
||
- rhcos4-sysctl-net-core-bpf-jit-harden
|
||
title: Australian Cyber Security Centre (ACSC) Essential Eight
|
||
----
|
||
====
|
||
|
||
* Run the following command to view the details of the `rhcos4-audit-rules-login-events` rule:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc get -n openshift-compliance -oyaml rules rhcos4-audit-rules-login-events
|
||
----
|
||
+
|
||
.Example output
|
||
[%collapsible]
|
||
====
|
||
[source,yaml]
|
||
----
|
||
apiVersion: compliance.openshift.io/v1alpha1
|
||
checkType: Node
|
||
description: |-
|
||
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix.rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
|
||
|
||
-w /var/log/tallylog -p wa -k logins
|
||
-w /var/run/faillock -p wa -k logins
|
||
-w /var/log/lastlog -p wa -k logins
|
||
|
||
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
|
||
|
||
-w /var/log/tallylog -p wa -k logins
|
||
-w /var/run/faillock -p wa -k logins
|
||
-w /var/log/lastlog -p wa -k logins
|
||
id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
|
||
kind: Rule
|
||
metadata:
|
||
annotations:
|
||
compliance.openshift.io/image-digest: pb-rhcos4hrdkm
|
||
compliance.openshift.io/rule: audit-rules-login-events
|
||
control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
|
||
control.compliance.openshift.io/PCI-DSS: Req-10.2.3
|
||
policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
|
||
policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
|
||
creationTimestamp: "2022-10-19T12:07:08Z"
|
||
generation: 1
|
||
labels:
|
||
compliance.openshift.io/profile-bundle: rhcos4
|
||
name: rhcos4-audit-rules-login-events
|
||
namespace: openshift-compliance
|
||
ownerReferences:
|
||
- apiVersion: compliance.openshift.io/v1alpha1
|
||
blockOwnerDeletion: true
|
||
controller: true
|
||
kind: ProfileBundle
|
||
name: rhcos4
|
||
uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
|
||
resourceVersion: "44819"
|
||
uid: 75872f1f-3c93-40ca-a69d-44e5438824a4
|
||
rationale: Manual editing of these files may indicate nefarious activity, such as
|
||
an attacker attempting to remove evidence of an intrusion.
|
||
severity: medium
|
||
title: Record Attempts to Alter Logon and Logout Events
|
||
warning: Manual editing of these files may indicate nefarious activity, such as an
|
||
attacker attempting to remove evidence of an intrusion.
|
||
----
|
||
==== |