openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
1cb5779a356c40a556a99a0349526d36ec9fca35
openshift-docs/modules/compliance-objects.adoc

41 lines
2.1 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * security/compliance_operator/co-scans/compliance-operator-advanced.adoc
[id="compliance-objects_{context}"]
= Using the ComplianceSuite and ComplianceScan objects directly
While it is recommended that users take advantage of the `ScanSetting` and `ScanSettingBinding` objects to define the suites and scans, there are valid use cases to define the `ComplianceSuite` objects directly:
* Specifying only a single rule to scan. This can be useful for debugging together with the `debug: true` attribute which increases the OpenSCAP scanner verbosity, as the debug mode tends to get quite verbose otherwise. Limiting the test to one rule helps to lower the amount of debug information.
* Providing a custom nodeSelector. In order for a remediation to be applicable, the nodeSelector must match a pool.
* Pointing the Scan to a bespoke config map with a tailoring file.
* For testing or development when the overhead of parsing profiles from bundles is not required.
The following example shows a `ComplianceSuite` that scans the worker machines with only a single rule:
[source,yaml]
----
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
name: workers-compliancesuite
spec:
scans:
- name: workers-scan
profile: xccdf_org.ssgproject.content_profile_moderate
content: ssg-rhcos4-ds.xml
contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45dc...
debug: true
rule: xccdf_org.ssgproject.content_rule_no_direct_root_logins
nodeSelector:
node-role.kubernetes.io/worker: ""
----
The `ComplianceSuite` object and the `ComplianceScan` objects referred to above specify several attributes in a format that OpenSCAP expects.
To find out the profile, content, or rule values, you can start by creating a similar Suite from `ScanSetting` and `ScanSettingBinding` or inspect the objects parsed from the `ProfileBundle` objects like rules or profiles. Those objects contain the `xccdf_org` identifiers you can use to refer to them from a `ComplianceSuite`.
View Git Blame Copy Permalink