Merge pull request #41597 from kmccarron-rh/AvailProfiles

ahardin-rh · web-flow · commit 4bb5f79d35aa · 2022-02-15T10:36:32.000-05:00
OSDOCS-3262: Update Understanding the Compliance Operator with the latest information
diff --git a/modules/compliance-profiles.adoc b/modules/compliance-profiles.adoc
@@ -5,36 +5,56 @@
 [id="compliance_profiles_{context}"]
 = Compliance Operator profiles
 
-There are several profiles available as part of the Compliance Operator installation.
-
-View the available profiles:
+There are several profiles available as part of the Compliance Operator installation. You can use the `oc get` command to view available profiles, profile details, and specific rules.
 
+* View the available profiles:
++
 [source,terminal]
 ----
 $ oc get -n <namespace> profiles.compliance
 ----
-
++
+This example displays the profiles in the default `openshift-compliance` namespace:
++
+[source,terminal]
+----
+$ oc get -n openshift-compliance profiles.compliance
+----
++
 .Example output
 [source,terminal]
 ----
-NAME              AGE
-ocp4-cis          4h52m
-ocp4-cis-node     4h52m
-ocp4-e8           4h52m
-ocp4-moderate     4h52m
-rhcos4-e8         4h52m
-rhcos4-moderate   4h52m
+NAME                 AGE
+ocp4-cis             32m
+ocp4-cis-node        32m
+ocp4-e8              32m
+ocp4-moderate        32m
+ocp4-moderate-node   32m
+ocp4-nerc-cip        32m
+ocp4-nerc-cip-node   32m
+ocp4-pci-dss         32m
+ocp4-pci-dss-node    32m
+rhcos4-e8            32m
+rhcos4-moderate      32m
+rhcos4-nerc-cip      32m
 ----
++
+These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. `ocp4-e8` applies the Essential 8 benchmark to the {product-title} product, while `rhcos4-e8` applies the Essential 8 benchmark to the {op-system-first} product.
 
-These profiles represent different compliance benchmarks.
-
-View the details of a profile:
-
+* View the details of a profile:
++
 [source,terminal]
 ----
 $ oc get -n <namespace> -oyaml profiles.compliance <profile name>
 ----
-
++
+This example displays the details of the `rhcos4-e8` profile:
++
+[source,terminal]
+----
+$ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8
+----
++
 .Example output
 [source,yaml]
 ----
@@ -45,113 +65,133 @@ description: |-
   Cyber Security Centre (ACSC) Essential Eight.
   A copy of the Essential Eight in Linux Environments guide can
   be found at the ACSC website: ...
-id: xccdf_org.ssgproject.content_profile_e8
-kind: Profile
-metadata:
-  annotations:
-    compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
-    compliance.openshift.io/product-type: Node
-    creationTimestamp: "2020-09-07T11:42:51Z"
-    generation: 1
-  labels:
-    compliance.openshift.io/profile-bundle: rhcos4
-  name: rhcos4-e8
-  namespace: openshift-compliance
-rules:
-- rhcos4-accounts-no-uid-except-zero
-- rhcos4-audit-rules-dac-modification-chmod
-- rhcos4-audit-rules-dac-modification-chown
-- rhcos4-audit-rules-execution-chcon
-- rhcos4-audit-rules-execution-restorecon
-- rhcos4-audit-rules-execution-semanage
-- rhcos4-audit-rules-execution-setfiles
-- rhcos4-audit-rules-execution-setsebool
-- rhcos4-audit-rules-execution-seunshare
-- rhcos4-audit-rules-kernel-module-loading
-- rhcos4-audit-rules-login-events
-- rhcos4-audit-rules-login-events-faillock
-- rhcos4-audit-rules-login-events-lastlog
-- rhcos4-audit-rules-login-events-tallylog
-- rhcos4-audit-rules-networkconfig-modification
-- rhcos4-audit-rules-sysadmin-actions
-- rhcos4-audit-rules-time-adjtimex
-- rhcos4-audit-rules-time-clock-settime
-- rhcos4-audit-rules-time-settimeofday
-- rhcos4-audit-rules-time-stime
-- rhcos4-audit-rules-time-watch-localtime
-- rhcos4-audit-rules-usergroup-modification
-- rhcos4-auditd-data-retention-flush
-- rhcos4-auditd-freq
-- rhcos4-auditd-local-events
-- rhcos4-auditd-log-format
-- rhcos4-auditd-name-format
-- rhcos4-auditd-write-logs
-- rhcos4-configure-crypto-policy
-- rhcos4-configure-ssh-crypto-policy
-- rhcos4-no-empty-passwords
-- rhcos4-selinux-policytype
-- rhcos4-selinux-state
-- rhcos4-service-auditd-enabled
-- rhcos4-sshd-disable-empty-passwords
-- rhcos4-sshd-disable-gssapi-auth
-- rhcos4-sshd-disable-rhosts
-- rhcos4-sshd-disable-root-login
-- rhcos4-sshd-disable-user-known-hosts
-- rhcos4-sshd-do-not-permit-user-env
-- rhcos4-sshd-enable-strictmodes
-- rhcos4-sshd-print-last-log
-- rhcos4-sshd-set-loglevel-info
-- rhcos4-sshd-use-priv-separation
-- rhcos4-sysctl-kernel-dmesg-restrict
-- rhcos4-sysctl-kernel-kexec-load-disabled
-- rhcos4-sysctl-kernel-kptr-restrict
-- rhcos4-sysctl-kernel-randomize-va-space
-- rhcos4-sysctl-kernel-unprivileged-bpf-disabled
-- rhcos4-sysctl-kernel-yama-ptrace-scope
-- rhcos4-sysctl-net-core-bpf-jit-harden
-title: Australian Cyber Security Centre (ACSC) Essential Eight
+  id: xccdf_org.ssgproject.content_profile_e8
+  kind: Profile
+  metadata:
+    annotations:
+      compliance.openshift.io/image-digest: pb-rhcos426smj
+      compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
+      compliance.openshift.io/product-type: Node
+    labels:
+      compliance.openshift.io/profile-bundle: rhcos4
+    name: rhcos4-e8
+    namespace: openshift-compliance
+    ownerReferences:
+    - apiVersion: compliance.openshift.io/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ProfileBundle
+      name: rhcos4
+  rules:
+  - rhcos4-accounts-no-uid-except-zero
+  - rhcos4-audit-rules-dac-modification-chmod
+  - rhcos4-audit-rules-dac-modification-chown
+  - rhcos4-audit-rules-execution-chcon
+  - rhcos4-audit-rules-execution-restorecon
+  - rhcos4-audit-rules-execution-semanage
+  - rhcos4-audit-rules-execution-setfiles
+  - rhcos4-audit-rules-execution-setsebool
+  - rhcos4-audit-rules-execution-seunshare
+  - rhcos4-audit-rules-kernel-module-loading-delete
+  - rhcos4-audit-rules-kernel-module-loading-finit
+  - rhcos4-audit-rules-kernel-module-loading-init
+  - rhcos4-audit-rules-login-events
+  - rhcos4-audit-rules-login-events-faillock
+  - rhcos4-audit-rules-login-events-lastlog
+  - rhcos4-audit-rules-login-events-tallylog
+  - rhcos4-audit-rules-networkconfig-modification
+  - rhcos4-audit-rules-sysadmin-actions
+  - rhcos4-audit-rules-time-adjtimex
+  - rhcos4-audit-rules-time-clock-settime
+  - rhcos4-audit-rules-time-settimeofday
+  - rhcos4-audit-rules-time-stime
+  - rhcos4-audit-rules-time-watch-localtime
+  - rhcos4-audit-rules-usergroup-modification
+  - rhcos4-auditd-data-retention-flush
+  - rhcos4-auditd-freq
+  - rhcos4-auditd-local-events
+  - rhcos4-auditd-log-format
+  - rhcos4-auditd-name-format
+  - rhcos4-auditd-write-logs
+  - rhcos4-configure-crypto-policy
+  - rhcos4-configure-ssh-crypto-policy
+  - rhcos4-no-empty-passwords
+  - rhcos4-selinux-policytype
+  - rhcos4-selinux-state
+  - rhcos4-service-auditd-enabled
+  - rhcos4-sshd-disable-empty-passwords
+  - rhcos4-sshd-disable-gssapi-auth
+  - rhcos4-sshd-disable-rhosts
+  - rhcos4-sshd-disable-root-login
+  - rhcos4-sshd-disable-user-known-hosts
+  - rhcos4-sshd-do-not-permit-user-env
+  - rhcos4-sshd-enable-strictmodes
+  - rhcos4-sshd-print-last-log
+  - rhcos4-sshd-set-loglevel-info
+  - rhcos4-sysctl-kernel-dmesg-restrict
+  - rhcos4-sysctl-kernel-kptr-restrict
+  - rhcos4-sysctl-kernel-randomize-va-space
+  - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
+  - rhcos4-sysctl-kernel-yama-ptrace-scope
+  - rhcos4-sysctl-net-core-bpf-jit-harden
+  title: Australian Cyber Security Centre (ACSC) Essential Eight
 ----
 
-View the rules within a desired profile:
-
+* View the rules within a desired profile:
++
 [source,terminal]
 ----
 $ oc get -n <namespace> -oyaml rules.compliance <rule_name>
 ----
-
++
+This example displays the `rhcos4-audit-rules-login-events` rule in the `rhcos4` profile:
++
+[source,terminal]
+----
+$ oc get -n openshift-compliance -oyaml rules.compliance rhcos4-audit-rules-login-events
+----
++
 .Example output
 [source,yaml]
 ----
-apiVersion: compliance.openshift.io/v1alpha1
-description: '<code>auditd</code><code>augenrules</code><code>.rules</code><code>/etc/audit/rules.d</code><pre>-w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins</pre><code>auditd</code><code>auditctl</code><code>/etc/audit/audit.rules</code><pre>-w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins</pre>file in order to watch for unattempted manual edits of files involved in storing logon events:'
-id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
-kind: Rule
-metadata:
-  annotations:
-    compliance.openshift.io/rule: audit-rules-login-events
-    control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
-    policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
-    policies.open-cluster-management.io/standards: NIST-800-53
-    creationTimestamp: "2020-09-07T11:43:03Z"
-    generation: 1
-  labels:
-    compliance.openshift.io/profile-bundle: rhcos4
-  name: rhcos4-audit-rules-login-events
-  namespace: openshift-compliance
-  rationale: |-
-    Manual editing of these files may indicate nefarious activity,
-    such as an attacker attempting to remove evidence of an
-    intrusion.
+  apiVersion: compliance.openshift.io/v1alpha1
+  checkType: Node
+  description: |-
+    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix.rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
+
+    -w /var/log/tallylog -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
+    -w /var/log/lastlog -p wa -k logins
+
+    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
+
+    -w /var/log/tallylog -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
+    -w /var/log/lastlog -p wa -k logins
+  id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
+  kind: Rule
+  metadata:
+    annotations:
+      compliance.openshift.io/image-digest: pb-rhcos426smj
+      compliance.openshift.io/rule: audit-rules-login-events
+      control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
+      control.compliance.openshift.io/PCI-DSS: Req-10.2.3
+      policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
+      policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
+    labels:
+      compliance.openshift.io/profile-bundle: rhcos4
+    name: rhcos4-audit-rules-login-events
+    namespace: openshift-compliance
+    ownerReferences:
+    - apiVersion: compliance.openshift.io/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ProfileBundle
+      name: rhcos4
+  rationale: Manual editing of these files may indicate nefarious activity, such as
+    an attacker attempting to remove evidence of an intrusion.
   severity: medium
   title: Record Attempts to Alter Logon and Logout Events
-  warning: |-
-    <ul><li><code>audit_rules_login_events_tallylog</code></li>
-    <li><code>audit_rules_login_events_faillock</code></li>
-    <li><code>audit_rules_login_events_lastlog</code></li></ul>
-    This rule checks for multiple syscalls related to login
-    events and was written with DISA STIG in mind.
-    Other policies should use separate rule for
-    each syscall that needs to be checked.
+  warning: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
 ----
 
-Each profile has the product name that it applies to added as a prefix to the profile's name. `ocp4-e8` applies the Essential 8 benchmark to the {product-title} product, while `rhcos4-e8` applies the Essential 8 benchmark to the {op-system-first} product.
