《OpenShift / RHEL / DevSecOps Summary table of contents 》

The scene that

OpenShift Built in Compliance Operator, Among them, based on CIS Baseline compliance scan . of OpenShift Compliance Operator Function and configuration of 、 Please refer to the following 2 An article ：

• OpenShift 4 - use Compliance Operator Yes OpenShift Conduct a security compliance scan
• OpenShift 4 - use Compliance Operator Fix problems found in compliance inspection

This article introduces how to OpenShift Compliance Operator and RHACS To integrate , So that we can be in RHACS View... In the console OpenShift CIS Baseline compliance scan results .

Integrated configuration

Prepare the environment

1. reference OpenShift 4 - use Compliance Operator Yes OpenShift Conduct a security compliance scan install OpenShift Compliance Operator
2. reference OpenShift Security (2) - install Red Hat Advanced Cluster Security（RHACS） install RHACS Software .
3. visit RHACS Compliance page for , Confirm that there is no
   

Use OpenShift Compliance Operator Conduct CIS Compliance scanning

1. Carry out orders , View supported compliance Profile.

$ oc get profile.compliance -n openshift-compliance
NAME                 AGE
ocp4-cis             4h27m
ocp4-cis-node        4h27m
ocp4-e8              4h27m
ocp4-high            4h27m
ocp4-high-node       4h27m
ocp4-moderate        4h27m
ocp4-moderate-node   4h27m
ocp4-nerc-cip        4h27m
ocp4-nerc-cip-node   4h27m
ocp4-pci-dss         4h27m
ocp4-pci-dss-node    4h27m
rhcos4-e8            4h27m
rhcos4-high          4h27m
rhcos4-moderate      4h27m
rhcos4-nerc-cip      4h27m

2. stay OpenShift Create the following ScanSettingBinding object , It will be called default Of ScanSetting And called ocp4-cis Of Profile binding .

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-scan
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default

3. Execute the command to check the compliance scanning progress .

$ oc get compliancescan ocp4-cis -n openshift-compliance -w
NAME       PHASE     RESULT
ocp4-cis   RUNNING   NOT-AVAILABLE
ocp4-cis   AGGREGATING   NOT-AVAILABLE
ocp4-cis   AGGREGATING   NOT-AVAILABLE
ocp4-cis   DONE          NON-COMPLIANT
$ oc get compliancecheckresult -n openshift-compliance
NAME                                                               STATUS   SEVERITY
ocp4-cis-accounts-restrict-service-account-tokens                  MANUAL   medium
ocp4-cis-accounts-unique-service-account                           MANUAL   medium
ocp4-cis-api-server-admission-control-plugin-alwaysadmit           PASS     medium
ocp4-cis-api-server-admission-control-plugin-alwayspullimages      PASS     high
...

take OpenShift Compliance Operator The scan results are integrated into RHACS Compliance page

1. If ACS Is in Compliance Operator Previously installed , You need to execute the following command to restart OpenShift Of ACS Sensors to see these results .

$ oc delete pods -l app.kubernetes.io/component=sensor -n stackrox

2. stay RHACS Console Compliance Click in the page “SCAN ENVIRONMENT” You can see below ocp4-cis Statistics of compliance scanning results .
   
   
3. Enter into ocp4-cis Scan results , You can view the compliance scanning instructions and results of each item .
   

Reference resources

https://redhat-scholars.github.io/acs-workshop/acs-workshop/08-compliance.html#compliance_operator