
Several profiles are available as part of the Compliance Operator (CO) installation. You can use the following profiles to assess gaps in a cluster, but using them does not by itself imply or guarantee compliance with a particular profile.

The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418.

Compliance profiles

The Compliance Operator provides the following compliance profiles:

Table 1. Supported compliance profiles

| Profile | Profile title | Application | Compliance Operator version | Industry compliance benchmark | Supported architectures |
|---|---|---|---|---|---|
| rhcos4-stig | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Node | 1.3.0+ | DISA-STIG [1] | x86_64 |
| ocp4-stig-node | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Node | 1.3.0+ | DISA-STIG [1] | x86_64 |
| ocp4-stig | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Platform | 1.3.0+ | DISA-STIG [1] | x86_64 |
| ocp4-cis | CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0 | Platform | 1.2.0+ | CIS Benchmarks™ [1] | x86_64, ppc64le, s390x |
| ocp4-cis-node | CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0 | Node [2] | 1.2.0+ | CIS Benchmarks™ [1] | x86_64, ppc64le, s390x |
| ocp4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Platform | 0.1.39+ | ACSC Hardening Linux Workstations and Servers | x86_64 |
| ocp4-moderate | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level | Platform | 0.1.39+ | NIST SP-800-53 Release Search | x86_64, ppc64le, s390x |
| rhcos4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Node | 0.1.39+ | ACSC Hardening Linux Workstations and Servers | x86_64 |
| rhcos4-moderate | NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | 0.1.39+ | NIST SP-800-53 Release Search | x86_64 |
| ocp4-moderate-node | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | 0.1.44+ | NIST SP-800-53 Release Search | x86_64, ppc64le, s390x |
| ocp4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level | Platform | 0.1.44+ | NERC CIP Standards | x86_64 |
| ocp4-nerc-cip-node | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level | Node [2] | 0.1.44+ | NERC CIP Standards | x86_64 |
| rhcos4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS | Node | 0.1.44+ | NERC CIP Standards | x86_64 |
| ocp4-pci-dss | PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4 | Platform | 0.1.47+ | PCI Security Standards® Council Document Library | x86_64, ppc64le |
| ocp4-pci-dss-node | PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4 | Node [2] | 0.1.47+ | PCI Security Standards® Council Document Library | x86_64, ppc64le |
| ocp4-high | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level | Platform | 0.1.52+ | NIST SP-800-53 Release Search | x86_64 |
| ocp4-high-node | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | 0.1.52+ | NIST SP-800-53 Release Search | x86_64 |
| rhcos4-high | NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | 0.1.52+ | NIST SP-800-53 Release Search | x86_64 |

  1. To locate the CIS OKD v4 Benchmark, go to CIS Benchmarks and click Download Latest CIS Benchmark, where you can then register to download the benchmark.

  2. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

About extended compliance profiles

Some compliance profiles have controls that require following industry best practices, resulting in some profiles extending others. Combining the Center for Internet Security (CIS) best practices with National Institute of Standards and Technology (NIST) security frameworks establishes a path to a secure and compliant environment.

For example, the NIST High-Impact and Moderate-Impact profiles extend the CIS profile to achieve compliance. As a result, extended compliance profiles eliminate the need to run both profiles in a single cluster.

Table 2. Profile extensions

| Profile | Extends |
|---|---|
| ocp4-pci-dss | ocp4-cis |
| ocp4-pci-dss-node | ocp4-cis-node |
| ocp4-high | ocp4-cis |
| ocp4-high-node | ocp4-cis-node |
| ocp4-moderate | ocp4-cis |
| ocp4-moderate-node | ocp4-cis-node |
| ocp4-nerc-cip | ocp4-moderate |
| ocp4-nerc-cip-node | ocp4-moderate-node |
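The following is an added example, not part of the Compliance Operator or its documentation: a small Python check that reviews a planned list of profiles against Table 2 and footnote 2 of Table 1, reporting profiles made redundant by a profile that extends them and node profiles selected without their platform profile. It assumes that extension is transitive (ocp4-nerc-cip extends ocp4-moderate, which extends ocp4-cis) and that the "relevant" platform profile is the node profile's name without the -node suffix; the function names are hypothetical.

```python
# Table 2 of this page: profile -> the profile it extends.
EXTENDS = {
    "ocp4-pci-dss": "ocp4-cis",
    "ocp4-pci-dss-node": "ocp4-cis-node",
    "ocp4-high": "ocp4-cis",
    "ocp4-high-node": "ocp4-cis-node",
    "ocp4-moderate": "ocp4-cis",
    "ocp4-moderate-node": "ocp4-cis-node",
    "ocp4-nerc-cip": "ocp4-moderate",
    "ocp4-nerc-cip-node": "ocp4-moderate-node",
}

# Table 1 rows marked with footnote 2: node profiles that must be used
# together with a platform profile.
PAIRED_NODE = {
    "ocp4-cis-node", "ocp4-moderate-node", "ocp4-nerc-cip-node",
    "ocp4-pci-dss-node", "ocp4-high-node",
}


def ancestors(profile):
    """Profiles reached by following Table 2 (assumed transitive)."""
    chain = []
    while profile in EXTENDS:
        profile = EXTENDS[profile]
        chain.append(profile)
    return chain


def review_selection(selected):
    """Return (redundant, missing) for a list of profile names.

    redundant: selected profile -> another selected profile that extends it.
    missing:   platform profiles required by footnote 2 but not selected.
    """
    chosen = set(selected)
    redundant = {}
    for p in sorted(chosen):
        for base in ancestors(p):
            if base in chosen:
                redundant.setdefault(base, p)
    # Assumption: the platform profile is the node profile minus "-node".
    needed = {p[: -len("-node")] for p in chosen if p in PAIRED_NODE}
    return redundant, sorted(needed - chosen)
```

Run it over the profile names you intend to bind before creating the scan; an empty dictionary and an empty list mean the selection has no overlap and no unpaired node profile under the stated assumptions.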

Additional resources