There are several profiles available as part of the Compliance Operator (CO) installation. While you can use the following profiles to assess gaps in a cluster, usage alone does not imply or guarantee compliance with a particular profile. The Compliance Operator is not an auditor.

In order to be compliant or certified under these various standards, you need to engage an authorized auditor such as a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other industry recognized regulatory authority to assess your environment. You are required to work with an authorized auditor to achieve compliance with a standard.

For more information on compliance support for all Red Hat products, see Product Compliance.

The Compliance Operator might report incorrect results on some managed platforms, such as OpenShift Dedicated and Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418.

Compliance profiles

The Compliance Operator provides profiles to meet industry standard benchmarks.

The following tables reflect the latest available profiles in the Compliance Operator.

CIS compliance profiles

Table 1. Supported CIS compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-cis [1] | CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 | Platform | CIS Benchmarks ™ [1] | x86_64 ppc64le s390x | |
| ocp4-cis-1-4 [3] | CIS Red Hat OpenShift Container Platform Benchmark v1.4.0 | Platform | CIS Benchmarks ™ [4] | x86_64 ppc64le s390x | |
| ocp4-cis-1-5 | CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 | Platform | CIS Benchmarks ™ [4] | x86_64 ppc64le s390x | |
| ocp4-cis-node [1] | CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 | Node [2] | CIS Benchmarks ™ [4] | x86_64 ppc64le s390x | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-cis-node-1-4 [3] | CIS Red Hat OpenShift Container Platform Benchmark v1.4.0 | Node [2] | CIS Benchmarks ™ [4] | x86_64 ppc64le s390x | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-cis-node-1-5 | CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 | Node [2] | CIS Benchmarks ™ [4] | x86_64 ppc64le s390x | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

  1. The ocp4-cis and ocp4-cis-node profiles maintain the most up-to-date version of the CIS benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as CIS v1.4.0, use the ocp4-cis-1-4 and ocp4-cis-node-1-4 profiles.

  2. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

  3. CIS v1.4.0 is superseded by CIS v1.5.0. It is recommended to apply the latest profile to your environment.

  4. To locate the CIS OKD v4 Benchmark, go to CIS Benchmarks and click Download Latest CIS Benchmark, where you can then register to download the benchmark.

Essential Eight compliance profiles

Table 2. Supported Essential Eight compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Platform | ACSC Hardening Linux Workstations and Servers | x86_64 | |
| rhcos4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Node | ACSC Hardening Linux Workstations and Servers | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

FedRAMP High compliance profiles

Table 3. Supported FedRAMP High compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-high [1] | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level | Platform | NIST SP-800-53 Release Search | x86_64 | |
| ocp4-high-node [1] | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | NIST SP-800-53 Release Search | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-high-node-rev-4 | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | NIST SP-800-53 Release Search | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-high-rev-4 | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level | Platform | NIST SP-800-53 Release Search | x86_64 | |
| rhcos4-high [1] | NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | NIST SP-800-53 Release Search | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-high-rev-4 | NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | NIST SP-800-53 Release Search | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

  1. The ocp4-high, ocp4-high-node and rhcos4-high profiles maintain the most up-to-date version of the FedRAMP High standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as FedRAMP High R4, use the ocp4-high-rev-4 and ocp4-high-node-rev-4 profiles.

  2. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

FedRAMP Moderate compliance profiles

Table 4. Supported FedRAMP Moderate compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-moderate [1] | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level | Platform | NIST SP-800-53 Release Search | x86_64 ppc64le s390x | |
| ocp4-moderate-node [1] | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | NIST SP-800-53 Release Search | x86_64 ppc64le s390x | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-moderate-node-rev-4 | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | NIST SP-800-53 Release Search | x86_64 ppc64le s390x | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-moderate-rev-4 | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level | Platform | NIST SP-800-53 Release Search | x86_64 ppc64le s390x | |
| rhcos4-moderate [1] | NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | NIST SP-800-53 Release Search | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-moderate-rev-4 | NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | NIST SP-800-53 Release Search | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

  1. The ocp4-moderate, ocp4-moderate-node and rhcos4-moderate profiles maintain the most up-to-date version of the FedRAMP Moderate standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as FedRAMP Moderate R4, use the ocp4-moderate-rev-4 and ocp4-moderate-node-rev-4 profiles.

  2. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

NERC-CIP compliance profiles

Table 5. Supported NERC-CIP compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the OKD - Platform level | Platform | NERC CIP Standards | x86_64 | |
| ocp4-nerc-cip-node | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the OKD - Node level | Node [1] | NERC CIP Standards | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS | Node | NERC CIP Standards | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

  1. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

PCI-DSS compliance profiles

Table 6. Supported PCI-DSS compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-pci-dss [1] | PCI-DSS v4 Control Baseline for OKD 4 | Platform | PCI Security Standards ® Council Document Library | x86_64 | |
| ocp4-pci-dss-3-2 [3] | PCI-DSS v3.2.1 Control Baseline for OKD 4 | Platform | PCI Security Standards ® Council Document Library | x86_64 | |
| ocp4-pci-dss-4-0 | PCI-DSS v4 Control Baseline for OKD 4 | Platform | PCI Security Standards ® Council Document Library | x86_64 | |
| ocp4-pci-dss-node [1] | PCI-DSS v4 Control Baseline for OKD 4 | Node [2] | PCI Security Standards ® Council Document Library | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-pci-dss-node-3-2 [3] | PCI-DSS v3.2.1 Control Baseline for OKD 4 | Node [2] | PCI Security Standards ® Council Document Library | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-pci-dss-node-4-0 | PCI-DSS v4 Control Baseline for OKD 4 | Node [2] | PCI Security Standards ® Council Document Library | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

  1. The ocp4-pci-dss and ocp4-pci-dss-node profiles maintain the most up-to-date version of the PCI-DSS standard as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as PCI-DSS v3.2.1, use the ocp4-pci-dss-3-2 and ocp4-pci-dss-node-3-2 profiles.

  2. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

  3. PCI-DSS v3.2.1 is superseded by PCI-DSS v4. It is recommended to apply the latest profile to your environment.

STIG compliance profiles

Table 7. Supported STIG compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-stig [1] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Platform | DISA-STIG | x86_64 | |
| ocp4-stig-node [1] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Node [2] | DISA-STIG | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-stig-node-v1r1 [3] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 | Node [2] | DISA-STIG | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-stig-node-v2r1 | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 | Node [2] | DISA-STIG | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-stig-v1r1 [3] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 | Platform | DISA-STIG | x86_64 | |
| ocp4-stig-v2r1 | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 | Platform | DISA-STIG | x86_64 | |
| rhcos4-stig | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift | Node | DISA-STIG | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-stig-v1r1 [3] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 | Node | DISA-STIG [3] | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-stig-v2r1 | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 | Node | DISA-STIG | x86_64 | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

  1. The ocp4-stig, ocp4-stig-node and rhcos4-stig profiles maintain the most up-to-date version of the DISA-STIG benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as DISA-STIG V2R1, use the ocp4-stig-v2r1 and ocp4-stig-node-v2r1 profiles.

  2. Node profiles must be used with the relevant Platform profile. For more information, see Compliance Operator profile types.

  3. DISA-STIG V1R1 is superseded by DISA-STIG V2R1. It is recommended to apply the latest profile to your environment.

About extended compliance profiles

Some compliance profiles have controls that require following industry best practices, resulting in some profiles extending others. Combining the Center for Internet Security (CIS) best practices with National Institute of Standards and Technology (NIST) security frameworks establishes a path to a secure and compliant environment.

For example, the NIST High-Impact and Moderate-Impact profiles extend the CIS profile to achieve compliance. As a result, extended compliance profiles eliminate the need to run both profiles in a single cluster.

Table 8. Profile extensions
| Profile | Extends |
|---|---|
| ocp4-pci-dss | ocp4-cis |
| ocp4-pci-dss-node | ocp4-cis-node |
| ocp4-high | ocp4-cis |
| ocp4-high-node | ocp4-cis-node |
| ocp4-moderate | ocp4-cis |
| ocp4-moderate-node | ocp4-cis-node |
| ocp4-nerc-cip | ocp4-moderate |
| ocp4-nerc-cip-node | ocp4-moderate-node |
