Tailoring the Compliance Operator - Compliance Operator | Security and compliance

While the Compliance Operator comes with ready-to-use profiles, they must be modified in order to fit the organizations’ needs and requirements. The process of modifying a profile is called tailoring.

The Compliance Operator provides an object to easily tailor profiles called a TailoredProfile. This assumes that you are extending a pre-existing profile, and allows you to enable and disable rules and values which come from the ProfileBundle.

You will only be able to use rules and variables that are available as part of the ProfileBundle that the Profile you want to extend belongs to.

Using tailored profiles

While the TailoredProfile CR enables the most common tailoring operations, the XCCDF standard allows even more flexibility in tailoring OpenSCAP profiles. In addition, if your organization has been using OpenScap previously, you may have an existing XCCDF tailoring file and can reuse it.

The ComplianceSuite object contains an optional TailoringConfigMap attribute that you can point to a custom tailoring file. The value of the TailoringConfigMap attribute is a name of a ConfigMap, which must contain a key called tailoring.xml and the value of this key is the tailoring contents.

Procedure

Browse the available rules for the Fedora CoreOS (FCOS) ProfileBundle:

$ oc get rules.compliance -l compliance.openshift.io/profile-bundle=rhcos4

Browse the available variables in the same ProfileBundle:

$ oc get variables.compliance -l compliance.openshift.io/profile-bundle=rhcos4

Choose which rules you want to add to the TailoredProfile. This TailoredProfile example disables two rules and changes one value. Use the rationale value to describe why these changes were made:

Example output

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: nist-moderate-modified
spec:
  extends: rhcos4-moderate
  title: My modified NIST moderate profile
  disableRules:
  - name: rhcos4-file-permissions-node-config
    rationale: This breaks X application.
  - name: rhcos4-account-disable-post-pw-expiration
    rationale: No need to check this as it comes from the IdP
  setValues:
  - name: rhcos4-var-selinux-state
    rationale: Organizational requirements
    value: permissive

Add the profile to the ScanSettingsBinding object:

$ cat nist-moderate-modified.yaml

Example output

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: nist-moderate-modified
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-moderate
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: nist-moderate-modified
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default

Create the TailoredProfile:

$ oc create -n <namespace> -f <file-name>.yaml

Example output

scansettingbinding.compliance.openshift.io/nist-moderate-modified created