diff --git a/modules/compliance-profile-types.adoc b/modules/compliance-profile-types.adoc new file mode 100644 index 000000000000..54b62ff2ca3d --- /dev/null +++ b/modules/compliance-profile-types.adoc @@ -0,0 +1,26 @@ +// Module included in the following assemblies: +// +// * security/compliance_operator/co-concepts/compliance-operator-understanding.adoc +// * security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc + +:_mod-docs-content-type: REFERENCE +[id="compliance_profile_types_{context}"] += Compliance Operator profile types + +Compliance Operator rules are organized into profiles. Profiles can target the Platform or Nodes for {product-title}, and some benchmarks include `rhcos4` Node profiles. + +Platform:: Platform profiles evaluate your {product-title} cluster components. For example, a Platform-level rule can confirm whether APIServer configurations are using strong encryption cyphers. + +Node:: Node profiles evaluate the OpenShift or {op-system} configuration of each host. You can use two Node profiles: `ocp4` Node profiles and `rhcos4` Node profiles. The `ocp4` Node profiles evaluate the OpenShift configuration of each host. For example, they can confirm whether `kubeconfig` files have the correct permissions to meet a compliance standard. The `rhcos4` Node profiles evaluate the {op-system-first} configuration of each host. For example, they can confirm whether the SSHD service is configured to disable password logins. + +[IMPORTANT] +==== +For benchmarks that have Node and Platform profiles, such as PCI-DSS, you must run both profiles in your {product-title} environment. + +For benchmarks that have `ocp4` Platform, `ocp4` Node, and `rhcos4` Node profiles, such as FedRAMP High, you must run all three profiles in your {product-title} environment. +==== + +[NOTE] +==== +In a cluster with many Nodes, both `ocp4` Node and `rhcos4` Node scans might take a long time to complete. +==== \ No newline at end of file 
diff --git a/modules/compliance-profiles.adoc b/modules/compliance-profiles.adoc index 73bedaf65ba1..b75e7717df73 100644 --- a/modules/compliance-profiles.adoc +++ b/modules/compliance-profiles.adoc @@ -214,18 +214,4 @@ title: Record Attempts to Alter Logon and Logout Events warning: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. ---- -==== - -[id="compliance_profile_types_{context}"] -== Compliance Operator profile types - -There are two types of compliance profiles available: Platform and Node. - -Platform:: Platform scans target your {product-title} cluster. - -Node:: Node scans target the nodes of the cluster. - -[IMPORTANT] -==== -For compliance profiles that have Node and Platform applications, such as `pci-dss` compliance profiles, you must run both in your {product-title} environment. -==== +==== \ No newline at end of file diff --git a/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc b/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc index ab8f9a832144..582e4cff611f 100644 --- a/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc +++ b/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc @@ -15,8 +15,4 @@ The Compliance Operator is available for {op-system-first} deployments only. include::modules/compliance-profiles.adoc[leveloffset=+1] -[id="additional-resources_compliance-operator-understanding"] -[role="_additional-resources"] -== Additional resources - -* xref:../../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-operator-supported-profiles[Supported compliance profiles] +include::modules/compliance-profile-types.adoc[leveloffset=+2] \ No newline at end of file 
diff --git a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc index d12deb4db17a..fc5cfaeb8f1f 100644 --- a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc +++ b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc @@ -27,8 +27,4 @@ The Compliance Operator might report incorrect results on some managed platforms include::modules/compliance-supported-profiles.adoc[leveloffset=+1] -[id="additional-resources-compliance-operator-"] -[role="_additional-resources"] -== Additional resources - -* xref:../../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance_profile_types_understanding-compliance[Compliance Operator profile types] \ No newline at end of file +include::modules/compliance-profile-types.adoc[leveloffset=+2]
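Review bot: In the new modules/compliance-profile-types.adoc hunk, the Platform definition misspells "ciphers" as "cyphers"; suggest `For example, a Platform-level rule can confirm whether APIServer configurations are using strong encryption ciphers.` In the same hunk the opening sentence is hard to parse ("Profiles can target the Platform or Nodes for {product-title}, and some benchmarks include `rhcos4` Node profiles") and does not mention `ocp4` Node profiles until the Node definition; consider `Profiles target either the Platform or the Nodes of your {product-title} cluster, and some benchmarks provide separate `ocp4` and `rhcos4` Node profiles.` The NOTE also capitalizes "many Nodes" where the text elsewhere capitalizes Node only as a profile type, so "many nodes" reads more consistently, and the file is created without a trailing newline (`\ No newline at end of file`), which is worth adding.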
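Review bot: The modules/compliance-profiles.adoc hunk removes the old profile-types section correctly, but the rewritten closing `====` is committed without a trailing newline (`\ No newline at end of file`) where the original had one; restore the final newline so the example block delimiter ends the file cleanly and the next edit does not produce a spurious diff on that line.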
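Review bot: In the compliance-operator-understanding.adoc hunk, dropping the "Additional resources" xref and including the module at `leveloffset=+2` keeps the heading depth (the module's `=` title lands at the same level as the removed `==` section inside compliance-profiles.adoc, which is included at +1), but the anchor now comes from `[id="compliance_profile_types_{context}"]` in the shared module; confirm that `{context}` in this assembly still resolves to `understanding-compliance` so the previously published anchor `compliance_profile_types_understanding-compliance` (which the supported-profiles assembly linked to before this change) keeps working, and grep the repo for any remaining xrefs to that anchor.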
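Review bot: In the compliance-operator-supported-profiles.adoc hunk, the same module is now included with the same `compliance_profile_types_{context}` id as in the understanding assembly; confirm each assembly sets a distinct `:context:` before the include so the two generated section IDs do not collide when both pages are built, and since the removed block carried `\ No newline at end of file` while the new `include::` line does not, verify the file now ends with a single newline as intended.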