Menu Close

5.5. Compliance Operator 이해

OpenShift Container Platform 관리자는 Compliance Operator를 통해 클러스터의 필수 규정 준수 상태를 설명하고 격차에 대한 개요와 문제를 해결하는 방법을 제공할 수 있습니다. Compliance Operator는 OpenShift Container Platform의 Kubernetes API 리소스와 클러스터를 실행하는 노드 모두의 규정 준수를 평가합니다. Compliance Operator는 NIST 인증 툴인 OpenSCAP을 사용하여 콘텐츠에서 제공하는 보안 정책을 검사하고 시행합니다.

중요

Compliance Operator는 Red Hat Enterprise Linux CoreOS (RHCOS) 배포에만 사용할 수 있습니다.

5.5.1. Compliance Operator 프로필

Compliance Operator 설치의 일부로 다양한 프로필을 사용할 수 있습니다.

사용 가능한 프로필 보기:

$ oc get -n <namespace> profiles.compliance

출력 예

NAME              AGE
ocp4-cis          4h52m
ocp4-cis-node     4h52m
ocp4-e8           4h52m
ocp4-moderate     4h52m
rhcos4-e8         4h52m
rhcos4-moderate   4h52m

이러한 프로필은 다양한 규정 준수 벤치마크를 나타냅니다.

프로필 세부 정보 보기:

$ oc get -n <namespace> -oyaml profiles.compliance <profile name>

출력 예

apiVersion: compliance.openshift.io/v1alpha1
description: |-
  This profile contains configuration checks for Red Hat
  Enterprise Linux CoreOS that align to the Australian
  Cyber Security Centre (ACSC) Essential Eight.
  A copy of the Essential Eight in Linux Environments guide can
  be found at the ACSC website: ...
id: xccdf_org.ssgproject.content_profile_e8
kind: Profile
metadata:
  annotations:
    compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
    compliance.openshift.io/product-type: Node
    creationTimestamp: "2020-09-07T11:42:51Z"
    generation: 1
  labels:
    compliance.openshift.io/profile-bundle: rhcos4
    name: rhcos4-e8
  namespace: openshift-compliance
rules:
- rhcos4-accounts-no-uid-except-zero
- rhcos4-audit-rules-dac-modification-chmod
- rhcos4-audit-rules-dac-modification-chown
- rhcos4-audit-rules-execution-chcon
- rhcos4-audit-rules-execution-restorecon
- rhcos4-audit-rules-execution-semanage
- rhcos4-audit-rules-execution-setfiles
- rhcos4-audit-rules-execution-setsebool
- rhcos4-audit-rules-execution-seunshare
- rhcos4-audit-rules-kernel-module-loading
- rhcos4-audit-rules-login-events
- rhcos4-audit-rules-login-events-faillock
- rhcos4-audit-rules-login-events-lastlog
- rhcos4-audit-rules-login-events-tallylog
- rhcos4-audit-rules-networkconfig-modification
- rhcos4-audit-rules-sysadmin-actions
- rhcos4-audit-rules-time-adjtimex
- rhcos4-audit-rules-time-clock-settime
- rhcos4-audit-rules-time-settimeofday
- rhcos4-audit-rules-time-stime
- rhcos4-audit-rules-time-watch-localtime
- rhcos4-audit-rules-usergroup-modification
- rhcos4-auditd-data-retention-flush
- rhcos4-auditd-freq
- rhcos4-auditd-local-events
- rhcos4-auditd-log-format
- rhcos4-auditd-name-format
- rhcos4-auditd-write-logs
- rhcos4-configure-crypto-policy
- rhcos4-configure-ssh-crypto-policy
- rhcos4-no-empty-passwords
- rhcos4-selinux-policytype
- rhcos4-selinux-state
- rhcos4-service-auditd-enabled
- rhcos4-sshd-disable-empty-passwords
- rhcos4-sshd-disable-gssapi-auth
- rhcos4-sshd-disable-rhosts
- rhcos4-sshd-disable-root-login
- rhcos4-sshd-disable-user-known-hosts
- rhcos4-sshd-do-not-permit-user-env
- rhcos4-sshd-enable-strictmodes
- rhcos4-sshd-print-last-log
- rhcos4-sshd-set-loglevel-info
- rhcos4-sshd-use-priv-separation
- rhcos4-sysctl-kernel-dmesg-restrict
- rhcos4-sysctl-kernel-kexec-load-disabled
- rhcos4-sysctl-kernel-kptr-restrict
- rhcos4-sysctl-kernel-randomize-va-space
- rhcos4-sysctl-kernel-unprivileged-bpf-disabled
- rhcos4-sysctl-kernel-yama-ptrace-scope
- rhcos4-sysctl-net-core-bpf-jit-harden
title: Australian Cyber Security Centre (ACSC) Essential Eight

원하는 프로필 내 규칙 보기:

$ oc get -n <namespace> -oyaml rules.compliance <rule_name>

출력 예

apiVersion: compliance.openshift.io/v1alpha1
description: '<code>auditd</code><code>augenrules</code><code>.rules</code><code>/etc/audit/rules.d</code><pre>-w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins</pre><code>auditd</code><code>auditctl</code><code>/etc/audit/audit.rules</code><pre>-w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins</pre>file in order to watch for unattempted manual edits of files involved in storing logon events:'
id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
kind: Rule
metadata:
  annotations:
    compliance.openshift.io/rule: audit-rules-login-events
    control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
    policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
    policies.open-cluster-management.io/standards: NIST-800-53
    creationTimestamp: "2020-09-07T11:43:03Z"
    generation: 1
  labels:
    compliance.openshift.io/profile-bundle: rhcos4
  name: rhcos4-audit-rules-login-events
  namespace: openshift-compliance
  rationale: |-
    Manual editing of these files may indicate nefarious activity,
    such as an attacker attempting to remove evidence of an
    intrusion.
  severity: medium
  title: Record Attempts to Alter Logon and Logout Events
  warning: |-
    <ul><li><code>audit_rules_login_events_tallylog</code></li>
    <li><code>audit_rules_login_events_faillock</code></li>
    <li><code>audit_rules_login_events_lastlog</code></li></ul>
    This rule checks for multiple syscalls related to login
    events and was written with DISA STIG in mind.
    Other policies should use separate rule for
    each syscall that needs to be checked.

각 프로필에는 적용되는 제품 이름이 프로필 이름에 접두사로 추가됩니다. ocp4-e8 은 Essential 8 벤치마크를 OpenShift Container Platform 제품에 적용하고, rhcos4-e8 은 Essential 8 벤치마크를 RHCOS(Red Hat Enterprise Linux CoreOS) 제품에 적용합니다.