Menu Close
Settings Close

Language and Page Formatting Options

5.5. 了解 Compliance Operator

通过 Compliance Operator,OpenShift Container Platform 管理员可以描述集群所需的合规状态,并概述缺陷及修复方法。Compliance Operator 评估 OpenShift Container Platform 的 Kubernetes API 资源以及运行集群的节点的合规性。Compliance Operator 使用 NIST 认证工具 OpenSCAP 扫描并执行内容所提供的安全性策略。

重要

Compliance Operator 仅适用于 Red Hat Enterprise Linux CoreOS(RHCOS)部署。

5.5.1. Compliance Operator 配置集

有多个配置集可用于安装 Compliance Operator。您可以使用 oc get 命令来查看可用的配置集、配置集详情和特定规则。

  • 查看可用的配置集:

    $ oc get -n <namespace> profiles.compliance

    本例在默认 openshift-compliance 命名空间中显示配置集:

    $ oc get -n openshift-compliance profiles.compliance

    输出示例

    NAME                 AGE
    ocp4-cis             32m
    ocp4-cis-node        32m
    ocp4-e8              32m
    ocp4-moderate        32m
    ocp4-moderate-node   32m
    ocp4-nerc-cip        32m
    ocp4-nerc-cip-node   32m
    ocp4-pci-dss         32m
    ocp4-pci-dss-node    32m
    rhcos4-e8            32m
    rhcos4-moderate      32m
    rhcos4-nerc-cip      32m

    这些配置集代表不同的合规性基准。每个配置集将其应用到的产品名称添加为配置集名称的前缀。ocp4-e8 将 Essential 8 基准应用到 OpenShift Container Platform 产品,而 rhcos4-e8 将 Essential 8 基准应用到 Red Hat Enterprise Linux CoreOS (RHCOS) 产品。

  • 查看配置集的详细信息:

    $ oc get -n <namespace> -oyaml profiles.compliance <profile name>

    本例显示 rhcos4-e8 配置集的详情:

    $ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8

    输出示例

    apiVersion: compliance.openshift.io/v1alpha1
    description: |-
      This profile contains configuration checks for Red Hat
      Enterprise Linux CoreOS that align to the Australian
      Cyber Security Centre (ACSC) Essential Eight.
      A copy of the Essential Eight in Linux Environments guide can
      be found at the ACSC website: ...
      id: xccdf_org.ssgproject.content_profile_e8
      kind: Profile
      metadata:
        annotations:
          compliance.openshift.io/image-digest: pb-rhcos426smj
          compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
          compliance.openshift.io/product-type: Node
        labels:
          compliance.openshift.io/profile-bundle: rhcos4
        name: rhcos4-e8
        namespace: openshift-compliance
        ownerReferences:
        - apiVersion: compliance.openshift.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: ProfileBundle
          name: rhcos4
      rules:
      - rhcos4-accounts-no-uid-except-zero
      - rhcos4-audit-rules-dac-modification-chmod
      - rhcos4-audit-rules-dac-modification-chown
      - rhcos4-audit-rules-execution-chcon
      - rhcos4-audit-rules-execution-restorecon
      - rhcos4-audit-rules-execution-semanage
      - rhcos4-audit-rules-execution-setfiles
      - rhcos4-audit-rules-execution-setsebool
      - rhcos4-audit-rules-execution-seunshare
      - rhcos4-audit-rules-kernel-module-loading-delete
      - rhcos4-audit-rules-kernel-module-loading-finit
      - rhcos4-audit-rules-kernel-module-loading-init
      - rhcos4-audit-rules-login-events
      - rhcos4-audit-rules-login-events-faillock
      - rhcos4-audit-rules-login-events-lastlog
      - rhcos4-audit-rules-login-events-tallylog
      - rhcos4-audit-rules-networkconfig-modification
      - rhcos4-audit-rules-sysadmin-actions
      - rhcos4-audit-rules-time-adjtimex
      - rhcos4-audit-rules-time-clock-settime
      - rhcos4-audit-rules-time-settimeofday
      - rhcos4-audit-rules-time-stime
      - rhcos4-audit-rules-time-watch-localtime
      - rhcos4-audit-rules-usergroup-modification
      - rhcos4-auditd-data-retention-flush
      - rhcos4-auditd-freq
      - rhcos4-auditd-local-events
      - rhcos4-auditd-log-format
      - rhcos4-auditd-name-format
      - rhcos4-auditd-write-logs
      - rhcos4-configure-crypto-policy
      - rhcos4-configure-ssh-crypto-policy
      - rhcos4-no-empty-passwords
      - rhcos4-selinux-policytype
      - rhcos4-selinux-state
      - rhcos4-service-auditd-enabled
      - rhcos4-sshd-disable-empty-passwords
      - rhcos4-sshd-disable-gssapi-auth
      - rhcos4-sshd-disable-rhosts
      - rhcos4-sshd-disable-root-login
      - rhcos4-sshd-disable-user-known-hosts
      - rhcos4-sshd-do-not-permit-user-env
      - rhcos4-sshd-enable-strictmodes
      - rhcos4-sshd-print-last-log
      - rhcos4-sshd-set-loglevel-info
      - rhcos4-sysctl-kernel-dmesg-restrict
      - rhcos4-sysctl-kernel-kptr-restrict
      - rhcos4-sysctl-kernel-randomize-va-space
      - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
      - rhcos4-sysctl-kernel-yama-ptrace-scope
      - rhcos4-sysctl-net-core-bpf-jit-harden
      title: Australian Cyber Security Centre (ACSC) Essential Eight

  • 查看所需配置集中的规则:

    $ oc get -n <namespace> -oyaml rules.compliance <rule_name>

    本例在 rhcos4 配置集中显示了 rhcos4-audit-rules-login-events 规则:

    $ oc get -n openshift-compliance -oyaml rules.compliance rhcos4-audit-rules-login-events

    输出示例

      apiVersion: compliance.openshift.io/v1alpha1
      checkType: Node
      description: |-
        The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix.rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    
        -w /var/log/tallylog -p wa -k logins
        -w /var/run/faillock -p wa -k logins
        -w /var/log/lastlog -p wa -k logins
    
        If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
    
        -w /var/log/tallylog -p wa -k logins
        -w /var/run/faillock -p wa -k logins
        -w /var/log/lastlog -p wa -k logins
      id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
      kind: Rule
      metadata:
        annotations:
          compliance.openshift.io/image-digest: pb-rhcos426smj
          compliance.openshift.io/rule: audit-rules-login-events
          control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
          control.compliance.openshift.io/PCI-DSS: Req-10.2.3
          policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
          policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
        labels:
          compliance.openshift.io/profile-bundle: rhcos4
        name: rhcos4-audit-rules-login-events
        namespace: openshift-compliance
        ownerReferences:
        - apiVersion: compliance.openshift.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: ProfileBundle
          name: rhcos4
      rationale: Manual editing of these files may indicate nefarious activity, such as
        an attacker attempting to remove evidence of an intrusion.
      severity: medium
      title: Record Attempts to Alter Logon and Logout Events
      warning: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.