Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

5.5. 了解 Compliance Operator

通过 Compliance Operator,OpenShift Container Platform 管理员可以描述集群所需的合规状态,并概述缺陷及修复方法。Compliance Operator 评估 OpenShift Container Platform 的 Kubernetes API 资源以及运行集群的节点的合规性。Compliance Operator 使用 NIST 认证工具 OpenSCAP 扫描并执行内容所提供的安全性策略。

重要

Compliance Operator 仅适用于 Red Hat Enterprise Linux CoreOS(RHCOS)部署。

5.5.1. Compliance Operator 配置集
复制链接

有多个配置集可用于安装 Compliance Operator。您可以使用 oc get 命令来查看可用的配置集、配置集详情和特定规则。

  • 查看可用的配置集: 

    $ oc get -n <namespace> profiles.compliance
    Copy to Clipboard Toggle word wrap

    本例在默认 openshift-compliance 命名空间中显示配置集: 

    $ oc get -n openshift-compliance profiles.compliance
    Copy to Clipboard Toggle word wrap

    输出示例

    NAME                 AGE
ocp4-cis             32m
ocp4-cis-node        32m
ocp4-e8              32m
ocp4-moderate        32m
ocp4-moderate-node   32m
ocp4-nerc-cip        32m
ocp4-nerc-cip-node   32m
ocp4-pci-dss         32m
ocp4-pci-dss-node    32m
rhcos4-e8            32m
rhcos4-moderate      32m
rhcos4-nerc-cip      32m
    Copy to Clipboard Toggle word wrap

    这些配置集代表不同的合规性基准。每个配置集将其应用到的产品名称添加为配置集名称的前缀。ocp4-e8 将 Essential 8 基准应用到 OpenShift Container Platform 产品,而 rhcos4-e8 将 Essential 8 基准应用到 Red Hat Enterprise Linux CoreOS (RHCOS) 产品。

  • 查看配置集的详细信息: 

    $ oc get -n <namespace> -oyaml profiles.compliance <profile name>
    Copy to Clipboard Toggle word wrap

    本例显示 rhcos4-e8 配置集的详情: 

    $ oc get -n openshift-compliance -oyaml profiles.compliance rhcos4-e8
    Copy to Clipboard Toggle word wrap

    输出示例

    apiVersion: compliance.openshift.io/v1alpha1
description: |-
  This profile contains configuration checks for Red Hat
  Enterprise Linux CoreOS that align to the Australian
  Cyber Security Centre (ACSC) Essential Eight.
  A copy of the Essential Eight in Linux Environments guide can
  be found at the ACSC website: ...
  id: xccdf_org.ssgproject.content_profile_e8
  kind: Profile
  metadata:
    annotations:
      compliance.openshift.io/image-digest: pb-rhcos426smj
      compliance.openshift.io/product: redhat_enterprise_linux_coreos_4
      compliance.openshift.io/product-type: Node
    labels:
      compliance.openshift.io/profile-bundle: rhcos4
    name: rhcos4-e8
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ProfileBundle
      name: rhcos4
  rules:
  - rhcos4-accounts-no-uid-except-zero
  - rhcos4-audit-rules-dac-modification-chmod
  - rhcos4-audit-rules-dac-modification-chown
  - rhcos4-audit-rules-execution-chcon
  - rhcos4-audit-rules-execution-restorecon
  - rhcos4-audit-rules-execution-semanage
  - rhcos4-audit-rules-execution-setfiles
  - rhcos4-audit-rules-execution-setsebool
  - rhcos4-audit-rules-execution-seunshare
  - rhcos4-audit-rules-kernel-module-loading-delete
  - rhcos4-audit-rules-kernel-module-loading-finit
  - rhcos4-audit-rules-kernel-module-loading-init
  - rhcos4-audit-rules-login-events
  - rhcos4-audit-rules-login-events-faillock
  - rhcos4-audit-rules-login-events-lastlog
  - rhcos4-audit-rules-login-events-tallylog
  - rhcos4-audit-rules-networkconfig-modification
  - rhcos4-audit-rules-sysadmin-actions
  - rhcos4-audit-rules-time-adjtimex
  - rhcos4-audit-rules-time-clock-settime
  - rhcos4-audit-rules-time-settimeofday
  - rhcos4-audit-rules-time-stime
  - rhcos4-audit-rules-time-watch-localtime
  - rhcos4-audit-rules-usergroup-modification
  - rhcos4-auditd-data-retention-flush
  - rhcos4-auditd-freq
  - rhcos4-auditd-local-events
  - rhcos4-auditd-log-format
  - rhcos4-auditd-name-format
  - rhcos4-auditd-write-logs
  - rhcos4-configure-crypto-policy
  - rhcos4-configure-ssh-crypto-policy
  - rhcos4-no-empty-passwords
  - rhcos4-selinux-policytype
  - rhcos4-selinux-state
  - rhcos4-service-auditd-enabled
  - rhcos4-sshd-disable-empty-passwords
  - rhcos4-sshd-disable-gssapi-auth
  - rhcos4-sshd-disable-rhosts
  - rhcos4-sshd-disable-root-login
  - rhcos4-sshd-disable-user-known-hosts
  - rhcos4-sshd-do-not-permit-user-env
  - rhcos4-sshd-enable-strictmodes
  - rhcos4-sshd-print-last-log
  - rhcos4-sshd-set-loglevel-info
  - rhcos4-sysctl-kernel-dmesg-restrict
  - rhcos4-sysctl-kernel-kptr-restrict
  - rhcos4-sysctl-kernel-randomize-va-space
  - rhcos4-sysctl-kernel-unprivileged-bpf-disabled
  - rhcos4-sysctl-kernel-yama-ptrace-scope
  - rhcos4-sysctl-net-core-bpf-jit-harden
  title: Australian Cyber Security Centre (ACSC) Essential Eight
    Copy to Clipboard Toggle word wrap

  • 查看所需配置集中的规则: 

    $ oc get -n <namespace> -oyaml rules.compliance <rule_name>
    Copy to Clipboard Toggle word wrap

    本例在 rhcos4 配置集中显示了 rhcos4-audit-rules-login-events 规则: 

    $ oc get -n openshift-compliance -oyaml rules.compliance rhcos4-audit-rules-login-events
    Copy to Clipboard Toggle word wrap

    输出示例

      apiVersion: compliance.openshift.io/v1alpha1
  checkType: Node
  description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix.rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:

    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock -p wa -k logins
    -w /var/log/lastlog -p wa -k logins

    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:

    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
  id: xccdf_org.ssgproject.content_rule_audit_rules_login_events
  kind: Rule
  metadata:
    annotations:
      compliance.openshift.io/image-digest: pb-rhcos426smj
      compliance.openshift.io/rule: audit-rules-login-events
      control.compliance.openshift.io/NIST-800-53: AU-2(d);AU-12(c);AC-6(9);CM-6(a)
      control.compliance.openshift.io/PCI-DSS: Req-10.2.3
      policies.open-cluster-management.io/controls: AU-2(d),AU-12(c),AC-6(9),CM-6(a),Req-10.2.3
      policies.open-cluster-management.io/standards: NIST-800-53,PCI-DSS
    labels:
      compliance.openshift.io/profile-bundle: rhcos4
    name: rhcos4-audit-rules-login-events
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ProfileBundle
      name: rhcos4
  rationale: Manual editing of these files may indicate nefarious activity, such as
    an attacker attempting to remove evidence of an intrusion.
  severity: medium
  title: Record Attempts to Alter Logon and Logout Events
  warning: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
    Copy to Clipboard Toggle word wrap

返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat