支持控制台(Console)开发人员开始试用联系人

2.5.13. OpenShift CIS 扫描策略

OpenShift CIS 扫描策略会部署一个扫描来检查 master 和 worker 节点是否与 OpenShift CIS 安全基准相符。您必须安装 Compliance operator 以应用 OpenShift CIS 策略。

OpenShift CIS 扫描策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。OpenShift Container Platform 4.9、4.7 和 4.6 支持 OpenShift CIS 扫描策略。如需更多信息,请参阅 OpenShift Container Platform 文档中的 了解 Compliance Operator 部分以了解更多详细信息。

2.5.13.1. OpenShift CIS 资源

创建 OpenShift CIS 扫描策略时,会创建以下资源:

  • 用于识别要扫描的配置集的 ScanSettingBinding 资源 (cis): 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-cis-scan
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: musthave # this template creates ScanSettingBinding:cis
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ScanSettingBinding
        metadata:
          name: cis
          namespace: openshift-compliance
        profiles:
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: ocp4-cis
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: ocp4-cis-node
        settingsRef:
          apiGroup: compliance.openshift.io/v1alpha1
          kind: ScanSetting
          name: default

  • 一个 ComplianceSuite 资源 (compliance-suite-cis),用于通过检查 status 字段来验证扫描是否已完成: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-cis
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: musthave # this template checks if scan has completed by checking the status field
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ComplianceSuite
        metadata:
          name: cis
          namespace: openshift-compliance
        status:
          phase: DONE

  • 一个 ComplianceCheckResult 资源 (compliance-suite-cis-results),它通过检查 ComplianceCheckResult 自定义资源 (CR) 来报告扫描套件的结果: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-cis-results
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: mustnothave # this template reports the results for scan suite: cis by looking at ComplianceCheckResult CRs
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ComplianceCheckResult
        metadata:
          namespace: openshift-compliance
          labels:
            compliance.openshift.io/check-status: FAIL
            compliance.openshift.io/suite: cis

请参阅 policy-compliance-operator-cis-scan.yaml 文件示例。有关创建策略的更多信息,请参阅管理安全策略

Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.