Bug
Resolution: Done-Errata
Major
4.18
Quality / Stability / Reliability
Description of problem:
The compliance operator has Compliance Rule CRDs. One important piece of information we put in the annotations for those rules is the set of profiles and controls the rules satisfy. Customers and other products (like ACS) rely on this information to understand how these rules map to baselines they care about, like FedRAMP High, NERC-CIP, PCI-DSS, CIS, etc. The profile parser of the Compliance Operator determines that a rule is related to a benchmark if the rule contains a link to the upstream benchmark documentation. The content project recently updated the NERC-CIP profile reference because it was returning a 404: https://github.com/ComplianceAsCode/content/pull/12892 However, the profile parser in the compliance operator was still looking for the older reference, and because it couldn't find a match it didn't build the NERC-CIP references appropriately.

With compliance operator 1.6.2:

    $ oc get rules ocp4-audit-logging-enabled -o json | jq '.metadata.annotations."control.compliance.openshift.io/NERC-CIP"'
    "CIP-003-8 R4;CIP-003-8 R4.1;CIP-003-8 R4.2;CIP-003-8 R5.2;CIP-003-8 R6;CIP-004-6 R2.2.2;CIP-004-6 R2.2.3;CIP-004-6 R3.3;CIP-007-3 R.1.3;CIP-007-3 R5;CIP-007-3 R5.1.1;CIP-007-3 R5.2;CIP-007-3 R5.3.1;CIP-007-3 R5.3.2;CIP-007-3 R5.3.3;CIP-007-3 R6.5"

With compliance operator 1.7.0 candidate builds (or the latest commit to the ComplianceAsCode/content repository):

    $ oc get rules ocp4-audit-logging-enabled -o json | jq '.metadata.annotations."control.compliance.openshift.io/NERC-CIP"'
    null

    $ oc get rules ocp4-audit-logging-enabled -o json | jq '.metadata.annotations'
    {
      "compliance.openshift.io/image-digest": "pb-ocp4nb767",
      "compliance.openshift.io/profiles": "ocp4-cis-1-5,ocp4-moderate,ocp4-pci-dss,ocp4-nerc-cip,ocp4-high,ocp4-cis,ocp4-high-rev-4,ocp4-pci-dss-4-0,ocp4-pci-dss-3-2,ocp4-cis-1-4,ocp4-moderate-rev-4,ocp4-cis-1-7",
      "compliance.openshift.io/rule": "audit-logging-enabled",
      "control.compliance.openshift.io/CIS-OCP": "3.2.1",
      "control.compliance.openshift.io/NIST-800-53": "AU-2;AU-3;AU-3(1);AU-6;AU-6(1);AU-7;AU-7(1);AU-8;AU-8(1);AU-9;AU-12;AU-12(1);AU-12(3);CM-5(1);SI-11;SI-12;SI-4(20);SI-4(23)",
      "control.compliance.openshift.io/PCI-DSS": "Req-2.2;Req-12.5.5",
      "control.compliance.openshift.io/PCI-DSS-4-0": "2.2.1;2.2;10.2.1.3;10.2.1;10.2",
      "control.compliance.openshift.io/STIG": "SRG-APP-000089-CTR-000150;SRG-APP-000090-CTR-000155;SRG-APP-000101-CTR-000205",
      "policies.open-cluster-management.io/controls": "AU-2,AU-3,AU-3(1),AU-6,AU-6(1),AU-7,AU-7(1),AU-8,AU-8(1),AU-9,AU-12,AU-12(1),AU-12(3),CM-5(1),SI-11,SI-12,SI-4(20),SI-4(23),Req-2.2,Req-12.5.5,SRG-APP-000089-CTR-000150,SRG-APP-000090-CTR-000155,SRG-APP-000101-CTR-000205,3.2.1,2.2.1,2.2,10.2.1.3,10.2.1,10.2",
      "policies.open-cluster-management.io/standards": "NIST-800-53,PCI-DSS,STIG,CIS-OCP,PCI-DSS-4-0"
    }
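A way to catch this class of inconsistency across every Rule object in a cluster, as an added example that is not part of the bug report or of the compliance-operator project: the script reads the JSON that `oc get rules -o json` prints and flags any rule whose `compliance.openshift.io/profiles` annotation names a profile but that lacks the matching `control.compliance.openshift.io/<STANDARD>` annotation, which is exactly the symptom shown above. The profile-to-standard mapping, the `ocp4-example-consistent` rule and the abridged control lists are assumptions constructed for the example; the first sample rule mirrors the 1.7.0 annotations quoted above.

```python
"""Audit Compliance Operator Rule objects for missing control annotations.

Added example, not the compliance-operator's own code. It expects the document
that `oc get rules -o json` prints: a List whose `items` are Rule objects.
"""
import json
import sys

PROFILES_KEY = "compliance.openshift.io/profiles"
CONTROL_PREFIX = "control.compliance.openshift.io/"

# Which control annotation a profile is expected to populate. This mapping is an
# assumption for the example, read off the annotation names quoted in the report;
# profiles absent from it (e.g. versioned ones like ocp4-cis-1-5) are not audited.
PROFILE_TO_STANDARD = {
    "ocp4-nerc-cip": "NERC-CIP",
    "ocp4-cis": "CIS-OCP",
    "ocp4-pci-dss": "PCI-DSS",
    "ocp4-pci-dss-4-0": "PCI-DSS-4-0",
    "ocp4-moderate": "NIST-800-53",
    "ocp4-high": "NIST-800-53",
}


def parse_controls(value):
    """Split a ';'-separated control annotation into a list, dropping blanks."""
    if not value:
        return []
    return [c.strip() for c in value.split(";") if c.strip()]


def missing_standards(rule):
    """Standards a Rule claims via its profiles annotation but has no
    control.compliance.openshift.io/<STANDARD> annotation for."""
    ann = rule.get("metadata", {}).get("annotations", {})
    profiles = [p for p in ann.get(PROFILES_KEY, "").split(",") if p]
    missing = []
    for profile in profiles:
        standard = PROFILE_TO_STANDARD.get(profile)
        if standard is None or standard in missing:
            continue
        if not parse_controls(ann.get(CONTROL_PREFIX + standard)):
            missing.append(standard)
    return missing


def audit_rules(rule_list):
    """Map each Rule name to its list of missing standards (empty when the
    annotations are consistent)."""
    return {
        rule["metadata"]["name"]: missing_standards(rule)
        for rule in rule_list.get("items", [])
    }


# Constructed sample: the first item mirrors the 1.7.0 annotations from the
# report (NERC-CIP absent, control lists abridged); the second is a made-up
# rule with consistent annotations.
SAMPLE = {
    "items": [
        {
            "metadata": {
                "name": "ocp4-audit-logging-enabled",
                "annotations": {
                    PROFILES_KEY: "ocp4-cis-1-5,ocp4-moderate,ocp4-pci-dss,"
                                  "ocp4-nerc-cip,ocp4-high,ocp4-cis,ocp4-pci-dss-4-0",
                    "compliance.openshift.io/rule": "audit-logging-enabled",
                    CONTROL_PREFIX + "CIS-OCP": "3.2.1",
                    CONTROL_PREFIX + "NIST-800-53": "AU-2;AU-3;AU-12",
                    CONTROL_PREFIX + "PCI-DSS": "Req-2.2;Req-12.5.5",
                    CONTROL_PREFIX + "PCI-DSS-4-0": "2.2.1;2.2;10.2",
                },
            }
        },
        {
            "metadata": {
                "name": "ocp4-example-consistent",  # hypothetical rule
                "annotations": {
                    PROFILES_KEY: "ocp4-nerc-cip,ocp4-cis",
                    CONTROL_PREFIX + "NERC-CIP": "CIP-007-3 R5",
                    CONTROL_PREFIX + "CIS-OCP": "1.1.1",
                },
            }
        },
    ]
}

if __name__ == "__main__":
    # Usage: python audit_rules.py rules.json   (or no argument to use SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, missing in sorted(audit_rules(data).items()):
        if missing:
            print(f"{name}: missing control annotations for {', '.join(missing)}")
```

Run against `oc get rules -o json > rules.json` after an operator upgrade; any rule printed by the script is one whose profile membership and control references have drifted apart, which is the signal a downstream consumer such as ACS would otherwise discover only when a control mapping turns up empty.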
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Install the compliance operator from master
2. Look for a rule that should be in the NERC-CIP profile (ocp4-audit-logging-enabled)
3. Observe that it doesn't contain any controls for NERC-CIP
Actual results:
No NERC-CIP profile controls are available in the metadata.
Expected results:
The rule should contain a reference to the NERC-CIP control it's related to.
Additional info:
Links to: RHBA-2025:3728 OpenShift Compliance Operator 1.7.0