Feature
Resolution: Unresolved
OCPSTRAT-1131 MicroShift Enhancements 2024 for Industrial, Retail and Public Sector edge customers
50% To Do, 0% In Progress, 50% Done
Feature Overview (aka. Goal Summary)
MicroShift customers frequently have strict governance requirements, e.g. they need to be compliant with CIS, NIST or PCI-DSS policies. OpenSCAP is the framework used to implement that. A couple of SCAP profiles are available for RHEL and OpenShift, but these do not work fully with MicroShift and need adaptation.
The goal of this feature is to determine the process needed to adapt an existing profile / create a new profile based on an existing one.
There are several candidates to start with, i.e.: CIS, NERC, NIST 800-53, PCI-
Requirements (aka. Acceptance Criteria):
Provide at least one SCAP profile specific to MicroShift
Use Cases (Optional):
As a MicroShift admin, I want to use OpenSCAP tooling to assess and ensure compliance of my MicroShift installation with relevant standards.
A profile should be applicable to both RPM-based and ostree-based deployments.
Questions to Answer (Optional):
Find out how new SCAP profiles can be created/submitted
Determine which existing profiles are most relevant to MicroShift customers
Out of Scope
Creating new profiles from scratch. We will always take an existing profile as baseline.
Handling ostree specifics, e.g. applying a profile during image builds
Background
Customer Considerations
Determine which profiles / standards are relevant to customers
Documentation Considerations
Determine which profiles / standards are relevant to customers
Interoperability Considerations
The MicroShift profile needs to work in combination with RHEL profiles, e.g. when CIS compliance is the goal, both the RHEL and MicroShift profiles are relevant.
Relates to: RFE-3467 MicroShift: create/support cis scap profiles (Accepted)