Supported compliance profiles
Several profiles are installed with the Compliance Operator (CO). You can use them to assess gaps in a cluster, but running a profile does not by itself imply or guarantee compliance with a particular standard, and the Compliance Operator is not an auditor.
To be compliant with or certified under these standards, you must engage an authorized auditor, such as a Qualified Security Assessor (QSA), the Joint Authorization Board (JAB), or another industry-recognized regulatory authority, to assess your environment. Working with an authorized auditor is required to achieve compliance with a standard.
For more information on compliance support for all Red Hat products, see Product Compliance.
Important
The Compliance Operator might report incorrect results on some managed platforms, such as OpenShift Dedicated and Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418.
Compliance profiles
The Compliance Operator provides profiles to meet industry standard benchmarks.
Note
The following tables reflect the latest available profiles in the Compliance Operator.
CIS compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-cis [1] | CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 | Platform | CIS Benchmarks ™ [4] | | |
| ocp4-cis-1-7 [3] | CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 | Platform | CIS Benchmarks ™ [4] | | |
| ocp4-cis-node [1] | CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 | Node [2] | CIS Benchmarks ™ [4] | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-cis-node-1-7 [3] | CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 | Node [2] | CIS Benchmarks ™ [4] | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

- [1] The `ocp4-cis` and `ocp4-cis-node` profiles track the most recent version of the CIS benchmark as it becomes available in the Compliance Operator. To pin to a specific version, such as CIS v1.7.0, use the `ocp4-cis-1-7` and `ocp4-cis-node-1-7` profiles.
- [2] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
- [3] All earlier CIS profiles are superseded by CIS v1.7.0. Apply the latest profile to your environment.
- [4] To obtain the CIS OpenShift Container Platform v4 Benchmark, go to CIS Benchmarks and click Download Latest CIS Benchmark, then register to download the benchmark.
BSI Profile Support
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-bsi [1] | BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 | Platform | | | |
| ocp4-bsi-node [1] | BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 | Node [2] | | | |
| ocp4-bsi-2022 [3] | BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 | Platform | | | |
| ocp4-bsi-node-2022 [3] | BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 | Node [2] | | | |
| rhcos4-bsi [3] | BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 | Node [2] | | | |
| ocp4-bsi-2022 [3] | BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 | Node [2] | | | |

- [1] The `ocp4-bsi` and `ocp4-bsi-node` profiles track the most recent version of the BSI Basic Protection profile as it becomes available in the Compliance Operator. To pin to a specific version, such as BSI 2022, use the `ocp4-bsi-2022` and `ocp4-bsi-node-2022` profiles.
- [2] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
- [3] Edition 2022 is the latest available English edition of the BSI IT-Grundschutz (Basic Protection) compendium. There were no changes to Building Blocks SYS.1.6 and APP.4.4 in the latest published German compendium (edition 2023).

For more information, see BSI Quick Check.
Essential Eight compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Platform | | | |
| rhcos4-e8 | Australian Cyber Security Centre (ACSC) Essential Eight | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
FedRAMP High compliance profiles
Important
Applying automatic remediations to any profile that uses the service-sshd-disabled rule, such as rhcos4-stig, disables the sshd service on the nodes. This blocks SSH access to control plane nodes and compute nodes. To keep SSH access enabled, create a TailoredProfile object that lists the rhcos4-service-sshd-disabled rule under its disableRules parameter.
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-high [1] | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level | Platform | | | |
| ocp4-high-node [1] | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-high-node-rev-4 | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-high-rev-4 | NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level | Platform | | | |
| rhcos4-high [1] | NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-high-rev-4 | NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

- [1] The `ocp4-high`, `ocp4-high-node` and `rhcos4-high` profiles track the most recent version of the FedRAMP High standard as it becomes available in the Compliance Operator. To pin to a specific version, such as FedRAMP High R4, use the `ocp4-high-rev-4` and `ocp4-high-node-rev-4` profiles.
- [2] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
FedRAMP Moderate compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-moderate [1] | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level | Platform | | | |
| ocp4-moderate-node [1] | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-moderate-node-rev-4 | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-moderate-rev-4 | NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level | Platform | | | |
| rhcos4-moderate [1] | NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-moderate-rev-4 | NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

- [1] The `ocp4-moderate`, `ocp4-moderate-node` and `rhcos4-moderate` profiles track the most recent version of the FedRAMP Moderate standard as it becomes available in the Compliance Operator. To pin to a specific version, such as FedRAMP Moderate R4, use the `ocp4-moderate-rev-4` and `ocp4-moderate-node-rev-4` profiles.
- [2] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
NERC-CIP compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the OpenShift Container Platform - Platform level | Platform | | | |
| ocp4-nerc-cip-node | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the OpenShift Container Platform - Node level | Node [1] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-nerc-cip | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

- [1] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
PCI-DSS compliance profiles
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-pci-dss [1] | PCI-DSS v4 Control Baseline for OpenShift Container Platform 4 | Platform | | | |
| ocp4-pci-dss-3-2 [3] | PCI-DSS v3.2.1 Control Baseline for OpenShift Container Platform 4 | Platform | | | |
| ocp4-pci-dss-4-0 | PCI-DSS v4 Control Baseline for OpenShift Container Platform 4 | Platform | | | |
| ocp4-pci-dss-node [1] | PCI-DSS v4 Control Baseline for OpenShift Container Platform 4 | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-pci-dss-node-3-2 [3] | PCI-DSS v3.2.1 Control Baseline for OpenShift Container Platform 4 | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-pci-dss-node-4-0 | PCI-DSS v4 Control Baseline for OpenShift Container Platform 4 | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

- [1] The `ocp4-pci-dss` and `ocp4-pci-dss-node` profiles track the most recent version of the PCI-DSS standard as it becomes available in the Compliance Operator. To pin to a specific version, such as PCI-DSS v3.2.1, use the `ocp4-pci-dss-3-2` and `ocp4-pci-dss-node-3-2` profiles.
- [2] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
- [3] PCI-DSS v3.2.1 is superseded by PCI-DSS v4. Apply the latest profile to your environment.
STIG compliance profiles
Important
Applying automatic remediations to any profile that uses the service-sshd-disabled rule, such as rhcos4-stig, disables the sshd service on the nodes. This blocks SSH access to control plane nodes and compute nodes. To keep SSH access enabled, create a TailoredProfile object that lists the rhcos4-service-sshd-disabled rule under its disableRules parameter.
| Profile | Profile title | Application | Industry compliance benchmark | Supported architectures | Supported platforms |
|---|---|---|---|---|---|
| ocp4-stig [1] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat OpenShift [3] | Platform | | | |
| ocp4-stig-node [1] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat OpenShift [3] | Node [2] | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| ocp4-stig-v2r3 | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat OpenShift V2R3 | Platform | | | |
| ocp4-stig-node-v2r3 | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat OpenShift V2R3 | Node | | | |
| rhcos4-stig [1] | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat OpenShift [3] | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |
| rhcos4-stig-v2r3 | Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat OpenShift V2R3 | Node | | | Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) |

- [1] The `ocp4-stig`, `ocp4-stig-node` and `rhcos4-stig` profiles track the most recent version of the DISA STIG benchmark as it becomes available in the Compliance Operator. To pin to a specific version, such as DISA STIG V2R3, use the `ocp4-stig-v2r3` and `ocp4-stig-node-v2r3` profiles.
- [2] Node profiles must be used together with the corresponding Platform profile. For more information, see Compliance Operator profile types.
- [3] DISA STIG V1R2 is superseded by DISA STIG V2R3. Apply the latest profile to your environment.
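The following TailoredProfile is an added example, not an object from the Compliance Operator documentation or from the Compliance Operator project itself. It implements the Important note at the top of this section (and the identical note in the FedRAMP High section): it extends `rhcos4-stig` and disables the `rhcos4-service-sshd-disabled` rule, so that applying automatic remediations from the tailored profile leaves sshd running on control plane and compute nodes. The object name, title, description and rationale text are illustrative choices; `openshift-compliance` is the namespace the Compliance Operator is installed into by default.

```yaml
# Added example (not from the Compliance Operator docs or project):
# keep SSH access when auto-remediating the rhcos4-stig profile.
# Name, title, description and rationale are illustrative choices.
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: rhcos4-stig-keep-sshd
  namespace: openshift-compliance
spec:
  # Inherit every rule and variable of the shipped rhcos4-stig profile ...
  extends: rhcos4-stig
  title: DISA STIG for RHCOS with SSH access retained
  description: >-
    rhcos4-stig with rhcos4-service-sshd-disabled excluded, so that
    automatic remediation does not stop sshd on the nodes.
  # ... except the rule whose remediation would disable the sshd service.
  # Each disabled rule needs a rationale; it is recorded for auditors.
  disableRules:
    - name: rhcos4-service-sshd-disabled
      rationale: >-
        Break-glass SSH access to nodes is required for maintenance;
        the control is compensated by host-level access restrictions.
```

Apply the object with `oc apply -f` and confirm that it reaches the READY state with `oc get tailoredprofile -n openshift-compliance` before using it. To scan with it, reference it from a ScanSettingBinding with `kind: TailoredProfile` in place of `kind: Profile`. The same construction applies to any other profile that carries the service-sshd-disabled rule.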
About extended compliance profiles
Some compliance profiles have controls that require following industry best practices, resulting in some profiles extending others. Combining the Center for Internet Security (CIS) best practices with National Institute of Standards and Technology (NIST) security frameworks establishes a path to a secure and compliant environment.
For example, the NIST High-Impact and Moderate-Impact profiles extend the CIS profile to achieve compliance. As a result, extended compliance profiles eliminate the need to run both profiles in a single cluster.
| Profile | Extends |
|---|---|
| ocp4-pci-dss | ocp4-cis |
| ocp4-pci-dss-node | ocp4-cis-node |
| ocp4-high | ocp4-cis |
| ocp4-high-node | ocp4-cis-node |
| ocp4-moderate | ocp4-cis |
| ocp4-moderate-node | ocp4-cis-node |
| ocp4-nerc-cip | ocp4-moderate |
| ocp4-nerc-cip-node | ocp4-moderate-node |
Compliance Operator profile types
Compliance Operator rules are organized into profiles. Profiles can target the Platform or the Nodes of an OpenShift Container Platform cluster, and some benchmarks also include rhcos4 Node profiles.
- Platform
  Platform profiles evaluate the OpenShift Container Platform cluster components. For example, a Platform-level rule can confirm whether the API server configuration uses strong encryption ciphers.
- Node
  Node profiles evaluate the OpenShift or RHCOS configuration of each host. There are two kinds of Node profile: `ocp4` Node profiles and `rhcos4` Node profiles. The `ocp4` Node profiles evaluate the OpenShift configuration of each host; for example, they can confirm whether `kubeconfig` files have the permissions a compliance standard requires. The `rhcos4` Node profiles evaluate the Red Hat Enterprise Linux CoreOS (RHCOS) configuration of each host; for example, they can confirm whether the SSHD service is configured to disable password logins.
Important
For benchmarks that have Node and Platform profiles, such as PCI-DSS, you must run both profiles in your OpenShift Container Platform environment.
For benchmarks that have ocp4 Platform, ocp4 Node, and rhcos4 Node profiles, such as FedRAMP High, you must run all three profiles in your OpenShift Container Platform environment.
Note
In a cluster with many Nodes, both ocp4 Node and rhcos4 Node scans might take a long time to complete.
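The ScanSettingBinding below is an added example, not an object from the Compliance Operator documentation or project. It runs all three FedRAMP High profiles together, as the Important note above requires for benchmarks that have `ocp4` Platform, `ocp4` Node and `rhcos4` Node profiles, by binding them to the `default` ScanSetting that the Compliance Operator creates at install time (that setting scans on its schedule but does not auto-apply remediations). The binding name `fedramp-high` is an illustrative choice; `openshift-compliance` is the operator's default namespace.

```yaml
# Added example (not from the Compliance Operator docs or project):
# run the Platform, ocp4 Node and rhcos4 Node FedRAMP High profiles
# as one suite. The binding name is an illustrative choice.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: fedramp-high
  namespace: openshift-compliance
# All three profiles of the benchmark; omitting one leaves a gap in coverage.
profiles:
  - name: ocp4-high          # Platform: cluster components
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-high-node     # ocp4 Node: OpenShift configuration on each host
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: rhcos4-high        # rhcos4 Node: RHCOS configuration on each host
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
# The operator-provided ScanSetting; use default-auto-apply only after
# reviewing the remediations, for example the sshd caveat on this page.
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

After `oc apply -f`, the operator creates a ComplianceSuite with the same name; `oc get compliancesuite fedramp-high -n openshift-compliance` shows the aggregate result and `oc get compliancecheckresults -n openshift-compliance -l compliance.openshift.io/suite=fedramp-high` lists the individual checks. Two-profile benchmarks such as PCI-DSS use the same shape with `ocp4-pci-dss` and `ocp4-pci-dss-node` in the profiles list, and a TailoredProfile is referenced the same way with `kind: TailoredProfile`.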