Ensure that Compliance Operator is scanning the cluster

An XCCDF Rule

Description

The Compliance Operator scans the hosts and the platform (OCP) configurations for software flaws and improper configurations according to different compliance benchmarks. It uses OpenSCAP as a backend, which is a known and certified tool to do such scans.

Warning

This rule's check operates on the cluster configuration dump rather than on a live cluster. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 API endpoint, and save its response to the local /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 file inside the dump.
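The following added example (not part of the rule's own OVAL check or of the Compliance Operator project) shows the two halves of that warning: fetching the endpoint with `oc get --raw` into the dump tree at the path the rule reads, and the pass condition evaluated offline over that stored response, namely that at least one ScanSettingBinding is listed. The sample responses, the `cis-compliance` binding name and the helper names are constructed assumptions.

```python
import json
import subprocess
from pathlib import Path

# API endpoint named by the rule; the dump stores the response under the same relative path.
ENDPOINT = "/apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5"

def fetch_endpoint_into_dump(dump_root):
    """Query the live cluster with `oc get --raw` and write the raw response into the
    dump tree. Needs a logged-in `oc`; it is not exercised by the offline checks below."""
    body = subprocess.run(["oc", "get", "--raw", ENDPOINT],
                          check=True, capture_output=True, text=True).stdout
    target = Path(dump_root) / ENDPOINT.lstrip("/")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    return target

def scansettingbinding_exists(dump):
    """Pass condition of the rule (our reading of it): the list response has >= 1 item."""
    items = dump.get("items")
    return isinstance(items, list) and len(items) > 0

def summarize_bindings(dump):
    """(binding name, bound profile names, ScanSetting name) per item, for the audit report."""
    out = []
    for item in dump.get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        profiles = [p.get("name") for p in item.get("profiles", [])]
        setting = item.get("settingsRef", {}).get("name")
        out.append((name, profiles, setting))
    return out

def evaluate_dump_file(path):
    """Read the stored endpoint response from the dump and return (passed, summary)."""
    dump = json.loads(Path(path).read_text())
    return scansettingbinding_exists(dump), summarize_bindings(dump)

# Constructed sample responses (not captured from a real cluster).
SAMPLE_PASS = {
    "apiVersion": "compliance.openshift.io/v1alpha1",
    "kind": "ScanSettingBindingList",
    "items": [{
        "metadata": {"name": "cis-compliance"},
        "profiles": [{"name": "ocp4-cis", "kind": "Profile",
                      "apiGroup": "compliance.openshift.io/v1alpha1"}],
        "settingsRef": {"name": "default", "kind": "ScanSetting",
                        "apiGroup": "compliance.openshift.io/v1alpha1"},
    }],
}
SAMPLE_FAIL = {"apiVersion": "compliance.openshift.io/v1alpha1",
               "kind": "ScanSettingBindingList", "items": []}
```

An empty `items` list means no profile is bound to any scan setting, so the operator is installed but not actually scanning, which is exactly the state this rule flags.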

Rationale

Vulnerability scanning and risk management are important detective controls for all systems, to detect potential flaws and unauthorised access.

ID: xccdf_org.ssgproject.content_rule_scansettingbinding_exists

Severity: Medium