
Ensure that Compliance Operator scans are running periodically

An XCCDF Rule

Description

The Compliance Operator scans the hosts and the platform (OCP) configurations for software flaws and improper configurations according to different compliance benchmarks. Compliance Operator allows its scans to be scheduled periodically using the ScanSetting Custom Resource.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the /apis/compliance.openshift.io/v1alpha1/scansettings API endpoint, filtered with the jq utility using the filter [.items[]] | map(.schedule != "" and .schedule != null), and persisted to the local /apis/compliance.openshift.io/v1alpha1/scansettings#c9e8242304a62f077a87b2b045f62b01340e80a8798e58477faa58c06e918211 file.
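The following is an added example, not ComplianceAsCode's or the Compliance Operator's own code: it evaluates the same condition as the jq filter above offline, on a ScanSettingList dump of the kind that the scansettings endpoint (or oc get scansettings -A -o json) returns. It assumes a constructed sample dump, and the choice to treat an empty ScanSetting list as a failure is the example's own, not stated by the rule.

```python
"""Offline evaluation of the scansettings_have_schedule condition.

Mirrors the rule's jq filter [.items[]] | map(.schedule != "" and .schedule != null)
on a ScanSettingList JSON dump, and reports which ScanSettings lack a schedule.
"""
import json

# Constructed sample dump (not from a real cluster): one ScanSetting with a cron
# schedule, one with no schedule field at all, one with an empty schedule.
SAMPLE_DUMP = json.dumps({
    "apiVersion": "compliance.openshift.io/v1alpha1",
    "kind": "ScanSettingList",
    "items": [
        {"metadata": {"name": "default", "namespace": "openshift-compliance"},
         "schedule": "0 1 * * *", "roles": ["worker", "master"]},
        {"metadata": {"name": "adhoc", "namespace": "openshift-compliance"},
         "roles": ["worker"]},
        {"metadata": {"name": "blank", "namespace": "openshift-compliance"},
         "schedule": ""},
    ],
})


def has_schedule(item):
    # Same test as the jq expression: .schedule != "" and .schedule != null
    schedule = item.get("schedule")
    return schedule is not None and schedule != ""


def schedule_flags(dump_text):
    """Equivalent of the rule's jq filter: one boolean per ScanSetting, in order."""
    return [has_schedule(item) for item in json.loads(dump_text).get("items", [])]


def evaluate(dump_text):
    """Return (passed, names_without_schedule).

    Passes only when the dump lists at least one ScanSetting and every one of
    them carries a non-empty schedule. Treating an empty list as a failure is
    this example's assumption: no ScanSetting means no periodic scan exists.
    """
    items = json.loads(dump_text).get("items", [])
    missing = [item["metadata"]["name"] for item in items if not has_schedule(item)]
    return (bool(items) and not missing, missing)


if __name__ == "__main__":
    passed, missing = evaluate(SAMPLE_DUMP)
    print("PASS" if passed else "FAIL", "- ScanSettings without a schedule:", missing)
```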

Rationale

Without periodic scanning and verification, security functions may not operate correctly, and this failure may go unnoticed within the container platform.

ID
xccdf_org.ssgproject.content_rule_scansettings_have_schedule
Severity
Medium
References
Updated