
Make sure the Security Profiles Operator is installed

An XCCDF Rule

Description

Security Profiles Operator provides a way to define secure computing (seccomp) profiles and SELinux profiles as custom resources that are synchronized to every node in a given namespace. Using security profiles can increase security at the container level in your cluster. Seccomp security profiles list the syscalls a process can make, and SELinux security profiles provide a label-based system that restricts access to and usage of processes, applications, and files.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub API endpoint, and save the response to the local /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub file in the dump.
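The following is an added example, not part of the SSG rule content or the Compliance Operator's own checker, showing how an offline evaluation of this rule over a configuration dump can look. It assumes the dump was produced by saving the output of `oc get --raw <API path>` to the same path under a local dump directory, and that a missing Subscription shows up as the Kubernetes `Status` object the API server returns with HTTP 404 (that shape is standard Kubernetes behaviour; the sample documents below are constructed).

```python
"""Offline evaluation of the Security Profiles Operator subscription check.

Added example (not SSG or Compliance Operator code). Assumed dump layout:
the file at <dump_dir>/<API path> holds whatever
    oc get --raw /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub
returned when the dump was taken.
"""
import json
import os
import tempfile

API_PATH = ("/apis/operators.coreos.com/v1alpha1/namespaces/"
            "openshift-security-profiles/subscriptions/security-profiles-operator-sub")

# Constructed sample: what the endpoint returns when the Subscription exists.
SAMPLE_PRESENT = json.dumps({
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "Subscription",
    "metadata": {"name": "security-profiles-operator-sub",
                 "namespace": "openshift-security-profiles"},
    "spec": {"name": "security-profiles-operator"},
})

# Constructed sample: the Status object the API server returns (HTTP 404)
# when the Subscription does not exist, i.e. the operator was never subscribed.
SAMPLE_MISSING = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "reason": "NotFound", "code": 404,
})


def subscription_present(raw):
    """Return True only if raw is a Subscription named as the rule expects."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return False
    if not isinstance(doc, dict) or doc.get("kind") != "Subscription":
        return False
    meta = doc.get("metadata", {})
    return (meta.get("name") == "security-profiles-operator-sub"
            and meta.get("namespace") == "openshift-security-profiles")


def evaluate_dump(dump_dir):
    """Map the dump contents to an XCCDF-style result string."""
    path = os.path.join(dump_dir, API_PATH.lstrip("/"))
    if not os.path.exists(path):
        # The endpoint was never fetched, so nothing can be said either way.
        return "notchecked"
    with open(path, encoding="utf-8") as fh:
        return "pass" if subscription_present(fh.read()) else "fail"


def write_dump(dump_dir, raw):
    """Store raw at the dump path the rule reads, creating parent directories."""
    path = os.path.join(dump_dir, API_PATH.lstrip("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(raw)
    return path


def demo():
    """Evaluate the rule against three constructed dumps; returns the results."""
    results = []
    for raw in (SAMPLE_PRESENT, SAMPLE_MISSING, None):
        with tempfile.TemporaryDirectory() as dump_dir:
            if raw is not None:
                write_dump(dump_dir, raw)
            results.append(evaluate_dump(dump_dir))
    return tuple(results)  # ("pass", "fail", "notchecked")


if __name__ == "__main__":
    print(demo())
```

The `notchecked` branch matters in practice: a dump that simply lacks the file is not evidence that the operator is missing, only that the endpoint was not collected, so treating it as a failure would produce false findings.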

Rationale

An application that runs with privileges can be attacked to have its privileges exploited. Confining applications limits the actions an attacker can perform when they are compromised.

ID
xccdf_org.ssgproject.content_rule_security_profiles_operator_exists
Severity
Medium
References
Updated