From b8adaf6f1566b0a44b7ae5fa325b7ae815ebf7ff Mon Sep 17 00:00:00 2001 From: GroceryBoyJr <75502996+GroceryBoyJr@users.noreply.github.com> Date: Mon, 10 Nov 2025 17:55:22 -0500 Subject: [PATCH] Compliance Operator 1.8.0 Release Notes --- .../compliance-operator-release-notes.adoc | 117 ++++++++++++++---- 1 file changed, 90 insertions(+), 27 deletions(-) diff --git a/security/compliance_operator/compliance-operator-release-notes.adoc b/security/compliance_operator/compliance-operator-release-notes.adoc index 1e0db7c338dd..332dbf21126f 100644 --- a/security/compliance_operator/compliance-operator-release-notes.adoc +++ b/security/compliance_operator/compliance-operator-release-notes.adoc 
@@ -17,6 +17,69 @@ To access the latest release, see xref:../../security/compliance_operator/co-man For more information on compliance support for all Red{nbsp}Hat products, see link:https://access.redhat.com/compliance[Product Compliance]. +[id="compliance-operator-release-notes-1-8-0_{context}"] +== OpenShift Compliance Operator 1.8.0 + +The following advisory is available for the OpenShift Compliance Operator 1.8.0: + +* link:https://access.redhat.com/errata/RHSA-2025:21885[RHSA-2025:21885 - OpenShift Compliance Operator 1.8.0 bug fix and enhancement update] + +[id="compliance-operator-1-8-0-new-features-and-enhancements_{context}"] +=== New features and enhancements + +* With this update, the Compliance Operator provides the Common Expression Language (CEL) scanner in TECH PREVIEW status. The CEL scanner implements a new `CustomRule` Custom Resource Definition (CRD) that allows administrators to define and enforce custom security policies using CEL expressions. This new content format does not replace the existing XCCDF (Extensible Configuration Checklist Description Format) profiles but extends the ability to comply with custom security policies. For more information, see (link:https://issues.redhat.com/browse/CMP-3118[CMP-3118]). + +* Previously, Compliance Operator required persistent storage to save raw scan results, which presented challenges for edge deployments and environments without storage infrastructure. With this release, Compliance Operator supports running scans without persistent storage. Administrators can set `rawResultStorage.enabled: false` in `ScanSetting` resources to disable storage of scan result files, allowing compliance scans to run in storage-constrained environments such as edge deployments and {sno}. Compliance check results remain fully available through `ComplianceCheckResult` resources. Raw result storage remains enabled by default for backward compatibility. 
For more information, see (link:https://issues.redhat.com/browse/CMP-1225[CMP-1225]). + +* Previously, Compliance Operator provided `ocp4-bsi` and `ocp4-bsi-node` profiles for BSI compliance scanning. With this release, the `rhcos4-bsi` profile is now available, extending BSI standard coverage to RHCOS systems. For more information, see (link:https://issues.redhat.com/browse/CMP-3720[CMP-3720]). + +* This release removes the deprecated CIS 1.4.0, CIS 1.5.0, DISA STIG V1R1 and DISA STIG V2R1 profiles. The newer versions have replaced these obsolete profiles for customer use. For more information, see (link:https://issues.redhat.com/browse/CMP-3712[CMP-3712]). + +* With this release, PCI-DSS profiles 3.2.1 and 4.0.0 are now supported on ARM architecture systems. For more information, see (link:https://issues.redhat.com/browse/CMP-3723[CMP-3723]). + +[id="compliance-operator-1-8-0-bug-fixes_{context}"] +=== Bug fixes + +* With this release, automatic remediation for API server encryption now applies the appropriate encryption mode based on OpenShift version: AES-GCM for OpenShift 4.13.0 and higher versions, AES-CBC for earlier versions. Both encryption modes remain compliant across all OpenShift versions. For more information, see (link:https://issues.redhat.com/browse/CMP-3248[CMP-3248]). + +* Prior to this release, Compliance Operator would remediate SSH settings on RHCOS hosts by deploying a fixed sshd_config file containing all SSH hardening settings. If the scan for corresponding rules failed, this could result in unintended configuration changes to SSH. With this release, Compliance Operator applies very specific remediations to SSH according to the rules shown in https://github.com/ComplianceAsCode/content/blob/master/shared/macros/10-kubernetes.jinja#L1-L154. For more information, see (link:https://issues.redhat.com/browse/CMP-3553[CMP-3553]). 
+ +* For prior versions of Compliance Operator, the log rotation function depended on finding the `logrotate` file in the `/etc/cron.daily` folder. With this release, Compliance Operator works with the `logrotate.timer` service. This provides reliable log rotation behavior from Compliance Operator. +// For more information, see (link:https://issues.redhat.com/browse/CMP-3172[CMP-3172]). + +* For previous versions of Compliance Operator, it is possible for the `STIG ID` to be omitted from the compliance report. These omissions were caused by missing `stigref` and `stigid` values. With this release, the omissions have been corrected and now `STIG ID` reliably shows up in the compliance report. +// For more information, see (link:https://issues.redhat.com/browse/OCPBUGS-60143[OCPBUGS-60143]. + +* Prior to this release, Compliance Operator STIG control CNTR-OS-000720 selected rule `rhcos4-audit-rules-suid-privilege-function`, but since the rule was not available in Compliance Operator, no output was generated. With this release, the rule, `rhcos4-audit-rules-suid-privilege-function` is now available in Compliance Operator and listed in the scan output. For more information, see (link:https://issues.redhat.com/browse/CMP-3558[CMP-3558]). + +* In previous versions of Compliance Operator, scanning with the `ocp4-stig` profile would fail for the rule `ocp4-stig-modified-audit-log-forwarding-uses-tls` even if TLS is enabled correctly. This would occur because the `tls://` field is no longer required by the `ClusterLogForwarder` resource, causing the scan output to show an incorrect `FAIL` result. With this release, the protocol prefix is not required and the scan output produces correct results. For more information, see (link:https://access.redhat.com/solutions/7016445[routes-protected-by-tls compliance check failing when ODF 4.11 is installed]). 
+ +* Previously, there was no automated method to check if API servers were using unsupported configuration overrides as recommended by CIS Benchmark control 1.2.31 or 1.2.33. This release provides dedicated rules for checking for unsupported configuration overrides. + +* For prior releases of Compliance Operator, some rules were missing a variable reference in the annotation, such as rule `resource-requests-limits`. With this release, the variable reference is available for rules and the erroneous output is eliminated. For more information, see (link:https://issues.redhat.com/browse/CMP-3582[CMP-3582]). + +* Previously, the `ocp4-routes-rate-limit` rule required setting rate limits for all routes outside the `openshift` and `kube` namespaces. However, using the feature and scanning for it presented problems because other namespaces managed by critical Operators should not be modified and not be scanned for the modification by Compliance Operator. With this release, routes managed by critical Operators are not flagged as errors by the Compliance Operator. +// For more information, see (link:https://issues.redhat.com/browse/CMP-3589[CMP-3589]). + +* In prior versions of Compliance Operator, a `ComplianceScan` reported the warning `SDN not found` when the `openshift-sdn` networking provider was not found. In this release, Compliance Operator suppresses the warning when OpenShift-SDN is not the active networking provider. For more information, see (link:https://issues.redhat.com/browse/CMP-3591[CMP-3591]). + +* Previously, duplicate variables could be accidentally created in `TailoredProfile` and were not correctly detected by Compliance Operator. With this release, duplicate `setValues` in `TailoredProfile` are identified and trigger a warning event from a compliance scan. +// For more information, see (link:https://issues.redhat.com/browse/CMP-3596[CMP-3596]). 
+ +* In previous releases of Compliance Operator, the rule ocp4-audit-log-forwarding-uses-tls failed when the `clusterlogforwarder` output configuration contained maps without a URL key. With this release, the rule correctly filters for outputs that have a URL field, showing `PASS` when TLS is properly enabled for `clusterlogforwarder`. For more information, see (link:https://issues.redhat.com/browse/CMP-3597[CMP-3597]). + +* In prior versions of Compliance Operator, for the rule `rhcos4-service-systemd-coredump-disabled`, no remediation was generated after scanning the cluster. In this release, remediation is provided for `rhcos4-service-systemd-coredump-disabled`. +// For more information, see (link:https://issues.redhat.com/browse/CMP-3599[CMP-3599]). + +* In prior versions of Compliance Operator, the rule to check the setting of `imagestream.spec.tags.importPolicy.scheduled` would return `FAIL` even when the configuration was correct. With this release, the rule now correctly excludes imagestreams managed by the samples operator and those owned by ClusterVersion, resulting in accurate compliance status reporting. +// For more information, see (link:https://issues.redhat.com/browse/CMP-3601[CMP-3601]). + +* In prior releases, Compliance Operator included outdated TLS cipher suite rules which used unsupported configuration overrides with defective remediations. With this release, these outdated rules have been removed from the default profile. Also, the `ocp4-kubelet-configure-tls-cipher-suites-ingresscontroller` rule has been renamed to `ocp4-ingress-controller-tls-cipher-suites` for better organization. For more information, see (link:https://issues.redhat.com/browse/CMP-3606[CMP-3606]). + +* In prior versions of Compliance Operator, creating `ComplianceScans` directly with custom content images failed during the profile deprecation check. 
With this release, Compliance Operator gracefully handles cases where the `ProfileBundle` cannot be determined, logging an informational message instead of failing the scan. For more information, see (link:https://issues.redhat.com/browse/CMP-3613[CMP-3613]). + +* Previously, Compliance Operator scanned incorrectly flagged passthrough routes as NON-COMPLIANT with the `ocp4-routes-protected-by-tls` rule. With this release, passthrough routes are properly excluded from this rule because they delegate TLS termination to the backend application. +// For more information, see (link:https://issues.redhat.com/browse/CMP-3630[CMP-3630]). [id="compliance-operator-release-notes-1-7-1_{context}"] == OpenShift Compliance Operator 1.7.1 @@ -33,7 +96,7 @@ The OpenShift Compliance Operator 1.7.1 supports PCI-DSS versions 3.2.1 and 4.0. [id="compliance-operator-1-7-1-bug-fixes_{context}"] === Bug fixes -* Previously, the Compliance Operator's `pauser` container could be terminated due to running out of memory (OOMKilled). With this update, the memory limit for the `pauser` container is increased to prevent the error and improve overall stability. (link:https://issues.redhat.com/browse/OCPBUGS-50924[*OCPBUGS-50924*]) +* Previously, the Compliance Operator's `pauser` container could be terminated due to running out of memory, showing the status `OOMKilled). With this update, the memory limit for the `pauser` container is increased to prevent the error and improve overall stability. (link:https://issues.redhat.com/browse/OCPBUGS-50924[OCPBUGS-50924]) [id="compliance-operator-release-notes-1-7-0_{context}"] == OpenShift Compliance Operator 1.7.0 
@@ -47,40 +110,40 @@ The following advisory is available for the OpenShift Compliance Operator 1.7.0: * A `must-gather` extension is now available for the Compliance Operator installed on `aarch64`, `x86`, `ppc64le`, and `s390x` architectures. The `must-gather` tool provides crucial configuration details to Red Hat Customer Support and engineering. For more information, see xref:../../security/compliance_operator/co-support.adoc#compliance-must-gather_co-support[Using the must-gather tool for the Compliance Operator]. -* CIS Benchmark Support has been added to Compliance Operator 1.7.0. The profile supported is CIS OpenShift Benchmark 1.7.0. For more information, see (link:https://issues.redhat.com/browse/CMP-3081[*CMP-3081*]) +* CIS Benchmark Support has been added to Compliance Operator 1.7.0. The profile supported is CIS OpenShift Benchmark 1.7.0. For more information, see (link:https://issues.redhat.com/browse/CMP-3081[CMP-3081]) -* Compliance Operator is now supported on `aarch64` architecture for CIS OpenShift Benchmark 1.7.0 and FedRAMP Moderate Revision 4. For more information, see (link:https://issues.redhat.com/browse/CMP-2960[*CMP-2960*]) +* Compliance Operator is now supported on `aarch64` architecture for CIS OpenShift Benchmark 1.7.0 and FedRAMP Moderate Revision 4. For more information, see (link:https://issues.redhat.com/browse/CMP-2960[CMP-2960]) -* Compliance Operator 1.7.0 now supports OpenShift DISA STIG V2R2 profiles for OpenShift and RHCOS. For more information, see (link:https://issues.redhat.com/browse/CMP-3142[*CMP-3142*]) +* Compliance Operator 1.7.0 now supports OpenShift DISA STIG V2R2 profiles for OpenShift and RHCOS. For more information, see (link:https://issues.redhat.com/browse/CMP-3142[CMP-3142]) -* Compliance Operator 1.7.0 now supports deprecation of old, unsupported profile versions, such as deprecation of CIS 1.4 profiles, CIS 1.5 profiles, DISA STIG V1R1 profiles and DISA STIG V2R1 profiles. 
For more information, see (link:https://issues.redhat.com/browse/CMP-3149[*CMP-3149*]) +* Compliance Operator 1.7.0 now supports deprecation of old, unsupported profile versions, such as deprecation of CIS 1.4 profiles, CIS 1.5 profiles, DISA STIG V1R1 profiles and DISA STIG V2R1 profiles. For more information, see (link:https://issues.redhat.com/browse/CMP-3149[CMP-3149]) -* With this release of Compliance Operator 1.7.0, the deprecation of older CIS and DISA STIG profiles mean that these older profiles will no longer be supported with the appearance of Compliance Operator 1.8.0. For more information, see (link:https://issues.redhat.com/browse/CMP-3284[*CMP-3284*]) +* With this release of Compliance Operator 1.7.0, the deprecation of older CIS and DISA STIG profiles mean that these older profiles will no longer be supported with the appearance of Compliance Operator 1.8.0. For more information, see (link:https://issues.redhat.com/browse/CMP-3284[CMP-3284]) -* With this release of Compliance Operator 1.7.0, BSI profile support is added for OpenShift. For more information, refer to the KCS article link:https://access.redhat.com/articles/7045834[*BSI Quick Check*] and link:https://access.redhat.com/compliance/bsi[*BSI Compliance Summary*]. +* With this release of Compliance Operator 1.7.0, BSI profile support is added for OpenShift. For more information, refer to the KCS article link:https://access.redhat.com/articles/7045834[BSI Quick Check] and link:https://access.redhat.com/compliance/bsi[*BSI Compliance Summary*]. [id="compliance-operator-1-7-0-bug-fixes_{context}"] === Bug fixes -* Before this release, Compliance Operator would provide an unneeded remediation recommendation due to differences in filesystem structure for the `s390x` architecture. With this release, the Compliance Operator now recognizes the differences in filesystem structure and does not provide the misleading remediation. With this update, the rule is now more clearly defined. 
(link:https://issues.redhat.com/browse/OCPBUGS-33194[*OCPBUGS-33194*]) +* Before this release, Compliance Operator would provide an unneeded remediation recommendation due to differences in filesystem structure for the `s390x` architecture. With this release, the Compliance Operator now recognizes the differences in filesystem structure and does not provide the misleading remediation. With this update, the rule is now more clearly defined. (link:https://issues.redhat.com/browse/OCPBUGS-33194[OCPBUGS-33194]) -* Previously, the instructions for rule `ocp4-etcd-unique-ca` did not work for OpenShift 4.17 and later. With this update, the instructions and actionable steps are corrected. (link:https://issues.redhat.com/browse/OCPBUGS-42350[*OCPBUGS-42350*]) +* Previously, the instructions for rule `ocp4-etcd-unique-ca` did not work for OpenShift 4.17 and later. With this update, the instructions and actionable steps are corrected. (link:https://issues.redhat.com/browse/OCPBUGS-42350[OCPBUGS-42350]) -* When using the Compliance Operator with Cluster Logging Operator (CLO) version 6.0, various rules would fail. This is due to backwards incompatible changes to the CRDs that CLO uses. The Compliance Operator relies on those CRDs to verify logging functionality. The CRDs have been corrected to support the PCI-DSS profiles with CLO. (link:https://issues.redhat.com/browse/OCPBUGS-43229[*OCPBUGS-43229*]) +* When using the Compliance Operator with Cluster Logging Operator (CLO) version 6.0, various rules would fail. This is due to backwards incompatible changes to the CRDs that CLO uses. The Compliance Operator relies on those CRDs to verify logging functionality. The CRDs have been corrected to support the PCI-DSS profiles with CLO. 
(link:https://issues.redhat.com/browse/OCPBUGS-43229[OCPBUGS-43229]) -* After installing Cluster Logging Operator (CLO) 6.0, users found that the ComplianceCheckResult `ocp4-cis-audit-log-forwarding-enabled` was failing because there was a change in the APIversion of the `clusterlogforwarder` resource. Log collection and forwarding configurations are now specified under the new API, part of the observability.openshift.io API group. (link:https://issues.redhat.com/browse/OCPBUGS-43585[*OCPBUGS-43585*]) +* After installing Cluster Logging Operator (CLO) 6.0, users found that the ComplianceCheckResult `ocp4-cis-audit-log-forwarding-enabled` was failing because there was a change in the APIversion of the `clusterlogforwarder` resource. Log collection and forwarding configurations are now specified under the new API, part of the observability.openshift.io API group. (link:https://issues.redhat.com/browse/OCPBUGS-43585[OCPBUGS-43585]) -* For previous releases of Compliance Operator, the scans would generate an error log for the reconcile loop on the Operator pod. With this release, the Compliance Operator controller logic is more stable. (link:https://issues.redhat.com/browse/OCPBUGS-51267[*OCPBUGS-51267*]) +* For previous releases of Compliance Operator, the scans would generate an error log for the reconcile loop on the Operator pod. With this release, the Compliance Operator controller logic is more stable. (link:https://issues.redhat.com/browse/OCPBUGS-51267[OCPBUGS-51267]) -* Previously, the rules `file-integrity-exists` or `file-integrity-notification-enabled` would fail on `aarch64` OpenShift clusters. With this update, these rules evaluate as `NOT-APPLICABLE` on `aarch64` systems. (link:https://issues.redhat.com/browse/OCPBUGS-52884[*OCPBUGS-52884*]) +* Previously, the rules `file-integrity-exists` or `file-integrity-notification-enabled` would fail on `aarch64` OpenShift clusters. With this update, these rules evaluate as `NOT-APPLICABLE` on `aarch64` systems. 
(link:https://issues.redhat.com/browse/OCPBUGS-52884[OCPBUGS-52884]) -* Before this release of the Compliance Operator, the rule `kubelet-configure-tls-cipher-suites` failed for the API server ciphers, resulting in `E2E-FAILURE` status. The rule has been updated to check new ciphers from RFC 8446, which are included with OpenShift 4.18. The rule is now being evaluated correctly. (link:https://issues.redhat.com/browse/OCPBUGS-54212[*OCPBUGS-54212*]) +* Before this release of the Compliance Operator, the rule `kubelet-configure-tls-cipher-suites` failed for the API server ciphers, resulting in `E2E-FAILURE` status. The rule has been updated to check new ciphers from RFC 8446, which are included with OpenShift 4.18. The rule is now being evaluated correctly. (link:https://issues.redhat.com/browse/OCPBUGS-54212[OCPBUGS-54212]) -* Previously, the Compliance Operator platform scan would fail and produce the message `failed to parse Ignition config`. With this release, the Compliance Operator is safe to run on 4.19 clusters, when that version of OpenShift is available to customers. (link:https://issues.redhat.com/browse/OCPBUGS-54403[*OCPBUGS-54403*]) +* Previously, the Compliance Operator platform scan would fail and produce the message `failed to parse Ignition config`. With this release, the Compliance Operator is safe to run on 4.19 clusters, when that version of OpenShift is available to customers. (link:https://issues.redhat.com/browse/OCPBUGS-54403[OCPBUGS-54403]) -* Before this release of Compliance Operator, several rules were not platform aware, creating unneeded errors. Now that the rules have been properly ported to other architectures, those rules run correctly and users can observe some Compliance Check Results reporting `NOT-APPLICABLE` appropriately, depending on the architecture they are using. 
(link:https://issues.redhat.com/browse/OCPBUGS-53041[*OCPBUGS-53041*]) +* Before this release of Compliance Operator, several rules were not platform aware, creating unneeded errors. Now that the rules have been properly ported to other architectures, those rules run correctly and users can observe some Compliance Check Results reporting `NOT-APPLICABLE` appropriately, depending on the architecture they are using. (link:https://issues.redhat.com/browse/OCPBUGS-53041[OCPBUGS-53041]) -* Previously, the rule `file-groupowner-ovs-conf-db-hugetlbf` would fail unexpectedly. With this release, the rule fails only when this is the needed result. (link:http://issues.redhat.com/browse/OCPBUGS-55180[*OCPBUGS-55190*]) +* Previously, the rule `file-groupowner-ovs-conf-db-hugetlbf` would fail unexpectedly. With this release, the rule fails only when this is the needed result. (link:http://issues.redhat.com/browse/OCPBUGS-55180[OCPBUGS-55190]) [id="compliance-operator-release-notes-1-6-2_{context}"] == OpenShift Compliance Operator 1.6.2 @@ -89,7 +152,7 @@ The following advisory is available for the OpenShift Compliance Operator 1.6.2: * link:https://access.redhat.com/errata/RHBA-2025:2659[RHBA-2025:2659 - OpenShift Compliance Operator 1.6.2 update] -CVE-2024-45338 is resolved in the Compliance Operator 1.6.2 release. (link:https://access.redhat.com/security/cve/cve-2024-45338[*CVE-2024-45338*]) +CVE-2024-45338 is resolved in the Compliance Operator 1.6.2 release. (link:https://access.redhat.com/security/cve/cve-2024-45338[CVE-2024-45338]) [id="compliance-operator-release-notes-1-6-1_{context}"] == OpenShift Compliance Operator 1.6.1 
@@ -119,23 +182,23 @@ The following advisory is available for the OpenShift Compliance Operator 1.6.0: [id="compliance-operator-1-6-0-bug-fixes_{context}"] === Bug fixes -* Before this release, a misleading description in the `ocp4-route-ip-whitelist` rule resulted in misunderstanding, causing potential for misconfigurations. With this update, the rule is now more clearly defined. (link:https://issues.redhat.com/browse/CMP-2485[*CMP-2485*]) +* Before this release, a misleading description in the `ocp4-route-ip-whitelist` rule resulted in misunderstanding, causing potential for misconfigurations. With this update, the rule is now more clearly defined. (link:https://issues.redhat.com/browse/CMP-2485[CMP-2485]) -* Previously, the reporting of all of the `ComplianceCheckResults` for a `DONE` status `ComplianceScan` was incomplete. With this update, annotation has been added to report the number of total `ComplianceCheckResults` for a `ComplianceScan` with a `DONE` status. (link:https://issues.redhat.com/browse/CMP-2615[*CMP-2615*]) +* Previously, the reporting of all of the `ComplianceCheckResults` for a `DONE` status `ComplianceScan` was incomplete. With this update, annotation has been added to report the number of total `ComplianceCheckResults` for a `ComplianceScan` with a `DONE` status. (link:https://issues.redhat.com/browse/CMP-2615[CMP-2615]) -* Previously, the `ocp4-cis-scc-limit-container-allowed-capabilities` rule description contained ambiguous guidelines, leading to confusion among users. With this update, the rule description and actionable steps are clarified. (link:https://issues.redhat.com/browse/OCPBUGS-17828[*OCPBUGS-17828*]) +* Previously, the `ocp4-cis-scc-limit-container-allowed-capabilities` rule description contained ambiguous guidelines, leading to confusion among users. With this update, the rule description and actionable steps are clarified. 
(link:https://issues.redhat.com/browse/OCPBUGS-17828[OCPBUGS-17828]) -* Before this update, sysctl configurations caused certain auto remediations for RHCOS4 rules to fail scans in affected clusters. With this update, the correct sysctl settings are applied and RHCOS4 rules for FedRAMP High profiles pass scans correctly. (link:https://issues.redhat.com/browse/OCPBUGS-19690[*OCPBUGS-19690*]) +* Before this update, sysctl configurations caused certain auto remediations for RHCOS4 rules to fail scans in affected clusters. With this update, the correct sysctl settings are applied and RHCOS4 rules for FedRAMP High profiles pass scans correctly. (link:https://issues.redhat.com/browse/OCPBUGS-19690[OCPBUGS-19690]) -* Before this update, an issue with a `jq` filter caused errors with the `rhacs-operator-controller-manager` deployment during compliance checks. With this update, the `jq` filter expression is updated and the `rhacs-operator-controller-manager` deployment is exempt from compliance checks pertaining to container resource limits, eliminating false positive results. (link:https://issues.redhat.com/browse/OCPBUGS-19690[*OCPBUGS-19690*]) +* Before this update, an issue with a `jq` filter caused errors with the `rhacs-operator-controller-manager` deployment during compliance checks. With this update, the `jq` filter expression is updated and the `rhacs-operator-controller-manager` deployment is exempt from compliance checks pertaining to container resource limits, eliminating false positive results. (link:https://issues.redhat.com/browse/OCPBUGS-19690[OCPBUGS-19690]) -* Before this update, `rhcos4-high` and `rhcos4-moderate` profiles checked values of an incorrectly titled configuration file. As a result, some scan checks could fail. With this update, the `rhcos4` profiles now check the correct configuration file and scans pass correctly. 
(link:https://issues.redhat.com/browse/OCPBUGS-31674[*OCPBUGS-31674*]) +* Before this update, `rhcos4-high` and `rhcos4-moderate` profiles checked values of an incorrectly titled configuration file. As a result, some scan checks could fail. With this update, the `rhcos4` profiles now check the correct configuration file and scans pass correctly. (link:https://issues.redhat.com/browse/OCPBUGS-31674[OCPBUGS-31674]) -* Previously, the `accessokenInactivityTimeoutSeconds` variable used in the `oauthclient-inactivity-timeout` rule was immutable, leading to a `FAIL` status when performing DISA STIG scans. With this update, proper enforcement of the `accessTokenInactivityTimeoutSeconds` variable operates correctly and a `PASS` status is now possible. (link:https://issues.redhat.com/browse/OCPBUGS-32551[*OCPBUGS-32551*]) +* Previously, the `accessokenInactivityTimeoutSeconds` variable used in the `oauthclient-inactivity-timeout` rule was immutable, leading to a `FAIL` status when performing DISA STIG scans. With this update, proper enforcement of the `accessTokenInactivityTimeoutSeconds` variable operates correctly and a `PASS` status is now possible. (link:https://issues.redhat.com/browse/OCPBUGS-32551[OCPBUGS-32551]) -* Before this update, some annotations for rules were not updated, displaying the incorrect control standards. With this update, annotations for rules are updated correctly, ensuring the correct control standards are displayed. (link:https://issues.redhat.com/browse/OCPBUGS-34982[*OCPBUGS-34982*]) +* Before this update, some annotations for rules were not updated, displaying the incorrect control standards. With this update, annotations for rules are updated correctly, ensuring the correct control standards are displayed. 
(link:https://issues.redhat.com/browse/OCPBUGS-34982[OCPBUGS-34982]) -* Previously, when upgrading to Compliance Operator 1.5.1, an incorrectly referenced secret in a `ServiceMonitor` configuration caused integration issues with the Prometheus Operator. With this update, the Compliance Operator will accurately reference the secret containing the token for `ServiceMonitor` metrics. (link:https://issues.redhat.com/browse/OCPBUGS-39417[*OCPBUGS-39417*]) +* Previously, when upgrading to Compliance Operator 1.5.1, an incorrectly referenced secret in a `ServiceMonitor` configuration caused integration issues with the Prometheus Operator. With this update, the Compliance Operator will accurately reference the secret containing the token for `ServiceMonitor` metrics. (link:https://issues.redhat.com/browse/OCPBUGS-39417[OCPBUGS-39417]) [id="compliance-operator-release-notes-1-5-1_{context}"] == OpenShift Compliance Operator 1.5.1
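Review bot: In the 1.8.0 bug-fix list added by the first hunk (@@ -17,6 +17,69 @@), the bullet for `ocp4-stig-modified-audit-log-forwarding-uses-tls` ends with a link to access.redhat.com/solutions/7016445 whose link text is "routes-protected-by-tls compliance check failing when ODF 4.11 is installed". That text describes a different rule from the one the bullet is about, so please confirm the reference or replace it with the tracking issue for this fix. In the same hunk, the SSH remediation bullet cites a bare GitHub URL on the `master` branch with a `#L1-L154` line range. That range will stop matching as the file changes, so pin it to a commit or tag and wrap it in the `link:` macro like the other references. Smaller points in this hunk: `sshd_config` and `ocp4-audit-log-forwarding-uses-tls` are missing backticks, the commented-out OCPBUGS-60143 line lacks its closing parenthesis, and "Compliance Operator scanned incorrectly flagged passthrough routes" needs rewording.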
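Review bot: The replacement line in the 1.7.1 hunk (@@ -33,7 +96,7 @@) has unbalanced inline-code markup: the new text reads "showing the status" followed by an opening backtick, OOMKilled, and then a ")" left over from the old "(OOMKilled)", with no closing backtick. AsciiDoc will pair that backtick with the one that opens `pauser` later in the sentence, so the monospace span will cover the wrong words. Close the backtick after OOMKilled and drop the stray parenthesis.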
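Review bot: In the 1.7.0 hunk (@@ -47,40 +110,40 @@), the last bullet, for `file-groupowner-ovs-conf-db-hugetlbf`, still has a link target and link text that disagree: the URL points at OCPBUGS-55180 while the text says OCPBUGS-55190. Since this line is being rewritten anyway, please confirm which issue is correct and make both match. The same URL uses `http://` where every other issue link in the file uses `https://`. Also in this hunk, the BSI bullet removes the bold from "BSI Quick Check" but leaves `[*BSI Compliance Summary*]` bold, so the formatting cleanup is incomplete on that line.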
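Review bot: In the 1.6.0 bug-fix hunk (@@ -119,23 +182,23 @@), the `oauthclient-inactivity-timeout` bullet carries over the misspelled variable name `accessokenInactivityTimeoutSeconds` in its first sentence, while the second sentence of the same bullet spells it `accessTokenInactivityTimeoutSeconds`. The line is already being touched, so fix the first occurrence here. Separately, the sysctl bullet and the `jq` filter bullet both link to OCPBUGS-19690 although they describe different fixes. Please check whether the second one should reference a different issue.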