From 06e63f812a0438a8e7b73744d03e1a0deacea355 Mon Sep 17 00:00:00 2001 From: GroceryBoyJr <75502996+GroceryBoyJr@users.noreply.github.com> Date: Fri, 14 Nov 2025 16:50:33 -0500 Subject: [PATCH] CMP-3717: Update supported profiles documentation --- modules/compliance-supported-profiles.adoc | 140 ++++++--------------- 1 file changed, 39 insertions(+), 101 deletions(-) diff --git a/modules/compliance-supported-profiles.adoc b/modules/compliance-supported-profiles.adoc index d8a0fc71cf81..b614f87b5dfb 100644 --- a/modules/compliance-supported-profiles.adoc +++ b/modules/compliance-supported-profiles.adoc @@ -30,32 +30,14 @@ The following tables reflect the latest available profiles in the Compliance Ope |ocp4-cis ^[1]^ |CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 |Platform -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[1]^ -|`x86_64` - `ppc64le` - `s390x` - `aarch64` -| - -|ocp4-cis-1-4 ^[3]^ -|CIS Red Hat OpenShift Container Platform Benchmark v1.4.0 -|Platform -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ -|`x86_64` - `ppc64le` - `s390x` -| - -|ocp4-cis-1-5 -|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 -|Platform |link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ |`x86_64` `ppc64le` `s390x` + `aarch64` | -|ocp4-cis-1-7 +|ocp4-cis-1-7^[3]^ |CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 |Platform |link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ @@ -75,25 +57,7 @@ The following tables reflect the latest available profiles in the Compliance Ope `aarch64` |{product-rosa} with {hcp} (ROSA HCP) -|ocp4-cis-node-1-4 ^[3]^ -|CIS Red Hat OpenShift Container Platform Benchmark v1.4.0 -|Node ^[2]^ -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ -|`x86_64` - `ppc64le` - `s390x` -|{product-rosa} with {hcp} (ROSA HCP) - -|ocp4-cis-node-1-5 -|CIS Red Hat OpenShift Container Platform Benchmark v1.5.0 -|Node ^[2]^ -|link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ -|`x86_64` - `ppc64le` - `s390x` -|{product-rosa} with {hcp} (ROSA HCP) - -|ocp4-cis-node-1-7 +|ocp4-cis-node-1-7^[3]^ |CIS Red Hat OpenShift Container Platform Benchmark v1.7.0 |Node ^[2]^ |link:https://www.cisecurity.org/cis-benchmarks/[CIS Benchmarks ™] ^[4]^ @@ -105,9 +69,9 @@ The following tables reflect the latest available profiles in the Compliance Ope |=== [.small] -1. The `ocp4-cis` and `ocp4-cis-node` profiles maintain the most up-to-date version of the CIS benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as CIS v1.4.0, use the `ocp4-cis-1-4` and `ocp4-cis-node-1-4` profiles. +1. The `ocp4-cis` and `ocp4-cis-node` profiles maintain the most up-to-date version of the CIS benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as CIS v1.7.0, use the `ocp4-cis-1-7` and `ocp4-cis-node-1-7` profiles. 2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. -3. CIS v1.4.0 is superceded by CIS v1.5.0. It is recommended to apply the latest profile to your environment. +3. All earlier CIS profiles are superceded by CIS v1.7.0. It is recommended to apply the latest profile to your environment. 4. To locate the CIS {product-title} v4 Benchmark, go to link:https://www.cisecurity.org/benchmark/kubernetes[CIS Benchmarks] and click *Download Latest CIS Benchmark*, where you can then register to download the benchmark. [id="bsi-profiles_{context}"] @@ -152,6 +116,21 @@ The following tables reflect the latest available profiles in the Compliance Ope |`x86_64` | +|rhcos4-bsi ^[3]^ +|BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 +|Node ^[2]^ +|link:https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf[BSI Basic Protection Compendium] +|`x86_64` +| + +|ocp4-bsi-2022 ^[3]^ +|BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4 +|Node ^[2]^ +|link:https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf[BSI Basic Protection Compendium] +|`x86_64` +| + + |=== [.small] 1. The `ocp4-bsi` and `ocp4-bsi-node` profiles maintain the most up-to-date version of the BSI Basic Protection Profile as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as BSI 2022, use the `ocp4-bsi-2022` and `ocp4-bsi-node-2022` profiles. @@ -390,6 +369,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] |`x86_64` `ppc64le` + `aarch64` | |ocp4-pci-dss-3-2 ^[3]^ @@ -399,6 +379,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |`x86_64` `ppc64le` `s390x` + `aarch64` | |ocp4-pci-dss-4-0 @@ -407,6 +388,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] |`x86_64` `ppc64le` + `aarch64` | |ocp4-pci-dss-node ^[1]^ @@ -415,6 +397,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] |`x86_64` `ppc64le` + `aarch64` |{product-rosa} with {hcp} (ROSA HCP) |ocp4-pci-dss-node-3-2 ^[3]^ @@ -424,6 +407,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |`x86_64` `ppc64le` `s390x` + `aarch64` |{product-rosa} with {hcp} (ROSA HCP) |ocp4-pci-dss-node-4-0 @@ -432,6 +416,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library] |`x86_64` `ppc64le` + `aarch64` |{product-rosa} with {hcp} (ROSA HCP) |=== @@ -460,7 +445,7 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |Supported platforms |ocp4-stig ^[1]^ -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift^[3]^ |Platform |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] |`x86_64` @@ -468,87 +453,40 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses | |ocp4-stig-node ^[1]^ -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift -|Node ^[2]^ -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] -|`x86_64` - `ppc64le` -|{product-rosa} with {hcp} (ROSA HCP) - -|ocp4-stig-node-v1r1 ^[3]^ -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 -|Node ^[2]^ -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] -|`x86_64` - `ppc64le` -|{product-rosa} with {hcp} (ROSA HCP) - -|ocp4-stig-node-v2r1 -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 -|Node ^[2]^ -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] -|`x86_64` - `ppc64le` -|{product-rosa} with {hcp} (ROSA HCP) - -|ocp4-stig-node-v2r2 -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R2 +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift^[3]^ |Node ^[2]^ |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] |`x86_64` `ppc64le` |{product-rosa} with {hcp} (ROSA HCP) -|ocp4-stig-v1r1 ^[3]^ -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 -|Platform -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] -|`x86_64` - `ppc64le` -| -|ocp4-stig-v2r1 -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 +|ocp4-stig-v2r3 +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R3 |Platform |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] |`x86_64` `ppc64le` | -|ocp4-stig-v2r2 -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R2 -|Platform -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] -|`x86_64` - `ppc64le` -| - -|rhcos4-stig -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift +|ocp4-stig-node-v2r3 ^[1]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R3 |Node |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] |`x86_64` `ppc64le` -|{product-rosa} with {hcp} (ROSA HCP) - -|rhcos4-stig-v1r1 ^[3]^ -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V1R1 -|Node -|link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[3]^ -|`x86_64` - `ppc64le` -|{product-rosa} with {hcp} (ROSA HCP) +| -|rhcos4-stig-v2r1 -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R1 +|rhcos4-stig^[1]^ +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift^[3]^ |Node |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] |`x86_64` `ppc64le` |{product-rosa} with {hcp} (ROSA HCP) -|rhcos4-stig-v2r2 -|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R2 +|rhcos4-stig-v2r3 +|Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift V2R3 |Node |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] |`x86_64` @@ -557,9 +495,9 @@ Applying automatic remedations to any profile, such as `rhcos4-stig`, that uses |=== [.small] -1. The `ocp4-stig`, `ocp4-stig-node` and `rhcos4-stig` profiles maintain the most up-to-date version of the DISA-STIG benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as DISA-STIG V2R1, use the `ocp4-stig-v2r1` and `ocp4-stig-node-v2r1` profiles. +1. The `ocp4-stig`, `ocp4-stig-node` and `rhcos4-stig` profiles maintain the most up-to-date version of the DISA-STIG benchmark as it becomes available in the Compliance Operator. If you want to adhere to a specific version, such as DISA-STIG V2R3, use the `ocp4-stig-v2r3` and `ocp4-stig-node-v2r3` profiles. 2. Node profiles must be used with the relevant Platform profile. For more information, see _Compliance Operator profile types_. -3. DISA-STIG V1R1 is superceded by DISA-STIG V2R1. It is recommended to apply the latest profile to your environment. +3. DISA-STIG V1R2 is superceded by DISA-STIG V2R3. It is recommended to apply the latest profile to your environment. [id="compliance-extended-profiles_{context}"] == About extended compliance profiles