CIS Benchmark for Red Hat OpenShift Container Platform v4
The CIS Benchmarks, from the Center for Internet Security, are a set of best practices that help security practitioners implement and maintain cybersecurity defenses.
CIS Benchmarks for Red Hat OpenShift Container Platform
The Kubernetes CIS Benchmark includes configuration guidelines for Red Hat OpenShift Container Platform v4.
The OpenShift Compliance Operator runs scans and provides remediation strategies for compliance issues. The OpenShift Compliance Operator includes the following profiles for the CIS Red Hat OpenShift Container Platform 4 Benchmark:
- ocp4-cis
- ocp4-cis-node
The IBM Cloud Pak® for Data control plane and many of the services are tested against these profiles.
The compliance statements in the following sections assume that you have a hardened cluster. Specifically, they assume that you completed the following tasks:
- Installing the OpenShift Compliance Operator.
- Running the CIS control tests that are included with the OpenShift Compliance Operator.
- Adjusting your cluster configuration to address the identified issues.
The information in the following sections indicates any exceptions that you need to allow in order for the Cloud Pak for Data software to install on your cluster.
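One way to confirm that the only failing checks on a cluster are exceptions you have decided to allow, as an added example that is not IBM or Red Hat code. It assumes the scan results were exported as JSON from the `ComplianceCheckResult` objects and that each gap is identified by the check result name, as in the Watson Machine Learning row; the `sample-` check names are constructed.

```python
import json

# Exception named on this page (Watson Machine Learning row of the Services table).
# Extend the set with the gaps listed for the software you install.
ALLOWED_EXCEPTIONS = {"ocp4-cis-accounts-restrict-service-account-tokens"}

# Statuses that mean a check did not pass and needs a decision.
FAILING = {"FAIL", "ERROR", "INCONSISTENT"}

# Constructed sample shaped like:
#   oc get compliancecheckresults -n openshift-compliance -o json
# Only the first name comes from the page; the "sample-" names are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "ocp4-cis-accounts-restrict-service-account-tokens"},
     "status": "FAIL", "severity": "medium"},
    {"metadata": {"name": "ocp4-cis-sample-unexpected-failure"},
     "status": "FAIL", "severity": "high"},
    {"metadata": {"name": "ocp4-cis-sample-manual-review"},
     "status": "MANUAL", "severity": "medium"},
    {"metadata": {"name": "ocp4-cis-sample-passing-check"},
     "status": "PASS", "severity": "low"},
]})


def triage(raw_json, allowed=frozenset(ALLOWED_EXCEPTIONS)):
    """Sort check results into accepted exceptions, unexpected failures,
    manual checks, and allowed exceptions that no longer fail (stale)."""
    report = {"accepted": [], "unexpected": [], "manual": []}
    failing_names = set()
    for item in json.loads(raw_json).get("items", []):
        name = item["metadata"]["name"]
        status = str(item.get("status", "")).upper()
        if status in FAILING:
            failing_names.add(name)
            report["accepted" if name in allowed else "unexpected"].append(name)
        elif status == "MANUAL":
            report["manual"].append(name)
    report = {key: sorted(names) for key, names in report.items()}
    report["stale"] = sorted(set(allowed) - failing_names)
    return report


def cluster_is_acceptable(report):
    """True only when every failing check is a documented exception."""
    return not report["unexpected"]


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(json.dumps(result, indent=2))
    print("acceptable:", cluster_is_acceptable(result))
```

Entries reported as `stale` are allowed exceptions that no longer fail and can be removed from the allow list; `manual` entries still need a human review.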
Cluster-wide components
Cluster-wide components are installed exactly once on the cluster.
Software | Automated control test | Manual control test | Gaps |
---|---|---|---|
IBM® Certificate manager | This information is not currently available. | This information is not currently available. | This information is not currently available. |
License Service | This information is not currently available. | This information is not currently available. | This information is not currently available. |
Scheduling service | All checks passed | Partial | |
Required components
The software in the following table is installed with each instance of IBM Cloud Pak for Data on the cluster.
Software | Automated control test | Manual control test | Gaps |
---|---|---|---|
IBM Cloud Pak foundational services | This information is not currently available. | This information is not currently available. | This information is not currently available. |
IBM Cloud Pak for Data platform operator | All checks passed | Partial | |
IBM Cloud Pak for Data control plane | All checks passed | Partial | |
Services
You can choose which services are installed in an instance of IBM Cloud Pak for Data.
Any violations that are introduced by the IBM Cloud Pak for Data control plane automatically affect the services that are installed on top of the control plane. The statements in this section specify whether the individual services introduce additional violations.
Software | Automated control test | Manual control test | Gaps |
---|---|---|---|
AI Factsheets | All checks passed | All checks passed | |
Analytics Engine powered by Apache Spark | All checks passed | Partial | |
Cognos® Analytics | All checks passed | All checks passed | |
Cognos Dashboards | This information is not currently available. | This information is not currently available. | |
Data Privacy | All checks passed | All checks passed | |
Data Refinery | All checks passed | All checks passed | |
Data Replication | This information is not currently available. | This information is not currently available. | This information is not currently available. |
DataStage® | All checks passed | All checks passed | |
Db2® | Partial | Partial | |
Db2 Big SQL | Partial | Partial | |
Db2 Data Gate | All checks passed | All checks passed | |
Db2 Data Management Console | All checks passed | All checks passed | |
Db2 Warehouse | Partial | Partial | |
Decision Optimization | All checks passed | All checks passed | |
EDB Postgres | This information is not currently available. | This information is not currently available. | |
Execution Engine for Apache Hadoop | All checks passed | Partial | |
IBM Match 360 with Watson™ | All checks passed | All checks passed | If you enable FIPS on your cluster, you must allow an exception for the following compliance issue: |
Informix® | All checks passed | All checks passed | |
MANTA Automated Data Lineage | Partial | This information is not currently available. | |
OpenPages® | All checks passed | All checks passed | All checks pass when you use an external database. If you use an embedded Db2 database, you must allow an exception for the following compliance issues: |
Planning Analytics | All checks passed | All checks passed | |
Product Master | This information is not currently available. | This information is not currently available. | This information is not currently available. |
RStudio® Server Runtimes | All checks passed | All checks passed | |
SPSS® Modeler | All checks passed | All checks passed | |
Voice Gateway | This information is not currently available. | This information is not currently available. | This information is not currently available. |
Watson Assistant | Partial | Partial | This information is not currently available. |
Watson Discovery | This information is not currently available. | All checks passed | This information is not currently available. |
Watson Knowledge Catalog | Partial | Partial | |
Watson Knowledge Studio | This information is not currently available. | All checks passed | This information is not currently available. |
Watson Machine Learning | All checks passed | Partial | ocp4-cis-accounts-restrict-service-account-tokens |
Watson Machine Learning Accelerator | All checks passed | All checks passed | |
Watson OpenScale | All checks passed | All checks passed | All checks pass when you use an external database. If you use an embedded Db2 database, you must allow exceptions for: |
Watson Pipelines | All checks passed | Partial | |
Watson Query | Partial | Partial | |
Watson Speech services | This information is not currently available. | This information is not currently available. | |
Watson Studio | Partial | Partial | |
Watson Studio Runtimes | All checks passed | All checks passed | |
watsonx.data | All checks passed | This information is not currently available. | |
Automatically installed dependencies
Software | Automated control test | Manual control test | Gaps |
---|---|---|---|
Common core services | Partial | Partial | |
Db2 as a service | Partial | Partial | |
Db2U | Partial | Partial | |