OCPBUGS-25761: Clarified relationship between rules and profiles

sheriff-rh · sheriff-rh · commit e97fea46376f · 2025-03-04T08:11:51.000-05:00
diff --git a/modules/compliance-profile-types.adoc b/modules/compliance-profile-types.adoc
@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/co-concepts/compliance-operator-understanding.adoc
+// * security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="compliance_profile_types_{context}"]
+= Compliance Operator profile types
+
+Compliance Operator rules are organized into profiles. Profiles can target the {product-title} Platform or Nodes, and some standards include `rhcos4` Node profiles.
+
+Platform:: Platform scans evaluate your {product-title} cluster components, checking once per scan to verify settings. For example, confirming APIServer configurations are using strong encryption cyphers is Platform-level rule.
+
+Node:: Node scans target the nodes of the cluster, checking every Node in a cluster to verify OpenShift-specific settings. For example, confirming kubeconfig files have the correct permissions to meet a compliance standard is a Node-level rule.
+
+`rhcos4` Node:: Node scans for {op-system-first} Nodes. Every {op-system} Node is checked in a cluster to verify underlying operating system settings. For example, confirming the SSHD service is configured to disable password logins is an {op-system}-level rule.
+
+[IMPORTANT]
+====
+For compliance standards that have Node and Platform profiles, such as PCI-DSS, you must run both profiles in your {product-title} environment.
+
+For compliance standards that have Node, Platform, and `rhcos4` Node profiles, such as FedRAMP High, you must run all three profiles in your {product-title} environment.
+====
+
+[NOTE]
+====
+Both Node and `rhcos4` Node scans may take a long time to complete in a cluster with many Nodes.
+====
diff --git a/modules/compliance-profiles.adoc b/modules/compliance-profiles.adoc
@@ -214,18 +214,4 @@ title: Record Attempts to Alter Logon and Logout Events
 warning: Manual editing of these files may indicate nefarious activity, such as an
   attacker attempting to remove evidence of an intrusion.
 ----
-====
-
-[id="compliance_profile_types_{context}"]
-== Compliance Operator profile types
-
-There are two types of compliance profiles available: Platform and Node.
-
-Platform:: Platform scans target your {product-title} cluster.
-
-Node:: Node scans target the nodes of the cluster.
-
-[IMPORTANT]
-====
-For compliance profiles that have Node and Platform applications, such as `pci-dss` compliance profiles, you must run both in your {product-title} environment.
-====
+====
diff --git a/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc b/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc
@@ -15,8 +15,4 @@ The Compliance Operator is available for {op-system-first} deployments only.
 
 include::modules/compliance-profiles.adoc[leveloffset=+1]
 
-[id="additional-resources_compliance-operator-understanding"]
-[role="_additional-resources"]
-== Additional resources
-
-* xref:../../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-operator-supported-profiles[Supported compliance profiles]
+include::modules/compliance-profile-types.adoc[leveloffset=+2]
diff --git a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
@@ -27,6 +27,8 @@ The Compliance Operator might report incorrect results on some managed platforms
 
 include::modules/compliance-supported-profiles.adoc[leveloffset=+1]
 
+include::modules/compliance-profile-types.adoc[leveloffset=+2]
+
 [id="additional-resources-compliance-operator-"]
 [role="_additional-resources"]
 == Additional resources
