OCPBUGS-25761: Clarified relationship between rules and profiles

sheriff-rh · sheriff-rh · commit fa76b3aec457 · 2025-02-26T07:37:53.000-05:00
diff --git a/modules/compliance-profile-types.adoc b/modules/compliance-profile-types.adoc
@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/co-concepts/compliance-operator-understanding.adoc
+// * security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
+
+[id="compliance_profile_types_{context}"]
+= Compliance Operator profile types
+
+There are three types of compliance profiles available: Platform, Node, and {op-system-first} profiles. These profile types contain rules that check both OpenShift and operating system settings, such as {op-system} configurations. 
+
+Platform:: Platform scans target your {product-title} cluster, checking once per scan to verify settings. For example, confirming APIServer configurations are using strong encryption cyphers is Platform-level rule.
+
+Node:: Node scans target the nodes of the cluster, checking every Node in a cluster to verify settings. For example, confirming kubeconfig files have the correct permissions to meet a compliance standard is a Node-level rule.
+
+{op-system}:: Node scans for {op-system} Nodes. Every {op-system} Node is checked in a cluster to verify settings. For example, confirming the SSHD service is configured to disable password logins is an {op-system}-level rule.
+
+[NOTE]
+====
+Both Node and {op-system} scans may take a long time to complete in a cluster with many Nodes.
+====
+
+[IMPORTANT]
+====
+For compliance profiles that have Node and Platform applications, such as `pci-dss` compliance profiles, you must run both in your {product-title} environment.
+
+For compliance profiles that have Node, Platform, and {op-system} applications, such as FedRAMP High compliance profiles, you must run all three in your {product-title} environment.
+====
diff --git a/modules/compliance-profiles.adoc b/modules/compliance-profiles.adoc
@@ -214,18 +214,4 @@ title: Record Attempts to Alter Logon and Logout Events
 warning: Manual editing of these files may indicate nefarious activity, such as an
   attacker attempting to remove evidence of an intrusion.
 ----
-====
-
-[id="compliance_profile_types_{context}"]
-== Compliance Operator profile types
-
-There are two types of compliance profiles available: Platform and Node.
-
-Platform:: Platform scans target your {product-title} cluster.
-
-Node:: Node scans target the nodes of the cluster.
-
-[IMPORTANT]
-====
-For compliance profiles that have Node and Platform applications, such as `pci-dss` compliance profiles, you must run both in your {product-title} environment.
-====
+====
diff --git a/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc b/security/compliance_operator/co-concepts/compliance-operator-understanding.adoc
@@ -15,8 +15,4 @@ The Compliance Operator is available for {op-system-first} deployments only.
 
 include::modules/compliance-profiles.adoc[leveloffset=+1]
 
-[id="additional-resources_compliance-operator-understanding"]
-[role="_additional-resources"]
-== Additional resources
-
-* xref:../../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-operator-supported-profiles[Supported compliance profiles]
+include::modules/compliance-profile-types.adoc[leveloffset=+2]
diff --git a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
@@ -27,6 +27,8 @@ The Compliance Operator might report incorrect results on some managed platforms
 
 include::modules/compliance-supported-profiles.adoc[leveloffset=+1]
 
+include::modules/compliance-profile-types.adoc[leveloffset=+2]
+
 [id="additional-resources-compliance-operator-"]
 [role="_additional-resources"]
 == Additional resources
