Documenting CIS policies that are out of scope of CFI #281
Unanswered
AdrianHammond
asked this question in
General
Replies: 0 comments
Problem: There are a number of CIS Policies that require the user to make decisions on how they would configure the cloud service to address the policy. I don't think this is unique to OCP so I wanted to get consensus on how we handle these CIS policies in IAC.
Proposed Approach: To document policies that are not covered by CFI provided in the IAC / documentation rather than in the SAA. This way the user will know what policies they need to make local decisions on to make the cloud service they are deploying 100% CIS compliant.
Two examples of CIS policies that I am thinking about are:
1.2.23 Ensure that the audit logs are forwarded off the cluster for retention (Manual)
5.4.2 Consider external secret storage (Manual)