►
Description
Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-10-14
A
A
B
A
B
A
B
B
B
You
know
prior
steps,
but
if
we
are
looking
only
at
the
subset
of
observations
and
findings,
we
are
able
to
extract
a
set
of
objects
that
can
be
leveraged
to
describe
the
results
in
a
way
that
we
do
not
need
all
the
other
dependent
artifacts
on
the
prior
steps
in
in
austral.
So
we
I
present
here,
left
and
right.
Those
compliance
operator
results
in
this
json
for
one
based
on
the
oscal
findings.
B
B
There
is
no
mention
of
of
regulation
or
the
controls
within
a
regulation.
What
you
will
see
are
the
cs:
benchmark
banks,
rules
with
the
timestamps
and
and
the
results,
and
this
is
what
we
have
on
the
left.
We
have
a
bunch
of
properties
that
that
we
can
find
in
in
that
file
right.
What
is
the
run
of
the
test
right?
What
are
the
some
remarks
that
are
in
there?
B
So
all
the
all,
the
I
would
say,
items
that
are
not
strictly
related
to
the
resultant
to
the
rules
are
mapped
here
under
the
properties,
the
observation
properties
and
part
of
that
we
get
also
the
rules
that
are
associated
and
I'm
looking
here
at
two
particular
rules
right.
So
I'm
looking
at
item
9
and
item
10
and
they
describe
the
rule
that
particularly
the
id
of
the
rule
x
is
edf,
one
is
finger
service
and
the
other
one
exact
amount
requested
same
time
out.
So
these
are.
These
are
the
the
rules.
B
B
In
the
case
of
compliance
operator,
I
have
a
result
per
worker
node.
So
if
I
have
two
rules
and
three
worker
nodes,
I'll
have
six
evidence
items
here
here
we
have
just
you
know,
for
the
sake
of
this
example.
Two
rules
on
one
worker,
node
and
I'll
have
those
two
rules,
so
I
have
the
properties
in
the
one
being.
Okay,
what
is
my
rule?
What
is
the
timestamp
and
what
is
the
the
status?
B
So
we
are
talking
about
the
scope.
In
this
case
it
was
an
cluster
with
one
worker
node,
so
subject
references
is
the
object
under
which
I
put
the
subjects
of
my
assessment
and
the
the
references
to
that
those
subjects
so
in
the
case
of
vms
would
be
the
you
know,
ips
associated
with
that
and
so
on.
In
this
case,
I'll
have
the.
B
The
details
associated
with
that
with
that
worker
node
that
we
could
find
in
that
result
from
the
compliance,
and
there
is
one
last
item,
observation
methods
where
I
can
describe
details
in
this
case
is
an
automated
automated
test.
The
reason
why
I
find
this
relevant
is
that
if
we
have
certain
tests
that
are
done
manual,
and-
and
this
is
the
case,
for
instance
in
in
the
cs
benchmarks
that
are
not
implemented,
they
do
not
have
a
script
within
the.
B
B
In
the
case
of
the
ocp,
we
are
looking
at
ocp4
the.
So
this
is
openshift
cloud
platform
version.
Four.
We
have
only
two
that
are
mapped,
but
through
other
artifacts
that
are
available
in
the
compliance
is
a
code.
You
are
able
to
infer
that
mapping
as
well
so
now,
depending
on
where
the
logic
of
associating
those
results
on
the
left
right.
Just
the
observations
with
the
correspondent
regulation,
that
is
of
interest
to
the
consumer
right,
the
consumer
may
be
looking
at
nist
level
or
cis
level
or
hipaa
level.
B
The
result
that
we
send
back
to
to
the
tool
that
is
providing
the
display
of
the
or
creating
the
document
for
that
regulation
may
contain
also
the
association
with
the
controls
and
and
openscap
and
sorry
oscal
allows
that
mapping
as
well.
So
I
present
here
on
the
right
an
addition
to
what
we
have
on
the
left
in
order
to
include
the
regulation.
So
the
left
one
is
regulation,
agnostic,
the
right
one
is
regulation,
aware-
and
you
see
here
under
observations
right,
I'm
marking
here
right
this.
B
What
we
have
here
are
are
basically
the
details
that
I
have
on
the
left
right.
So
we
have
the
properties,
the
evidence,
group,
the
observation
methods
and
so
on
for
for
multiple
items,
and
what
I
have
above
is
the
delta
that
I'll
I'll
show
how
auscal
handles
in
order
to
to
provide
the
mapping
to
the
controls.
B
So
we
are
talking
now
about
results,
group
and
findings.
A
finding
includes
multiple
observation,
but
the
finding
maps
one-to-one
to
a
control
in
the
regulation
of
interest.
So
here
I'm
looking
at
nist
853,
so
one
finding
right,
I'm
looking
at
item
zero.
I
have.
We
have
two
items
in
here:
item
zero
and
item
one.
So
item
zero
is
interested
in
the
control
ac3.
B
So
the
objective
and
objective
status
of
object
in
here
contains
the
control,
ac,
ac3
and
the
result
with
the
value
fail.
This
is
the
aggregated
result
across
all
the
constituent
rules
that
are
associated
with
that
ac3.
Those
can
be
rules
in
ocp
for
icic
cis
benchmarks
for
kubernetes
those
can
be
in
rhl7.
B
These
are
the
linux
benchmarks
right
that
are
associated
with
ac3,
so
all
those
will
be
will
contain
observations
with
their
individual
status,
and
what
we
have
here
in
the
objective
status
is
that
the
regulation
level
ac
density
control
with
the
aggregate
status
across
that
in
the
properties.
Here
we
defined
all
the
rules
that
are
associated
with
ac3
and
we
have
rules
that
come
from
the
kubernetes
case
benchmarks
on
kubernetes,
as
well
as
rules
that
come
from
the
are
health,
seven,
the
linux.
B
So
we
d
we,
we
have
here
all
the
rules,
and
now
we
expect
that
the
observations
will
provide
at
least
one
observation
for
each
rule.
If,
if
one
of
those
rule
is
is
missing
the
status
that
we
have
here,
it
will
be
error
or
missing,
or
so
now
that
we
know
what
are
the
rules
that
are
associated
with
ac3
and
because
here
we
are
in
the
context
of
the
compliance
operator.
We
are
looking
at
cis
benchmarks,
but
if
we
are
looking
for
other
contexts
right,
you
may
have
other
rules
in
there.
B
We
are
looking
at
the
observations,
and
I
said
the
first
observation
is
for
the
rule.
You
know
limit
user
access
and,
as
we've
seen
before,
I
will
have
here
the
properties
associated
with
that
we'll
have
the
evidence
where
I
present
the.
What
is
the
what
is
the
rule
and
what
is
the
status?
So
in
this
particular
case,
this
is
not
checked.
Let's
see
what
what
what
was
the
target?
B
The
the
subject,
the
resource
on
which
that
was
it
is
it,
is
a
vm
okay
and
the
details
of
the
vm
will
be
provided
here.
Okay,
I'm
talking
about
that
worker
node
in
that
cluster,
in
in
that
region.
So
whatever
it
is
provided
by
the
compliance
operator
result,
right
will
be,
will
be
here,
so
we'll
have
the
details
of
the
target
resource.
B
In
this
case
it
was
this
worker
node,
we'll
have
the
evidence
that
will
tell
the
rule
associated
with
the
with
the
with
the
status
and
in
the
properties
above
we'll
have
additional
details
related
to
to
that.
Like
the
result
or
the
timestamp
associated
with
that,
so
this
is
this
is
one
item
we
can
look
at
another
one,
and
this
comes
from
another
another
vm.
In
this
case
we
had
a
cluster
with
three
worker
nodes,
so
we
will
have
the
results
in
the
observation
right.
B
Three
observation:
one
status
for
each
of
the
each
rule
for
each
vm
and
if
we
look
at
the
others,
you
will
see
also
results
from
the
the
kubernetes
cs
benchmarks,
because
in
the
dependencies
for
this
ac3
for
disney's
controls,
I
have
both
cs
kubernetes
rules
as
well
as
linux,
cs
benchmarks.
So
the
subject
reference
here,
I
think,
would
be
a
a
worker
node
and
those
will
be
the
details
of
the
worker
node
in
here
the
location,
the
cluster
associated
with
that
and
so
on.
B
B
Result
right
the
failure,
so
the
the
the
logic
here.
Actually
we
have
this
implemented
and
the
logic
that
we
use
that
if
we
have
any
failure,
it's
a
failure.
If
we
have
any
error,
it's
an
error.
If
we
have
any
warning,
we
are
looking
also
at
trends
right
for
for
some
of
the
rules.
So
if
we
have
a
warning
right,
I
get
close
to
a
limit
of
a
value
of
a
parameter.
I
have
a
warning
else.
If
everything
passes,
I
have
a
pass.
B
B
Control
is
implemented
completely
or
partially
right,
so
this
means
that
the
interpretation
of
nist
ac3
from
the
point
of
view
of
the
rules,
the
cs
benchmarks
that
I
that
are
associated
with
that
in
the
in
the
properties
completely
cover
right,
ac3
control.
So
then
I'll
have
a
complete
and
complete
and
and
pass
right
will
give
me
a
pass
for
this
control.
B
However,
if
this
control
is
partially
implemented,
meaning
that
the
the
benchmarks
that
are
associated
with
that
do
not
fully
cover
all
the
items
that
the
control
requires,
I
will
have
here
the
implementation
status
as
being
partial
and
then
the
the
result
in
lock,
instead
of
being
a
pass.
If
everything
passes,
it
will
be
a
partial
pass,
because
it's
not
completely
implemented
and
one
last
item
here.
We
we
discussed
that
under
the
observations
right
in
in
the
observation.
We
also
give
this
observation
method,
whether
it's
automated
or
not.
B
If
we
are
dealing
with
a
mix
of
automated
tests
assessments
as
well
as
manual
assessments
until
we
have
the
manual
items
as
well
in
the
system,
that
will
also
be
a
partial
pass.
So
if
I
have
all
the
results
from
my
automated
tests
right,
everything
that
I
get
from
the
opens
cap,
that
is,
has
a
script
right
to
check
a
rule
if
everything
passes,
but
I
do
not
have
the
results
for
the
series
benchmark
that
are
manual,
it
will
be
also
a
partial
pass.
B
So
all
this
all
this,
let's
say
levels
of
granularity
and
levels
of
detail
to
inform
the
user
on
the
actual
posture
of
a
control,
are
supported
in
this
rich
schema
that
comes
from
from
moscow.
So
now,
depending
on
the
level
of
leverage
right
in
in
this
project,
this
working
group
right
we
can,
we
can
select
the
subset
of
that
or
you
know,
goals
goes
with
the
full
blown
set
of
set
of
items.
B
If
we
need,
I
can
submit
it
also
the
the
simpler
one,
but
since
this
one
includes
the
observation
of
the
other
one,
I
submitted
only
this
one
so
in
in
in
conclusion,
right
we
are
able
to
map
the
current.
You
know.
Xccdf
result.
Part
xcdf
is
very
rich
right,
so
it
has
items
related
to
remediation.
It
has
items
related
to
violations
and
so
on
this
wasn't
the
scope
of
this
exercise.
B
So
in
this
exercise
we
only
focused
on
the
results
that
are
presented
in
xcdf
by
the
way,
oscar
also
supports
the
the
description
of
the
remediations
and
and
and
threats
and
risks,
and
so
on.
In
other
aspects,
other
objects
associated
with
the
assessment
results
again.
They
are
not
subject
of
this
presentation
and
the
modeling
that
we
have
done
between
the
axis
edf
and
and
oscar
jason
here.
But
if
we
are
interested
right,
I
can
bring
samples
related
to
that
as
well.
So
we
only
looked
at
the
results.
B
B
B
A
Excellent,
thank
you
yeah
yeah,
so
anchor
just
so
you
know
is:
is
that
ibm
research
and
she's
working
actively
with
ibm
cloud,
and
so
this
so
since
they
are
also
looking
at
feeding.
You
know
information
about
results
from
for
these
controls
assessment,
and
so
I
kind
of
pulled
her
into
this
work
group
right
so.
A
C
Yeah
and
that
that's
a
good
question,
I
did
see
your
pull
request
as
well,
and
thank
you
for
you
know
providing
that
the
detailed
report
there.
I
think
the
question
we
need
to
think
through
and
you
know
discuss
is-
is
the
expectation
that
the
policy
report,
like
a
policy
report,
would
contain
all
of
the
auscal
report
details
or
what
is
the
mapping
and
how
will
the
two
live
together
right?
C
So
I'm
not
sure
like
today
in
your
system,
when
you're
producing
this
ascal
report,
I'm
sure
there's
other
systems
consuming
that
directly
and
that
will
continue.
So
what
is
the
expectation
from
the
policy
report?
So
if
we
want
to
put
some
of
this
data
in
a
kubernetes
cr
or
maybe
all
of
the
data
in
the
kubernetes
cr?
B
C
Okay,
so,
but
which
would
it
be
that
oscar,
the
ascal
report
and
that
schema
that
remains
like
a
superset
of
what
we
want
to
put
in
the
policy
report
or
would
the
do
we
want
to
see
if
all
of
this
somehow
fits,
even
if
it's
a
generic
untyped
data
it?
Somehow,
we
want
the
policy
report
to
contain
this
information
when
I'm
not
yeah,
not
too
clear
about
how
or
what
would
be
the
goals
over
there.
A
B
B
B
And
and
I
think
the
reason
for
leveraging
right,
those
is
if
this
result
is
sent
to
a
system
that
deals
with
enforcement
or
right
automatic
remediation,
whether
it's
sent
to
a
grc
system.
Sorry,
where
risk
is
needed
in
order
to
fit
into
the
processes
that
they
have
there
to
associate
risk
with
that.
So
I
think,
as
jim
you
know
pointed
out,
I
think
it's.
A
B
B
Yeah,
that's
that's
the
beauty
of
that
that,
at
the
end
of
the
day,
we
are
able
to
put
together
a
report
where
those
different
items
can
be
aligned,
because
if
I'm
looking
for
ac3
right
or
the
other
one
was
au3,
I
picked
up
those
on
purpose,
because
these
are
controls
that
gather
their
aggregated
result
across
the
stack.
So
in
order
to
meaningfully
be
able
to
aggregate
that,
we
need
those
different
layers
in
the
stack
to
produce
a
result
that
that
you
know
we
compare
and
are
able
to
aggregate.
A
Yeah-
and
I
think
from
my
point
of
view
right
given
you
know,
the
focus
that
I'm
working
on
is
security
and
governance.
On
the
I
would,
I
think,
as
everybody
knows,
that
needs
to
be
applied
across
the
stack
right
for
all
the
controls
and-
and
you
want
to
be
able
to
represent
the
results
in
the
context
of
a
standard
that
the
customer
is
interested
in.
You
know
whether
it's
industry,
853
or
pci
or
hipaa,
whatever
right.
So
I
think
this
this
kind
of
brings
that
to
the
table.
A
C
Yeah,
I
think
that
makes
sense,
so
I
think
the
question
then
becomes
so
are
we
expecting
so
for
the
kubernetes
layers?
When
we
are
reporting
and
one
option
is
okay,
we
could
say
well,
let's
just
adopt
the
ausco
definition
and
somehow
see.
If
we
can,
you
know
if
there's
if
we
can
take
that
definition
and
represent
it
as
a
kubernetes
cr
right.
That
would
be
one
approach.
C
The
other
approach
would
be
to
say.
Okay,
we
still
want
to
provide
some
generic
top-level
information,
like
we
have
in
the
policy
report,
which
is
something
that
we're
inventing,
but
then
somehow
we
can.
You
know
we
can
keep
all
of
the
oscar.
I
don't
know
which
layer
it
would
cleanly
map
to
like.
So
I
see
there's
findings
and
there's
a
results
group
of
findings
and
observations
so
somewhere
in
there.
C
If
we
map
one
of
those
layers
to
a
policy
result,
then
we
could
put
all
of
the
other
data
in
in
just
like
the
generic
kind
of
an
object
right
which
is
untyped
or
unstructured
in
the
policy
report,
but
yeah.
It
is
tempting
to
kind
of
at
least
take
a
deeper
look.
If
this
work
has
been
done,
if
it's
used
and
if
it's
comprehensive,
can
we
represent
this
oscar
report
or
the
entire
structure
in
kubernetes
right
for
the
kubernetes
layers.
B
So
if
we
find
out
that
the
exercise
that
you
mentioned
jim,
let's
take,
have
a
deeper
look
and
you
see
that
some
things
are
needed
or
missing
or
need
to
be
done
in
a
separate
hole,
although
the
schema
is
pretty
flexible
and
generic,
the
team
is,
is
open
to
to
listen
to
those
feedback.
So
this
is.
This
was
a
positive
experience
for
us.
C
C
Are
there
examples
of
how
these
reports
have
been
used
like
to
whether
it's
for
user
interfaces
like
reports
like
you
know
more,
I
guess
user
consumable
reports
right
that
are
produced,
so
that'll
be
interesting
to
see
that
can
this
data
other
actual
real
world
examples
of
this
data
being
taken
and
translated
into
something
consumable
by
administrators
and
people
concerned
with
security
of
these
systems,
because
that
would
be
a
good
data
point
to
see
that
yeah.
Then
this
makes
sense
that
we
also
support
it
for
kubernetes.
B
A
Yeah,
I
think
we
are
just
starting
to
you.
You
is
on
the
call
he's
in
my
team
leading
the
our
grc
squad
and
we
are
just
starting
to
look
at
this
right
in
terms
of
putting
it
into
the
product,
so
we
haven't
done
that
yet.
But
that
said,
you
already
have
submitted
an
example
of
our
config
policy
controller
within
drakum,
how
it
would
use
this
standard
to
represent
the
results
so,
and
so
what
I'm
saying
is
that
we
have
mapped
our
our
existing
controls
to
this
standard.
A
The
existing
policy,
ca
standard
right
policy
report
standard
and
but
now
that
anka
has
done
the
work
of
bringing
oscar
in,
we
can
do
a
we
have
to
kind
of
redo
that
mapping.
I
think,
because
I
think
some
of
the
fields
that
you
have
filled
out
was
not
done
as
part
of
use
work,
but
that
said,
our
control
today
already
has
standards,
control,
categories
and
controls
in
it.
A
So
we
already
have
those
pieces
of
information
for
our
policies,
so
so
we
should
be
able
to
fill
those
in
based
on
the
example
that
you
have
here,
and
I
think
I
would
like
to
proceed
in
this
direction
because,
eventually,
like
I
said,
if
you
take
the
raccam
product
today,
it
already
has
a
look
at
our
dashboard.
It
already
summarizes
the
controls
in
the
context
of
the
standards
right.
A
B
And
right,
I
think
this
is
that
that's
that's
an
important
path
that
that
is
needed
for
and
where
this
can
help
to
write,
standardize
and
organize
the
across
the
stack.
Another
direction
that
I
have
seen.
The
compliance
right
institutions
going
towards
is
automatic
generation
of
the
documentation.
So
we
are
talking
about
those.
B
You
know
hundreds
of
pages
of
of
the
reports
for
the
audit
and
our
our
initial
thought
and
they
start
started
producing
a
particular
call
fire,
which
is
the
first
one
that
we've
seen
interested
in
oscar
templates
for
those
documentation
that
can
then
be
automatically
filled
out
from
the
from
the
assessment
results
in
australia.
So
that's
another
direction.
We
are
not
yet
there,
but
for
us,
that's
that's
the
ultimate
ultimate
goal
right
to
to
help
the
automatic
generation
of
the
audits,
yep,
yep.
C
So
I
think
the
the
other
question
that
comes
to
mind
is-
and
I
don't
have
an
opinion
on
this-
just
kind
of
wondering
out
loud
as
you
know
so
part
of
the
the
driver
or
the
motivation
for
the
policy
report
was
to
have
something
that
the
cluster
admin
could
see
and
that
we
have
all
of
these
different.
You
know
the
growing
set
of
policy
tools
for
kubernetes
right,
whether
it's
image,
governance
or
runtime
policies
or
configuration
scanning
things
like
that.
So
the
question
is
like
this
report
it.
C
B
So
that's
one
aspect
of
your
question,
the
other
one
I
think
the
it
depends
and
we've
we've
got
exactly
into
into
the
core
of
of
this
concern
right.
If
we
are
looking
at
the
compliance
operator,
I
think
we
have
about
600
rules
right
so
is
it?
Is
it
the
expectation
there
that
an
admin
will
be
able
to
go
through
those
600
in
in
one
document?
And
of
course,
that's
not,
you
know
feasible.
B
What
are
the
policies
and
then
display
the
content
that
is
relevant
just
for
that
particular.
So
you
see
here
an
observation
is
kind
of
self-contained.
It
has
the
evidence,
the
scope
and
the
properties,
so
those
would
be
the
two
means
by
which
that
can
be
done.
If
I
can
make
the
comparison
first,
one
is
more
like
the
linux
approach.
The
second
one
is
more
like
the
windows
approach,
so,
depending
on
the
you
know,
the
the
type
of
users
that
we
are
dealing
with.
A
C
C
Yeah,
let's,
let's
have
another
discussion
on
it
and
maybe
you
know
like
I'll
I'll,
do
some
more
research
and
read
up
on
this
too.
This
is
super
interesting
and
I
mean
I
agree.
It
makes
complete
sense.
I'm
just
you
know.
We
need
to
kind
of
make
sure
that
the
some
of
the
initial
intent
of
the
policy
report
are
still
met
right,
like
in
terms
of
having
something
simple
for
the
user
to
see
and
understand.
C
B
B
So
I'm
taking
my
400
missed
rules
and
I'm
taking
my
300,
you
know
cis
benchmarks
and
I
I
know
that
they
are
targeted
to
hipaa
or
to
nist
or
to
to
the
right
level,
and
I
try
or
do
I
really
have
to
go
and
edit
within
each
role
of
those.
You
know
four
hundred
dollars
if
you
have
any
any
usability
at
this
at
this
point,
I
would
be
very
interested
because
that
would
drive
the
user
experience
in
a
different
way.
C
All
right,
yeah
makes
sense.
I
think
that's
something
we
need
to
think
through
and
I
I
don't
know
like
again
it
will
the
mapping
be
done
externally.
Will
it
be
done
on
a
poor
rule
basis
and
which
you
know
who
represents
that
right,
but
at
a
high
level,
what
we
at
least
with
the
policy
results
the
policy
report
like
just
if
you
do
run
a
cis
benchmark,
the
idea
would
be
to
at
least
be
get
to
be
able
to
see
some
summary
status
and
unders.
C
You
know
kind
of
be
able
to
represent
that
in
kubernetes
as
a
native
object
of
what
the
benchmark
results
were
now
details
we
have
to
decide.
Are
those
separate
crs?
Are
they
part
of
the
same
report
or
you
know
those
managed
in
external
tools
right
and
all
of
those
are
possible
options,
but
the
more
flexible
we
can
make
this?
I
think
the
wider
adoption
and
usage
we'll
see.
C
A
C
So
is
there
like
in
this?
Are
there
provisions
for
even
providing
things
like
summary,
counts,
etc,
because
that
was
one
of
the
things
we
wanted
to
do
in
the
report
is
have
some
inability
to
say
how
many
total
pass
failed,
or
is
that
just
something
I
mean?
Obviously
you
can
process
that
by
scanning
through
the
data,
but
is
that
also
available.
B
That
would
be
as
part
of
the
properties,
so
it's
not
it's
not
singled
out
as
as
as
such,
and
the
reason
for
that
is
that
this
is
part
of
larger
hierarchical
structure.
So
you
have
those
individual
observations,
then
you
group
them
and
aggregate
at
the
controls
level.
Then
you
group
them
at
a
regulation
level.
Then
you
group
them
at
the
profiles
that
you
know
may
include
multiple.
B
C
C
Okay
and
then
so
like
just
going
back
to
the
hierarchy,
you
know.
So
there
is
the
result
group
the
findings,
the
observation,
so
how?
Where
does
it?
So,
if
I'm
running
like
a
cis
benchmark-
and
you
had
some
example
of
this-
is
the
cis
benchmark
map
to
the
like?
So
let's
say
I'm
running
cis
benchmarks
for
kubernetes?
C
B
B
B
This
means
that
that
will
be
mapped
to
mapped
one
to
one
to
an
observation
right
because,
although
I
have
seen
in
in
openscap
that
it
can
be
sometimes
that
the
cis
benchmark
is
implemented
by
two
rules
right
so
so
this
is
the
finding
right.
Is
that
the
regulation
level
and
then
what
I
have
on
the
left?
These
observations
right
are
the
individual
results.
So
what
what
the
finding
allows
you
to
do
is
that
the
level
of
of
of
mapping
to
say
well?
What
are
the
my.
B
My
individual
results
out
of
which
I
I
create
my
in
the
this
case,
the
cs,
benchmark
that,
but
I
will
say,
99
of
the
cases
I
will
have
here
a
cs
benchmark
and
I
have
one
to
one
one
observation
associated
with
that
you
change
the
finding
to
nist
right.
I
have
these.
You
know
four
properties,
four
rules
for
cs
benchmark
that
are
associated
with
that,
so
you
you
can
use
it
across
any
any
type
of
regulation
or
benchmark
that
you
that
you
need.
B
Object
above
those
those
observations
and
findings,
which
is
called
assessment
result
so
as
part
of
the
assessment
result,
peers
to
result
group
would
be
the
ssp,
it
would
be
the
inventory
on
top
of
which
I
apply
my
objectives.
So
let's
say
it
gives
you
it
gives
you
flexibility,
as
an
auditor
fine
tune,
your
audit
right.
So
if
I'm,
if
I'm
doing
openscap
and
I'm
doing
all
the
compliance
operator-
and
I
put
it
in
this
format
right-
it
is
all
or
nothing
what
the
other
levels
appears
to
result.
B
Group
allows
me
to
do
is
to
say
I'm
looking
only
at
this
set
of
inventory,
I'm
looking
only
at
this
particular
clusters,
or
these
particular
vms
and
my
ssp
will
will
give
only
those
items.
So
then,
when
I
go
here
into
observations,
I
will
not
have
100
of
my
inventory.
I
will
have
a
subset
of
that.
Another
sorry.
C
Okay,
no
I'm
just
yeah,
I
see
so
so.
This
seems
like
this
report,
then,
is
generated
based
on
what
you're
trying
to
what
information
you're
trying
to
gather
right.
So
if
I
say
okay,
I
want
to
look
at
maybe
some
subset
of
my
clusters
or
maybe
some
subset
of
nodes
in
a
cluster.
Then
the
report
will
the
result
group
will
be
for
that
particular.
C
B
B
Assessment
methods-
and
it
allows
you
to
describe
let's
say
that
I
have
10
tools
to
do
assessments
right.
I
have
compliance
operator,
I
can
cavionics,
I
have
prisma.
I
have
write
different
tools,
so
can
be
that
an
auditor
says
you
know
what
I
I
want
that
tool
the
results
from
that
tool,
so
it
allows
you
to
describe
how
the
what
are
the
methods
so
again,
oscar
is
very
rich
right.
B
Another
aspect,
it's
called
appear
to
result
group
is
called
objectives,
so
the
objectives
is
derived
from
the
object
of
profile
so,
where
you
say,
I'm
not
interested
in
fullness
853,
I'm
interested
only
in
the
access
control
part
or
I'm
an
auditor
that
I'm
only
familiar
with
the
network
aspect.
So
I
want
only
the
boundaries
related
controls
right,
so
the
the
more
levels
you
you
add
here
right,
the
the
reacher,
starts
to
be
the
the
way
that
you
can
tune.
C
Okay,
all
right
yeah.
This
will
be
interesting
to
think
through
and
discuss
and
see
how
we
want
to
like,
because
if
we
have
certain
policy
frameworks
running
in
a
kubernetes
cluster,
how
should
they
store
their
information
and
then
seems
like?
Maybe
we
do
need
a
little
bit
of
something
which
can
allow
queries
to
pull
this
together
and
and
pass
back
a
particular
report
in
kubernetes
right
or
if
you.
B
Yeah,
the
reason
why
I
didn't
add
all
these
other
layers
is
because
they
are
dependencies,
as
you
say
right,
so
this
means
now.
I
have.
I
need
a
discovery
system
that
provides
inventory
in
the
oscar
ssp
format,
so
I'm
able
now
to
build
this
into
into
this
report,
so
I
removed
on
purpose
everything
so
that
the
people
are
not
that
we
need
all
these
other
tools.