Installation Manual - 108 v7 CIS and PCI DSS 4 scanner closure

Single closeout record for the v7 CIS and PCI DSS 4 Compliance Operator remediation, scan validation, and evidence boundary.

This chapter records OP-GF-COMPLIANCE-21, the single closure campaign for active v7 CIS and PCI DSS 4 OpenShift Compliance Operator findings across hub-dc-v7 and spoke-dc-v7.

The result is scanner-profile closure for the active OpenShift clusters. It is not a formal PCI DSS Report on Compliance, Attestation of Compliance, QSA signoff, business-process control assessment, physical control assessment, or external cardholder-data-scope validation.

Governance

FieldValue
IssueOP-GF-COMPLIANCE-21 / #441
MilestoneWorkspace Governance
Governing ADRADR 0016
Related ADRsADR 0024, ADR 0027
Platform GitOps commitd5b3bfa

Scope

ItemDecision
Management clusterhub-dc-v7
Workload clusterspoke-dc-v7
Historical v6 clustersnot touched
Primary evidenceOpenShift Compliance Operator CIS and PCI DSS 4 scans
Formal PCI attestationout of scope

Desired State Changes

The platform GitOps commit added:

  • hub PCI DSS 4 tailored profile and scan binding;
  • hub File Integrity Operator, all-node FileIntegrity, and alerting;
  • hub OAuth token inactivity settings and default OAuthClient inactivity bounds;
  • hub and spoke master MachineConfigs for PCI DSS 4 audit-directory access rules;
  • spoke tailored CIS profile for operator-owned SCC and namespace NetworkPolicy findings;
  • spoke PCI DSS 4 tailoring for the Gatekeeper canary namespace and existing VM disk encryption exception.

The bootstrap clone on gf-ocp-bootstrap-01 was fast-forwarded to the same commit, and Argo CD synced both clusters.

Rollout

The live rollout used the established path:

local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> v7 kubeconfigs

Operational sequence:

  1. Forced Argo CD hard refreshes.
  2. Waited for the master MachineConfig rollout on hub and spoke.
  3. Confirmed no MCP degradation.
  4. Triggered fresh CIS and PCI DSS 4 scans.
  5. Reinitialized File Integrity Operator AIDE databases after the planned MachineConfig change.
  6. Restarted AIDE pods so post-baseline checks updated immediately.

Final Cluster Health

Final snapshot: 2026-05-21T13:14:54Z.

Checkhub-dc-v7spoke-dc-v7
Argo CDSynced / Healthy at d5b3bfa14807a2fc87467afb3ed71a2d2f506eb9Synced / Healthy at d5b3bfa14807a2fc87467afb3ed71a2d2f506eb9
ClusterOperatorssteadysteady
MCPsupdated, not updating, not degradedupdated, not updating, not degraded
File Integrity node status3/3 Succeeded6/6 Succeeded

Compliance Scan Results

Hub

ScanPhaseResultStartEnd
ocp4-cisDONECOMPLIANT2026-05-21T13:03:41Z2026-05-21T13:04:20Z
ocp4-cis-node-masterDONECOMPLIANT2026-05-21T13:03:41Z2026-05-21T13:04:33Z
ocp4-pci-dss-4-0-hub-dc-v7DONECOMPLIANT2026-05-21T13:03:43Z2026-05-21T13:04:43Z
ocp4-pci-dss-node-4-0-masterDONECOMPLIANT2026-05-21T13:03:53Z2026-05-21T13:04:36Z

Hub relevant check counts:

ScanPassManualFail
ocp4-cis68210
ocp4-cis-node-master9400
ocp4-pci-dss-4-0-hub-dc-v787220
ocp4-pci-dss-node-4-0-master10800

Spoke

ScanPhaseResultStartEnd
ocp4-cis-spoke-dc-v7DONECOMPLIANT2026-05-21T13:03:41Z2026-05-21T13:04:58Z
ocp4-cis-node-masterDONECOMPLIANT2026-05-21T13:03:46Z2026-05-21T13:05:18Z
ocp4-cis-node-workerDONECOMPLIANT2026-05-21T13:03:46Z2026-05-21T13:05:08Z
ocp4-pci-dss-4-0-spoke-dc-v7DONECOMPLIANT2026-05-21T13:03:46Z2026-05-21T13:05:18Z
ocp4-pci-dss-node-4-0-masterDONECOMPLIANT2026-05-21T13:03:46Z2026-05-21T13:05:18Z
ocp4-pci-dss-node-4-0-workerDONECOMPLIANT2026-05-21T13:03:46Z2026-05-21T13:05:18Z

Spoke relevant check counts:

ScanPassManualFail
ocp4-cis-spoke-dc-v768210
ocp4-cis-node-master9400
ocp4-cis-node-worker5700
ocp4-pci-dss-4-0-spoke-dc-v785220
ocp4-pci-dss-node-4-0-master10800
ocp4-pci-dss-node-4-0-worker5900

Tailoring Record

The scanner closure used tailored profiles where direct remediation would be wrong for the current lab state:

  • existing VM disk encryption is a non-retrofittable lab exception unless the nodes are rebuilt;
  • RHACS is the selected image and runtime security control plane, so the standalone Container Security Operator is not installed;
  • Security Profiles Operator remains a future hardening gate;
  • HTPasswd remains the temporary lab break-glass identity provider until future OIDC/Keycloak work;
  • operator-owned SCC and namespace NetworkPolicy findings are tailored rather than forcing broad default-deny policies into platform namespaces.

Closeout Position

The active v7 clusters have no remaining CIS or PCI DSS 4 Compliance Operator FAIL results in the targeted profiles.

Future work should focus on manual evidence binders, formal attestation scope, and optional hardening decisions such as full-disk encryption in a future rebuild and Security Profiles Operator onboarding.

Last reviewed: 2026-05-21