Add security reference card and compliance report how-to

Split report-reading guidance out of deploy-prowler into its own how-to (read-compliance-reports). Add security & compliance reference card (reference/operations/security) following the pattern of the observability card. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 16:05:17 -07:00 · 2026-03-24 16:05:17 -07:00 · 9053ce5955
commit 9053ce5955
parent 070a684946
4 changed files with 138 additions and 6 deletions
--- a/docs/how-to/operations/deploy-prowler.md
+++ b/docs/how-to/operations/deploy-prowler.md
@ -33,11 +33,7 @@ Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark

 ## Reports

-Reports are written to `sifaka:/volume1/reports/prowler/<date>/` in three formats:
-
- **HTML** — human-readable, self-contained, filterable
- **CSV** — flat tabular, one row per finding
- **JSON-OCSF** — structured, for SIEM ingestion
+Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them.

 ## Running an ad-hoc scan

@ -55,9 +51,11 @@ kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri

 Custom slim build at `containers/prowler/Dockerfile` — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See [[build-container-image]] for the build/release process.

-**TODO:** Mirror prowler-cloud/prowler on forge for supply chain control.
+Source is mirrored at `forge.ops.eblu.me/mirrors/prowler`.

 ## See also

+- [[security]] — security & compliance posture overview
+- [[read-compliance-reports]] — how to access and interpret scan reports
 - [[deploy-k8s-service]] — general K8s deployment how-to
 - [[build-container-image]] — container build pipeline
--- a/docs/how-to/operations/read-compliance-reports.md
+++ b/docs/how-to/operations/read-compliance-reports.md
@ -0,0 +1,79 @@
+---
+title: Read Compliance Reports
+modified: 2026-03-24
+last-reviewed: 2026-03-24
+tags:
+  - how-to
+  - security
+  - compliance
+---
+
+# Read Compliance Reports
+
+How to access and interpret compliance scan reports from [[prowler]] and other security scanners.
+
+## Accessing reports
+
+Reports are stored on sifaka at `/volume1/reports/`. Each scanner writes to its own subdirectory:
+
+| Scanner | Path | Schedule |
+|---------|------|----------|
+| [[prowler]] | `sifaka:/volume1/reports/prowler/` | Weekly (Sunday 3am) |
+
+Copy reports to your local machine (remember `scp -O` for sifaka):
+
+```fish
+scp -O sifaka:/volume1/reports/prowler/prowler-output-In-Cluster-*.html /tmp/
+open /tmp/prowler-output-In-Cluster-*.html
+```
+
+## Report formats
+
+### HTML
+
+Open in a browser. Self-contained, filterable by severity, status, and service. Best for human review — shows pass/fail per check with remediation guidance.
+
+### CSV
+
+One row per finding. Columns include check ID, status, severity, resource, namespace, description, and remediation. Good for filtering in a spreadsheet or scripting.
+
+### JSON-OCSF
+
+Open Cybersecurity Schema Framework format. Machine-parseable, suitable for SIEM ingestion or programmatic analysis.
+
+### Compliance CSV
+
+In the `compliance/` subdirectory. Findings mapped to specific framework requirement IDs (e.g., CIS 1.11 section numbers). Shows which controls pass or fail.
+
+## Interpreting results
+
+### Status values
+
+- **PASS** — the resource is configured securely per the check
+- **FAIL** — remediation is recommended
+- **MANUAL** — Prowler cannot determine the result automatically (e.g., kubelet file permissions when not running on the node)
+- **MUTED** — the finding was explicitly suppressed via a mutelist
+
+### Severity
+
+Findings are categorized as **critical**, **high**, **medium**, or **low**. Focus on critical and high first.
+
+### Expected failures
+
+Not all failures require action. Common expected failures in our minikube cluster:
+
+- **Core/pod security (high):** System pods (ArgoCD, external-secrets, tailscale-operator) legitimately need elevated privileges. These can be mutelisted.
+- **Apiserver (medium):** Audit logging, profiling, and some admission plugins are not configured in minikube defaults. Low risk for a homelab.
+- **Kubelet (high):** Anonymous auth or read-only port settings from minikube defaults.
+
+### Acting on findings
+
+1. **Triage** — review new failures, distinguish real issues from expected noise
+2. **Remediate** — fix what you can (pod security contexts, RBAC tightening)
+3. **Mutelist** — suppress expected/accepted failures via Prowler's `--mutelist-file` to reduce noise in future scans
+4. **Track** — compare reports over time to spot regressions
+
+## See also
+
+- [[security]] — security & compliance posture overview
+- [[deploy-prowler]] — Prowler deployment and ad-hoc scans
--- a/docs/reference/operations/security.md
+++ b/docs/reference/operations/security.md
@ -0,0 +1,53 @@
+---
+title: Security & Compliance
+modified: 2026-03-24
+last-reviewed: 2026-03-24
+tags:
+  - operations
+  - security
+---
+
+# Security & Compliance
+
+Security posture and compliance scanning for BlumeOps infrastructure.
+
+## Compliance frameworks
+
+| Framework | Tool | Cluster | Notes |
+|-----------|------|---------|-------|
+| CIS Kubernetes Benchmark v1.11 | [[prowler]] | minikube-indri | Weekly CronJob, ~82 checks |
+| PCI DSS v4.0 (K8s mapping) | [[prowler]] | minikube-indri | Reuses CIS checks mapped to PCI requirements |
+| ISO 27001:2022 (K8s mapping) | [[prowler]] | minikube-indri | Partial — 22 of 92 controls mapped |
+
+## Scanning tools
+
+- [[prowler]] — CIS Kubernetes Benchmark scanner (weekly CronJob)
+  - [[deploy-prowler]] — deployment and ad-hoc scan how-to
+  - [[read-compliance-reports]] — accessing and interpreting reports
+
+## Identity & access
+
+- [[authentik]] — SSO/OIDC provider for all web services
+- RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)
+
+## Network & TLS
+
+- [[caddy]] — TLS termination for `*.ops.eblu.me` services
+- [[flyio-proxy]] — public ingress via Fly.io tunnel
+- Tailscale — zero-trust mesh networking across all nodes
+
+## Secrets management
+
+- [[1password]] — root credential store
+- [[external-secrets]] — Kubernetes secrets synced from 1Password
+
+## Reports
+
+All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation.
+
+## Known gaps
+
+- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
+- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
+- No container image vulnerability scanning yet (Prowler has an `image` provider)
+- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy)
--- a/docs/reference/services/prowler.md
+++ b/docs/reference/services/prowler.md
@ -27,4 +27,6 @@ Runs Prowler 5 as a CronJob against minikube-indri, executing CIS Kubernetes Ben

 ## See also

+- [[security]] — security & compliance posture overview
 - [[deploy-prowler]] — deployment how-to, ad-hoc scan instructions, check relevance notes
+- [[read-compliance-reports]] — how to access and interpret reports