Rip out compensating-controls framework (#359)

## Summary

Removes the compensating-controls (CC) framework. Prowler and Kingfisher continue to run weekly and produce reports; the Prowler mutelist YAML files stay in place but no longer carry `CC: <id>` prefixes — each entry now just keeps a free-form `Description` of why it's muted.

The CC review cadence proved to be more process overhead than this single-operator homelab needed.

## What changed

**Deleted**
- `compensating-controls.yaml` — the CC registry
- `mise-tasks/review-compensating-controls` — the staleness-review task
- `docs/how-to/operations/review-compensating-controls.md`
- `docs/how-to/operations/record-review-evidence.md` (was aspirational)
- `docs/explanation/compliance-mute-categories.md` (proposed-future CC/NA/RA work)
- 5 orphan `+review-cc-*` / `+compliance-mute-categories` changelog fragments

**Modified**
- 6 mutelist YAML files: stripped `CC: <id>.` prefix from every `Description` / `statement` field, kept the free-form text
- `mise-tasks/review-compliance-reports`: removed CC mentions from docstrings, panel text, and the node-verification table title. Node-verification logic itself is unchanged.
- `docs/reference/operations/security.md`: removed the "Compensating controls" section
- `docs/how-to/operations/read-compliance-reports.md`: rewrote step 3 of "Acting on findings" to point at the mutelist YAML directly
- `docs/changelog.d/prowler-iac-mutelist.infra.md`: rewrote to drop the "two new compensating controls" framing

## What did not change

- All Prowler manifests (cronjobs, RBAC, PVs, kustomization) — scans still run on the same schedule
- The Kingfisher deployment
- The trivy-shim in the Prowler container — that's about Trivy ignorefile plumbing, independent of the CC concept
- The mutelist entries themselves — each `Resources` list is unchanged; only the prose of `Description` was edited
- `CHANGELOG.md` — historical releases are left as-is

## Test plan

- [ ] Wait for human review before deploying — once merged, re-point ArgoCD: `argocd app set prowler --revision main && argocd app sync prowler` (no manifest changes besides the ConfigMap, so impact is limited to muted-finding descriptions in next week's report)
- [ ] Confirm next weekly Prowler K8s CIS run (Sunday 3am) still completes and produces a report on sifaka
- [ ] Confirm next weekly Prowler IaC run still honors `trivyignore.yaml` (the trivy shim is untouched but the ignorefile content was rewritten)
- [ ] `mise run review-compliance-reports` — verify node-verification block still runs and prints the renamed table title

Reviewed-on: #359
Erich Blume 2026-05-22 21:08:53 -07:00
commit ee51bcafb4
21 changed files with 72 additions and 758 deletions


@ -143,7 +143,10 @@ def _kubectl(args: str, timeout: int = 15) -> subprocess.CompletedProcess:
def run_node_verification(console: Console) -> None:
"""Verify node-level conditions that Prowler reports as MANUAL.
Compensating control: node-config-automated-verification
Prowler runs inside a pod and can't evaluate kubelet file permissions,
kubelet config arguments, etcd CA separation, or cluster-admin RBAC
bindings. We SSH into the minikube node and check each condition here,
failing loudly if any deviates from expected values.
"""
checks: list[tuple[str, str, bool]] = [] # (name, detail, passed)
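Review bot: with the `Compensating control: node-config-automated-verification` line gone from the `run_node_verification` docstring, nothing in the function text records which Prowler MANUAL findings these SSH checks stand in for; the docstring lists the condition types (kubelet file permissions, kubelet config arguments, etcd CA separation, cluster-admin RBAC bindings) but not the check ids, so a reader of the weekly report cannot tell which MANUAL rows are covered here. Suggest naming the corresponding Prowler check ids in the docstring, or pointing at the mutelist entry whose `Description` now carries that rationale, so the mapping survives the removal of the CC registry.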
@ -278,7 +281,7 @@ def run_node_verification(console: Console) -> None:
table = Table(
show_header=True,
header_style="bold",
title="Node Verification (CC: node-config-automated-verification)",
title="Node Verification (out-of-band checks for MANUAL findings)",
)
table.add_column("Check")
table.add_column("Detail")
@ -528,8 +531,8 @@ def summarize_report(
Panel(
f"[bold yellow]{len(latest['unmuted'])} unmuted failure(s) "
f"need triage.[/bold yellow]\n\n"
"For each: remediate or mute "
"(add to mutelist + compensating control).",
"For each: remediate, or add a Resource entry to the "
"matching check in argocd/manifests/prowler/mutelist/.",
title=f"{label} Verdict",
border_style="yellow",
)
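Review bot: the new verdict text tells the operator to "add a Resource entry to the matching check in argocd/manifests/prowler/mutelist/" but drops any mention of writing down why; the summary says each mutelist entry now keeps a free-form `Description` as the only place the justification lives, so the triage prompt should ask for it explicitly, e.g. "add a Resource entry (and a Description of why it is acceptable) to the matching check in argocd/manifests/prowler/mutelist/." Otherwise the only reminder to justify a mute disappeared along with the CC framing.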
@ -653,7 +656,6 @@ def main(
)
# --- Node-level MANUAL check verification ---
# Compensating control: node-config-automated-verification
# These checks verify conditions Prowler reports as MANUAL because it
# runs inside a pod and cannot evaluate them directly.
run_node_verification(console)
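Review bot: after deleting the `# Compensating control:` line, the remaining call-site comment ("These checks verify conditions Prowler reports as MANUAL because it runs inside a pod and cannot evaluate them directly") restates what the `run_node_verification` docstring in the first hunk already says ("Prowler runs inside a pod and can't evaluate ..."). Suggest keeping the section banner and trimming the explanation here to a one-line pointer at the function docstring, so the two descriptions cannot drift apart on the next edit.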