
title: Ensure the notification is enabled for Compliance Operator

description: |-
  The OpenShift platform provides the Compliance Operator so that administrators
  can monitor the compliance state of a cluster and get an overview of gaps and
  ways to remediate them. This control ensures that the notification alert is
  enabled for the Compliance Operator, so that system administrators and
  security personnel are notified of alerts on compliance status.
  
rationale: |-
  Compliance alerts keep OpenShift administrators informed of the system
  compliance status.


identifiers:
  cce@ocp4: CCE-86032-0

references:
  nist: SI-6,SI-4(24)

{{% set jqfilter = '[.items[] | select(.metadata.name =="compliance") | .metadata.name]' %}}

ocil_clause: 'A Prometheus rule object is not generated by the Compliance Operator'

ocil: |-
    Run the following command to see if the alert monitor is enabled by the Compliance Operator:
    <pre>$ oc get prometheusrules --all-namespaces -o json | jq '{{{ jqfilter }}}'</pre>
    Make sure that the output contains one entry named: compliance

severity: medium

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({'/apis/monitoring.coreos.com/v1/prometheusrules': jqfilter}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    filepath: |-
      {{{ openshift_filtered_path('/apis/monitoring.coreos.com/v1/prometheusrules', jqfilter) }}}
    yamlpath: "[:]"
    check_existence: "at_least_one_exists"
    entity_check: "at least one"
    values:
      - value: ".*"
        operation: "pattern match"


