Configure CIS benchmarks

Developed by the Center for Internet Security (CIS), CIS benchmarks provide industry-recognized guidelines and recommendations for securing systems, networks, and software applications.

CIS Benchmarks are consensus-based guidelines that outline recommended security configurations and settings for various technology platforms, including operating systems, databases, web servers, and more. For more details, see CIS Docker Benchmark: Guidance for securing Docker containers and CIS Kubernetes Benchmark: Guidance for securing Kubernetes clusters.

Configure CIS benchmarking

To configure KubeClarity for running CIS benchmarks, complete the following steps. By customizing the CIS benchmarks configuration in the values.yaml file, you can run the benchmarks, assess your Kubernetes cluster’s adherence to them, and evaluate findings at the fatal, info, and warning levels.

  1. Clone or download the KubeClarity repository to your local machine, and open the values.yaml file in a text editor.

  2. Locate the cis-docker-benchmark-scanner section.

  3. Customize the configuration based on your specific requirements. You can enable or disable specific CIS benchmarks, set thresholds, and define compliance levels.

    For example (the keys below are nested under cis-docker-benchmark-scanner; indentation is significant in YAML):

    cis-docker-benchmark-scanner:
      ## Docker Image values.
      docker:
        ## Use to overwrite the global docker params
        ##
        imageName: ""

      ## Scanner logging level (debug, info, warning, error, fatal, panic).
      logLevel: warning

      ## Timeout for the cis docker benchmark scanner job.
      timeout: "2m"

      ## Resources for the scanner job; requests must not exceed limits.
      resources:
        requests:
          memory: "50Mi"
          cpu: "50m"
        limits:
          memory: "1000Mi"
          cpu: "1000m"

  4. Save the changes to the configuration file.

  5. Deploy the KubeClarity backend in your Kubernetes cluster using the modified values.yaml file.

  6. Once KubeClarity is up and running, it automatically applies the configured CIS benchmarks and evaluates your Kubernetes cluster against them.

  7. Monitor the KubeClarity dashboard, or check the generated reports to review your cluster’s compliance with the CIS benchmarks.
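A misindented or mistyped cis-docker-benchmark-scanner section fails quietly: Helm accepts the file, but the scanner job runs with defaults, an invalid timeout, or a request larger than its limit and never gets scheduled. The script below is an added example, not part of KubeClarity or its Helm chart. It checks the section before you deploy: the allowed logLevel values are the ones listed in the values.yaml comment, timeout is validated as a Go-style duration, and resource requests are compared against limits using Kubernetes quantity suffixes. The small YAML reader is an assumption of this example and only handles the nested key/value subset shown above (no lists, anchors, or multi-line scalars); with PyYAML installed you can replace it with yaml.safe_load. The three sample configurations are constructed here; one of them reproduces the flat indentation mistake where every key ends up as a sibling of the section instead of inside it.

```python
import re

# Values accepted by logLevel, as listed in the values.yaml comment.
LOG_LEVELS = {"debug", "info", "warning", "error", "fatal", "panic"}

# Suffix multipliers for Kubernetes quantities (memory in bytes, cpu in cores).
QUANTITY_SUFFIXES = {
    "": 1, "m": 1e-3,
    "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
    "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
}

# Seconds per unit for Go-style durations such as "2m" or "1h30m".
DURATION_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}


def parse_simple_yaml(text):
    """Assumption: minimal reader for indentation-based 'key: value' mappings.
    Supports '#' comments and quoted scalars only; not a general YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close sections indented deeper than us
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare 'key:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip('"').strip("'")
    return root


def parse_quantity(value):
    """Return a Kubernetes quantity ("50Mi", "1000m") in base units (bytes or cores)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T|m)?", value)
    if not m:
        raise ValueError(f"invalid quantity {value!r}")
    return float(m.group(1)) * QUANTITY_SUFFIXES[m.group(2) or ""]


def parse_go_duration(value):
    """Return a Go-style duration ("2m", "1h30m") in seconds."""
    unit = r"(ns|us|ms|s|m|h)"
    if not re.fullmatch(rf"(\d+(?:\.\d+)?{unit})+", value):
        raise ValueError(f"invalid duration {value!r}")
    return sum(float(n) * DURATION_UNITS[u]
               for n, u in re.findall(rf"(\d+(?:\.\d+)?){unit}", value))


def check_cis_scanner_config(values):
    """Return a list of findings for the cis-docker-benchmark-scanner section (empty = OK)."""
    findings = []
    section = values.get("cis-docker-benchmark-scanner")
    if not section:
        findings.append("cis-docker-benchmark-scanner section is missing or empty "
                        "(check that its keys are indented under it)")
        return findings
    level = section.get("logLevel")
    if level not in LOG_LEVELS:
        findings.append(f"logLevel {level!r} is not one of {sorted(LOG_LEVELS)}")
    try:
        if parse_go_duration(section.get("timeout", "")) <= 0:
            findings.append("timeout must be positive")
    except ValueError as exc:
        findings.append(f"timeout: {exc}")
    resources = section.get("resources", {})
    for name in ("memory", "cpu"):
        req = resources.get("requests", {}).get(name)
        lim = resources.get("limits", {}).get(name)
        try:
            if req is not None and lim is not None and parse_quantity(req) > parse_quantity(lim):
                findings.append(f"{name} request {req} exceeds limit {lim}")
        except ValueError as exc:
            findings.append(f"resources.{name}: {exc}")
    return findings


# Constructed sample: the documented section with correct nesting.
GOOD_VALUES = """
cis-docker-benchmark-scanner:
  docker:
    imageName: ""
  logLevel: warning
  timeout: "2m"
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "1000Mi"
      cpu: "1000m"
"""

# Constructed sample: keys left at column 0, so the section itself is empty.
MISNESTED_VALUES = """
cis-docker-benchmark-scanner:
## Docker Image values.
docker:
  imageName: ""
logLevel: warning
timeout: "2m"
"""

# Constructed sample: bad level, bad duration, and a request larger than its limit.
BAD_VALUES = """
cis-docker-benchmark-scanner:
  logLevel: verbose
  timeout: "2 minutes"
  resources:
    requests:
      memory: "2000Mi"
      cpu: "50m"
    limits:
      memory: "1000Mi"
      cpu: "1000m"
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_VALUES), ("misnested", MISNESTED_VALUES), ("bad", BAD_VALUES)):
        print(label, check_cis_scanner_config(parse_simple_yaml(text)) or "OK")
```

Run it against your edited values.yaml before step 5; an empty finding list means the section parses as a nested mapping with a valid log level, a usable timeout, and requests that Kubernetes can actually schedule within the limits.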

Enable CIS benchmarks

To enable the configured benchmark scans for on-demand runtime scans, complete the following steps.

  1. Open the UI in your browser at http://localhost:9999/.

  2. From the navigation bar on the left, select Runtime Scan, then Options.

    (Screenshot: On-demand scan options)

  3. Enable the CIS Docker Benchmark option, then click SAVE.

    (Screenshot: Enable CIS benchmarks for on-demand scans)

CIS benchmark results

  1. If you run a scan with CIS benchmarks enabled, the scan results are shown in the scan report:

    (Screenshot: CIS benchmark scan results)

  2. You can drill down further by applying filters, which narrow the results to the aspects you are interested in. Use the provided filters to navigate the CIS benchmark details and find the information you need for your compliance analysis.

    (Screenshot: CIS benchmark scan results filters)

  3. Click on a group in the AFFECTED ELEMENTS row to see the alerts and the details.

  4. Click CIS Docker Benchmark to see a drill-down view of CIS Benchmarks and a detailed benchmark description. This deeper level of visibility enables you to investigate and address the alerts more effectively, ensuring the security and compliance of your Kubernetes environment.

    (Screenshot: CIS benchmark details)

Last modified October 11, 2023: Kubeclarity blog ports (#6) (7825fa3)