Benchmarks

Note

The Benchmarks v2 release has several differences from v1:

  • Installation is handled through a dedicated benchmark runner included with the new Node Analyzer.

  • Host and cloud benchmarks are handled in one interface.

  • Reports combine results from all relevant hosts, rather than one report per host.

  • Improvements in scoping, scheduling, and team scoping, with associated changes to the UI.

  • Improved processing pipeline.

Users who were running v1 in Sysdig Secure SaaS will be upgraded to v2 when the Node Analyzer is installed, but can access v1 through the Legacy Benchmarks button on the landing page. Legacy documentation is also available.

Navigate the Benchmark Tasks Landing Page

Select Compliance > Benchmark|Tasks. The Tasks landing page is displayed.

A "task" is a benchmark test (schema) scheduled to run on a particular scope at a scheduled time. Once a task is configured, it is listed on the landing page and is linked to the full benchmark report.


For new users: If no tasks have been created yet, you will be prompted to create some.

For users who had Benchmark v1 tasks configured:

  • v1 tasks will be migrated to v2.

  • You can still view all v1 schedules and reports from the View Legacy Benchmarks button, if desired. Modifications to v1 after this point will not be propagated.

On this page you can:

  • Enable or disable a task. Note that if you have Sysdig Secure for cloud installed, the AWS Foundations Benchmark task is listed for information but is handled differently from the other task types.

  • Filter the list by scope or task type to find the task more easily

  • Click a task to access the full benchmark report

Benchmark Component Details

Types of Benchmark Schemas

The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Red Hat publishes a Container Security Guide that outlines best practices for running OpenShift 3.10/3.11 clusters.

With v2, Sysdig supports the following benchmark tests (schemas):


Each schema is listed with its applicability and notes:

CIS Kubernetes Benchmark v1.5.1
  Applicability: Kubernetes versions 1.15 and below
  Notes: Sections 1, 2, and 3 run only on master nodes; section 4 runs on all nodes (master and worker).

CIS Kubernetes Benchmark v1.6.0
  Applicability: Kubernetes versions 1.16 and below
  Notes: Sections 1, 2, and 3 run only on master nodes; section 4 runs on all nodes (master and worker).

CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0
  Notes: New with v2

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0
  Notes: New with v2

OpenShift 3.11 Hardening Guide v1.2.1
  Applicability: OpenShift versions 3.10 and 3.11 are supported.
  Notes: Support for version 4.x is not yet available.

CIS Distribution Independent Linux Benchmark v1.1.0

Docker Security Benchmark v1.2.0

With Secure for cloud (prerequisite: Sysdig Secure for cloud is installed and CSPM/AWS Benchmarks is selected):

CIS Amazon Web Services Foundations Compliance Benchmark v1.3.0
  Notes: These tasks are auto-created when Secure for cloud benchmarks are enabled. They are read-only; schedule and scope are fixed. They show that a cloud benchmark task exists and give access to the results.

Understanding Benchmark Scopes

When you Configure Benchmark Tasks, the available scope depends on the schema you choose.

Each scope label is listed with its description, where its value comes from, and the schemas it applies to:

host.hostName
  Description: The local hostname of the machine running the benchmark container.
  Source: Retrieved from the machine running the benchmark container.
  Applicable schemas: All

host.mac
  Description: The MAC address of the machine running the benchmark container.
  Source: Retrieved from the machine running the benchmark container.
  Applicable schemas: All

aws.accountId
  Description: The AWS account ID containing the EC2 instance running the benchmark container.
  Source: Retrieved from the AWS EC2 Instance Metadata Service.
  Applicable schemas: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

aws.region
  Description: The Region containing the EC2 instance running the benchmark container.
  Source: Retrieved from the AWS EC2 Instance Metadata Service.
  Applicable schemas: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

aws.instanceId
  Description: The AWS instance ID of the EC2 instance running the benchmark container.
  Source: Retrieved from the AWS EC2 Instance Metadata Service.
  Applicable schemas: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

gcp.projectId
  Description: The Project ID used to create the instance.
  Source: Retrieved from the GCP Compute Engine Metadata endpoint.
  Applicable schemas: CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

gcp.instanceId
  Description: The ID of the VM.
  Source: Retrieved from the GCP Compute Engine Metadata endpoint.
  Applicable schemas: CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

gcp.instanceZone
  Description: The Zone that the VM is running in.
  Source: Retrieved from the GCP Compute Engine Metadata endpoint.
  Applicable schemas: CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

kubernetes.cluster.name
  Description: The configured cluster name.
  Source: Set in the sysdig-agent configmap under the key: k8s_cluster_name
  Applicable schemas: All

kubernetes.node.name
  Description: The name of the node in Kubernetes.
  Source: Supplied by the Kubernetes Downward API.
  Applicable schemas: All

agent.tag.*
  Description: A set of customizable tags set in the agent configmap. Same as tags for the standard agent.
  Source: Set in the sysdig-agent configmap under the key: tags
  Applicable schemas: All
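The following is an added example, not code from Sysdig or this page: it derives the kubernetes.cluster.name and agent.tag.* scope labels from the k8s_cluster_name and tags keys of a constructed sysdig-agent configmap fragment, checks a task scope against the per-schema label table above, and tests whether a host's labels fall inside that scope. The schema names are taken from the page; the sample configmap values, the host labels and the helper names are assumptions.

```python
"""Derive Benchmark v2 scope labels from a sysdig-agent configmap and evaluate a task scope."""
from __future__ import annotations

# Constructed sample of the agent configuration held in the sysdig-agent ConfigMap.
# Only the two keys the scope table references are modelled; the values are made up.
SAMPLE_AGENT_CONFIG = """\
k8s_cluster_name: prod-east
tags: env:prod,role:control-plane
"""

# Scope labels each schema accepts, per the scope table above. Cloud-sourced labels
# are only valid for the matching cloud schema; every other schema gets the common set.
COMMON_LABELS = {"host.hostName", "host.mac", "kubernetes.cluster.name",
                 "kubernetes.node.name", "agent.tag.*"}
SCHEMA_LABELS = {
    "CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0":
        COMMON_LABELS | {"aws.accountId", "aws.region", "aws.instanceId"},
    "CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0":
        COMMON_LABELS | {"gcp.projectId", "gcp.instanceId", "gcp.instanceZone"},
}

def labels_from_agent_config(text: str) -> dict[str, str]:
    """Map the configmap keys to the scope labels they populate (hypothetical helper)."""
    labels: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "k8s_cluster_name":
            labels["kubernetes.cluster.name"] = value
        elif key == "tags":  # comma-separated name:value pairs, as for the standard agent
            for tag in filter(None, value.split(",")):
                name, _, tag_value = tag.partition(":")
                labels[f"agent.tag.{name.strip()}"] = tag_value.strip()
    return labels

def label_allowed(schema: str, label: str) -> bool:
    """A label is valid for a schema if listed, or covered by the agent.tag.* wildcard."""
    allowed = SCHEMA_LABELS.get(schema, COMMON_LABELS)
    return label in allowed or (label.startswith("agent.tag.") and "agent.tag.*" in allowed)

def validate_scope(schema: str, scope: dict[str, str]) -> list[str]:
    """Return the scope labels that the chosen schema does not support (empty if all OK)."""
    return [label for label in scope if not label_allowed(schema, label)]

def host_in_scope(scope: dict[str, str], host_labels: dict[str, str]) -> bool:
    """A host is in scope when every label in the task scope matches its own label value."""
    return all(host_labels.get(label) == value for label, value in scope.items())
```

Running validate_scope before saving a task catches the common mistake of scoping a non-EKS schema by an aws.* label, which the page's table shows is only populated for the EKS benchmark.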