Benchmarks

Note

Earlier versions of Sysdig Secure referred to this module as Compliance.

The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Red Hat publishes a Container Security Guide that outlines best practices for running OpenShift 3.10/3.11 clusters.

Sysdig Secure includes implementations of four of these benchmarks that can be run against your environment. These benchmarks are available to run via 3 separate program types:

  • Docker Benchmark: for CIS Docker

  • Kubernetes Benchmark: for CIS Kubernetes and the Red Hat Container Security Guide

  • Linux Benchmark: for CIS Distribution Independent Linux

How Sysdig Benchmark Tests Work

CIS benchmarks are best practices for the secure configuration of a target system. Sysdig has implemented these standardized controls for different versions of Kubernetes, Linux, and Docker.

Setting Up a Task

Using a new Task, configure the type of test, the environment scope, and the scheduled frequency of the compliance check. You can also filter how you'd like to view the Results report. See also Configure Benchmark Tasks.

Running a Test

Once a task is configured, Sysdig Secure will:

  • Kick off a check in the agent to analyze your system configuration against CIS best-practices

  • Store the results of this task

Reviewing Report Results

When a task has run, it is listed on the Results page and can be viewed as a Report.


Reviewing Benchmark Metrics

Consolidated Benchmark metrics can also be viewed in Sysdig Monitor, from default or customized Compliance Dashboards.


Understanding Report Filters

Customize your view of the test report, e.g., to see only high-priority results or the results from selected controls.

Note that the filter may affect only your view of the report (before agent version 9.7.0), or may actually determine the scope of the test (after agent version 9.7.0). See also: About Custom Selections.

In older versions, to filter a report, under Report on the Benchmark Task page:

  • Choose Custom Selection

  • Choose a Benchmark version and

    • apply a Profile filter, and/or

    • select/deselect individual controls.


Use the information in this section to understand the effect of your selections.

About Custom Selections

Filtering rules apply to the report, not the test itself.

  • The full test will run but the result view will be edited.

  • If you apply a filter to an existing task that has already run, the filter view will be retroactively applied to the historical reports.

  • If you deselect the filter, the full results will again be visible.

About Benchmark Versions

CIS issues benchmark versions that correspond to, but are not identical with, the Kubernetes or Docker software version. See the mapping tables below.

Version Rules

  • If you do not customize/filter your report, the Sysdig agent will auto-detect your environment version and will run the corresponding version of the benchmark controls.

  • If you specify a benchmark version, you can then apply a report filter.

  • If the test version doesn't match the environment version, the filter will be ignored and all the tests will be displayed.

Kubernetes Version Mapping

  CIS Benchmark Version    Kubernetes Version
  CIS 1.0 (legacy)         Kubernetes v 1.6
  CIS 1.1 (legacy)         Kubernetes v 1.7
  CIS 1.2 (legacy)         Kubernetes v 1.8
  CIS 1.3                  Kubernetes v 1.11-1.12
  CIS 1.4                  Kubernetes v 1.13-1.14
  CIS 1.5                  Kubernetes v 1.15 and later

The benchmark version is chosen in the Sysdig Report Filter UI.

Sysdig also supports Kubernetes benchmark tests for the following distributions:

  • EKS: Amazon Elastic Container Service for Kubernetes, default cluster version

  • GKE: Google Kubernetes Engine (GKE), default cluster version

  • IKS: IBM Kubernetes Service

  • OpenShift versions 3.10, 3.11

  • Rancher

  • Red Hat OpenShift hardening guide rh-0.7 OCP 3.10-3.11

Linux Bench Versions

The Linux Benchmarks (e.g. 2.0 and 1.1) should both run on any Linux distribution; it is not necessary to map to a particular distro.

Docker Version Mapping

  CIS Benchmark Version                          Sysdig Report Filter
  CIS_Docker_Community_Edition_Benchmark_v1.1.0  Docker 1.0

About Profile Levels

CIS defines two levels of tests, as described below.

In Sysdig Secure, full benchmarks are always run, but you can filter your view of the report to see only the top-priority (Level 1 Profile) or only the secondary (Level 2 Profile) results.

From the CIS FAQ:

  • Level 1 Profile: Limited to major issues

    Considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.

  • Level 2 Profile: Extensive checks, more complete

    Considered to be "defense in depth" and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.

Note

In the Sysdig Secure interface, select All to view an in-depth report that includes both Level 1 and Level 2 controls.

Select Level 1 to view a report that includes only high-priority controls.

Select Level 2 to view a report that includes only the lower-priority controls that are excluded from Level 1.

See also: Configure Benchmark Tasks.
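To make the Version Rules and the Profile Levels above concrete, here is an added example (not Sysdig's code) that models them: it auto-detects the benchmark version from a Kubernetes version string using the mapping table on this page, ignores the report filter when a selected benchmark version does not match the detected one, and applies the All / Level 1 / Level 2 view semantics to a constructed set of sample controls. The control IDs, titles and levels are constructed for illustration.

```python
import re

# From the Kubernetes Version Mapping table: (min_minor, max_minor) -> benchmark.
# None as max_minor means "this version and later".
K8S_TO_CIS = [
    ((6, 6), "CIS 1.0 (legacy)"),
    ((7, 7), "CIS 1.1 (legacy)"),
    ((8, 8), "CIS 1.2 (legacy)"),
    ((11, 12), "CIS 1.3"),
    ((13, 14), "CIS 1.4"),
    ((15, None), "CIS 1.5"),
]

def detect_benchmark(k8s_version):
    """Auto-detect the CIS benchmark version for a Kubernetes version string
    such as 'v1.14.3' or '1.15.0-gke.2'. Returns None when no row matches."""
    m = re.match(r"v?1\.(\d+)", k8s_version)
    if not m:
        return None
    minor = int(m.group(1))
    for (lo, hi), cis in K8S_TO_CIS:
        if minor >= lo and (hi is None or minor <= hi):
            return cis
    return None

# Constructed sample controls: (id, title, CIS profile level).
SAMPLE_CONTROLS = [
    ("1.1.1", "sample Level 1 API server control", 1),
    ("1.1.2", "sample Level 1 kubelet control", 1),
    ("1.2.3", "sample Level 2 audit logging control", 2),
]

def filtered_report(controls, env_version, selected_version=None, profile="All"):
    """Apply the page's rules: the full benchmark always runs and the filter
    only edits the view; if the selected benchmark version does not match the
    auto-detected environment version, the filter is ignored entirely."""
    detected = detect_benchmark(env_version)
    if selected_version is not None and selected_version != detected:
        return list(controls)  # version mismatch: show all results
    if profile == "Level 1":
        return [c for c in controls if c[2] == 1]  # high-priority only
    if profile == "Level 2":
        return [c for c in controls if c[2] != 1]  # only controls excluded from L1
    return list(controls)  # "All": Level 1 and Level 2 together
```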