Benchmarks

Select Posture > Benchmark|Tasks. The Tasks landing page is displayed.

A “task” is a benchmark test (schema) scheduled to run on a particular scope at a scheduled time. Once a task is configured, it is listed on the landing page and links to the full benchmark report.

For new users: If no tasks have been created yet, you will be prompted to create some.

For users who had Benchmark v1 tasks configured:

  • v1 tasks will be migrated to v2.

  • You can still view all v1 schedules and reports from the View Legacy Benchmarks button, if desired. Modifications to v1 after this point will not be propagated.

On this page you can:

  • Enable or disable a task. Note that if you have Sysdig Secure for cloud installed, the AWS Foundations Benchmark task is listed for information only and is handled differently from the other task types (see below).

  • Filter the list by scope or task type to find a task more easily.

  • Click a task to open the full benchmark report.

Benchmark Component Details

Types of Benchmark Schemas

The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Red Hat publishes a Container Security Guide that outlines best practices for running OpenShift 3.10/3.11 clusters.

With v2, Sysdig supports the following benchmark tests (schemas). For each, the applicability and any notes are listed where they apply:

CIS Kubernetes Benchmark v1.5.1
  Applicability: Kubernetes versions 1.15 and below
  Notes: Sections 1, 2 and 3 run only on master nodes; section 4 runs on all nodes (master and worker).

CIS Kubernetes Benchmark v1.6.0
  Applicability: Kubernetes versions 1.16 and above
  Notes: Sections 1, 2 and 3 run only on master nodes; section 4 runs on all nodes (master and worker).

CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

OpenShift 3.11 Hardening Guide v1.2.1
  Applicability: OpenShift versions 3.10 and 3.11

CIS RedHat OpenShift Container Platform v4 Benchmark v1.1.0
  Applicability: OpenShift Container Platform v4
  Notes: On the CIS site, choose Server Software > Virtualization > Kubernetes to find the link to the CIS Benchmark for Red Hat OpenShift Container Platform v4.

CIS Distribution Independent Linux Benchmark v1.1.0

Docker Security Benchmark v1.2.0

With Sysdig Secure for cloud:

Prerequisite: Sysdig Secure for cloud is installed and CSPM/AWS Benchmarks is selected.

CIS Amazon Web Services Foundations Compliance Benchmark v1.3.0
  Notes: These tasks are created automatically when Secure for cloud benchmarks are enabled. They are read-only: the schedule and scope are fixed. They show that a cloud benchmark task exists and give access to its results.

Understanding Benchmark Scopes

When you Configure Benchmark Tasks, the available scope depends on the schema you choose. Each scope label, where its value comes from, and the schemas it applies to are listed below.

host.hostName
  Description: The local hostname of the machine running the benchmark container.
  Source: Retrieved from the machine running the benchmark container.
  Applicable schemas: All

host.mac
  Description: The MAC address of the machine running the benchmark container.
  Source: Retrieved from the machine running the benchmark container.
  Applicable schemas: All

aws.accountId
  Description: The AWS account ID containing the EC2 instance running the benchmark container.
  Source: Retrieved from the AWS EC2 Instance Metadata Service.
  Applicable schemas: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

aws.region
  Description: The region containing the EC2 instance running the benchmark container.
  Source: Retrieved from the AWS EC2 Instance Metadata Service.
  Applicable schemas: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

aws.instanceId
  Description: The AWS instance ID of the EC2 instance running the benchmark container.
  Source: Retrieved from the AWS EC2 Instance Metadata Service.
  Applicable schemas: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0

gcp.projectId
  Description: The project ID used to create the instance.
  Source: Retrieved from the GCP Compute Engine metadata endpoint.
  Applicable schemas: CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

gcp.instanceId
  Description: The ID of the VM.
  Source: Retrieved from the GCP Compute Engine metadata endpoint.
  Applicable schemas: CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

gcp.instanceZone
  Description: The zone the VM is running in.
  Source: Retrieved from the GCP Compute Engine metadata endpoint.
  Applicable schemas: CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0

kubernetes.cluster.name
  Description: The configured cluster name.
  Source: Set in the sysdig-agent configmap under the key k8s_cluster_name.
  Applicable schemas: All

kubernetes.node.name
  Description: The name of the node in Kubernetes.
  Source: Supplied by the Kubernetes Downward API.
  Applicable schemas: All

agent.tag.*
  Description: A set of customizable tags set in the agent configmap, the same tags used by the standard agent.
  Source: Set in the sysdig-agent configmap under the key tags.
  Applicable schemas: All
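The scope table above says where each label is sourced but not how those sources behave. The following is an added example, not Sysdig's own code, showing how a benchmark container could gather the same labels: the IMDSv2 token step that EC2 requires before reading the instance identity document, the Metadata-Flavor header that the GCE metadata endpoint rejects requests without, and the k8s_cluster_name and tags keys from dragent.yaml in the agent configmap. It also collects the cloud labels only for the managed-Kubernetes schema they apply to, as the table states. The schema constants, the minimal dragent.yaml scan, the injectable `fetch` function and the constructed metadata responses are assumptions made for illustration.

```python
"""Added example (not Sysdig code): derive the scope labels in the table above
from the sources it names: host facts, EC2 IMDS via the IMDSv2 token flow, the
GCP metadata endpoint (Metadata-Flavor header) and dragent.yaml from the
sysdig-agent configmap. HTTP is injected via `fetch` so it also runs offline."""
import json
import re
import urllib.request
from typing import Callable, Dict, Optional

EKS = "CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0"
GKE = "CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0"
AWS_IMDS = "http://169.254.169.254"
GCP_MD = "http://metadata.google.internal/computeMetadata/v1"
Fetcher = Callable[[str, str, Dict[str, str]], Optional[str]]

def http_fetch(method: str, url: str, headers: Dict[str, str]) -> Optional[str]:
    """Real request; short timeout because metadata endpoints are link-local."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read().decode()
    except OSError:
        return None

def aws_labels(fetch: Fetcher) -> Dict[str, str]:
    """aws.* labels from the instance identity document. Always take the IMDSv2
    token first: IMDSv2-only instances reject token-less GETs."""
    token = fetch("PUT", AWS_IMDS + "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    doc = token and fetch("GET", AWS_IMDS + "/latest/dynamic/instance-identity/document",
                          {"X-aws-ec2-metadata-token": token})
    if not doc:
        return {}
    ident = json.loads(doc)
    return {"aws.accountId": ident["accountId"], "aws.region": ident["region"],
            "aws.instanceId": ident["instanceId"]}

def gcp_labels(fetch: Fetcher) -> Dict[str, str]:
    """gcp.* labels; the endpoint rejects requests lacking Metadata-Flavor."""
    paths = {"gcp.projectId": "/project/project-id", "gcp.instanceId": "/instance/id",
             "gcp.instanceZone": "/instance/zone"}
    out = {}
    for label, path in paths.items():
        value = fetch("GET", GCP_MD + path, {"Metadata-Flavor": "Google"})
        if value is None:
            return {}
        # /instance/zone returns projects/<num>/zones/<zone>; keep only the zone
        out[label] = value.rsplit("/", 1)[-1] if label == "gcp.instanceZone" else value
    return out

def agent_labels(dragent_yaml: str) -> Dict[str, str]:
    """kubernetes.cluster.name and agent.tag.* from the configmap's dragent.yaml.
    Minimal top-level key scan (not a YAML loader); tags are comma-separated key:value."""
    out = {}
    for line in dragent_yaml.splitlines():
        m = re.match(r"^(k8s_cluster_name|tags):\s*(\S.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "k8s_cluster_name":
            out["kubernetes.cluster.name"] = value
            continue
        for tag in value.split(","):
            name, sep, tag_value = tag.strip().partition(":")
            if sep and name and tag_value:
                out["agent.tag." + name] = tag_value
    return out

def resolve_scope(schema: str, dragent_yaml: str, host_name: str, host_mac: str,
                  node_name: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Every scope label a task of `schema` can use on this node. node_name is what
    the Downward API injects; cloud labels are fetched only for the schema they apply to."""
    labels = {"host.hostName": host_name, "host.mac": host_mac, "kubernetes.node.name": node_name}
    labels.update(agent_labels(dragent_yaml))
    if schema == EKS:
        labels.update(aws_labels(fetch))
    elif schema == GKE:
        labels.update(gcp_labels(fetch))
    return labels

# Constructed stand-in for the metadata services so the example runs offline.
SAMPLE_DRAGENT_YAML = "k8s_cluster_name: prod-eks\ntags: role:control-plane,env:prod\n"
_FAKE = {
    ("PUT", AWS_IMDS + "/latest/api/token"): "AQAAAEXAMPLETOKEN",
    ("GET", AWS_IMDS + "/latest/dynamic/instance-identity/document"):
        '{"accountId": "123456789012", "region": "us-east-1", "instanceId": "i-0abc123def456789a"}',
    ("GET", GCP_MD + "/project/project-id"): "demo-project",
    ("GET", GCP_MD + "/instance/id"): "5590342061432756321",
    ("GET", GCP_MD + "/instance/zone"): "projects/123456/zones/europe-west1-b",
}

def fake_fetch(method: str, url: str, headers: Dict[str, str]) -> Optional[str]:
    """Applies the real services' header rules, then serves the constructed data."""
    if url.startswith(AWS_IMDS) and method == "GET" and "X-aws-ec2-metadata-token" not in headers:
        return None
    if url.startswith(GCP_MD) and headers.get("Metadata-Flavor") != "Google":
        return None
    return _FAKE.get((method, url))

if __name__ == "__main__":
    print(resolve_scope(EKS, SAMPLE_DRAGENT_YAML, "h1", "0a:1b:2c:3d:4e:5f", "h1", fetch=fake_fetch))
```

On a real node you would call resolve_scope with the default http_fetch, the host's own hostname and MAC, and the node name the Downward API injects into the pod. Two caveats worth checking when the aws.* or gcp.* labels come back empty: on EC2, IMDSv2's default hop limit of 1 can stop a containerized process on a bridged pod network from completing the PUT token request, and on GCE any request without the Metadata-Flavor header is refused. The constructed responses above exist only so the example runs offline; they are not output from any real service.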


Last modified November 8, 2021