
              Benchmarks

              Select Posture > Benchmark|Tasks. The Tasks landing page is displayed.

              A “task” is the combination of a benchmark test (schema), the scope it runs against, and the schedule on which it runs. Once a task is configured, it is listed on the landing page and is linked to the full benchmark report.

              For new users: If no tasks have been created yet, you will be prompted to create some.

              For users who had Benchmark v1 tasks configured:

              • v1 tasks will be migrated to v2.

              • You can still view all v1 schedules and reports from the View Legacy Benchmarks button, if desired. Modifications to v1 after this point will not be propagated.

              On this page you can:

              • Enable/disable a task. Note that if you have Sysdig Secure for cloud installed, the AWS Foundations Benchmark task is listed for information but is handled differently from the other task types.

              • Filter the list by scope or task type to find the task more easily

              • Click a task to access the full benchmark report

              Benchmark Component Details

              Types of Benchmark Schemas

              The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Red Hat publishes a Container Security Guide that outlines best practices for running OpenShift 3.10/3.11 clusters.

              With v2, Sysdig supports the following types of benchmark tests (schemas):

              Schema Name | Applicability | Notes
              --- | --- | ---
              CIS Kubernetes Benchmark v1.5.1 | Kubernetes versions 1.15 and below | Sections 1, 2, 3 will only be run on Master nodes; section 4 will be run on all nodes (master + worker)
              CIS Kubernetes Benchmark v1.6.0 | Kubernetes versions 1.16 and below | Sections 1, 2, 3 will only be run on Master nodes; section 4 will be run on all nodes (master + worker)
              CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 | |
              CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0 | |
              OpenShift 3.11 Hardening Guide v1.2.1 | OpenShift versions 3.10 and 3.11 are supported. |
              CIS RedHat OpenShift Container Platform v4 Benchmark v1.1.0 | OpenShift Container Platform v4 | Choose Server Software > Virtualization > Kubernetes to access the link to the CIS Benchmark for RedHat OpenShift Container Platform v4 on the CIS site.
              CIS Distribution Independent Linux Benchmark v1.1.0 | |
              Docker Security Benchmark v1.2.0 | |

              With Secure for cloud:

              Prerequisite: Installed Sysdig Secure for cloud and selected CSPM/AWS Benchmarks.

              CIS Amazon Web Services Foundations Compliance Benchmark v1.3.0: These tasks are auto-created when Secure for cloud benchmarks are enabled. They are read-only; schedule and scope are fixed. They display that a cloud bench task exists, and give access to the results.

              Understanding Benchmark Scopes

              When you Configure Benchmark Tasks, the available scope depends on the schema you choose.

              Scope Label | Description | Source | Applicable Schemas
              --- | --- | --- | ---
              host.hostName | The local hostname of the machine running the benchmark container. | Retrieved from the machine running the benchmark container. | All
              host.mac | The MAC address of the machine running the benchmark container. | Retrieved from the machine running the benchmark container. | All
              aws.accountId | The AWS account ID containing the EC2 instance running the benchmark container. | Retrieved from the AWS EC2 Instance Metadata Service | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0
              aws.region | The Region containing the EC2 instance running the benchmark container. | Retrieved from the AWS EC2 Instance Metadata Service | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0
              aws.instanceId | The AWS instance ID of the EC2 instance running the benchmark container. | Retrieved from the AWS EC2 Instance Metadata Service | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0
              gcp.projectId | The Project ID used to create the instance. | Retrieved from the GCP Compute Engine Metadata endpoint | CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0
              gcp.instanceId | The ID of the VM. | Retrieved from the GCP Compute Engine Metadata endpoint | CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0
              gcp.instanceZone | The Zone that the VM is running in. | Retrieved from the GCP Compute Engine Metadata endpoint | CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0
              kubernetes.cluster.name | The configured Cluster name. | Set in the sysdig-agent configmap under the key: k8s_cluster_name | All
              kubernetes.node.name | The name of the node in Kubernetes. | Supplied by the Kubernetes Downward API | All
              agent.tag.* | A set of customizable tags set in the agent configmap; the same as tags for the standard agent. | Set in the sysdig-agent configmap under the key: tags | All
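              As an added illustration (not Sysdig's code) of where each scope label in the table comes from, the following Python resolves the label set for one node, offering the aws.* or gcp.* labels only for the schema they apply to, and checks a task scope against it. The metadata URLs, the "key:value,key:value" form of the agent tags setting, the HOSTNAME/HOST_MAC/NODE_NAME variable names and all sample values are assumptions, not taken from the page.

```python
"""Resolve benchmark scope labels for one node (added example, not Sysdig's code)."""
import json
from typing import Callable, Dict, Mapping

EKS_SCHEMA = "CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0"
GKE_SCHEMA = "CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0"
# Cloud-specific labels are only applicable to these schemas (Applicable Schemas column).
CLOUD_BY_SCHEMA = {EKS_SCHEMA: "aws", GKE_SCHEMA: "gcp"}

# Assumed endpoints: the standard IMDS identity document and GCE metadata paths.
# The page only says the labels come from those metadata services.
AWS_IDENTITY_URL = "http://169.254.169.254/latest/dynamic/instance-identity/document"
GCP_META = "http://metadata.google.internal/computeMetadata/v1/"


def parse_agent_tags(tags: str) -> Dict[str, str]:
    """Turn the agent 'tags' setting (assumed 'key:value,key:value') into agent.tag.* labels."""
    labels: Dict[str, str] = {}
    for item in tags.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed agent tag: {item!r}")
        labels[f"agent.tag.{key.strip()}"] = value.strip()
    return labels


def collect_scope_labels(schema: str, fetch: Callable[[str], str],
                         env: Mapping[str, str], agent_config: Mapping[str, str]) -> Dict[str, str]:
    """Build the label set a task scope is matched against.

    env holds what the container reads locally: HOSTNAME and HOST_MAC (assumed
    names) and NODE_NAME, assumed to be injected via the Downward API.
    """
    labels = {
        "host.hostName": env["HOSTNAME"],
        "host.mac": env["HOST_MAC"],
        "kubernetes.cluster.name": agent_config["k8s_cluster_name"],
        "kubernetes.node.name": env["NODE_NAME"],
    }
    labels.update(parse_agent_tags(agent_config.get("tags", "")))
    cloud = CLOUD_BY_SCHEMA.get(schema)
    if cloud == "aws":
        doc = json.loads(fetch(AWS_IDENTITY_URL))  # one JSON document carries all three
        labels["aws.accountId"] = doc["accountId"]
        labels["aws.region"] = doc["region"]
        labels["aws.instanceId"] = doc["instanceId"]
    elif cloud == "gcp":
        labels["gcp.projectId"] = fetch(GCP_META + "project/project-id")
        labels["gcp.instanceId"] = fetch(GCP_META + "instance/id")
        # GCE returns the zone as "projects/<num>/zones/<zone>"; keep only <zone>.
        labels["gcp.instanceZone"] = fetch(GCP_META + "instance/zone").rsplit("/", 1)[-1]
    return labels


def scope_matches(required: Mapping[str, str], labels: Mapping[str, str]) -> bool:
    """A task applies to a node when every label in its scope is present with that value."""
    return all(labels.get(k) == v for k, v in required.items())


# Constructed sample responses standing in for the metadata services (no network needed).
FAKE_RESPONSES = {
    AWS_IDENTITY_URL: json.dumps({"accountId": "123456789012", "region": "us-east-1",
                                  "instanceId": "i-0abc123def4567890"}),
    GCP_META + "project/project-id": "example-project",
    GCP_META + "instance/id": "4242424242424242424",
    GCP_META + "instance/zone": "projects/111111111111/zones/us-central1-a",
}
SAMPLE_ENV = {"HOSTNAME": "ip-10-0-1-23", "HOST_MAC": "02:42:ac:11:00:02",
              "NODE_NAME": "ip-10-0-1-23.ec2.internal"}
SAMPLE_AGENT_CONFIG = {"k8s_cluster_name": "prod", "tags": "env:production,team:platform"}


def fake_fetch(url: str) -> str:
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    node = collect_scope_labels(EKS_SCHEMA, fake_fetch, SAMPLE_ENV, SAMPLE_AGENT_CONFIG)
    print(node)
    print(scope_matches({"kubernetes.cluster.name": "prod", "agent.tag.env": "production"}, node))
```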

              1 - Configure Benchmark Tasks

              Use a Benchmark Task to define:

              • the type of benchmark test to be run, based on “schemas”

              • the scope of the environment to be checked

              • the scheduled test frequency

              • the list of controls to be included/excluded. Use this to silence noisy or unfixable controls that you’ve determined are not useful.

              Once a task has been set up, it will run tests automatically on the scheduled timeline. You can also trigger the task manually.

              Create a Task

              1. Select Compliance > Benchmark|Tasks.

                The Task benchmark landing page is displayed.

              2. Click +Add Task and define the task parameters on the New Task page:

                • Name: Create a meaningful name.

                • Schema: Select the appropriate schema type from the drop-down menu. See Types of Benchmark Schemas for details.

                • Schedule: Choose a frequency and time to run the test. Benchmarks can be scheduled Daily, Weekly or Monthly, on designated days at a specific time. A single task cannot be scheduled more frequently than once per day.

                • Scope: Choose from the available scoping options, which are auto-filtered based on the chosen schema. See also: Understanding Benchmark Scopes .

                • Custom Report: De-select any of the controls you don’t want run in the test or view in the report.

              3. Click Save.

              The task will appear on the Tasks landing page along with the date and time it was last run. Click the task to review the report.

              Tasks are immutable once created. You cannot change the scope, schedule, schema or filtered controls for an existing task.

              Trigger a Task Manually

              Rather than wait for the next scheduled time for a task to run, users can choose to run a benchmark test manually.

              1. Select Compliance > Benchmark|Tasks.

              2. On the relevant task, click the Run Now (arrow) icon.

                A notification will state that the test was successfully run.

              2 - AWS Foundations Benchmarks

              Overview

              The CIS Amazon Web Services Foundations Benchmark v1.3.0 forms one part of Sysdig’s comprehensive Cloud Security Posture Management (CSPM) and Compliance tools. The AWS CIS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment.

              We’ve included several UI improvements to provide additional details such as: control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

              Enable CIS AWS Foundations Benchmarks

              Prerequisites

              • Sysdig Secure (SaaS)

              • Workloads running in the AWS environment, including EKS, Fargate, etc. for which you want to verify best security practices and compliance

              Deploy using a simple CloudFormation Template in the AWS Console. See Deploy Sysdig Secure for cloud on AWS.

              Using AWS Foundations Benchmarks

              The checks and reports for AWS Benchmarks differ from Host Benchmarks in the following ways:

              • No scheduling: The check is automatically deployed daily; the user does not choose a particular schedule, nor to “run now.”

              • Tasks and Reports combined:

                There is a single page displaying:

                • The chosen AWS account, region, and report date

                • The curated list of controls that are run (left panel)

                • The daily report, with its pass/fail details and any recommended remediation steps

              Reviewing an AWS CIS Report

              1. Log in to Sysdig Secure and select Compliance > AWS Foundations Benchmark.

              2. Select the relevant report:

                Account id: From the drop-down menu, choose one of the accounts where you deployed the CFT and enabled the AWS Benchmarks feature.

                Region: Choose the AWS region of the account you want to check (not necessarily the region where your Sysdig Secure is installed).

                Date: Choose a report date. Checks are run once per 24 hours.

              3. Review the daily report (right panel).

                Note the following:

                • % of Resources Passed: Of the controls implemented by Sysdig, this is the percentage that passed.

                • Resources Passing: Every control checks multiple resources (e.g., hundreds of S3 buckets, etc.). This figure displays an aggregated count of all the resources over all the controls.

                • Resources Failing: Choose this figure to review a consolidated list of all failed controls with their remediation recommendations.

              3 - Review Benchmark Results

              Click a listed task to review the full report, check Pass|Fail status, discover remediation steps, and/or download the report as a CSV file.

              1. Log in to Sysdig Secure, select Compliance > Benchmark|Tasks, and select one of the task line items.

                If you have installed Sysdig Secure for cloud, AWS Foundations Benchmarks are listed on the Tasks page, but are handled differently from the rest of the Host Benchmark results.

                A benchmark report is displayed.

              2. From the report page, you can do the following:

                • Summary: Review the Summary (left panel) to see every control and its result

                • Date: Choose the test run from a different date. Use the date drop-down to see historical results of this report.

                • Sort and list: by which resources passed/failed the test. Click the Resources Passed / Resources Failed links to filter the results accordingly.

              3. Drill down to review details and remediate.

                After sorting, e.g., by Resources Failed, you can review the control details including the recommended Remediation Procedure.

              4. Optional: Download as CSV using the button at the top of the page.

              4 - Benchmarks (Legacy)

              Earlier versions of Sysdig Secure referred to this module as Compliance.

              The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Red Hat publishes a Container Security Guide that outlines best practices for running OpenShift 3.10/3.11 clusters.

              Sysdig Secure includes implementations of four of these benchmarks that can be run against your environment. They are available to run via three separate program types:

              • Docker Benchmark: for CIS Docker

              • Kubernetes Benchmark: for CIS Kubernetes and the Red Hat Container Security Guide

              • Linux Benchmark: for CIS Distribution Independent Linux

              How Sysdig Benchmark Tests Work

              CIS benchmarks are best practices for the secure configuration of a target system. Sysdig has implemented these standardized controls for different versions of Kubernetes, Linux, and Docker.

              Setting Up a Task

              Using a new Task, configure the type of test, the environment scope, and the scheduled frequency of the compliance check. You can also filter how you’d like to view the Results report. See also Configure Benchmark Tasks (Legacy) .

              Running a Test

              Once a task is configured, Sysdig Secure will:

              • Kick off a check in the agent to analyze your system configuration against CIS best-practices

              • Store the results of this task

              Reviewing Report Results

              When a task has run, it is listed on the Results page and can be viewed as a Report.

              Reviewing Benchmark Metrics

              Consolidated Benchmark metrics can also be viewed in Sysdig Monitor, from default or customized Compliance Dashboards.

              Understanding Report Filters

              Customize your view of the test report, e.g., to see only high-priority results or the results from selected controls.

              Note that the filter may affect only your view of the report (before agent version 9.7.0), or may actually determine which parts of the test are run (after agent version 9.7.0). See also: About Custom Selections.

              In older versions, to filter a report, under Report on the Benchmark Task page:

              • Choose Custom Selection

              • Choose a Benchmark version and

                • apply a Profile filter, and/or

                • select/deselect individual controls.

              Use the information in this section to understand the effect of your selections.

              About Custom Selections

              Filtering rules apply to the report, not the test itself.

              • The full test will run but the result view will be edited.

              • If you apply a filter to an existing task that has already run, the filter view will be retroactively applied to the historical reports.

              • If you deselect the filter, the full results will again be visible.

              About Benchmark Versions

              CIS issues benchmark versions that correspond to, but are not identical with, the Kubernetes or Docker software version. See the mapping tables, below.

              Version Rules

              • If you do not customize/filter your report, the Sysdig agent will auto-detect your environment version and will run the corresponding version of the benchmark controls.

              • If you specify a benchmark version, you can then apply a report filter.

              • If the test version doesn’t match the environment version, the filter will be ignored and all the tests will be displayed.

              Kubernetes Version Mapping

              Note: CIS 1.0, 1.1, and 1.2 are deprecated.

              CIS Benchmark Ver. | Kubernetes Ver. | Sysdig Agent | Targets
              --- | --- | --- | ---
              CIS 1.3 | Kubernetes v1.11-1.12 | all | Master control plane, Node, Etcd, Policies
              CIS 1.4 | Kubernetes v1.13-1.14 | all | Master control plane, Node, Etcd, Policies
              CIS 1.5 | Kubernetes v1.15- | all | Master control plane, Node, Etcd, Policies
              RH 0.7 (Red Hat OpenShift hardening guide) | OCP 3.10-3.11 | v9.7- | Master node
              CIS 1.6 | Kubernetes v1.16- | v10.6- | Master control plane, Node, Etcd, Policies
              GKE 1.0 | GKE | v10.6- | Master control plane, Node, Etcd, Policies, Managed services
              EKS 1.0 | EKS | v10.6- | Control plane, Node, Policies, Managed services

              Sysdig also supports Kubernetes benchmark tests for the following distributions:

              • IBM IKS: IBM Kubernetes Service

                Note: Running CIS benchmarks against IKS may result in some failures or false positives due to the way IBM deploys certain components. Read more from IBM.

              • Rancher RKE: Rancher Kubernetes Engine

                Note: Running CIS benchmarks against RKE may result in some failures or false positives due to the way Rancher deploys certain components. Read more from Rancher.

              Linux Bench Versions

              The Linux Benchmarks (e.g. 2.0 and 1.1) should both run on any Linux distribution; it is not necessary to map to a particular distro.

              Docker Version Mapping

              CIS Benchmark Version | Sysdig Report Filter
              --- | ---
              CIS_Docker_Community_Edition_Benchmark_v1.1.0 | Docker 1.0

              About Profile Levels

              CIS defines two levels of tests, as described below.

              In Sysdig Secure, full benchmarks are always run, but you can filter your view of the report to see only top-priority (Level 1 Profile) or only the secondary (Level 2 Profile) results.

              From the CIS FAQ:

              • Level 1 Profile: Limited to major issues

                Considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.

              • Level 2 Profile: Extensive checks, more complete

                Considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.

                In the Sysdig Secure interface, select All to view an in-depth report that includes both Level 1 and Level 2 controls.

                Select Level 1 to view a report that includes only high-priority controls.

                Select Level 2 to view a report that includes only the lower-priority controls that are excluded from Level 1.

                See also: Configure Benchmark Tasks (Legacy) .

              4.1 - Configure Benchmark Tasks (Legacy)

              Use a Benchmark Task to define:

              • the type of benchmark test to be run

              • the scope of the environment to be checked

              • the scheduled test frequency

              • the format in which you want to view the results report.

              Once a task has been set up, it will run tests automatically on the scheduled timeline. You can also trigger the task manually. See Trigger a Manual Benchmark Test (Run Now).

              Schedule an Automated Benchmark Test

              Create a Task

              1. From the Benchmarks module, select the Schedule icon.

                The Schedule list (of existing tasks) is displayed.

              2. Click +Add Task and define the task parameters on the New Task page:

                • Name: Create a meaningful name.

                • Type: Select Docker Benchmark, Kubernetes Benchmark, or Linux Benchmark, depending on your environment.

                • Schedule: Choose a frequency and time to run the test.

                • Scope: Choose Everywhere, or narrow the scope as needed.

                  (See also Grouping, Scoping, and Segmenting Metrics .)

                • Report: Select how you want to view the test results in the report.

                  • All Tests: means that no filter will be applied to the Report.

                    Sysdig will automatically apply the correct version of the benchmark test for your environment, based on the version of Kubernetes or Docker where the agent is installed.

                  • Custom Selection (legacy): means that you will filter the report results. See Filter Report Results.

                    After agent 9.7.0, the custom selection also defines what parts of the test will run. See also Understanding Report Filters.

              3. Click Save.

              One Task, One Test, One Environment

              To run benchmarks on environments with different Kubernetes versions, create a separate task for that scope and version. Sysdig cannot run tests for multiple versions in a single task.

              Filter Report Results

              Note that the full CIS benchmark test will be run, even when the Report view is filtered.

              1. From the Benchmarks module, select the Schedule icon and either select or create a Task.

                The Task configuration page is displayed.

              2. For Report, choose Custom Selection.

              3. Choose the appropriate CIS benchmark version from the drop-down menu (based on the Type chosen).

                See About Benchmark Versions for details.

              4. Filter results as desired.

                1. Optional: Choose a Profile Level (1 or 2).

                  Select Profile Level 1 to view only high-priority results.

                  Select Profile Level 2 to view only the lower-level results that were excluded from Level 1.

                  Select All (no profile filter) to view complete results.

                  See also: About Profile Levels.

                2. Optional: Select/deselect individual controls as desired.

                3. Optional: Select All to clear previous selections and begin again.

              5. Click Save.

              Edit a Scheduled Task

              1. From the Benchmarks module, select the Schedule icon.

                The list of scheduled tasks is displayed.

              2. Select a task from the list and edit.

                Changing the Report filter settings for a task that has already been run will retroactively filter the existing report views.

              3. Click Save.

              Delete a Scheduled Task

              1. From the Benchmarks module, select the Schedule icon.

              2. On the relevant task, click the More Options (three dots) icon.

              3. Select Delete task and click Yes to confirm (or No to revert the change).

              Trigger a Manual Benchmark Test (Run Now)

              Rather than wait for the next scheduled time for a benchmark test to run, users can choose to run a benchmark test manually.

              1. From the Benchmarks module, select the Schedule icon.

              2. On the relevant task, click the Run Now (arrow) icon.

                A notification will state that the test was successfully run.

              3. Return to the Results tab and refresh the page after several minutes to see the results.

              4.2 - Review Benchmark Test Results (Legacy)

              When you have configured Benchmark tasks to run tests, each task run produces a listing connected to a report. This page describes the features of the Results list and the associated Report pages.

              Using the Results List

              The Benchmarks landing page is also the Results list, where each completed result report is linked.

              From this page you can:

              • Access Reports

              • Create/access Tasks from the Schedule icon

              • Search for Report listings by Task name from the search bar

              • Link to Dashboards and their associated metrics in Sysdig Monitor

              Note: If a test fails altogether, an error log is listed instead of a Report link.

              On Kubernetes tests, the results list will also display the Kubernetes master node, which can be helpful for identification.

              Using the Results Report

              Click an entry in the Results list to open the corresponding Results Report.

              You can:

              • Review the Pass/Fail/Warn results of each compliance control

              • Check remediation suggestions on Warn/Fail results

              • Download the report as a CSV file if needed

              Sample Kubernetes report. (See also: https://www.cisecurity.org/benchmark/kubernetes/ )

              Remember: You may have chosen to filter the Report view to highlight a subset of information.

              A filter will apply to ALL relevant listings in the Results page; remove the filter to view the entire test result. See Filter Report Results.

              Check Remediation Tips

              Remediation tips provide a general summary of what is usually required to resolve an issue. This information is not environment-specific and should be used as a guide, rather than specific configuration instructions.

              Access Remediation tips from the Wrench icon next to a Warn or Fail entry in a Report.

              Remediation information is included in downloaded CSV reports as well.

              Download Report as a CSV File

              From a Report page, click Download CSV.

              4.3 - Use Compliance Dashboards and Metrics (Legacy)

              Links to the Compliance Dashboards in Sysdig Monitor are provided from the Results list in the Sysdig Secure Benchmarks module.

              Compliance Dashboards

              Sysdig provides Compliance & Security Dashboards as part of Sysdig Monitor:

              • Compliance (K8s)

              • Compliance (Docker)

              Sample Docker compliance dashboard:

              Sample Kubernetes compliance dashboard:

              Compliance Metrics

              A number of compliance metrics for both Kubernetes and Docker are available to view in Sysdig Monitor dashboards. These metrics are documented in full in the Metrics Dictionary and are available here: Compliance.