Earlier versions of Sysdig Secure referred to this module as Compliance.
The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Redhat publishes a Container Security Guide that outlines best practices for running Openshift 3.10/3.11 clusters.
Sysdig Secure includes implementations of four of these benchmarks that can be run against your environment:
These benchmarks are available to run via 3 separate program types:
Docker Benchmark: for CIS Docker
Kubernetes Benchmark: For CIS Kubernetes and Redhat Container Security Guide
Linux Benchmark: for CIS Distribution Independent Linux
How Sysdig Benchmark Tests Work
CIS benchmarks are best practices for the secure configuration of a target system. Sysdig has implemented these standardized controls for different versions of Kubernetes, Linux, and Docker.
Setting Up a Task
Using a new Task, configure the type of test, the environment scope, and the scheduled frequency of the compliance check. You can also filter how you’d like to view the Results report. See also Configure Benchmark Tasks (Legacy) .
Running a Test
Once a task is configured, Sysdig Secure will:
Kick off a check in the agent to analyze your system configuration against CIS best-practices
Store the results of this task
Reviewing Report Results
When a task has run, it is listed on the
Results page and can be
viewed as a
Reviewing Benchmark Metrics
Benchmark metrics can also be viewed in Sysdig
Monitor, from default or customized
Understanding Report Filters
Customize your view of the test report, e.g., to see only high-priority results or the results from selected controls.
Note that the filter may affect only your view of the report (before agent version 9.7.0), or may actually determine of the test (after agent version 9.7.0). See also: About Custom Selections.
In older versions to filter a report, under
Report on the
Benchmark Task page:
select/deselect individual controls.
Use the information in this section to understand the effect of your selections.
About Custom Selections
Filtering rules apply to the report, not the test itself.
The full test will run but the result view will be edited.
If you apply a filter to an existing task that has already run, the filter view will be retroactively applied to the historical reports.
If you deselect the filter, the full results will again be visible.
About Benchmark Versions
CIS issues benchmark versions that correspond to –- but are not identical with – the Kubernetes or Docker software version. See the mapping tables, below.
If you do not customize/filter your report, the Sysdig agent will auto-detect your environment version and will run the corresponding version of the benchmark controls.
If you specify a benchmark version, you can then apply a report filter.
If the test version doesn’t match the environment version, the filter will be ignored and all the tests will be displayed.
Kubernetes Version Mapping
Note: CIS 1.0, 1.1, and 1.2 are deprecated.
|CIS Benchmark Ver.||Kubernetes Ver.||Sysdig Agent||Targets|
|CIS 1.3||Kubernetes v 1.11-1.12||all||Master control plane, Node, Etcd, Policies|
|CIS 1.4||Kubernetes v 1.13-1.14||all||Master control plane, Node, Etcd, Policies|
|CIS 1.5||Kubernetes v 1.15-||all||Master control plane, Node, Etcd, Policies|
|RH 0.7 Red Hat OpenShift hardening guide||OCP 3.10-3.11||v9.7-||Master node|
|CIS1.6||Kubernetes v1.16-||v10.6-||Master control plane, Node, Etcd, Policies|
|GKE 1.0||GKE||v10.6-||Master control plane, Node, Etcd, Policies, Managed services|
|EKS 1.0||EKS||v.10.6-||Control plane, Node, Policies, Managed services|
Sysdig also supports Kubernetes benchmark tests for the following distributions:
IBM IKS: IBM Kubernetes Service
Note: Running CIS benchmarks against IKS may result in some failures or false positives due to the way IBM deploys certain components. Read more from IBM.
Rancher RKE: Rancher Kubernetes Engine
Note: Running CIS benchmarks against RKE may result in some failures or false positives due to the way Rancher deploys certain components. Read more from Rancher.
Linux Bench Versions
The Linux Benchmarks (e.g. 2.0 and 1.1) should both run on any Linux distribution; it is not necessary to map to a particular distro.
Docker Version Mapping
|CIS Benchmark Version||Sysdig Report Filter|
About Profile Levels
CIS defines two levels of tests, as described below.
In Sysdig Secure, full benchmarks are always run, but you can filter your view of the report to see only top-priority (Level 1 Profile) or only the secondary (Level 2 Priority) results.
From the CIS FAQ:
Level 1 Profile: Limited to major issues
Considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.
Level 2 Profile: Extensive checks, more complete
Considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.
In the Sysdig Secure interface, select
Allto view an in-depth report that includes both Level 1 and Level 2 controls.
Level 1to view a report that includes only high-priority controls.
Level 2to view a report that includes only the lower-priority controls that are excluded from Level 1.
See also: Configure Benchmark Tasks (Legacy) .