This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Benchmarks (v1)

1: Configure Benchmark Tasks (v1)

2: Review Benchmark Test Results (v1)

3: Use Compliance Dashboards and Metrics (v1)

This version is being retired. Starting Dec. 1, 2022, we will no longer support new results. Benchmark results can be viewed in the new compliance module. See also: the migration instructions.

The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Redhat publishes a Container Security Guide that outlines best practices for running Openshift 3.10/3.11 clusters.

Sysdig Secure includes implementations of four of these benchmarks that can be run against your environment:

These benchmarks are available to run via 3 separate program types:

Docker Benchmark: for CIS Docker
Kubernetes Benchmark: For CIS Kubernetes and Redhat Container Security Guide
Linux Benchmark: for CIS Distribution Independent Linux

How Sysdig Benchmark Tests Work

CIS benchmarks are best practices for the secure configuration of a target system. Sysdig has implemented these standardized controls for different versions of Kubernetes, Linux, and Docker.

Setting Up a Task

Using a new Task, configure the type of test, the environment scope, and the scheduled frequency of the compliance check. You can also filter how you’d like to view the Results report. See also Configure Benchmark Tasks (v1) .

Running a Test

Once a task is configured, Sysdig Secure will:

Kick off a check in the agent to analyze your system configuration against CIS best-practices
Store the results of this task

Reviewing Report Results

When a task has run, it is listed on the Results page and can be viewed as a Report.

Reviewing Benchmark Metrics

Consolidated Benchmark metrics can also be viewed in Sysdig Monitor, from default or customized Compliance Dashboards.

Understanding Report Filters

Customize your view of the test report, e.g., to see only high-priority results or the results from selected controls.

Note that the filter may affect only your view of the report (before agent version 9.7.0), or may actually determine of the test (after agent version 9.7.0). See also: About Custom Selections.

In older versions to filter a report, under Report on the Benchmark Task page:

Choose Custom Selection
Choose a Benchmark version and
- apply a Profile filter, and/or
- select/deselect individual controls.

Use the information in this section to understand the effect of your selections.

About Custom Selections

Filtering rules apply to the report, not the test itself.

The full test will run but the result view will be edited.
If you apply a filter to an existing task that has already run, the filter view will be retroactively applied to the historical reports.
If you deselect the filter, the full results will again be visible.

About Benchmark Versions

CIS issues benchmark versions that correspond to –- but are not identical with – the Kubernetes or Docker software version. See the mapping tables, below.

Version Rules

If you do not customize/filter your report, the Sysdig agent will auto-detect your environment version and will run the corresponding version of the benchmark controls.
If you specify a benchmark version, you can then apply a report filter.
If the test version doesn’t match the environment version, the filter will be ignored and all the tests will be displayed.

Kubernetes Version Mapping

Note: CIS 1.0, 1.1, and 1.2 are deprecated.

CIS Benchmark Ver.	Kubernetes Ver.	Sysdig Agent	Targets
CIS 1.3	Kubernetes v 1.11-1.12	all	Master control plane, Node, Etcd, Policies
CIS 1.4	Kubernetes v 1.13-1.14	all	Master control plane, Node, Etcd, Policies
CIS 1.5	Kubernetes v 1.15-	all	Master control plane, Node, Etcd, Policies
RH 0.7 Red Hat OpenShift hardening guide	OCP 3.10-3.11	v9.7-	Master node
CIS1.6	Kubernetes v1.16-	v10.6-	Master control plane, Node, Etcd, Policies
GKE 1.0	GKE	v10.6-	Master control plane, Node, Etcd, Policies, Managed services
EKS 1.0	EKS	v.10.6-	Control plane, Node, Policies, Managed services

Sysdig also supports Kubernetes benchmark tests for the following distributions:

IBM IKS: IBM Kubernetes Service
Note: Running CIS benchmarks against IKS may result in some failures or false positives due to the way IBM deploys certain components. Read more from IBM.
Rancher RKE: Rancher Kubernetes Engine
Note: Running CIS benchmarks against RKE may result in some failures or false positives due to the way Rancher deploys certain components. Read more from Rancher.

Linux Bench Versions

The Linux Benchmarks (e.g. 2.0 and 1.1) should both run on any Linux distribution; it is not necessary to map to a particular distro.

Docker Version Mapping

CIS Benchmark Version	Sysdig Report Filter
CIS_Docker_Community_Edition_Benchmark_v1.1.0	Docker 1.0

About Profile Levels

CIS defines two levels of tests, as described below.

In Sysdig Secure, full benchmarks are always run, but you can filter your view of the report to see only top-priority (Level 1 Profile) or only the secondary (Level 2 Priority) results.

From the CIS FAQ:

Level 1 Profile: Limited to major issues
Considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.
Level 2 Profile: Extensive checks, more complete
Considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.

In the Sysdig Secure interface, select All to view an in-depth report that includes both Level 1 and Level 2 controls.

Select Level 1 to view a report that includes only high-priority controls.

Select Level 2 to view a report that includes only the lower-priority controls that are excluded from Level 1.

1 - Configure Benchmark Tasks (v1)

Use a Benchmark Task to define:

the type of benchmark test to be run
the scope of the environment to be checked
the scheduled test frequency
the format in which you want to view the results report.

Once a task has been set up, it will run tests automatically on the scheduled timeline. You can also trigger the task manually.

Schedule an Automated Benchmark Test

Create a Task

From the Benchmarks module, select the Schedule icon.
The Schedule list (of existing tasks) is displayed.
Click +Add Task and define the task parameters on the New Task page:
- Name: Create a meaningful name.
- Type: Select Docker Benchmark , Kubernetes Benchmark, or Linux Benchmark, despending on your environment.
- Schedule: Choose a frequency and time to run the test.
- Scope: Choose Everywhere, or narrow the scope as needed.
  (See also Using Labels .)
- Report: Select how you want to view the test results in the report.
  - All Tests: means that no filter will be applied to the Report.
    Sysdig will automatically apply the correct version of the benchmark test for your environment, based on the version of Kubernetes or Docker where the agent is installed.
  - Custom Selection: LEGACY: means that you will Filter Report Results .
    After agent 9.7.0, the custom selection also defines what parts of the test will run.
Click Save.

One Task, One Test, One Environment

To run benchmarks on environments with different Kubernetes versions, create a separate task for that scope and version. Sysdig cannot run tests for multiple versions in a single task.

Filter Report Results

Note that the full CIS benchmark test will be run, even when the Report view is filtered.

From the Benchmarks module, select the Schedule icon and either select or create a Task.
The Task configuration page is displayed.
For Report, choose Custom Selection.
Choose the appropriate CIS benchmark version from the drop-down menu (based on the Type chosen).
See About Benchmark Versions for details.
Filter results as desired.
1. Optional: Choose a Profile Level (1 or 2).
  Select Profile Level 1 to view only high-vulnerability results.
  Select Profile Level 2 to view only the lower-level results that were excluded from Level 1.
  Select All (no profile filter) to view complete results.
  See also: About Profile Levels.
2. Optional: Select/deselect individual controls as desired.
3. Optional: Select All to clear previous selections and begin again.
Click Save.

Edit a Scheduled Task

From the Benchmarks module, select the Schedule icon.
The list of scheduled tasks is displayed.
Select a task from the list and edit.

Changing the Report filter settings for a task that has already been run will retroactively filter the existing report views.

Click Save.

Delete a Scheduled Task

From the Benchmarks module, select the Schedule icon.
On the relevant task, click the More Options (three dots) icon.
Select Delete task and click Yes to confirm (or No to revert the change).

Trigger a Manual Benchmark Test (Run Now)

Rather than wait for the next scheduled time for a benchmark test to run, users can choose to run a benchmark test manually.

From the Benchmarks module, select the Schedule icon.
On the relevant task, click the Run Now (arrow) icon.
A notification will state that the test was successfully run.
Return to the Results tab and refresh the page after several minutes to see the results.

2 - Review Benchmark Test Results (v1)

When you have configured Benchmark tasks to run tests, each task run produces a listing connected to a report. This page describes the features associated with the Results list and associated Report pages, described below..

Using the Results List

The Benchmarks landing page is also the Results list, where each completed result report is linked.

From this page you can:

Access Reports
Create/access Tasks from the Schedule icon
Search for **Report **listings by Task name from the search bar
Link to Dashboards and their associated metrics in Sysdig Monitor

Note: If a test fails altogether, an error log is listed instead of a Report link.

On Kubernetes tests, the results list will also display the Kubernetes master node, which can be helpful for identification:

Using the Results Report

Click an entry in the Results list to open the corresponding Results Report.

You can:

Review the Pass/Fail/Warn results of each compliance control
Check remediation suggestions on Warn/Fail results
Download the report as a CSV file if needed

Sample Kubernetes report. (See also: https://www.cisecurity.org/benchmark/kubernetes/ )

Remember: You may have chosen to filter the Report view to highlight a subset of information.

A filter will apply to ALL relevant listings in the Results page; remove the filter to view the entire test result. See Filter Report Results.

Check Remediation Tips

Remediation tips provide a general summary of what is usually required to resolve an issue. This information is not environment-specific and should be used as a guide, rather than specific configuration instructions.

Access Remediation tips from the Wrench icon next to a Warn or Fail entry in a Report.

Remediation information is included in downloaded CSV reports as well.

Download Report as a CSV File

From a Report page, click Download CSV.

3 - Use Compliance Dashboards and Metrics (v1)

Links to the Compliance Dashboards in Sysdig Monitor are provided from the Results list in the Sysdig Secure Benchmarks module.

Compliance Dashboards

Sysdig provides Compliance & Security Dashboards as part of Sysdig Monitor:

Compliance (K8s)
Compliance (Docker)

Sample Docker compliance dashboard:

Sample Kubernetes compliance dashboard:

Compliance Metrics

A number of compliance metrics for both Kubernetes and Docker are available to view in Sysdig Monitor dashboards. These metrics are documented in full in the Metrics Dictionary and are available here: Compliance.