Benchmarks (Legacy)
Navigate the Benchmark Tasks Landing Page
This version is being retired. Starting March 15, 2023, we will no longer support new results. Benchmark results can be viewed in the new compliance module. See also: the migration instructions.
Select Posture > Benchmark | Tasks. The Tasks landing page is displayed.
A "task" is a benchmark test (schema) scheduled to run against a particular scope at a scheduled time. Once a task is configured it is listed on the landing page, and each entry links to the full benchmark report.
For new users: If no tasks have been created yet, you will be prompted to create some.
For users who had Benchmark v1 tasks configured:
v1 tasks will be migrated to v2.
You can still view all v1 schedules and reports from the View Legacy Benchmarks button, if desired. Modifications made to v1 after this point will not be propagated to v2.
On this page you can:
Enable or disable a task. Note that if Sysdig Secure for cloud is installed, the AWS Foundations Benchmark task is listed for information only and is handled differently from the other task types (see the schema table below).
Filter the list by scope or task type to find a task more easily
Click a task to access the full benchmark report
Benchmark Component Details
Types of Benchmark Schemas
The Center for Internet Security (CIS) issues standardized benchmarks, guidelines, and best practices for securing IT systems and environments. Additionally, Red Hat publishes a Container Security Guide that outlines best practices for running OpenShift 3.10/3.11 clusters.
With v2, Sysdig supports the following types of benchmark tests (schemas):
Schema Name | Applicability | Notes |
---|---|---|
CIS Kubernetes Benchmark | Kubernetes versions 1.15 and below | Sections 1, 2 and 3 run only on master nodes; section 4 runs on all nodes (master and worker). |
CIS Kubernetes Benchmark | Kubernetes versions 1.16 and above | Sections 1, 2 and 3 run only on master nodes; section 4 runs on all nodes (master and worker). |
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0 | EKS clusters | |
CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 | GKE clusters | |
Red Hat Container Security Guide (OpenShift 3) | OpenShift versions 3.10 and 3.11 are supported. | |
OpenShift Container Platform v4 | Choose | |
CIS Amazon Web Services Foundations Compliance Benchmark v1.3.0 | Requires Sysdig Secure for cloud to be installed, with CSPM/AWS Benchmarks selected. | These tasks are auto-created when Secure for cloud benchmarks are enabled. They are read-only: schedule and scope are fixed. They show that a cloud benchmark task exists and give access to its results. |
Understanding Benchmark Scopes
When you Configure Benchmark Tasks, the available scope depends on the schema you choose. The aws.* and gcp.* labels are read by the benchmark container from the cloud provider's instance metadata service, so they are only populated when that container can reach the metadata endpoint; a cluster that blocks pod access to the metadata service (a common hardening step) leaves those labels unset, and a task scoped on them will not match such nodes.
Scope Label | Description | Source | Applicable Schemas |
---|---|---|---|
host.hostName | The local hostname of the machine running the benchmark container. | Retrieved from the machine running the benchmark container. | All |
host.mac | The MAC address of the machine running the benchmark container. | Retrieved from the machine running the benchmark container. | All |
aws.accountId | The AWS account ID containing the EC2 instance running the benchmark container. | Retrieved from the AWS EC2 Instance Metadata Service | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0 |
aws.region | The Region containing the EC2 instance running the benchmark container. | Retrieved from the AWS EC2 Instance Metadata Service | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0 |
aws.instanceId | The AWS instance ID of the EC2 instance running the benchmark container. | Retrieved from the AWS EC2 Instance Metadata Service | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.0 |
gcp.projectId | The Project ID used to create the instance. | Retrieved from the GCP Compute Engine Metadata endpoint | CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 |
gcp.instanceId | The ID of the VM. | Retrieved from the GCP Compute Engine Metadata endpoint | CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 |
gcp.instanceZone | The Zone that the VM is running in. | Retrieved from the GCP Compute Engine Metadata endpoint | CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0 |
kubernetes.cluster.name | The configured Cluster name. | Set in the sysdig-agent configmap under the key: k8s_cluster_name | All |
kubernetes.node.name | The name of the node in Kubernetes. | Supplied by the Kubernetes Downward API | All |
agent.tag.* | A set of customizable tags set in the agent configmap; the same tags used by the standard agent. | Set in the sysdig-agent configmap under the key: tags | All |
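The table above names where each scope label comes from but not how a task's scope is applied to them. The following added example (not Sysdig's code; every input is constructed inline, and the task names and scope dictionaries are hypothetical) resolves the labels from those sources, then decides which configured tasks apply to a node. It also covers the failure mode a practitioner hits in practice: when the metadata endpoint is unreachable, the aws.* and gcp.* labels are simply absent, and any task scoped on them does not match.

```python
# Added example (not Sysdig's code): resolve benchmark scope labels from the
# sources listed above and select the tasks whose scope matches this node.
# All inputs below are constructed for illustration.
import json
from typing import Dict, Iterable, List, Optional, Union

# Constructed stand-in for the AWS IMDS instance identity document
# (GET /latest/dynamic/instance-identity/document), which carries the
# accountId, region and instanceId the table refers to.
AWS_IDENTITY_DOC = json.dumps({
    "accountId": "123456789012",
    "region": "us-east-1",
    "instanceId": "i-0abc123def456789a",
})

# Constructed stand-in for the GCP Compute Engine metadata paths. The zone
# path is returned as a full resource name, so only its last segment is used.
GCP_METADATA = {
    "project/project-id": "example-project",
    "instance/id": "1234567890123456789",
    "instance/zone": "projects/987654321/zones/us-central1-a",
}

# Constructed dragent.yaml payload of the sysdig-agent configmap. Only the
# k8s_cluster_name and tags keys are consumed here.
DRAGENT_YAML = """\
k8s_cluster_name: prod-east
tags: env:prod,team:platform
collector: collector.example.com
"""


def parse_dragent_yaml(text: str) -> Dict[str, str]:
    """Minimal 'key: value' reader for the flat keys used here
    (a real deployment would use a YAML library)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip()
    return out


def resolve_scope_labels(hostname: str, mac: str, node_name: str, dragent_yaml: str,
                         aws_identity_doc: Optional[str] = None,
                         gcp_metadata: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the label set for one node. Cloud labels are only added when the
    corresponding metadata document could be fetched (None = unreachable)."""
    labels = {"host.hostName": hostname, "host.mac": mac,
              "kubernetes.node.name": node_name}  # node name: Downward API
    cfg = parse_dragent_yaml(dragent_yaml)
    if "k8s_cluster_name" in cfg:
        labels["kubernetes.cluster.name"] = cfg["k8s_cluster_name"]
    # Agent tags are written as "key:value,key:value" in dragent.yaml.
    for tag in filter(None, cfg.get("tags", "").split(",")):
        key, _, value = tag.partition(":")
        labels["agent.tag." + key.strip()] = value.strip()
    if aws_identity_doc is not None:
        doc = json.loads(aws_identity_doc)
        labels["aws.accountId"] = doc["accountId"]
        labels["aws.region"] = doc["region"]
        labels["aws.instanceId"] = doc["instanceId"]
    if gcp_metadata is not None:
        labels["gcp.projectId"] = gcp_metadata["project/project-id"]
        labels["gcp.instanceId"] = gcp_metadata["instance/id"]
        labels["gcp.instanceZone"] = gcp_metadata["instance/zone"].rsplit("/", 1)[-1]
    return labels


Scope = Dict[str, Union[str, Iterable[str]]]


def scope_matches(scope: Scope, labels: Dict[str, str]) -> bool:
    """Every scope entry must match; a value may be one string or a list of
    allowed strings. A label the node could not resolve never matches."""
    for label, wanted in scope.items():
        if label not in labels:
            return False
        allowed = {wanted} if isinstance(wanted, str) else set(wanted)
        if labels[label] not in allowed:
            return False
    return True


# Hypothetical task definitions (name + scope), not real Sysdig tasks.
TASKS = [
    {"name": "cis-k8s-prod-clusters", "scope": {"agent.tag.env": "prod"}},
    {"name": "cis-eks-account", "scope": {"aws.accountId": "123456789012",
                                         "aws.region": ["us-east-1", "us-west-2"]}},
    {"name": "cis-gke-project", "scope": {"gcp.projectId": "example-project"}},
    {"name": "cis-k8s-staging", "scope": {"agent.tag.env": "staging"}},
]


def applicable_tasks(tasks: List[dict], labels: Dict[str, str]) -> List[str]:
    """Names of the tasks whose scope matches the node's labels, in order."""
    return [t["name"] for t in tasks if scope_matches(t["scope"], labels)]


if __name__ == "__main__":
    node = resolve_scope_labels("ip-10-0-1-5", "0a:1b:2c:3d:4e:5f",
                                "ip-10-0-1-5.ec2.internal", DRAGENT_YAML,
                                aws_identity_doc=AWS_IDENTITY_DOC)
    print(applicable_tasks(TASKS, node))
```

Running the block with the AWS identity document present selects the prod and EKS tasks; passing `aws_identity_doc=None` (the metadata endpoint blocked) drops the EKS task silently, which is the behaviour to check for when an EKS-scoped task reports fewer nodes than expected.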