clock icon

7 min read

Blog thumbnail
Published on 07/03/2023
Last updated on 02/05/2024

KubeClarity: CIS Benchmarks

Share

KubeClarity Lean into Software Chain Security Series
https://github.com/openclarity/kubeclarity

This is the last blog post covering KubeClarity features in this series. As a recounting of our journey so far, we have covered the KubeClarity internals, installations, architecture, multi-SBOMs, multi-scanners, and run-time scans. This blog will explore CIS Benchmarks, their significance, why organizations should implement them, and how KubeClarity can be a rescue.

KubeClarity CIS Benchmarks
Figure-1: KubeClarity CIS Benchmarks Integration

Understanding CIS Benchmarks

In the realm of software supply chain and cyber security best practices, CIS Benchmarks play a vital role in ensuring the security and compliance of IT systems. Developed by the Center for Internet Security (CIS), these benchmarks provide industry-recognized guidelines and recommendations for securing systems, networks, and software applications.

CIS Benchmarks are consensus-based guidelines that outline recommended security configurations and settings for various technology platforms, including operating systems, databases, web servers, and more.

The Importance of CIS Benchmarks

  • CIS Benchmarks are developed through collaboration and input from subject matter experts and vendors.
  • Implementing CIS Benchmarks enhances security by reducing the attack surface and improving overall posture.
  • They help organizations meet compliance requirements and align with industry best practices.
  • CIS Benchmarks mitigate common security threats by addressing vulnerabilities and weaknesses.
  • Implementing CIS Benchmarks saves time and cost by leveraging pre-defined security configurations.
  • Following CIS Benchmarks demonstrates industry recognition and credibility.
  • Steps for implementing CIS Benchmarks include assessment, configuration, testing, monitoring, and updates.
  • Regularly monitoring and maintaining compliance with CIS Benchmarks is crucial.

Implementing CIS Benchmarks

To implement CIS Benchmarks effectively, organizations should consider the following steps:

Assessment

Evaluate the relevant CIS Benchmarks applicable to your organization's technology platforms and systems.

Configuration

Implement the recommended security configurations provided in the CIS Benchmarks for each system or platform.

Testing

Verify the effectiveness of the implemented configurations through comprehensive testing and validation.

Monitoring

Regularly monitor systems and ensure ongoing compliance with the recommended security configurations.

Updates and Maintenance

Stay updated with the latest versions of CIS Benchmarks to address emerging threats and vulnerabilities and incorporate any necessary updates into your systems.

CIS Benchmark  Useful Resources

These resources provide additional information and tools to support the understanding and implementation of the CIS Benchmarks.

Now that we have covered the basics of CIS benchmarks let’s delve into how to run CIS Benchmarks in Kubeclarity.

KubeClarity: Configure CIS Benchmarking

To configure KubeClarity for running CIS benchmarks, follow these steps:

  1. Visit the KubeClarity GitHub repository.
  2. Clone or download the repository to your local machine.
  3. Open the "values.yaml" file in a text editor.
  4. Locate the section related to CIS benchmarks configuration. It can be found under a heading "cis-docker-benchmark-scanner ”
  5. Review the available options and parameters within the “values.yaml”configuration file.
  6. Customize the configuration based on your specific requirements. You can enable or disable specific CIS benchmarks, set thresholds, and define compliance levels.
  7. Save the changes to the configuration file.
  8. Deploy KubeClarity in your Kubernetes cluster by following the installation instructions in these EKS Install or KinD-based install blog posts.
  9. Once KubeClarity is up and running, it will automatically apply the configured CIS benchmarks and evaluate your Kubernetes cluster against them.
  10. Monitor the KubeClarity dashboard or view the generated reports to gain insights into your cluster's compliance with the CIS benchmarks.

By following these steps and customizing the CIS benchmarks configuration in the “values.yaml” file, you can effectively run and assess your Kubernetes cluster's adherence to the CIS benchmarks and evaluate fatal, info, and warning level findings.

Below are the key CIS configuration settings in the “values.yaml” file that are relevant:

cis-docker-benchmark-scanner:
    ## Docker Image values.
    docker:
      ## Use to overwrite the global docker params
      ##
      imageName: ""

    ## Scanner logging level (debug, info, warning, error, fatal, panic).
    logLevel: warning

    ## Timeout for the cis docker benchmark scanner job.
    timeout: "2m"

    resources:
      requests:
        memory: "50Mi"
        cpu: "50m"
      limits:
        memory: "1000Mi"
        cpu: "1000m"

KubeClarity UI to visualize CIS Benchmarks

The KubeClarity UI presents the CIS Benchmark results clearly and makes it convenient to identify areas of non-compliance and take necessary actions. By leveraging KubeClarity's UI, you can streamline the process of monitoring and enforcing CIS Benchmark adherence, ensuring that your Kubernetes environment meets the highest security standards.

CIS Benchmarks can be enabled post deployment with UI toggles as shown in this section. To enable the benchmarks, go to the runtime scanning pane and enable options as shown in Figure-2 below:

KubeClarity UI RunTime Scan_1
Figure-2:  KubeClarity UI Runtime Scan Options to Enable CIS Benchmarks

You can find the CIS Docker Benchmark toggle under on-demand scan options. Set CIS Benchmarking ON and save the options as seen in Figure-3 below. You can leave the Max Scan Parallelism at the current default value. This runtime scan configuration will ensure that KubeClarity performs CIS Benchmark checks during scanning, helping you maintain a secure and compliant Docker environment.

Enabling KubeClarity  CIS Benchmarks
Figure-3: Enabling KubeClarity  CIS Benchmarks Under Runtime Scan Options.

Start a scan, and after the scan is complete, you will notice the results in Figure-4 below:

Scan Results Reporting CIS Benchmarks
Figure-4: Scan Results Reporting CIS Benchmarks

To explore the specifics of the CIS benchmark, you can drill down further by applying filters, as shown in Figure-5. The filter will allow you to narrow down the results and focus on the specific aspects you are interested in. By leveraging the filtering capabilities, you can delve into the details of individual CIS benchmark checks, gaining a deeper understanding of your compliance status and identifying areas that require attention. Use the provided filters to navigate the CIS benchmark details and access the necessary information for your compliance analysis.

Enabling CIS Benchmark Filters on Scan Results
Figure 5:  Enabling CIS Benchmark Filters on Scan Results

After applying the filters on CIS Benchmarks, you will see updated counts of affected elements with CIS alerts, as seen in Figure-6:

 Affected Elements with CIS Benchmark Alerts
Figure-6: Affected Elements with CIS Benchmark Alerts

Click on the respective item to gain more insights into the alerts and understand the details of affected elements, applications, or application resources. You can access comprehensive information about the associated alerts by clicking on an affected element, application, or resource, including specific details, recommendations, and remediation steps as seen in Figure-7 below:

Detailed view of Application Resources with CIS Benchmark Alerts
Figure-7: Detailed view of Application Resources with CIS Benchmark Alerts

Next, click on a CIS benchmark to see a drill-down view of CIS Benchmarks and a detailed benchmark description, as shown in Figure-8 below. This deeper level of visibility enables you to investigate and address the alerts more effectively, ensuring the security and compliance of your Kubernetes environment.

Details Describing CIS Benchmarks
Figure-8: Details Describing CIS Benchmarks

Conclusion

And this concludes our exhilarating KubeClarity feature journey. Throughout this blog series, the goal was to provide you with enlightening insights and ensure you have a comprehensive understanding of the remarkable features and capabilities of KubeClarity. I hope this journey has intrigued you and inspired you to take the leap and experience KubeClarity firsthand.

NextUp

We will discuss how to contribute and get involved with KubeClarity.




Pallavi Kalapatapu is a Principal Engineer and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift.

Subscribe card background
Subscribe
Subscribe to
the Shift!

Get emerging insights on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

thumbnail
I
Subscribe
Subscribe
 to
The Shift
!
Get
emerging insights
on innovative technology straight to your inbox.

The Shift is Outshift’s exclusive newsletter.

Get the latest news and updates on cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations shaping the future of technology.

Outshift Background