This is the last blog post covering KubeClarity features in this series. As a recap of our journey so far, we have covered the KubeClarity internals, installation, architecture, multi-SBOMs, multi-scanners, and runtime scans. This blog will explore CIS Benchmarks, their significance, why organizations should implement them, and how KubeClarity can help.
In the realm of software supply chain and cyber security best practices, CIS Benchmarks play a vital role in ensuring the security and compliance of IT systems. Developed by the Center for Internet Security (CIS), these benchmarks provide industry-recognized guidelines and recommendations for securing systems, networks, and software applications.
CIS Benchmarks are consensus-based guidelines that outline recommended security configurations and settings for various technology platforms, including operating systems, databases, web servers, and more.
To implement CIS Benchmarks effectively, organizations should consider the following steps:

1. Evaluate the relevant CIS Benchmarks applicable to your organization’s technology platforms and systems.
2. Implement the recommended security configurations provided in the CIS Benchmarks for each system or platform.
3. Verify the effectiveness of the implemented configurations through comprehensive testing and validation.
4. Regularly monitor systems and ensure ongoing compliance with the recommended security configurations.
5. Stay updated with the latest versions of CIS Benchmarks to address emerging threats and vulnerabilities, and incorporate any necessary updates into your systems.
These resources provide additional information and tools to support the understanding and implementation of the CIS Benchmarks.
Now that we have covered the basics of CIS Benchmarks, let’s delve into how to run CIS Benchmarks in KubeClarity.
To configure KubeClarity for running CIS benchmarks, follow these steps:
By following these steps and customizing the CIS benchmarks configuration in the “values.yaml” file, you can effectively run and assess your Kubernetes cluster’s adherence to the CIS benchmarks and evaluate fatal, info, and warning level findings.
Below are the key CIS configuration settings in the “values.yaml” file that are relevant:
```yaml
cis-docker-benchmark-scanner:
  ## Docker Image values.
  docker:
    ## Use to overwrite the global docker params
    ## imageName: ""
  ## Scanner logging level (debug, info, warning, error, fatal, panic).
  logLevel: warning
  ## Timeout for the cis docker benchmark scanner job.
  timeout: "2m"
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "1000Mi"
      cpu: "1000m"
```
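A misconfigured scanner section (an unknown log level, a timeout the job controller cannot parse, or limits below requests) typically surfaces only as a scanner job that never produces results. The script below is an added example, not KubeClarity code, that sanity-checks the settings shown above before they are applied with Helm. It embeds the values fragment as a constructed sample and uses a small hand-written parser for this nested-map subset so that it runs without a YAML library; the `docker:` key, which carries only a commented-out `imageName`, is read as an empty map. The quantity conversions (`m` millicores, `Mi`/`Gi` memory) follow Kubernetes resource notation; the duration check is a simplified form of Go's `time.ParseDuration` grammar.

```python
import re

# Constructed sample: the cis-docker-benchmark-scanner section of a KubeClarity
# Helm values.yaml as quoted in the post (comment lines use "##").
SAMPLE_VALUES = """\
cis-docker-benchmark-scanner:
  ## Docker Image values.
  docker:
    ## Use to overwrite the global docker params
    ## imageName: ""
  ## Scanner logging level (debug, info, warning, error, fatal, panic).
  logLevel: warning
  ## Timeout for the cis docker benchmark scanner job.
  timeout: "2m"
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "1000Mi"
      cpu: "1000m"
"""

VALID_LOG_LEVELS = {"debug", "info", "warning", "error", "fatal", "panic"}
# Simplified Go duration: one or more integer+unit groups, e.g. "2m", "1h30m".
GO_DURATION = re.compile(r"^(\d+(ms|h|m|s))+$")


def parse_simple_yaml(text):
    """Hypothetical helper: parses only nested maps of scalar values, with
    indentation as structure and '#' comments ignored. Use a real YAML
    library (e.g. PyYAML) for arbitrary values files."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while indent <= stack[-1][0]:   # leave any deeper/sibling maps
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # "key:" with no scalar opens a sub-map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def to_millicores(q):
    """'50m' -> 50; '1' -> 1000 (Kubernetes CPU quantity)."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def to_bytes(q):
    """'50Mi' -> 52428800 (Kubernetes binary-suffix memory quantity)."""
    for suffix, mult in (("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3)):
        if q.endswith(suffix):
            return int(q[: -len(suffix)]) * mult
    return int(q)


def check_scanner_values(text):
    """Return a list of findings for the cis-docker-benchmark-scanner section;
    an empty list means the settings look consistent."""
    findings = []
    s = parse_simple_yaml(text).get("cis-docker-benchmark-scanner", {})
    if s.get("logLevel") not in VALID_LOG_LEVELS:
        findings.append(f"logLevel {s.get('logLevel')!r} not in {sorted(VALID_LOG_LEVELS)}")
    if not GO_DURATION.match(s.get("timeout", "")):
        findings.append(f"timeout {s.get('timeout')!r} is not a Go duration like '2m'")
    res = s.get("resources", {})
    req, lim = res.get("requests", {}), res.get("limits", {})
    if "cpu" in req and "cpu" in lim and to_millicores(req["cpu"]) > to_millicores(lim["cpu"]):
        findings.append(f"cpu request {req['cpu']} exceeds limit {lim['cpu']}")
    if "memory" in req and "memory" in lim and to_bytes(req["memory"]) > to_bytes(lim["memory"]):
        findings.append(f"memory request {req['memory']} exceeds limit {lim['memory']}")
    return findings


if __name__ == "__main__":
    for f in check_scanner_values(SAMPLE_VALUES) or ["no findings"]:
        print(f)
```

Run it against an edited copy of `values.yaml` before `helm upgrade`; the request/limit comparison is the check most often missed, because the scheduler rejects a pod whose requests exceed its limits and the benchmark job then silently never runs.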
The KubeClarity UI presents the CIS Benchmark results clearly and makes it convenient to identify areas of non-compliance and take necessary actions. By leveraging KubeClarity’s UI, you can streamline the process of monitoring and enforcing CIS Benchmark adherence, ensuring that your Kubernetes environment meets the highest security standards.
CIS Benchmarks can also be enabled post-deployment with UI toggles, as shown in this section. To enable the benchmarks, go to the runtime scanning pane and enable the options as shown in Figure-2 below:
You can find the CIS Docker Benchmark toggle under on-demand scan options. Set CIS Benchmarking ON and save the options as seen in Figure-3 below. You can leave the Max Scan Parallelism at the current default value. This runtime scan configuration will ensure that KubeClarity performs CIS Benchmark checks during scanning, helping you maintain a secure and compliant Docker environment.
Start a scan, and after the scan is complete, you will notice the results in Figure-4 below:
To explore the specifics of the CIS benchmark, you can drill down further by applying filters, as shown in Figure-5. The filter will allow you to narrow down the results and focus on the specific aspects you are interested in. By leveraging the filtering capabilities, you can delve into the details of individual CIS benchmark checks, gaining a deeper understanding of your compliance status and identifying areas that require attention. Use the provided filters to navigate the CIS benchmark details and access the necessary information for your compliance analysis.
After applying the filters on CIS Benchmarks, you will see updated counts of affected elements with CIS alerts, as seen in Figure-6:
Click on the respective item to gain more insights into the alerts and understand the details of affected elements, applications, or application resources. You can access comprehensive information about the associated alerts by clicking on an affected element, application, or resource, including specific details, recommendations, and remediation steps as seen in Figure-7 below:
Next, click on a CIS benchmark to see a drill-down view of CIS Benchmarks and a detailed benchmark description, as shown in Figure-8 below. This deeper level of visibility enables you to investigate and address the alerts more effectively, ensuring the security and compliance of your Kubernetes environment.
And this concludes our exhilarating KubeClarity feature journey. Throughout this blog series, the goal was to provide you with enlightening insights and ensure you have a comprehensive understanding of the remarkable features and capabilities of KubeClarity. I hope this journey has intrigued you and inspired you to take the leap and experience KubeClarity firsthand.
We will discuss how to contribute and get involved with KubeClarity.
Pallavi Kalapatapu is a Principal Engineer and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift.