Full disclosure - I work for Aqua (Kube-bench is one of our open source projects), but I'm also one of the authors of the CIS benchmark for Kubernetes, so I hopefully have some useful perspective there :)

The CIS benchmark is specifically a security hardening guide for general Kubernetes clusters, as well as specific distributions (OpenShift, AKS, EKS, GKE), so if you're looking for cluster hardening then it's hopefully a good route to look at. It's been in development for 5+ years now, so should have a reasonable set of checks (and we're always keen to hear of any gaps or mistakes). It's hard to directly compare it to some of the other frameworks that kubescape looks at (e.g. the NSA guide wasn't written with the same audience or scope in mind).

So in terms of which tool to use, I'd say try both :) There are differences in how they approach the problem and also differences in the scope of the standards they assess against. Which will work best for you likely depends on your role and goals. Another one I would recommend looking at, if you want to do scanning of workload manifests (e.g. deployments), is Trivy ( ) which has some cool IaC scanning features.

Hi, I am working for ARMO, the company behind Kubescape. Just noticed this post and wanted to add a few thoughts.

Indeed, CIS and NSA frameworks are not the same even though they have many checks in common. The NSA guidelines were published about 8 months ago and they bring very important aspects of Kubernetes cluster security understanding and maintenance. They help their audience to understand the context of every specific check, which is necessary especially when certain checks fail. It is always a human responsibility to decide what threat is posed by each failure and how to deal with them. Unfortunately, it is not always possible to fix all the flaws at once. Therefore, Kubescape provides continuous posture and container image scanning of a cluster, right where a solution is deployed. It offers several options to express customer-specific context via an exception mechanism, custom frameworks, individual namespace targeting etc. On top of this, Kubescape offers a SaaS service with chronological results management and assisted remediation, helping people to quickly fix or reduce the risk posed by the failed checks. These capabilities work across multiple current and future frameworks provided by Kubescape.

The Center for Internet Security (CIS) Benchmarks provide prescriptive configuration recommendations. They're commonly used to provide consistent hardening to a server fleet or a set of applications, and are distributed free of charge in PDF format for non-commercial use. These controls provide a consistent, validated baseline for system hardening for servers.

Containers differ from servers though. For example, the CIS Benchmark for Red Hat Enterprise Linux (RHEL) specifies a number of controls that need to be implemented for a system to be compliant, for example:

I don't need sudo in a container - in fact, it's better not to have it - but it's one of the required checks in the CIS benchmark. I also shouldn't have SSH exposed inside a container, presenting another attack surface.

CIS Benchmarks for Red Hat Enterprise Linux (RHEL)

So how are the CIS Benchmarks relevant for containers, if at all? Red Hat has provided the CIS Benchmark for Red Hat Enterprise Linux (RHEL) with the scap-security-guide RPM since RHEL 8.3. This provides a number of capabilities for organisations to adopt the CIS Benchmark for RHEL:

- An SCAP Extensible Configuration Checklist Description Format (XCCDF) checklist that can be used to scan systems for compliance with the benchmark.
- An Ansible playbook that can be used to remediate systems that have drifted.
- Integration with the RHEL Anaconda installer, allowing you to provision a system with the CIS Benchmark for RHEL already implemented.

Let's use the OpenSCAP tooling available with Red Hat Enterprise Linux (RHEL) to scan a system using the CIS benchmark. Firstly, you'll need to install the scap-security-guide and openscap-scanner RPMs. With those in place, oscap info shows what the RHEL 9 data stream contains:

$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Imported: T23:50:04
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
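As an added example (not code from the original article or from the scap-security-guide project), the OpenSCAP procedure above carried one step further: pick the CIS profile id out of the Profiles section that `oscap info` prints for the RHEL 9 data stream, then evaluate the system against it. The profile list embedded below is a constructed sample so the selection logic can be exercised without oscap installed; the `dnf` and `oscap` invocations are the standard ones, and the output file names are my choice.

```shell
#!/bin/sh
# Added example, not from the original article: select the CIS profile from
# the RHEL 9 SCAP source data stream and evaluate the system against it.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Step 1 from the article: the scanner and the content it consumes.
install_pkgs() {
    dnf -y install scap-security-guide openscap-scanner
}

# Filter `oscap info` output (stdin) down to profile ids containing a keyword.
# oscap prints each profile as a "Title:" line followed by an indented "Id:"
# line; awk's default field splitting ignores the leading whitespace.
profile_ids() {
    awk -v key="$1" '$1 == "Id:" && index($2, key) > 0 { print $2 }'
}

# Constructed sample of the Profiles section of `oscap info`, used so the
# selection logic runs on a machine without oscap installed.
SAMPLE_INFO='Profiles:
    Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
        Id: xccdf_org.ssgproject.content_profile_cis
    Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
        Id: xccdf_org.ssgproject.content_profile_cis_server_l1
    Title: DISA STIG for Red Hat Enterprise Linux 9
        Id: xccdf_org.ssgproject.content_profile_stig'

# First CIS profile id found in the sample.
sample_cis_profile() {
    printf '%s\n' "$SAMPLE_INFO" | profile_ids cis | head -n 1
}

# Number of CIS profiles in the sample (the STIG profile must not match).
sample_cis_count() {
    printf '%s\n' "$SAMPLE_INFO" | profile_ids cis | wc -l | tr -d ' '
}

# Real scan: look the profile up in the installed data stream, then evaluate.
# oscap exits 0 when every rule passes, 2 when some rules fail, 1 on error.
scan_cis() {
    profile=$(oscap info "$DS" | profile_ids cis | head -n 1)
    [ -n "$profile" ] || { echo "no CIS profile in $DS" >&2; return 1; }
    oscap xccdf eval --profile "$profile" \
        --results-arf arf.xml --report report.html "$DS"
}
```

Run `install_pkgs` once as root, then `scan_cis`; report.html lists each failed rule with the benchmark's rationale, and arf.xml is the machine-readable result for your compliance tooling.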