Published on 07/03/2023
Last updated on 04/12/2024

KubeClarity: Implementing CIS Benchmarks for stronger software supply chain security


KubeClarity Lean into Software Chain Security Series

https://github.com/openclarity/kubeclarity

This is the last blog post covering KubeClarity features in this series on leaning into software supply chain security. To recap our journey so far, we have covered KubeClarity internals, installation, architecture, multi-SBOM and multi-scanner support, and runtime scans.

This blog will explore CIS Benchmarks, their significance, why organizations should implement them, and how KubeClarity can help.


Figure-1: KubeClarity CIS Benchmarks Integration

Understanding CIS Benchmarks

Within software supply chain and cyber security best practices, CIS Benchmarks play a vital role in ensuring the security and compliance of IT systems. Developed by the Center for Internet Security (CIS), these benchmarks provide industry-recognized guidelines and recommendations for securing systems, networks, and software applications.

CIS Benchmarks are consensus-based guidelines that outline recommended security configurations and settings for various technology platforms, including operating systems, databases, web servers, and more.

The importance of CIS Benchmarks

  • CIS Benchmarks are developed through collaboration and input from subject matter experts and vendors.
  • Implementing CIS Benchmarks enhances security by reducing the attack surface and improving overall posture.
  • They help organizations meet compliance requirements and align with industry best practices.
  • CIS Benchmarks mitigate common security threats by addressing vulnerabilities and weaknesses.
  • Implementing CIS Benchmarks saves time and cost by leveraging pre-defined security configurations.
  • Following CIS Benchmarks demonstrates industry recognition and credibility.
  • Steps for implementing CIS Benchmarks include assessment, configuration, testing, monitoring, and updates.
  • Regularly monitoring and maintaining compliance with CIS Benchmarks is crucial.

Ultimately, CIS benchmarking helps organizations align with their industry's best practices and gives them the clarity they need to understand their current security status.

5 steps to implementing CIS Benchmarks

To implement CIS Benchmarks effectively, organizations should consider the following steps:

Assessment

Evaluate the relevant CIS Benchmarks applicable to your organization's technology platforms and systems.

Configuration

Implement the recommended security configurations provided in the CIS Benchmarks for each system or platform.

Testing

Verify the effectiveness of the implemented configurations through comprehensive testing and validation.

Monitoring

Regularly monitor systems and ensure ongoing compliance with the recommended security configurations.

Updates and maintenance

Stay updated with the latest versions of CIS Benchmarks to address emerging threats and vulnerabilities and incorporate any necessary updates into your systems.

CIS Benchmarking: Useful resources

Looking for more helpful information and best practices for CIS benchmarks? Here are a few resources you can explore:

These resources provide additional information and tools to support the understanding and implementation of the CIS Benchmarks.

Now that we have covered the basics of CIS Benchmarks, let's look at how to run them in KubeClarity.

KubeClarity: Configure CIS Benchmarking

To configure KubeClarity for running CIS benchmarks, follow these steps:

  1. Visit the KubeClarity GitHub repository.
  2. Clone or download the repository to your local machine.
  3. Open the "values.yaml" file in a text editor.
  4. Locate the section for CIS benchmark configuration. It is found under the "cis-docker-benchmark-scanner" key.
  5. Review the available options and parameters within the "values.yaml" configuration file.
  6. Customize the configuration based on your specific requirements. You can enable or disable specific CIS benchmarks, set thresholds, and define compliance levels.
  7. Save the changes to the configuration file.
  8. Deploy KubeClarity in your Kubernetes cluster by following the installation instructions in these EKS Install or KinD-based install blog posts.
  9. Once KubeClarity is up and running, it will automatically apply the configured CIS benchmarks and evaluate your Kubernetes cluster against them.
  10. Monitor the KubeClarity dashboard or view the generated reports to gain insights into your cluster's compliance with the CIS benchmarks.

By following these steps and customizing the CIS benchmarks configuration in the "values.yaml" file, you can run the benchmarks against your Kubernetes cluster, assess its adherence to them, and review the fatal-, info-, and warning-level findings.

The CIS scanner settings in the "values.yaml" file that are relevant here are shown below:

cis-docker-benchmark-scanner:
    ## Docker Image values.
    docker:
      ## Use to overwrite the global docker params
      ##
      imageName: ""

    ## Scanner logging level (debug, info, warning, error, fatal, panic).
    logLevel: warning

    ## Timeout for the cis docker benchmark scanner job.
    timeout: "2m"

    resources:
      requests:
        memory: "50Mi"
        cpu: "50m"
      limits:
        memory: "1000Mi"
        cpu: "1000m"
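As an added example (not code from the KubeClarity project), the following lints the scanner block above before a Helm deployment: it parses the settings, checks logLevel against the levels listed in the values.yaml comment, checks that the timeout looks like a Go-style duration (an assumption about the field's format), and checks that each resource request does not exceed its limit, which the Kubernetes API server rejects. The YAML parser covers only the simple nested key/value subset shown here; a real values file would be loaded with PyYAML.

```python
import re

# Constructed copy of the cis-docker-benchmark-scanner block from values.yaml (comments dropped).
VALUES = """cis-docker-benchmark-scanner:
    docker:
      imageName: ""
    logLevel: warning
    timeout: "2m"
    resources:
      requests:
        memory: "50Mi"
        cpu: "50m"
      limits:
        memory: "1000Mi"
        cpu: "1000m"
"""
LOG_LEVELS = {"debug", "info", "warning", "error", "fatal", "panic"}  # levels listed in the values.yaml comment
UNITS = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def parse_values(text):  # tiny parser for the nested key/value subset of YAML used above (no lists)
    root, stack = {}, []                          # stack: (indent, mapping) for each open level
    for line in filter(str.strip, (ln.split("#", 1)[0].rstrip() for ln in text.splitlines())):
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and indent <= stack[-1][0]:   # a dedent closes the nested mappings above it
            stack.pop()
        parent = stack[-1][1] if stack else root
        if not value.strip():                     # bare "key:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:                                     # scalar; imageName: "" stays an empty string
            parent[key] = value.strip().strip('"')
    return root

def quantity(q):  # Kubernetes quantity ("50Mi", "1000m") -> float in base units, None if malformed
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(\w*)", q or "")
    return float(m.group(1)) * UNITS[m.group(2)] if m and m.group(2) in UNITS else None

def lint(text):  # problems in the scanner block; an empty list means the values are consistent
    cfg = parse_values(text).get("cis-docker-benchmark-scanner", {})
    res, problems = cfg.get("resources", {}), []
    if cfg.get("logLevel") not in LOG_LEVELS:
        problems.append(f"logLevel {cfg.get('logLevel')!r} is not one of {sorted(LOG_LEVELS)}")
    if not re.fullmatch(r"(\d+(ms|s|m|h))+", cfg.get("timeout", "")):   # Go duration (assumed format)
        problems.append(f'timeout {cfg.get("timeout")!r} is not a duration such as "2m"')
    for r in ("memory", "cpu"):                   # the API server rejects a request above its limit
        req, lim = quantity(res.get("requests", {}).get(r)), quantity(res.get("limits", {}).get(r))
        if req is None or lim is None or req > lim:
            problems.append(f"resources.{r}: request/limit missing, malformed, or request above limit")
    return problems
```

Call lint() on the scanner block of your own values file; an empty list means the block is consistent, otherwise each entry names the key to fix.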

KubeClarity UI to visualize CIS Benchmarks

The KubeClarity UI presents the CIS Benchmark results clearly and makes it convenient to identify areas of non-compliance and take necessary actions. By leveraging KubeClarity's UI, you can streamline the process of monitoring and enforcing CIS Benchmark adherence, ensuring that your Kubernetes environment meets the highest security standards.

CIS Benchmarks can also be enabled post-deployment with UI toggles, as shown in this section. To enable the benchmarks, go to the runtime scanning pane and enable the options shown in Figure-2 below:


Figure-2: KubeClarity UI Runtime Scan Options to Enable CIS Benchmarks

You can find the CIS Docker Benchmark toggle under on-demand scan options. Set CIS Benchmarking ON and save the options as seen in Figure-3 below. You can leave the Max Scan Parallelism at the current default value. This runtime scan configuration will ensure that KubeClarity performs CIS Benchmark checks during scanning, helping you maintain a secure and compliant Docker environment.


Figure-3: Enabling KubeClarity CIS Benchmarks Under Runtime Scan Options

Start a scan, and after the scan is complete, you will notice the results in Figure-4 below:


Figure-4: Scan Results Reporting CIS Benchmarks

To explore the specifics of the CIS benchmark, you can drill down further by applying filters, as shown in Figure-5. The filter will allow you to narrow down the results and focus on the specific aspects you are interested in. 

By leveraging the filtering capabilities, you can delve into the details of individual CIS benchmark checks, gaining a deeper understanding of your compliance status and identifying areas that require attention. Use the provided filters to navigate the CIS benchmark details and access the necessary information for your compliance analysis.


Figure-5: Enabling CIS Benchmark Filters on Scan Results

After applying the filters on CIS Benchmarks, you will see updated counts of affected elements with CIS alerts, as seen in Figure-6:


Figure-6: Affected Elements with CIS Benchmark Alerts

Click on the respective item to gain more insights into the alerts and understand the details of affected elements, applications, or application resources. You can access comprehensive information about the associated alerts by clicking on an affected element, application, or resource, including specific details, recommendations, and remediation steps as seen in Figure-7 below:


Figure-7: Detailed view of Application Resources with CIS Benchmark Alerts

Next, click on a CIS benchmark to see a drill-down view of CIS Benchmarks and a detailed benchmark description, as shown in Figure-8 below. This deeper level of visibility enables you to investigate and address the alerts more effectively, ensuring the security and compliance of your Kubernetes environment.


Figure-8: Details Describing CIS Benchmarks

CIS Benchmarks made possible through KubeClarity

And this concludes our exhilarating KubeClarity feature journey. Throughout this KubeClarity blog series, the goal was to provide you with enlightening insights and ensure you have a comprehensive understanding of the remarkable features and capabilities of KubeClarity. I hope this journey has intrigued you and inspired you to take the leap and experience KubeClarity firsthand.

If you want to brush up on your KubeClarity knowledge, we recommend you check out the following posts in this series:

Next up

Learn how to contribute and get involved with KubeClarity.


Pallavi Kalapatapu is a Principal Engineer and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift.
