Introducing Policies for CIS Benchmarks
CIS Benchmarks, a set of cybersecurity best practices, is now a standard at Magalix. We’ve mapped CIS Benchmark controls to Magalix Policies so that you can sort, filter, and group by this standard. Check your cluster’s security posture against the CIS Benchmark alongside the existing PCI DSS and MITRE ATT&CK standards.
Also included with this release is an update to our Reporting module. Generate reports based on CIS Benchmark compliance and use those same Policies to help your organization shift security left. Understand which controls are in violation, which entities are violating them, and what remediation steps are.
Running a CIS Benchmarks tool against a cluster (or hundreds of clusters) is something a lot of people do as soon as they first hear about the CIS Benchmark. The urgency stems from what the output of these tools can tell them about their cluster in regards to overall best practices. Before getting into a deeper dive of our CI Benchmark Policies, let’s dive deeper into CIS Benchmarks and what it means for Kubernetes.
Understanding the CIS Kubernetes Benchmarks
The Center for Internet Security (CIS), established in 2000, is a non-profit organization driven by a global IT community with a mission of “identifying, developing, validating, promoting, and sustaining best practices for cyber defense.”
For a strong security posture, the CIS has put forward a set of recommendations, CIS Benchmarks, for configuring Kubernetes to minimize the risk of security breaches due to misconfigurations.
The CIS Benchmarks for Kubernetes best practices is an excellent first step for organizations to secure their infrastructure, harden their Kubernetes environments, and provides prescriptive guidance for establishing a secure configuration posture.
Recommendations sections are categorized by:
- Control Plane Components: recommended configuration settings of the Kubernetes control plane including the master node, API server, controller manager, and scheduler.
- Etcd: includes recommended settings for etcd configuration.
- Control Plane Configuration: a set of recommendations spanning user certificate authentication, minimal audit policy, and audit policy coverage.
- Worker Nodes: Various recommendations for securing configuration files and definng specific configuration settings for the Kubelet on worker nodes.
- Policies: a specific set of recommended policies for Kubernetes elements like RBAC and Service Accounts, Pod Security Policies, and Network Policies.
Brief Facts about CIS Benchmarks:
- The benchmarks are not a regulatory requirement, yet compliance frameworks point to them as the industry standard.
- They are developed by a group of global cyber security professionals and subject matter experts.
- It’s the only best-practice security configuration guide both developed and accepted by governments, business, industry, and academia.
The CIS Benchmarks Policies
The CIS Benchmarks policy pack saves teams time and resources to secure their infrastructure and meet the regulatory requirements. By running these policies against your cluster(s), organizations can understand which controls are in violation, which entities are violating them, and what needs to be done to harden the environment.
“Securing infrastructure and keeping it compliant is a complex task. Our goal at Magalix is to help teams stay on top of their infrastructure security initiatives without impacting their agility. CIS is considered a gold standard when it comes to securing apps and infrastructure. We have been consulting with our partners to implement comprehensive policies covering the CIS to give teams confidence in their infrastructure security posture” said Mohamed Ahmed, Magalix founder and CEO.
Sample of the included policies
- Ensuring default service accounts.
- Prevent Containers running with certain Linux capabilities enabled.
- Prevent Containers running in PrivilegedMode.
- Prevent Containers running with PrivilegeEscalation.
- Prevent Containers running as root.
- Ensure that all Namespaces have Network Policies defined.
- SecurityContexts are missing and can be auto-autoed
- The default namespace should not be used.
“CIS Benchmarks are a de facto standard for checking compliance against security best practices. By adding CIS policies to Magalix ever-increasing library of policy standards, we aim to provide our customers with a quick way to assess their compliance posture using one of the best-known standards in the industry. This allows our customers to continue to be productive and agile while having peace of mind and guarantees about the compliance and security of their infrastructure”
Ahmed Badran, Magalix co-founder and CTO.
CIS Policies Reporting
With this update comes a new report designed specifically to hasten your understanding of a cluster’s CIS Benchmark status. Mapping our Policies to Controls pinpoints the root cause of a violation so you can see which entities need to be assessed.
Clicking on a Control directs to a Policies page that then can be further expanded to see which entities are causing these violations. Custom policies can also be added to any standard.
Magalix Policy Enforcement Platform has 100s out-of-the-box policies and templates - PCI DSS, Application-Based Policies, and MITRE ATT&CK - enabling companies to hit the ground running.
Check Magalix Docs and learn what Magalix is, how to get started using it, and reference materials for its features and supported cloud providers.
back
3 mins read
Comments and Responses