Monday, May 15, 2017

CIS Kubernetes and CIS Independent Linux Benchmark

The mission of the DevSec Hardening Framework is to provide users with the best content to stay secure across their infrastructure fleet. We started by providing hardening solutions written as Chef cookbooks, Puppet modules and Ansible roles. At the beginning of this year, we started to transform our testing suite into standalone InSpec baselines. Since then we have added more and more baselines, such as Nginx, TLS/SSL, OpenStack, MySQL and PostgreSQL.

We are happy to announce a major contribution by Kristian Vlaardingerbroek from Schuberg Philis. He wrote two new benchmarks and contributed them to our open source project:

  • CIS Kubernetes Benchmark
  • CIS Distribution Independent Linux Benchmark

We would like to thank Kristian and Schuberg Philis for their amazing work and their efforts to make security more accessible to the DevSec community.

Kubernetes


Kubernetes is one of the leading container orchestration platforms, created by Google and part of the CNCF. While our existing CIS Docker Benchmark verifies a single-node deployment, the Kubernetes profile verifies the container orchestration platform itself. DevSec users now have the ability to secure their containers in production. The benchmark uses InSpec, which lets you adapt and extend the profile to your needs via profile inheritance. A sample test in InSpec looks like this:

control 'cis-kubernetes-benchmark-1.1.4' do
  title 'Ensure that the --insecure-allow-any-token argument is not set'
  desc "
     Do not allow any insecure tokens
     Rationale: Accepting insecure tokens would allow any token without
     actually authenticating anything. User information is parsed from
     the token and connections are allowed.
  "
  impact 1.0

  tag cis: 'kubernetes:1.1.4'
  tag level: 1

  describe processes('kube-apiserver').commands.to_s do
    it { should_not match(/--insecure-allow-any-token/) }
  end
end
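The control above matches the raw command line with a regex. As an added example (not code from the DevSec profile), the Ruby snippet below parses the kube-apiserver flags so the bare, `=true` and `=false` forms of `--insecure-allow-any-token` are told apart, and puts the regex verdict next to the parsed one so the difference is visible. The command lines are constructed; only the bare `--flag` and `--flag=value` forms are handled, which is how static pod manifests normally write them.

```ruby
require 'shellwords'

# Parse a kube-apiserver command line into { flag_name => value }.
# Handles the two forms Go's pflag accepts for a boolean flag: bare
# "--flag" (meaning true) and "--flag=value". Assumes the "--flag=value"
# form for non-boolean flags, as static pod manifests normally write them.
def parse_flags(cmdline)
  flags = {}
  Shellwords.split(cmdline).drop(1).each do |tok|   # drop(1) skips the binary
    next unless tok.start_with?('--')
    name, value = tok[2..-1].split('=', 2)
    flags[name] = value.nil? ? 'true' : value
  end
  flags
end

# CIS Kubernetes 1.1.4: a finding when the flag is present and not explicitly
# false. An absent flag or "--insecure-allow-any-token=false" both leave the
# API server rejecting tokens it cannot authenticate.
def insecure_allow_any_token?(cmdline)
  value = parse_flags(cmdline)['insecure-allow-any-token']
  !value.nil? && value != 'false'
end

# The regex the InSpec control applies to processes(...).commands.to_s.
# It also fires on "=false", i.e. it fails closed rather than parsing.
def regex_check_fails?(cmdline)
  cmdline.match?(/--insecure-allow-any-token/)
end

# Constructed command lines (not captured from a real cluster).
SAMPLE_CMDLINES = {
  'clean'    => 'kube-apiserver --advertise-address=10.0.0.1 --secure-port=6443',
  'bare'     => 'kube-apiserver --insecure-allow-any-token --secure-port=6443',
  'explicit' => 'kube-apiserver --insecure-allow-any-token=true --secure-port=6443',
  'negated'  => 'kube-apiserver --insecure-allow-any-token=false --secure-port=6443'
}.freeze

# Report both verdicts side by side for each sample: [label, parsed, regex].
def audit_samples(samples = SAMPLE_CMDLINES)
  samples.map do |label, cmd|
    [label, insecure_allow_any_token?(cmd), regex_check_fails?(cmd)]
  end
end

if $PROGRAM_NAME == __FILE__
  audit_samples.each do |label, parsed, regex|
    puts format('%-8s parsed finding: %-5s regex finding: %s', label, parsed, regex)
  end
end
```

The `negated` sample is where the two approaches disagree: the parsed check passes it, while the profile's regex reports it as a failure.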

Please go ahead and try the CIS Kubernetes Benchmark. Like all other DevSec baselines, this profile is registered on the InSpec Supermarket, so you can use it directly:

# show all available profiles
inspec supermarket

# execute kubernetes benchmark locally
inspec exec supermarket://dev-sec/cis-kubernetes-benchmark

# execute kubernetes benchmark against an ssh target
inspec exec supermarket://dev-sec/cis-kubernetes-benchmark -t ssh://user@host:port -i /path/to/key

Please let us know your feedback and report any issues.

Independent Linux Benchmark

We see more and more workloads moving into containers. To secure Linux containers, DevSec has provided the Linux Baseline and SSH Baseline for a long time. With the addition of the CIS Distribution Independent Linux Benchmark we can now offer an industry benchmark as well. This profile is available via the InSpec Supermarket, too:

# show all available profiles
inspec supermarket

# execute linux benchmark locally
inspec exec supermarket://dev-sec/cis-linux-benchmark

# execute linux benchmark against an ssh target
inspec exec supermarket://dev-sec/cis-linux-benchmark -t ssh://user@host:port -i /path/to/key

# execute linux benchmark against a docker container
inspec exec supermarket://dev-sec/cis-linux-benchmark -t docker://container_id

We hope you enjoy the new capabilities.

Your DevSec Team
