Product Name
CIS-CAT Pro Assessor v4
Product Version
v4.35.0+
Date
Problem
The CIS Amazon Elastic Kubernetes Service (EKS) Benchmark requires certain Linux environment variables to be in place before CIS-CAT Pro Assessor can conduct a scan successfully. If these are not set correctly, Recommendations in the report may contain unexpected Fail or Unknown results.
Info: As of and Amazon EKS Benchmark version 1.4.0, the “Worker Node Configuration Files” category does not yet feature any Artifact Expressions. Consequently, CIS-CAT Pro Assessor will not collect evidence data for these Recommendations and will return a “Manual” result for the applicable items.
Solution
Ensure that all other prerequisites (such as kubectl and the AWS CLI) are in place and properly configured as outlined in the CIS-CAT Pro Assessor Configuration Guide:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#amazon-elastic-kubernetes-service-eks-assessment
Then set the following environment variables on the system hosting Assessor:
export NODE_NAME=(node name)
Example: export NODE_NAME=ip-172-31-125-147.ec2.internal
export CLUSTER_NAME=(cluster name)
Example: export CLUSTER_NAME=eks-cluster-test-a1
export REGION_CODE=(region code)
Example: export REGION_CODE=us-east-1
When invoking Assessor, add the -E (or --preserve-env) parameter to sudo to retain the set values.
The below example will use the “Level 1 - Cluster / Control Plane” Profile:
sudo -E ./Assessor-CLI.sh -b "benchmarks/CIS_Amazon_Elastic_Kubernetes_Service_(EKS)_Benchmark_v1.4.0-xccdf.xml" -p "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Cluster__Control_Plane"
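A pre-flight check to run in the same shell before the sudo -E invocation, as an added example that is not part of the CIS documentation: it reports any of the three variables that is empty, not exported (sudo -E can only preserve exported variables), or malformed. The function name eks_env_problems and the character and region-shape patterns are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the variables the EKS Benchmark scan
# reads. Function name and validation patterns are assumptions.

# Prints one line per problem found; returns 0 only when nothing is wrong.
eks_env_problems() {
    problems=0
    for name in NODE_NAME CLUSTER_NAME REGION_CODE; do
        # Only the three fixed names above reach eval, so it is safe here.
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "$name: not set or empty"
            problems=$((problems + 1))
            continue
        fi
        # sudo -E preserves the environment only; a plain shell assignment
        # without export never reaches the Assessor process.
        if ! env | grep -q "^${name}="; then
            echo "$name: set in this shell but not exported"
            problems=$((problems + 1))
        fi
        # Assumed safe character set: letters, digits, dot, underscore, hyphen.
        case "$value" in
            *[!A-Za-z0-9._-]*)
                echo "$name: unexpected characters in '$value'"
                problems=$((problems + 1))
                continue ;;
        esac
        if [ "$name" = REGION_CODE ]; then
            # Assumed shape of a region code, e.g. us-east-1.
            case "$value" in
                [a-z][a-z]-*-[0-9]) ;;
                *)
                    echo "$name: '$value' does not look like a region code"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Source the file and run `eks_env_problems && sudo -E ./Assessor-CLI.sh ...` so the scan starts only when all three values are in the environment.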
Keywords: amazon eks