Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS-CAT Pro Assessor v4

Product Version

v4.*35.0+

Date



Problem

The CIS Amazon Elastic Kubernetes Service (EKS) Benchmark requires certain Linux environment variables to be in place before CIS-CAT Pro Assessor can conduct a scan successfully. If these are not set correctly, Recommendations in the report may contain unexpected Fail or Unknown results.

Info

As of and Amazon EKS Benchmark version 1.4.0, the “Worker Node Configuration Files“ category does not yet feature any Artifact Expressions. Consequently, CIS-CAT Pro Assessor will not collect evidence data for these Recommendations and return a “Manual” result for the applicable items.

Solution

Ensure that all other prerequisites (such as kubectl and the AWS CLI) are in place and properly configured as outlined in the CIS-CAT Pro Assessor Configuration Guide:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#amazon-elastic-kubernetes-service-eks-assessment

Then set the following environment variables on the system hosting Assessor:

  • export NODE_NAME=(node name)

    • Example: export NODE_NAME=ip-172-31-125-147.ec2.internal

  • export CLUSTER_NAME=(cluster name)

    • Example: export CLUSTER_NAME=eks-cluster-test-a1

  • export REGION_CODE=(region code)

    • Example: export REGION_CODE=us-east-1

When invoking Assessor, add the -E (or --preserve-env) parameter to sudo to retain the set values.
The below example will use the “Level 1 - Cluster / Control Plane” Profile:

Code Block
sudo -E ./Assessor-CLI.sh -b "benchmarks/CIS_Amazon_Elastic_Kubernetes_Service_(EKS)_Benchmark_v1.4.0-xccdf.xml" -p "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Cluster__Control_Plane"

Keywords; amazon eks

Content by Label

Filter by label (Content by label)
showLabelsfalse
showSpacefalse
cqllabel = "sbp_fer"

Copyright © 2024

Center for Internet Security®


Page Properties
hiddentrue

Action

Name(s)

Date

Linked ticket

Jira Legacy
serverSystem Jira
serverIdb90ca2a8-9df7-3869-89db-c424866c1b16
keySUPPORT-32067

Created by

Allan Cornwell

Reviewed by

SBP Product Technical Support Team (Amanda McGown Allan Cornwell Andrew Dannenberger Nick Romanzo Parami Swenson (Unlicensed))

Approved by

Amanda McGown

Remove by