Product Name
CIS-CAT Pro Assessor v4
Product Version
v4.*
Date
Problem
The CIS Amazon Elastic Kubernetes Service (EKS) Benchmark requires certain Linux environment variables to be in place before CIS-CAT Pro Assessor can conduct a scan successfully. If these are not set correctly, Recommendations in the report may contain unexpected Fail or Unknown results.
Solution
Ensure that all other prerequisites (such as kubectl and the AWS CLI) are in place and properly configured as outlined in the CIS-CAT Pro Assessor Configuration Guide:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#amazon-elastic-kubernetes-service-eks-assessment
Then set the following environment variables on the system hosting Assessor:
export NODE_NAME=(node name) (ex. ip-172-31-125-147.ec2.internal)
export CLUSTER_NAME=(cluster name) (ex. eks-cluster-test-a1)
export REGION_CODE=(region code) (ex. us-east-1)
When invoking Assessor, add the -E (or --preserve-env) parameter to sudo to retain the set values.
The example below uses the “Level 1 - Cluster / Control Plane” Profile:
sudo -E ./Assessor-CLI.sh -b "benchmarks/CIS_Amazon_Elastic_Kubernetes_Service_(EKS)_Benchmark_v1.4.0-xccdf.xml" -p "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Cluster__Control_Plane"
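A preflight check for the three variables above, as an added example that is not part of this article or of CIS-CAT Pro Assessor. The function names eks_var_status and eks_preflight are hypothetical; the check flags variables that are unset, still hold a literal "(placeholder)", or were assigned without export and so cannot be passed on by sudo -E.

```shell
#!/bin/sh
# Added example (not CIS code). Source this file in the shell that will
# run Assessor; function names are hypothetical.

# Variables the article says the EKS benchmark needs on the Assessor host.
EKS_REQUIRED_VARS="NODE_NAME CLUSTER_NAME REGION_CODE"

# Print the state of one variable: ok, unset, placeholder or not-exported.
eks_var_status() {
    eks_name=$1
    eval "eks_value=\${$eks_name:-}"
    case "$eks_value" in
        "")     echo unset; return ;;
        \(*\))  echo placeholder; return ;;  # e.g. "(node name)" copied literally
    esac
    # env is a child process, so it only sees exported variables,
    # which is also all that sudo -E can hand to Assessor.
    if env | grep "^${eks_name}=" >/dev/null; then
        echo ok
    else
        echo not-exported
    fi
}

# Report every required variable; return 1 if any is not ready for a scan.
eks_preflight() {
    eks_rc=0
    for eks_var in $EKS_REQUIRED_VARS; do
        eks_state=$(eks_var_status "$eks_var")
        printf '%-13s %s\n' "$eks_var" "$eks_state"
        [ "$eks_state" = ok ] || eks_rc=1
    done
    return $eks_rc
}

eks_preflight || echo "Fix the variables above before running sudo -E ./Assessor-CLI.sh" >&2
```

Source the file in the same shell session that will run Assessor, since a separate script process cannot see variables that were assigned without export. sudo honors -E only when the sudoers policy allows preserving the environment (the setenv option or SETENV tag); otherwise it rejects the request.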