Automated CIS Benchmark Scanning

[Rotfuks]

Motivation

In the past we have done some CIS Benchmark tests in order to see how "secure" our platform is compared to that benchmark. In order to get a continuous picture about this benchmark we have to create automations that check our platform on a regular basis and result in a fresh list of findings/issues.

Todo

• [ ] Create an automation pipeline that runs regular CIS benchmark tests
  • For a start a time based trigger for these checks (ie. once a month) should be enough
  • For a start just an alert with the findings as a list should be enough
• [ ] Run the pipeline to get a fresh set of Benchmark Test Results

Outcome

• We have regular CIS Benchmark tests run against our kubernetes platform
• We have a updated list of findings that we can work on

[stone-z]

FYI the scanning automation piece here does not need to be implemented. Trivy Operator will generate CIS and other benchmarks (NSA/DISA) reports in clusters where it is deployed. These reports are collected from MCs already, and it would be possible to collect them also from workload clusters during testing