Custom and Specific Checks

[nijdarshan]

Custom and Specific Checks

I have a requirement to scan my K8s clusters w.r.t a few CIS 1.6 benchmarks. And most of these checks align with the CIS benchmarks but there are few checks for which the configuration parameter (the flag) values have to be modified according to the requirement.

So, I wanted to understand the best way to modify a check or add a custom check and then install the kube-bench to scan the clusters. Also, with the above use case I'm not required to check for all the benchmarks, so what is the best advice to have these checks?

One thing I discovered was to use the -c flag, but I couldn't really see any example of it. Could you kindly please advise?

[nijdarshan]

Or do you suggest I go thru custom checks at Starboard?

[mozillazg]

@nijdarshan Hi, You can modify a check or add a custom check via the below steps:

1. download the cfg directory: https://github.com/aquasecurity/kube-bench/tree/main/cfg
2. modify checks or add some custom checks via modifying files under the cfg/cis-1.6 directory
3. run the kube-bench command with the --config-dir flag:

$ kube-bench run --config-dir </path/to/new/cfg/path> --benchmark cis-1.6

[mozillazg]

Looks like what you are saying does the job for me, but I have a feeling that https://github.com/aquasecurity is trying to get people to use Starboard more. So, I'd like to know your thoughts as well.

@chen-keinan What do you think about it?

[chen-keinan]

@nijdarshan depend which kink of tests you want to execute.
The custom checks in starboard (which now moved to trivy-operator)
are rego checks for k8s API.
If this is what you are looking for then trivy-operator is good choice.

[nijdarshan]

Thank you for getting back, there has been a change in the use case and since I have to scan the K8s cluster for misconfigurations, the ask is to scan the clusters without changing anything in the cluster. I have found tools which are either deployed in the cluster or installed on the nodes to do these checks, but I couldn't really find the one that could do it remotely except for kube-hunter but that's more like a pen-testing tool. I can do these things by writing a script, but is there any other way that this can be done efficiently?

So, I needed to know your thoughts on the same. @mozillazg and @chen-keinan

[nijdarshan]

These are Tanzu K8s clusters!

[mozillazg]

Thank you for getting back, there has been a change in the use case and since I have to scan the K8s cluster for misconfigurations, the ask is to scan the clusters without changing anything in the cluster. I have found tools which are either deployed in the cluster or installed on the nodes to do these checks, but I couldn't really find the one that could do it remotely except for kube-hunter but that's more like a pen-testing tool. I can do these things by writing a script, but is there any other way that this can be done efficiently?

@nijdarshan That is impossible to do a CIS Kubernetes benchmarks scan without changing anything in the cluster and nodes.