This topic describes the different benchmarks used for scanning in Compliance Scanner for VMware Tanzu.
When configuring Compliance Scanner, you choose which benchmarks you want. Benchmarks determine which tests are run by the scanner.
Compliance Scanner offers four scanning benchmarks:
- Base Xenial
- CIS Ubuntu Linux 16.04 LTS - Level 1
- CIS Ubuntu Linux 16.04 LTS - Level 2
- CIS Ubuntu Linux 22.04 LTS - Level 1
- CIS Ubuntu Linux 22.04 LTS - Level 2
- STIG for Ubuntu Xenial
- TKGI CIS Master Node
- TKGI CIS Worker Node
- TKGI STIG Master Node
- TKGI STIG Worker Node
- STIG for Ubuntu Jammy
Base Xenial
This benchmark is a subset of the full STIG benchmark.
The Base Xenial does not include the STIG tests that fail because of differences between the Xenial stemcells and standard Ubuntu Server image.
Because the removed failed tests do not threaten the security of the system, the remaining tests in the Base Xenial benchmark are a baseline for unaltered stemcells. Use this benchmark to see if the configurations have been further modified.
For information about the STIG benchmark, see STIG for Ubuntu Xenial below.
CIS Ubuntu Linux 16.04 LTS - Level 1
The CIS Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.
CIS Ubuntu Linux 16.04 LTS - Level 2
The CIS Level 2 profile is considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately and with due care.
CIS Ubuntu Linux 22.04 LTS - Level 1
The CIS Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.
CIS Ubuntu Linux 22.04 LTS - Level 2
The CIS Level 2 profile is considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately and with due care.
STIG for Ubuntu Xenial
This benchmark contains tests outlined in the Ubuntu 16.04 (Xenial) Security Technical Implementation Guide (STIG) published by the Defense Information Systems Agency (DISA). This benchmark contains the full Ubuntu 16.04 (Xenial) Security Technical Implementation Guide (STIG) set of tests.
This benchmark targets a standard Ubuntu Server. When it is applied to stemcells, certain tests fail for the following reasons:
- The file path specified in the tests is different on the stemcell.
- The failed test is specific to a standard Ubuntu Server image, but is not applicable to a stemcell.
- The failed test adheres to a lower security standard than what is verified with the stemcell.
To address failures of the first type, the bundled tests have been updated to reflect the paths used by stemcells. These changes do not compromise the integrity of the tests themselves. The remaining failing tests that highlight stemcell differences can help auditors assess their security posture.
For more information about the Canonical Ubuntu 16.04 LTS STIG guide, use the following link to download a ZIP file of the Department of Defense’s documentation.
TKGI CIS Master Node
This benchmark contains tests of the published CIS Kubernetes Benchmark for Control Plane Components, etcd, and Control Plane Configuration.
This benchmark includes the CIS Level 1 and CIS Level 2 profile.
This benchmark targets TKGI clusters.
TKGI CIS Worker Node
This benchmark contains tests of the published CIS Kubernetes Benchmark for Worker Nodes.
This benchmark includes the CIS Level 1 and CIS Level 2 profile.
This benchmark targets TKGI clusters.
TKGI STIG Master Node
This benchmark contains tests of the published Defense Information Systems Agency (DISA) Kubernetes Benchmark for Control Plane Components, etcd, and Control Plane Configuration.
This benchmark targets TKGI clusters.
TKGI STIG Worker Node
This benchmark contains tests of the published Defense Information Systems Agency (DISA) Kubernetes Benchmark for Worker Nodes.
This benchmark targets TKGI clusters.
STIG for Ubuntu Jammy
This benchmark contains tests outlined in the Ubuntu 22.04 (Jammy) Security Technical Implementation Guide (STIG) published by the Defense Information Systems Agency (DISA). This benchmark contains the full Ubuntu 22.04 (Jammy) Security Technical Implementation Guide (STIG) set of tests.
This benchmark targets a standard Ubuntu Server. When it is applied to stemcells, certain tests fail for the following reasons:
- The file path specified in the tests is different on the stemcell.
- The failed test is specific to a standard Ubuntu Server image, but is not applicable to a stemcell.
- The failed test adheres to a lower security standard than what is verified with the stemcell.
To address failures of the first type, the bundled tests have been updated to reflect the paths used by stemcells. These changes do not compromise the integrity of the tests themselves. The remaining failing tests that highlight stemcell differences can help auditors assess their security posture.
For more information about the Canonical Ubuntu 22.04 LTS STIG guide, use the following link to download a ZIP file of the Department of Defense’s documentation.
