Compliance Assessment

Compliance Assessment strengthens security posture by assessing the configuration of Kubernetes cluster nodes against the latest CIS Kubernetes Benchmarks.

The CIS Kubernetes Benchmark is used to conduct compliance assessment for self-hosted Kubernetes clusters. The benchmark is developed by the Center for Internet Security (CIS), the leading industry standard body that provides consensus-based security configuration recommendations for identifying container security vulnerabilities. For more information, visit https://www.cisecurity.org/cis-securesuite/.

Container Protection automatically determines and uses the supported version of the CIS Kubernetes Benchmark to conduct compliance assessment on the self-hosted Kubernetes cluster.

Other CIS benchmarks, such as those for Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE), are used to assess Kubernetes clusters that reside on those cloud service platforms.

Prerequisite

  1. Compliance Assessment requires the Kubernetes cluster to be set up with Container Protection. Follow the instructions in Add Kubernetes Cluster to deploy the Kubernetes Agent on the Kubernetes cluster.
  2. Enable the compliance policies by following the guidelines in Compliance Policy Configuration.

Compliance Page

The FortiView > Compliance page shows the compliance result summary of all Kubernetes clusters that are integrated with Container Protection.

CIS Benchmark Compliance Rate - shows the number of CIS Kubernetes Benchmark policies that the Kubernetes cluster complies with, out of the total number of policies assessed.

For example, 50/100 means the cluster complies with only 50 of the 100 compliance policies.

Cluster Detail - click the details link to be redirected to the Cluster Detail page.

Cluster Detail

The Cluster Detail page shows the audit results of the Kubernetes cluster. The audit results can be sorted by policy name, audit result, and compliant/non-compliant policies.

Kubernetes Version shows the version of the Kubernetes cluster.

The Audit Result column shows whether the cluster is in compliance with the policy.

Click the View More button to show the policy description and audit result.

Audit Result - shows what the audit performed on the cluster returned. Note: the audit result shows as compliant only if all worker nodes are compliant.

Remediation - provides the CIS Benchmark recommendation for making the cluster compliant with the policy; most of the time it is a CLI command.

Auto Remediation - allows FortiCWP to automatically perform the remediation suggested by the CIS Benchmark.

If the audit result is "Non-Compliant", the worker nodes that are "Compliant" and those that are "Non-Compliant" are both listed. Remediation still provides suggestions for fixing the non-compliant worker nodes.

There are 5 types of audit result status. Each status and its description:

Compliant - The audit result of the scan performed is compliant with the CIS Benchmark standard.

Non-Compliant - Any of the following scenarios leads to a "Non-Compliant" audit result status:

  1. The audit result does not comply with the CIS Benchmark standard.
  2. The audit result returned is empty.
  3. Auto Remediation is set to "Off", so the policy requires manual remediation or enabling auto remediation.
  4. Auto Remediation is set to "On", but remediation of the non-compliant Kubernetes cluster failed.
  5. Not all cluster worker nodes returned an audit result that is compliant with the policy standard.

Insufficient Info - An audit result with not enough information receives the status "Insufficient Info".

Unable to Scan - Container Protection could not perform the compliance scan for the policy.

Not Supported - The compliance scan for the policy is not supported in Container Protection.
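The status rules above (a policy is compliant only when every worker node is compliant, an empty audit output counts as non-compliant, and the N/M compliance rate counts compliant policies) can be made concrete by aggregating per-node results in code. The following is an added example, not FortiCWP or Container Protection code: the aggregation order, the NodeResult/PolicyResult structures, the node names and the policy ids are all assumptions constructed for illustration.

```python
"""Aggregating per-worker-node CIS audit results into a cluster-level status.

Added illustration, not FortiCWP or Container Protection code. The rules are
assumptions modelled on the status descriptions on this page: a policy is
Compliant only when every worker node is compliant, an empty audit output
counts as Non-Compliant, and the other three statuses propagate from any node
that reports them. The precedence among Not Supported, Unable to Scan and
Insufficient Info is also an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-Compliant"
INSUFFICIENT_INFO = "Insufficient Info"
UNABLE_TO_SCAN = "Unable to Scan"
NOT_SUPPORTED = "Not Supported"


@dataclass
class NodeResult:
    node: str
    status: str       # one of the five status strings above
    output: str = ""  # raw audit output the node returned; "" means nothing came back


@dataclass
class PolicyResult:
    policy: str                 # hypothetical policy id (constructed values below)
    nodes: List[NodeResult] = field(default_factory=list)


def cluster_status(pr: PolicyResult) -> str:
    """Derive the cluster-wide audit status for one policy from its node results."""
    if not pr.nodes:
        return INSUFFICIENT_INFO  # nothing to assess
    statuses = {n.status for n in pr.nodes}
    # Scan-level problems on any node dominate (assumed precedence order).
    for blocking in (NOT_SUPPORTED, UNABLE_TO_SCAN, INSUFFICIENT_INFO):
        if blocking in statuses:
            return blocking
    # Scenario 2: a node that returned no audit output cannot be treated as compliant.
    if any(not n.output.strip() for n in pr.nodes):
        return NON_COMPLIANT
    # Scenarios 1 and 5: every worker node must be compliant, otherwise Non-Compliant.
    return COMPLIANT if statuses == {COMPLIANT} else NON_COMPLIANT


def split_nodes(pr: PolicyResult) -> Tuple[List[str], List[str]]:
    """Lists shown for a Non-Compliant policy: (compliant nodes, non-compliant nodes)."""
    ok = [n.node for n in pr.nodes if n.status == COMPLIANT and n.output.strip()]
    bad = [n.node for n in pr.nodes if n.node not in ok]
    return ok, bad


def compliance_rate(results: List[PolicyResult]) -> Tuple[int, int]:
    """(compliant policies, total policies): the pair behind the 'N/M' compliance rate."""
    compliant = sum(1 for r in results if cluster_status(r) == COMPLIANT)
    return compliant, len(results)


def format_rate(results: List[PolicyResult]) -> str:
    n, m = compliance_rate(results)
    return f"{n}/{m}"


def sample_results() -> List[PolicyResult]:
    """Constructed sample: three worker nodes, four hypothetical policies."""
    ok = "flag present"
    return [
        PolicyResult("policy-1", [NodeResult("node-a", COMPLIANT, ok),
                                  NodeResult("node-b", COMPLIANT, ok),
                                  NodeResult("node-c", COMPLIANT, ok)]),
        PolicyResult("policy-2", [NodeResult("node-a", COMPLIANT, ok),
                                  NodeResult("node-b", COMPLIANT, ok),
                                  NodeResult("node-c", NON_COMPLIANT, "flag missing")]),
        PolicyResult("policy-3", [NodeResult("node-a", COMPLIANT, ok),
                                  NodeResult("node-b", COMPLIANT, ""),   # empty audit output
                                  NodeResult("node-c", COMPLIANT, ok)]),
        PolicyResult("policy-4", [NodeResult("node-a", COMPLIANT, ok),
                                  NodeResult("node-b", UNABLE_TO_SCAN, ""),
                                  NodeResult("node-c", COMPLIANT, ok)]),
    ]


if __name__ == "__main__":
    for r in sample_results():
        print(r.policy, cluster_status(r), split_nodes(r))
    print("compliance rate:", format_rate(sample_results()))
```

Running the sample gives policy-1 Compliant, policy-2 and policy-3 Non-Compliant (policy-3 solely because one node returned nothing), policy-4 Unable to Scan, and a compliance rate of 1/4. The point of the empty-output rule is that a missing result is never read as a pass; a node that silently fails to report must show up in the non-compliant list so it is remediated rather than overlooked.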
