Chapter 2. Managing compliance
By using Red Hat Advanced Cluster Security for Kubernetes you can assess, check, and report on the compliance status of your containerized infrastructure. You can run out-of-the-box compliance scans based on industry standards including:
- CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes
- HIPAA (Health Insurance Portability and Accountability Act)
- NIST Special Publication 800-190 and 800-53 (National Institute of Standards and Technology)
- PCI DSS (Payment Card Industry Data Security Standard)
- OpenSCAP (Open Security Content Automation Protocol): Available in RHACS for OpenShift Container Platform clusters when the Compliance Operator is installed and configured to provide results to RHACS
By scanning your environment based on these standards you can:
- Evaluate your infrastructure for regulatory compliance.
- Harden your Docker Engine and Kubernetes orchestrator.
- Understand and manage the overall security posture of your environment.
- Get a detailed view of compliance status for clusters, namespaces, and nodes.
2.1. Viewing the compliance dashboard
The compliance dashboard provides a high-level view of the compliance standards across all clusters, namespaces, and nodes in your environment.
The compliance dashboard includes charts and provides options to investigate a potential problem with compliance mandates. You can navigate to compliance scan results for a single cluster, namespace, or a node. Moreover, you can generate reports on the state of compliance within your containerized environment.
Procedure
- On the RHACS portal, select Compliance from the navigation menu.
The first time you open the Compliance dashboard you will see a blank dashboard. You must run a compliance scan to populate the dashboard.
2.2. Running a compliance scan
Running a compliance scan checks the compliance status for your entire infrastructure across all compliance standards. When you run a compliance scan, Red Hat Advanced Cluster Security for Kubernetes takes a data snapshot of your environment. The data snapshot includes alerts, images, network policies, deployments, and related host-based data. Central collects the host-based data from the Sensors running in your clusters. After that, Central collects more data from the compliance container running in each collector pod. The compliance container collects the following data about your environment:
- Configurations for Docker Daemon, Docker image, and Docker container.
- Information about Docker networks.
- Command-line arguments and processes for Docker, Kubernetes, and OpenShift Container Platform.
- Permissions of specific file paths.
- Configuration files for the core Kubernetes and OpenShift Container Platform services.
After the data collection is complete, Central performs checks on the data to determine results. You can view the results from the compliance dashboard and also generate compliance reports based on the results.
In a compliance scan:
- Control describes a single line item in an industry or regulatory compliance standard against which an auditor evaluates an information system for compliance with said standard. Red Hat Advanced Cluster Security for Kubernetes checks the evidence of compliance with a single control by completing one or more checks.
- Check is the single test performed during a single control assessment.
- Some controls have multiple checks associated with them. If any of the associated checks fails for a control, the entire control state is marked as Fail.
Procedure
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- Optional: By default, information under all standards is displayed in the compliance results. To view only information from specific standards, perform the following steps:
- Click Manage standards.
- By default, all standards are selected. Clear the checkbox for any specific standard that you do not want to display, and then click Save. Standards that are not selected do not appear in the dashboard display (including widgets), compliance results tables that are accessed from the dashboard, and PDF files created using the Export button. However, all default standards are included when results are exported as a CSV file.
- Click Scan environment.
Note: Scanning the entire environment takes about 2 minutes to complete. This time might vary depending on the number of clusters and nodes in your environment.
2.3. Viewing compliance scan results
After you run a compliance scan, the compliance dashboard displays the results as the compliance status for your environment. You can view compliance violations directly from the dashboard, filter the details view, and drill down into compliance standards to understand whether your environment is compliant with specific benchmarks. This section explains how to view and filter compliance scan results.
You can use shortcuts to check the compliance status of clusters, namespaces, and nodes. Look for these shortcuts at the top of your compliance dashboard. By clicking these shortcuts you can view the compliance snapshot and generate reports on the overall compliance of your clusters, namespaces, or nodes.
Compliance status
Status | Description |
---|---|
| The compliance check failed. |
| The compliance check passed. |
| Red Hat Advanced Cluster Security for Kubernetes skipped the check because it was not applicable. |
| The compliance check gathered data, but Red Hat Advanced Cluster Security for Kubernetes could not make a |
| The compliance check failed due to a technical issue. |
2.3.1. Viewing compliance status for clusters
You can view compliance status for all clusters or a single cluster from the compliance dashboard.
Procedure
To view compliance status for all clusters in your environment:
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- Click Clusters on the compliance dashboard.
To view compliance status for a specific cluster in your environment:
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- On the compliance dashboard, look for the Passing standards by cluster widget.
- In this widget, click on a cluster name to view its compliance status.
2.3.2. Viewing compliance status for namespaces
You can view compliance status for all namespaces or a single namespace from the compliance dashboard.
Procedure
To view compliance status for all namespaces in your environment:
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- Click Namespaces on the compliance dashboard.
To view compliance status for a specific namespace in your environment:
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- Click Namespaces to open the namespaces details page.
- From the Namespaces table, click on a namespace. A side panel opens on the right.
- In the side panel, click on the name of the namespace to view its compliance status.
2.3.3. Viewing compliance status for a specific standard
Red Hat Advanced Cluster Security for Kubernetes supports the NIST, PCI DSS, HIPAA, CIS for Kubernetes, and CIS for Docker compliance standards. You can view all the compliance controls for a single compliance standard.
Procedure
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- On the compliance dashboard, look for the Passing standards across clusters widget.
- In this widget, click on a standard to view information about all the controls associated with that standard.
Many of the controls in CIS Docker refer to the configuration of the Docker engine on each Kubernetes node. Many CIS Docker controls are also best practices for building and using containers, and RHACS has policies to enforce their use. See "Managing security policies" in "Additional resources" for more information.
2.3.4. Viewing compliance status for a specific control
You can view compliance status for a specific control for a selected standard.
Procedure
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- On the compliance dashboard, look for the Passing standards by cluster widget.
- In this widget, click on a standard to view information about all the controls associated with that standard.
- From the Controls table, click on a control. A side panel opens on the right.
- In the side panel, click on the name of the control to view its details.
2.4. Filtering compliance status
Red Hat Advanced Cluster Security for Kubernetes search makes it easy to filter different combinations of data from the compliance dashboard. To focus your attention on a subset of clusters, industry standards, or passing or failing controls, you can narrow the scope of the data visible on the compliance dashboard.
Procedure
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- On the compliance dashboard, select Clusters, Namespaces, or Nodes to open the details page.
- Enter your filtering criteria in the search bar and then press Enter.
2.5. Generating compliance reports
Red Hat Advanced Cluster Security for Kubernetes enables you to generate reports to keep track of the compliance status of your environment. You can use these reports to convey compliance status across various industry mandates to other stakeholders.
You can generate:
- Executive reports that focus on the business aspect and include charts and a summary of compliance status in PDF format.
- Evidence reports that focus on the technical aspect and include detailed information in CSV format.
Procedure
- Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.
- On the compliance dashboard, click Export on the top right side.
- To generate an executive report, select Download page as PDF.
- To generate an evidence report, select Download Evidence as CSV.
The Export option appears on all compliance pages and filtered views.
2.5.1. Evidence reports
You can export comprehensive compliance-related data from Red Hat Advanced Cluster Security for Kubernetes in CSV format as an evidence report. This evidence report contains detailed information about the compliance assessment, and it is tailored towards technical roles, such as compliance auditors, DevOps engineers, or security practitioners.
An evidence report contains the following information:
CSV field | Description |
---|---|
Standard | The compliance standard, for example, CIS Kubernetes. |
Cluster | The name of the assessed cluster. |
Namespace | The name of the namespace or project where the deployment exists. |
Object Type | The Kubernetes entity type of the object. For example, |
Object Name | The name of the object, a system-generated Kubernetes string that uniquely identifies the object. For example, |
Control | The control number as it appears in the compliance standard. |
Control Description | Description of the compliance check that the control carries out. |
State | Whether the compliance check passed or failed. For example, |
Evidence | The explanation about why a specific compliance check failed or passed. |
Assessment Time | The time and date when you ran the compliance scan. |
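The evidence report is the artifact an auditor or security engineer actually works from, so it is worth seeing how its rows map back to the control and check model from Section 2.2 (a control fails if any of its checks fails). The following Python script is an added example, not code from the RHACS documentation or product: it parses a CSV with the field names listed above, folds per-object check states into a per-control state, and counts control states per standard. The rows are constructed sample data, and the "Skipped" state spelling is an assumption (the documentation shows the non-Pass/Fail statuses only as icons); only the Pass/Fail aggregation rule comes from the text.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an evidence report. The column names are the CSV
# fields documented for the evidence report; every row value is made up.
# "Skipped" is an assumed spelling for a not-applicable check.
SAMPLE_EVIDENCE_CSV = """\
Standard,Cluster,Namespace,Object Type,Object Name,Control,Control Description,State,Evidence,Assessment Time
CIS Kubernetes,prod-east,,Node,node-1,1.1.1,API server pod spec file permissions,Pass,File permissions are 644,2024-01-15T10:00:00Z
CIS Kubernetes,prod-east,,Node,node-2,1.1.1,API server pod spec file permissions,Fail,File permissions are 664,2024-01-15T10:00:00Z
CIS Kubernetes,prod-east,,Node,node-1,1.1.2,API server pod spec file ownership,Pass,File owned by root:root,2024-01-15T10:00:00Z
CIS Kubernetes,prod-east,,Node,node-2,1.1.2,API server pod spec file ownership,Pass,File owned by root:root,2024-01-15T10:00:00Z
PCI DSS,prod-east,payments,Deployment,payments-api-7d9f,1.1.4,Firewall at each internet connection,Fail,No ingress network policy applies to the deployment,2024-01-15T10:00:00Z
PCI DSS,prod-east,payments,Deployment,ledger-5c2a,1.1.4,Firewall at each internet connection,Pass,Ingress network policy restricts traffic,2024-01-15T10:00:00Z
CIS Docker,prod-east,,Node,node-1,2.1,Restrict network traffic between containers,Skipped,Docker daemon is not running on this node,2024-01-15T10:00:00Z
"""


def parse_evidence(csv_text):
    """Parse evidence report CSV text into a list of row dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def control_state(check_states):
    """Fold the states of one control's checks into a single control state.

    Rule from the documentation: if any check fails, the whole control is Fail.
    If every check passed, the control is Pass. Otherwise the first non-Pass
    state (a skipped or errored check, for instance) is reported unchanged.
    """
    states = list(check_states)
    if not states:
        raise ValueError("control has no checks")
    if any(s == "Fail" for s in states):
        return "Fail"
    if all(s == "Pass" for s in states):
        return "Pass"
    return next(s for s in states if s != "Pass")


def summarize_controls(rows):
    """Group check rows by (standard, cluster, control) and compute each control's state."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[(row["Standard"], row["Cluster"], row["Control"])].append(row["State"])
    return {key: control_state(states) for key, states in grouped.items()}


def state_counts_by_standard(control_states):
    """Count control states per standard, similar to a passing-standards summary."""
    counts = defaultdict(Counter)
    for (standard, _cluster, _control), state in control_states.items():
        counts[standard][state] += 1
    return {standard: dict(counter) for standard, counter in counts.items()}


def failing_evidence(rows):
    """Return, for every failed check, the object it concerns and the recorded evidence."""
    return [
        (r["Standard"], r["Control"], r["Object Type"], r["Object Name"], r["Evidence"])
        for r in rows
        if r["State"] == "Fail"
    ]


if __name__ == "__main__":
    rows = parse_evidence(SAMPLE_EVIDENCE_CSV)
    controls = summarize_controls(rows)
    for (standard, cluster, control), state in sorted(controls.items()):
        print(f"{standard} / {cluster} / control {control}: {state}")
    print(state_counts_by_standard(controls))
    for item in failing_evidence(rows):
        print("FAIL", item)
```

Grouping on (Standard, Cluster, Control) rather than on Control alone matters because control numbers such as 1.1.4 repeat across standards, and the per-object rows are what give the auditor the evidence for a failure, so they are kept rather than collapsed.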
2.6. Supported benchmark versions
Red Hat Advanced Cluster Security for Kubernetes supports compliance checks against the following industry standards and regulatory frameworks:
Benchmark | Supported version |
---|---|
CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes | CIS Kubernetes v1.5.0 and CIS Docker v1.2.0 |
HIPAA (Health Insurance Portability and Accountability Act) | HIPAA 164 |
NIST (National Institute of Standards and Technology) | NIST Special Publication 800-190 and 800-53 Rev. 4 |
PCI DSS (Payment Card Industry Data Security Standard) | PCI DSS 3.2.1 |