CIS Cri-O Benchmark v1.0#90
Conversation
Codecov Report
@@ Coverage Diff @@
## main #90 +/- ##
=======================================
Coverage 59.18% 59.18%
=======================================
Files 4 4
Lines 147 147
=======================================
Hits 87 87
Misses 50 50
Partials 10 10 Continue to review full report at Codecov.
|
|
Hey! very nice contribution! :)
|
|
Hello Yoav,
Thank you for your reply.
We based this benchmark on CIS1.2 benchmark!
We have conducted some online research on cri-o documentation for the
commands.
However most of the test were carried out on a local kubernetes cluster
which ulitizes cri-o runtime.
We've pre selected which CIS1.2 commands were applicable on cri-o and then
tested the commands. However please note this is the first version and also
the first time we are using cri-o and would love to hear your feedback!
Next week we'll be meeting with our client to discuss the progress.
Thanks in advance!
Kind regards,
Niels Regelink.
Op wo 30 dec. 2020 10:42 schreef Yoav Rotem <notifications@github.com>:
… Hey! very nice contribution! :)
I didn't started to go through the PR yet, but I have a couple of
questions first,
1. on which benchmark did you based it? (CIS 1.2?)
2. Secondly did you used cri official data source or just tested it
locally and found where is what?
Beside that any special comments or thing I should know before
starting to review this PR?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#90 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AR6UAOGCSOPTVH46JWV2LLTSXLYYFANCNFSM4VJCQ6EQ>
.
|
|
It will take me a while because I want to validate all information is documented in cri-o documentation, and if its valid for which cri-o releases. |
|
Dear Yoav, Today we've updated the cri-o config definitions.yaml. We are now in the process of finalizing our documentation and are considering issuing this config for review in the cri-o community github as well. Can I commit the changes to the definitions.yaml in the pull request or do you want me to send it separately? Thanks in advance! Niels Regelink. |
|
Do it here :) |
|
I can't seem to upload the definitions.yaml into this section, it keeps saying file not supported. |
|
@nregelink thank you for making this contribution! It's a really nice idea to have a benchmark for CRI-O and we'd love to get one published but there are a couple of things that would need to happen first. Our test files for docker-bench, kube-bench etc implement the tests specified in benchmark documents published by the CIS. We try to stick as closely as possible to those community benchmark specifications, and we can't describe a benchmarks as CIS unless it's published by them. So one thing you might want to consider is getting in touch with them and publishing it there, and then the test files can be published here as an implementation of a CIS benchmark. Another thing I think would be really valuable would be to work with the CRI-O maintainers as they are in a better position than we are to comment on the validity of the tests being suggested here. Looping in @rhatdan @mrunalp @runcom for comment. |
|
Dear @lizrice , Kind regards, |
|
|
4 participants
Dear reader,
Thank you for taking your time to read this.
This is a CRI-O runtime security benchmark based on de Aquasecurity Docker-Benchmark.
We are a group of 4 students from the Netherlands currently in our last year for our Bachelor in Computer Sciences.
For a project we are assigned a research in building a Cri-O runtime benchmark which is based on the AquaSecurity Docker-Benchmark.
This project is carried out in cooperation with a company which specialises in software development and IT-architecture.
We've developed a Cri-O config 1.0 for the Aquasecurity Benchmark.
The definitions of the Docker-Benchmark have been evaluated and assesed for applicability on a Cri-O runtime environment.
In order to run the Benchmark, run the Aquasecurity benchmark with the following argumet: --benchmark crio-1.0
!Note!: if you have customised your Cri-O container storage location, please change the value of "crio-storage" in config.yaml
For now the company name will be undisclosed until further notice. This project is being carried out for Saxion University of Applied Sciences: https://www.saxion.edu/ For any questions, please do not hesitate in creating an active issue or by contacting me via mail: 417169@student.saxion.nl
Please note that this is our first time creating a pull request in github, if we've made any mistakes, please do let us know.
We'd love to hear your feedback on our work so far.
Happy holidays !
Kind Regards,
Niels Regelink