# Step 1: Evidence Details

|System|Source of data|Frameworks|
|---|---|---|
|kubernetes|kube-bench|cis benchmark for kubernetes|

```
Purpose: kube-bench checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark. The evidence it produces shows adherence to industry-standard hardening practices, identifies misconfigurations that weaken the cluster, and gives actionable findings for improving its overall security posture. Running it on a schedule provides automated scanning and monitoring of Kubernetes configurations against the CIS Benchmark, supporting proactive mitigation of security risks in containerized environments.
```
```
RecommendedEvidenceName: CISBenchmarkForKubernetesResults
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

Sample data (a kube-bench check result line and the matching remediation line from the kube-bench output):

```
[WARN] 5.1.2 Minimize access to secrets (Manual)

5.1.2 Where possible, remove get, list and watch access to Secret objects in the cluster.
```

# Step 3: Define the Standard Schema
  


```
{
    # Meta
    "System": "kubernetes",
    "Source": "kube-bench",

    # Resource info
    "ResourceID": "cr-dev-eks-cr-4",
    "ResourceName": "cr-dev-eks-cr-4",
    "ResourceType": "Private cluster",
    "ResourceLocation": "",
    "ResourceTags": None,

    # Data
    "ParentControlDescription": "Worker Node Configuration Files",
    "ControlNumber": "4.1.1",
    "ControlDescription": "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",

    # Compliance details
    "ValidationStatusCode": "PS",
    "ValidationStatusNotes": "File permissions meet the CIS Benchmark requirement.",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Kube-bench logs indicate permissions are set to 600 or more restrictive (details in logs)",
    "RemediationSteps": "",
    "EvaluatedTime": "2024-04-16T10:06:43.829090157Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ParentControlDescription|ControlNumber|ControlDescription|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|RemediationSteps|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|kubernetes|kube-bench|cr-dev-eks-cr-4|cr-dev-eks-cr-4|Private cluster||None|Worker Node Configuration Files|4.1.1|Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)|PS|File permissions meet the CIS Benchmark requirement.|COMPLIANT|Kube-bench logs indicate permissions are set to 600 or more restrictive (details in logs)||2024-04-16T10:06:43.829090157Z||||

# Step 4: Describe the Compliance Taxonomy

The compliance taxonomy varies per control: it is keyed on the ControlName field in ControlConfig.json, which can be found inside catalog/globalcatalog/rules/EvaluateCISBenchmarkForKubernetes/RuleConfig.json.

The table below contains the taxonomy for ControlNumber 5.1.2. Note that kube-bench marks 5.1.2 as a Manual check and reports it as [WARN] rather than PASS or FAIL (see the sample in Step 2), so the PS or FL code for this control has to come from a review of the RBAC bindings that grant get, list or watch on Secret objects, not from the kube-bench status alone:

|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|
|PS|Secret access meets the CIS Benchmark requirement.|COMPLIANT|Audit logs indicate that access to secrets is minimized (details in logs)|
|FL|Remediation required: Minimize secret access as per CIS Benchmark.|NON_COMPLIANT|Audit logs indicate that access to secrets is not minimized (details in logs)|

# Step 5: Calculation for Compliance Percentage and Status


```
# Calculation of Compliance Percentage
CompliancePCT = 100 - (Count of 'NON_COMPLIANT' records * 100) / Total records

# Compliance Status
# COMPLIANT      - CompliancePCT = 100%
# NON_COMPLIANT  - 0% <= CompliancePCT < 100%
# NOT_DETERMINED - no records are found in the account
```
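The following is an added worked example, not code from this rule or the kube-bench project: it takes kube-bench text output in the shape shown in Step 2, emits one standard-schema record per check (Step 3), applies the per-control taxonomy of Step 4, and computes the compliance percentage and status of Step 5, including the NOT_DETERMINED case. The sample output is constructed, not a real scan; the 5.1.2 taxonomy rows and the 4.1.1 PS row are copied from this page, while the 4.1.1 FL row, the generic fallback rows and the choice to map a [WARN] manual check to FL until a reviewer overrides it are assumptions made for the example.

```python
import re

# Constructed kube-bench text output (not a real scan): one
# "[STATUS] <number> <description>" line per check, "[INFO]" lines for the
# section headings, and the remediation block kube-bench prints afterwards.
SAMPLE_OUTPUT = """\
[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[FAIL] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
[INFO] 5.1 RBAC and Service Accounts
[WARN] 5.1.2 Minimize access to secrets (Manual)

== Remediations node ==
4.1.2 Run the below command (based on the file location on your system) on each worker node.
5.1.2 Where possible, remove get, list and watch access to Secret objects in the cluster.
"""

# kube-bench status -> ValidationStatusCode. Mapping WARN (manual checks) to FL is
# an assumption: the page defines only PS and FL, so an unreviewed manual check is
# treated as non-compliant until a reviewer overrides it.
STATUS_TO_CODE = {"PASS": "PS", "FAIL": "FL", "WARN": "FL"}

# Per-control taxonomy: ControlNumber -> code -> (notes, status, reason).
# 5.1.2 rows and the 4.1.1 PS row are from this page; the rest are placeholders
# standing in for what ControlConfig.json would carry.
TAXONOMY = {
    "5.1.2": {
        "PS": ("Secret access meets the CIS Benchmark requirement.", "COMPLIANT",
               "Audit logs indicate that access to secrets is minimized (details in logs)"),
        "FL": ("Remediation required: Minimize secret access as per CIS Benchmark.", "NON_COMPLIANT",
               "Audit logs indicate that access to secrets is not minimized (details in logs)"),
    },
    "4.1.1": {
        "PS": ("File permissions meet the CIS Benchmark requirement.", "COMPLIANT",
               "Kube-bench logs indicate permissions are set to 600 or more restrictive (details in logs)"),
        "FL": ("Remediation required: Set kubelet service file permissions to 600 or more restrictive.",
               "NON_COMPLIANT", "Kube-bench logs indicate permissions are too permissive (details in logs)"),
    },
}
DEFAULT_TAXONOMY = {
    "PS": ("Check meets the CIS Benchmark requirement.", "COMPLIANT", "Kube-bench reports PASS (details in logs)"),
    "FL": ("Remediation required as per CIS Benchmark.", "NON_COMPLIANT", "Kube-bench reports FAIL or WARN (details in logs)"),
}

CHECK_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")
REMEDIATION_RE = re.compile(r"^(\d+\.\d+\.\d+)\s+(.*)$")


def parse_kube_bench(text, resource_id, resource_name, evaluated_time, resource_type="Private cluster"):
    """Turn kube-bench text output into one standard-schema record per check."""
    records, remediations = [], {}
    parent, in_remediations = "", False
    for line in text.splitlines():
        if line.startswith("== Remediations"):
            in_remediations = True
            continue
        if line.startswith("== Summary"):
            in_remediations = False
            continue
        if in_remediations:
            m = REMEDIATION_RE.match(line)
            if m:
                remediations[m.group(1)] = m.group(2)
            continue
        m = CHECK_RE.match(line)
        if not m:
            continue
        status, number, description = m.groups()
        if status == "INFO":
            if number.count(".") == 1:  # "4.1 ..." is the section; "4 ..." is the chapter
                parent = description
            continue
        code = STATUS_TO_CODE[status]
        notes, compliance, reason = TAXONOMY.get(number, DEFAULT_TAXONOMY)[code]
        records.append({
            "System": "kubernetes", "Source": "kube-bench",
            "ResourceID": resource_id, "ResourceName": resource_name,
            "ResourceType": resource_type, "ResourceLocation": "", "ResourceTags": None,
            "ParentControlDescription": parent, "ControlNumber": number,
            "ControlDescription": description,
            "ValidationStatusCode": code, "ValidationStatusNotes": notes,
            "ComplianceStatus": compliance, "ComplianceStatusReason": reason,
            "RemediationSteps": "", "EvaluatedTime": evaluated_time,
            "UserAction": "", "ActionStatus": "", "ActionResponseURL": "",
        })
    # kube-bench prints remediations after all checks, so attach them in a second pass.
    for r in records:
        if r["ComplianceStatus"] == "NON_COMPLIANT":
            r["RemediationSteps"] = remediations.get(r["ControlNumber"], "")
    return records


def compliance_percentage(records):
    """CompliancePCT = 100 - (NON_COMPLIANT * 100 / total); None when there are no records."""
    if not records:
        return None
    non_compliant = sum(r["ComplianceStatus"] == "NON_COMPLIANT" for r in records)
    return 100 - (non_compliant * 100) / len(records)


def compliance_status(records):
    pct = compliance_percentage(records)
    if pct is None:
        return "NOT_DETERMINED"  # no records found in the account
    return "COMPLIANT" if pct == 100 else "NON_COMPLIANT"


if __name__ == "__main__":
    recs = parse_kube_bench(SAMPLE_OUTPUT, "cr-dev-eks-cr-4", "cr-dev-eks-cr-4", "2024-04-16T10:06:43.829090157Z")
    for r in recs:
        print(r["ControlNumber"], r["ValidationStatusCode"], r["ComplianceStatus"], r["RemediationSteps"])
    print(compliance_percentage(recs), compliance_status(recs))
```

On the constructed sample the run yields three records (4.1.1 PS, 4.1.2 FL, 5.1.2 FL), a compliance percentage of 33.33 and a status of NON_COMPLIANT; an empty record set returns NOT_DETERMINED rather than dividing by zero. The WARN-to-FL mapping is the point to revisit when wiring this to the real ControlConfig.json, since a manual check needs a reviewer's verdict before it can honestly be called PS.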

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

Remediation notes:
For each NON_COMPLIANT record, refer to 'ValidationStatusNotes', which carries the remediation guidance (the same text as 'RemediationSteps'). For 5.1.2, for example, kube-bench's own remediation line is to remove get, list and watch access to Secret objects wherever possible.

# Step 7. Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | EvaluateCISBenchmarkForKubernetes    |
| **PreRequisiteRuleNames**  |           |
| **ExtendedSchemaRuleNames**|            |
| **ApplicationClassName**   | kubernetes               |