[cloud][8.13] Enable / Disable benchmark rules #4936

Merged
merged 9 commits into from
Mar 25, 2024
27 changes: 16 additions & 11 deletions docs/cloud-native-security/cspm-benchmark-rules.asciidoc
@@ -1,8 +1,13 @@
[[cspm-benchmark-rules]]
= Benchmark rules
The Benchmark Integrations page lets you view the cloud security posture (CSP) benchmark rules for the <<cspm, Cloud security posture management>> (CSPM) and <<kspm, Kubernetes security posture management>> (KSPM) integrations.
= Benchmarks
The Benchmarks page lets you view the cloud security posture (CSP) benchmark rules for the <<cspm, Cloud security posture management>> (CSPM) and <<kspm, Kubernetes security posture management>> (KSPM) integrations.

Benchmark rules are used by these integrations to identify configuration risks in your cloud infrastructure. Benchmark rules are based on the Center for Internet Security's (CIS) https://www.cisecurity.org/cis-benchmarks/[secure configuration benchmarks].
[role="screenshot"]
image::images/benchmark-rules.png[Benchmark rules page]

[discrete]
== What are benchmark rules?
Benchmark rules are used by the CSPM and KSPM integrations to identify configuration risks in your cloud infrastructure. Benchmark rules are based on the Center for Internet Security's (CIS) https://www.cisecurity.org/cis-benchmarks/[secure configuration benchmarks].

Each benchmark rule checks to see if a specific type of resource is configured according to a CIS Benchmark. The names of rules describe what they check, for example:
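
Review bot: The new intro sentence under `= Benchmarks` still says the page only "lets you view" benchmark rules, but this PR documents turning rules on and off from the same page, so the opening line undersells what the page does; consider "lets you view, enable, or disable". The screenshot alt text also still reads `Benchmark rules page` after the title changed to `= Benchmarks`, and the `[[cspm-benchmark-rules]]` anchor keeps the old name, which is fine for existing cross-references but worth a conscious decision.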

Expand All @@ -11,21 +16,21 @@ Each benchmark rule checks to see if a specific type of resource is configured a
* `Ensure IAM policies that allow full "*:*" administrative privileges are not attached`
* `Ensure the default namespace is not in use`

When benchmark rules are evaluated, the resulting <<findings-page, findings>> data appears on the <<cloud-posture-dashboard, Cloud Security Posture dashboard>>.

When benchmark rules are evaluated, the resulting <<findings-page, findings>> data appears on the <<cloud-posture-dashboard, Cloud Security Posture dashboard>>.
NOTE: Benchmark rules are not editable.

To find the Benchmark Integrations page, go to **Rules -> Benchmark rules**. From there, you can view the benchmark rules associated with an existing integration by clicking the integration name.
[discrete]
== Review your benchmarks

[role="screenshot"]
image::images/benchmark-rules.png[Benchmark rules page]
To see your active benchmarks, go to **Rules -> Benchmarks**. From there, you can click a benchmark's name to view the benchmark rules associated with it. You can click a benchmark rule's name to see details including information about how to remediate it, and related links.

You can then click on a benchmark rule's name to see details, including information about how to remediate failures and related links.
Benchmark rules are enabled by default, but you can disable some of them — at the benchmark level — to suit your environment. This means for example that if you have two integrations using the `CIS AWS` benchmark, disabling a rule for that benchmark affects both integrations. To enable or disable a rule, use the **Enabled** toggle on the right of the rules table.
Contributor

Some suggestions to remove "enable/disable". Also modified the last sentence a wee bit because the column is labeled in the UI, not the toggle.

Suggested change
Benchmark rules are enabled by default, but you can disable some of them — at the benchmark level to suit your environment. This means for example that if you have two integrations using the `CIS AWS` benchmark, disabling a rule for that benchmark affects both integrations. To enable or disable a rule, use the **Enabled** toggle on the right of the rules table.
Benchmark rules are turned on by default, but you can turn some off at the benchmark level to suit your environment. For example, if you have two integrations using the `CIS AWS` benchmark, turning off that benchmark rule affects both integrations. To turn a benchmark rule on or off, use the toggle in the **Enabled** column.

Contributor

These changes would apply to this section as well if you accepted them.

Contributor Author

The "Enabled" instead of "turned on" is reflective of the UI element (the table column with the setting is called "Enabled" and has a toggle for each rule), so I'm reluctant to avoid using it in this case. Other reviewers, what do you think?

Contributor

We seem to use enable and disable for detection rules (example here), so I suppose using the same terminology here would be consistent.


NOTE: Benchmark rules are not editable.
NOTE: Disabling a benchmark rule automatically disables any associated detection rules and alerts. Re-enabling a benchmark rule **does not** automatically re-enable them.

[discrete]
== How benchmark rules work

. When a security posture management integration is deployed, and every four hours after that, {agent} fetches relevant cloud resources.
. After resources are fetched, they are evaluated against all applicable benchmark rules.
. After resources are fetched, they are evaluated against all applicable enabled benchmark rules.
. Finding values of `pass` or `fail` indicate whether the standards defined by benchmark rules were met.
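
Review bot: The NOTE in "Review your benchmarks" saying that disabling a benchmark rule also disables its associated detection rules and alerts, and that re-enabling does not restore them, describes a silent loss of detection coverage and deserves more than a one-line NOTE. Suggest making it a WARNING or IMPORTANT admonition and adding a sentence telling the reader to re-enable the affected detection rules by hand after turning the benchmark rule back on. Separately, `NOTE: Benchmark rules are not editable.` now sits directly under the findings paragraph with no blank line between them as shown here; without a blank line AsciiDoc will not treat it as its own admonition block. Step 2 of "How benchmark rules work" says only enabled rules are evaluated; it would help to say what happens to existing findings for a rule once it is disabled.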
Binary file modified docs/cloud-native-security/images/benchmark-rules.png
27 changes: 16 additions & 11 deletions docs/cloud-native-security/kspm-benchmark-rules.asciidoc
@@ -1,8 +1,13 @@
[[benchmark-rules]]
= Benchmark rules
The Benchmark Integrations page lets you view the cloud security posture (CSP) benchmark rules for the <<cspm, Cloud security posture mangaement>> (CSPM) and <<kspm, Kubernetes security posture management>> (KSPM) integrations.
= Benchmarks
The Benchmarks page lets you view the cloud security posture (CSP) benchmark rules for the <<cspm, Cloud security posture management>> (CSPM) and <<kspm, Kubernetes security posture management>> (KSPM) integrations.

Benchmark rules are used by these integrations to identify configuration risks in your cloud infrastructure. Benchmark rules are based on the Center for Internet Security's (CIS) https://www.cisecurity.org/cis-benchmarks/[secure configuration benchmarks].
[role="screenshot"]
image::images/benchmark-rules.png[Benchmark rules page]

[discrete]
== What are benchmark rules?
Benchmark rules are used by the CSPM and KSPM integrations to identify configuration risks in your cloud infrastructure. Benchmark rules are based on the Center for Internet Security's (CIS) https://www.cisecurity.org/cis-benchmarks/[secure configuration benchmarks].

Each benchmark rule checks to see if a specific type of resource is configured according to a CIS Benchmark. The names of rules describe what they check, for example:
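
Review bot: This file is a line-for-line copy of the text in `cspm-benchmark-rules.asciidoc`, and the removed intro here carried a typo ("mangaement") that the CSPM copy did not, so the two have already drifted once. Consider keeping the shared body in one file and pulling it into both pages with an `include::` directive, leaving only the anchor (`[[benchmark-rules]]` here versus `[[cspm-benchmark-rules]]`) per page.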

Expand All @@ -11,21 +16,21 @@ Each benchmark rule checks to see if a specific type of resource is configured a
* `Ensure IAM policies that allow full "*:*" administrative privileges are not attached`
* `Ensure the default namespace is not in use`

When benchmark rules are evaluated, the resulting <<findings-page, findings>> data appears on the <<cloud-posture-dashboard, Cloud Security Posture dashboard>>.

When benchmark rules are evaluated, the resulting <<findings-page, findings>> data appears on the <<cloud-posture-dashboard, Cloud Security Posture dashboard>>.
NOTE: Benchmark rules are not editable.

To find the Benchmark Integrations page, go to **Rules -> Benchmark rules**. From there, you can view the benchmark rules associated with an existing integration by clicking the integration name.
[discrete]
== Review your benchmarks

[role="screenshot"]
image::images/benchmark-rules.png[Benchmark rules page]
To see your active benchmarks, go to **Rules -> Benchmarks**. From there, you can click a benchmark's name to view the benchmark rules associated with it. You can click a benchmark rule's name to see details including information about how to remediate it, and related links.

You can then click on a benchmark rule's name to see details, including information about how to remediate failures and related links.
Benchmark rules are enabled by default, but you can disable some of them — at the benchmark level — to suit your environment. This means for example that if you have two integrations using the `CIS AWS` benchmark, disabling a rule for that benchmark affects both integrations. To enable or disable a rule, use the **Enabled** toggle on the right of the rules table.

NOTE: Benchmark rules are not editable.
NOTE: Disabling a benchmark rule automatically disables any associated detection rules and alerts. Re-enabling a benchmark rule **does not** automatically re-enable them.

[discrete]
== How benchmark rules work

. When a security posture management integration is deployed, and every four hours after that, {agent} fetches relevant cloud resources.
. After resources are fetched, they are evaluated against all applicable benchmark rules.
. After resources are fetched, they are evaluated against all applicable enabled benchmark rules.
. Finding values of `pass` or `fail` indicate whether the standards defined by benchmark rules were met.
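
Review bot: In the "Review your benchmarks" paragraph of this KSPM page the example is the `CIS AWS` benchmark, copied from the CSPM page; a Kubernetes benchmark would be the more natural example for readers who arrive from the KSPM docs. The steps under "How benchmark rules work" also leave open when a toggle takes effect: step 1 says resources are fetched every four hours, so state whether disabling a rule applies immediately or only from the next evaluation cycle.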