Benchmark versions

Discover the compliance benchmark versions the StackRox Kubernetes Security Platform supports.

The StackRox Kubernetes Security Platform supports compliance checks against the following industry standards and regulatory frameworks:

  • CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes,
  • HIPAA (Health Insurance Portability and Accountability Act),
  • NIST (National Institute of Standards and Technology), and
  • PCI DSS (Payment Card Industry Data Security Standard).

CIS Benchmarks

StackRox version       Benchmark version
2.4.16 to 2.5.29       CIS Kubernetes v1.2.0 and CIS Docker v1.1.0
2.5.30 to 3.0.33       CIS Kubernetes v1.4.1 and CIS Docker v1.2.0
3.0.34 and newer       CIS Kubernetes v1.5.0 and CIS Docker v1.2.0

CIS Kubernetes v1.5.0 changes

The CIS Kubernetes v1.5.0 benchmark groups controls into five categories instead of the two used by CIS Kubernetes v1.4.1, so the control IDs of most controls have changed. CIS Kubernetes v1.5.0 includes the following categories:

  • Control Plane Components
  • etcd
  • Control Plane Configuration
  • Worker Nodes
  • Policies

When you upgrade to version 3.0.34, compliance results from the previous versions of these benchmarks are no longer available. To get compliance results based on the updated controls, run a new compliance scan.

Status     Description
UPDATED    Updated control 1.2.13 in v1.5.0 (control 1.1.13 in v1.4.1) to also check whether the admission control plugins contain SecurityContextDeny when they don't contain PodSecurityPolicy. The control passes if either of these values (or both) is present; otherwise it fails.
UPDATED    Changed wording for control 1.2.34 (control 1.1.35 in v1.4.1). The control now passes if the secretbox or kms encryption providers are in use.
UPDATED    Control 1.4.2 (control 1.2.2 in v1.4.1) now checks for --bind-address instead of --address.
UPDATED    Control 4.2.9 (control 2.1.9 in v1.4.1): Ensure that the --event-qps argument is set to 0 or to a level that ensures appropriate event capture.
UPDATED    Control 1.2.35 (control 1.1.31 in v1.4.1): Ensure that the API Server only makes use of Strong Cryptographic Ciphers. Removed TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 from the list of strong cipher suites; an API server whose --tls-cipher-suites still lists either of them now fails this control.
REMOVED    Ensure that the --repair-malformed-updates argument is set to false.
REMOVED    Ensure that the --cadvisor-port argument is set to 0.

CIS Kubernetes v1.4.1 changes

When you upgrade to version 2.5.30, compliance results from the previous versions of these benchmarks are no longer available. To get compliance results based on the updated controls, run a new compliance scan.

Status        Description
REMOVED       Ensure that the --wal-dir argument is set as appropriate.
REMOVED       Ensure that the --max-wals argument is set to 0.
REMOVED       Ensure that the --keep-terminated-pod-volumes argument is set to false.
DEPRECATED    Ensure that the admission control plugin DenyEscalatingExec is set.
DEPRECATED    Ensure that the --cadvisor-port argument is set to 0.
ADDED         Ensure that the API Server only makes use of Strong Cryptographic Ciphers.
ADDED         Ensure that the --authorization-mode argument includes RBAC.
ADDED         Scheduler: Ensure that the --address argument is set to 127.0.0.1.
ADDED         Controller Manager: Ensure that the --address argument is set to 127.0.0.1.
ADDED         Ensure that the Kubernetes PKI directory and file ownership is set to root:root.
ADDED         Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive.
ADDED         Ensure that the Kubernetes PKI key file permissions are set to 600.
ADDED         Master Node Security Configuration - Pod Security Policies section.
ADDED         Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers.
UPDATED       API Server: Admission control flag renamed (--admission-control became --enable-admission-plugins).
UPDATED       --experimental-encryption-provider-config argument changed to --encryption-provider-config.
UPDATED       Changed wording for controls 1.1.10 to 1.1.14, 1.1.27, 1.1.31, 1.1.32, and 1.1.35. (These control numbers refer to CIS Kubernetes Benchmark v1.2.0.)
UPDATED^      Ensure that the --auto-tls argument isn't set to true. Previously, this check passed if --auto-tls was set to true.
UPDATED^      Ensure that the --peer-auto-tls argument isn't set to true. Previously, this check passed if --peer-auto-tls was set to true.
UPDATED^      Ensure that the --read-only-port argument is set to 0. Previously, the default value for this check was considered to be 0.
UPDATED^      Ensure that the RotateKubeletServerCertificate argument is set to true. Previously, this check may have passed even if RotateKubeletServerCertificate was set to false.
UPDATED^      Ensure that the --insecure-bind-address argument isn't set. Previously, this check passed if --insecure-bind-address was set to 127.0.0.1.
UPDATED^      Ensure that the --insecure-port argument is set to 0. Previously, the default value for this check was considered to be 8080.
UPDATED^      Ensure that the admission control plugin AlwaysPullImages is set. Previously, the default value for this check was considered to be AlwaysAdmit.
UPDATED^      Ensure that the admission control plugin SecurityContextDeny is set. Previously, the default value for this check was considered to be AlwaysAdmit.
UPDATED^      Ensure that the --service-account-lookup argument is set to true. Previously, the default value for this check was considered to be false.
UPDATED^      Ensure that the admission control plugin PodSecurityPolicy is set. Previously, the default value for this check was considered to be AlwaysAdmit.
UPDATED^      Ensure that the admission control plugin ServiceAccount is set. Previously, this check may have returned an incorrect result.
UPDATED^      Ensure that the --authorization-mode argument includes Node. Previously, the default value for this check was considered to be AlwaysAllow.
UPDATED^      Ensure that the admission control plugin NodeRestriction is set. Previously, the default value for this check was considered to be AlwaysAllow.
UPDATED^      Ensure that the admission control plugin EventRateLimit is set. Previously, this check may have passed even if EventRateLimit wasn't set.
UPDATED^      Ensure that the --profiling argument is set to false. Previously, this check may have passed even if --profiling was set to true.
UPDATED^      Ensure that the --use-service-account-credentials argument is set to true. Previously, this check may have returned an incorrect result.

^ We fixed incorrect results for compliance controls that depend on these checks.
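The two Kubernetes tables above describe control semantics precisely enough to encode: the either-or admission plugin rule of 1.2.13, the secretbox/kms requirement of 1.2.34, the scheduler's --bind-address in 1.4.2, the --event-qps floor of 4.2.9, the shrunken cipher list of 1.2.35, and the v1.4.1-era bug where an absent flag was scored as the value the check wanted rather than the real Kubernetes default (--insecure-port, --read-only-port). The script below is an added example written for this page, not StackRox code or the benchmark's own audit commands. It reads component command lines as you would pull them from ps or /proc/<pid>/cmdline; the command lines, the two EncryptionConfiguration dicts and the site_floor value are constructed, and the STRONG_CIPHERS set is this example's assumption about the v1.5.0 list (confirm it against your copy of the benchmark).

```python
"""Evaluate the updated CIS Kubernetes controls against component command lines.
Added example, not StackRox code; the command lines, EncryptionConfiguration
dicts and site_floor below are constructed for this demonstration."""
import shlex
from typing import Dict, Set

# What Kubernetes uses when a flag is absent. A check that treats a missing flag
# as the wanted value passes silently; that is the bug the v1.4.1 notes describe
# for --insecure-port (default 8080) and --read-only-port (default 10255).
KUBE_DEFAULTS = {"--insecure-port": "8080", "--read-only-port": "10255", "--event-qps": "5"}

# Suites accepted by 1.2.35 in v1.5.0; the TLS_RSA_* GCM suites v1.4.1 listed are
# gone. Assumption of this example: confirm the exact set against the benchmark.
STRONG_CIPHERS: Set[str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_flags(cmdline: str) -> Dict[str, str]:
    """Map --flag=value, --flag value and bare --flag (-> "true") from a process
    command line as read from ps or /proc/<pid>/cmdline."""
    toks = shlex.split(cmdline)
    flags: Dict[str, str] = {}
    i = 1  # toks[0] is the binary
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok.split("=", 1)
                flags[key] = val
            elif i + 1 < len(toks) and not toks[i + 1].startswith("--"):
                flags[tok] = toks[i + 1]
                i += 1
            else:
                flags[tok] = "true"
        i += 1
    return flags

def flag(flags: Dict[str, str], name: str) -> str:
    """Flag value, falling back to the real Kubernetes default."""
    return flags.get(name, KUBE_DEFAULTS.get(name, ""))

def check_1_2_13(api: Dict[str, str]) -> bool:
    """1.2.13 (1.1.13 in v1.4.1): PodSecurityPolicy or SecurityContextDeny; either or both."""
    plugins = set(flag(api, "--enable-admission-plugins").split(","))
    return bool(plugins & {"PodSecurityPolicy", "SecurityContextDeny"})

def check_1_2_34(enc: dict) -> bool:
    """1.2.34 (1.1.35 in v1.4.1): secretbox or kms in use. Read here as: the first
    provider of every resource entry (the one used for writes) is secretbox or kms."""
    entries = enc.get("resources", [])
    return bool(entries) and all(
        e.get("providers") and next(iter(e["providers"][0])) in ("secretbox", "kms")
        for e in entries)

def check_1_2_35(api: Dict[str, str]) -> bool:
    """1.2.35 (1.1.31 in v1.4.1): --tls-cipher-suites is set and every suite is strong."""
    suites = api.get("--tls-cipher-suites")
    return bool(suites) and set(suites.split(",")) <= STRONG_CIPHERS

def check_1_4_2(sched: Dict[str, str]) -> bool:
    """1.4.2 (1.2.2 in v1.4.1): scheduler --bind-address, not --address, is 127.0.0.1."""
    return sched.get("--bind-address") == "127.0.0.1"

def check_4_2_9(kubelet: Dict[str, str], site_floor: int) -> bool:
    """4.2.9 (2.1.9 in v1.4.1): --event-qps is 0 (unlimited) or at least the site's floor."""
    qps = int(flag(kubelet, "--event-qps"))
    return qps == 0 or qps >= site_floor

def check_insecure_port(api: Dict[str, str]) -> bool:
    """--insecure-port is 0; an absent flag means 8080, not 0."""
    return flag(api, "--insecure-port") == "0"

def evaluate(apiserver_cmd, scheduler_cmd, kubelet_cmd, enc, site_floor=20):
    api, sched, kubelet = (parse_flags(c) for c in (apiserver_cmd, scheduler_cmd, kubelet_cmd))
    return {"1.2.13": check_1_2_13(api), "1.2.34": check_1_2_34(enc),
            "1.2.35": check_1_2_35(api), "1.4.2": check_1_4_2(sched),
            "4.2.9": check_4_2_9(kubelet, site_floor),
            "--insecure-port": check_insecure_port(api)}

# Constructed EncryptionConfiguration contents (what --encryption-provider-config points at).
AESCBC = {"resources": [{"resources": ["secrets"], "providers": [{"aescbc": {"keys": []}}, {"identity": {}}]}]}
SECRETBOX = {"resources": [{"resources": ["secrets"], "providers": [{"secretbox": {"keys": []}}, {"identity": {}}]}]}

# Constructed cluster that passed under the old readings and fails every check now.
WEAK = evaluate(
    "kube-apiserver --enable-admission-plugins=NamespaceLifecycle,ServiceAccount "
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384 "
    "--encryption-provider-config=/etc/kubernetes/enc.yaml",
    "kube-scheduler --address=127.0.0.1", "kubelet --config=/var/lib/kubelet/config.yaml", AESCBC)
# The same cluster after remediation.
HARDENED = evaluate(
    "kube-apiserver --enable-admission-plugins=NamespaceLifecycle,ServiceAccount,NodeRestriction,"
    "PodSecurityPolicy --insecure-port=0 --encryption-provider-config=/etc/kubernetes/enc.yaml "
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "kube-scheduler --bind-address=127.0.0.1",
    "kubelet --config=/var/lib/kubelet/config.yaml --event-qps=0", SECRETBOX)

if __name__ == "__main__":
    for cid in WEAK:
        print(cid.ljust(16), "weak:", "PASS" if WEAK[cid] else "FAIL", " hardened:", "PASS" if HARDENED[cid] else "FAIL")
```

Two caveats when adapting this to a real node: kubelet settings usually live in the file named by --config rather than on the command line, so a kubelet check must merge that file's values before applying defaults; and for 1.2.34 the script only sees the parsed EncryptionConfiguration, so read the file named by --encryption-provider-config yourself (as root, since it contains key material) and pass its parsed contents in.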

CIS Docker v1.2.0 changes

When you upgrade to version 2.5.30, compliance results from the previous versions of these benchmarks are no longer available. To get compliance results based on the updated controls, run a new compliance scan.

Status      Description
REMOVED     Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc.
REMOVED     Ensure operations on legacy registry (v1) are disabled.
ADDED       Host Configuration - General Configuration section.
ADDED       Host Configuration - Linux Hosts Specific Configuration section.
ADDED       Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker.
ADDED       Ensure auditing is configured for Docker files and directories - /usr/sbin/runc.
ADDED       Ensure that the /etc/sysconfig/docker file ownership is set to root:root.
ADDED       Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictive.
ADDED       Docker Enterprise Configuration - Universal Control Plane Configuration section.
ADDED       Docker Enterprise Configuration - Docker Trusted Registry Configuration section.
UPDATED     Changed wording for controls 1.1, 1.3, 2.16, 2.17, 3.1, 3.2, 3.5, 3.12, 3.15, 3.17, 3.19, 3.20, 4.1 to 4.3, 4.6, 4.8, 4.9, 4.11, 5.1 to 5.4, 5.6, 5.8 to 5.18, 5.20, 5.22 to 5.31, 6.1, 6.2, 7.1 to 7.10. (These control numbers refer to CIS Docker Benchmark v1.1.0.)
UPDATED^    Ensure that registry certificate file ownership is set to root:root. Previously, this check may have passed even if certificate file ownership wasn't set to root:root.
UPDATED^    Ensure that registry certificate file permissions are set to 444 or more restrictive. Previously, this check may have passed even if certificate file permissions were less restrictive than 444.
UPDATED^    Ensure containers are restricted from acquiring new privileges. Previously, this check may have passed even if --no-new-privileges was set to false.
UPDATED^    Ensure TLS authentication for Docker daemon is configured. Previously, this check may have passed even if the --tlscacert, --tlscert, or --tlskey parameters were absent.
UPDATED^    Ensure that the Docker socket isn't mounted inside any containers. Previously, this check may have passed even if docker.sock was mounted inside a container.
UPDATED^    Ensure that the on-failure container restart policy is set to 5. Previously, this check may have passed even if RestartPolicyName was set incorrectly.

^ We fixed incorrect results for compliance controls that depend on these checks.
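The six corrected Docker checks in the table above share one failure pattern: a missing or explicitly wrong value was being scored as a pass. The script below, an added example for this page and not StackRox code or the benchmark's audit commands, encodes each check so that absence fails: "444 or more restrictive" as a permission-bit mask, --no-new-privileges with an explicit false treated as not set, TLS authentication requiring all three certificate parameters, docker.sock looked for in the container's mounts, and the on-failure policy requiring exactly five retries. Inputs are a daemon.json dict, per-file (uid, gid, mode) metadata as os.stat would report it, and a `docker inspect`-shaped container dict; all three are constructed, and the daemon.json keys (tlsverify, tlscacert, tlscert, tlskey, no-new-privileges) and inspect fields (HostConfig.SecurityOpt, HostConfig.RestartPolicy, Mounts) are as the author knows them, so confirm them for your Docker version.

```python
"""Evaluate the corrected CIS Docker checks against a daemon.json dict, registry
certificate metadata and `docker inspect` output. Added example, not StackRox
code; every input below is constructed, and the daemon.json and inspect field
names are as the author knows them (confirm them for your Docker version)."""
import stat
from typing import Dict, Tuple

DOCKER_SOCK = "/var/run/docker.sock"
FileMeta = Tuple[int, int, int]  # (uid, gid, st_mode) as os.stat reports them

def no_bits_beyond(mode: int, limit: int) -> bool:
    """'limit or more restrictive': no permission bit set outside limit, so
    0o400 and 0o444 pass against 0o444 while 0o644 does not."""
    return (stat.S_IMODE(mode) & ~limit) == 0

def check_cert_ownership(certs: Dict[str, FileMeta]) -> bool:
    """Registry certificate files are owned by root:root."""
    return all(uid == 0 and gid == 0 for uid, gid, _ in certs.values())

def check_cert_permissions(certs: Dict[str, FileMeta]) -> bool:
    """Registry certificate files are 444 or more restrictive."""
    return all(no_bits_beyond(mode, 0o444) for _, _, mode in certs.values())

def check_no_new_privileges(daemon: dict, container: dict) -> bool:
    """The container cannot acquire new privileges: daemon-wide
    no-new-privileges is true, or the container carries the security option.
    An explicit false in daemon.json is not a pass."""
    if daemon.get("no-new-privileges") is True:
        return True
    opts = container.get("HostConfig", {}).get("SecurityOpt") or []  # null when unset
    return any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts)

def check_tls_auth(daemon: dict) -> bool:
    """TLS authentication: tlsverify on and tlscacert, tlscert and tlskey all
    present; one missing parameter fails the check."""
    return daemon.get("tlsverify") is True and all(
        daemon.get(k) for k in ("tlscacert", "tlscert", "tlskey"))

def check_socket_not_mounted(container: dict) -> bool:
    """docker.sock is not bind-mounted into the container."""
    return all(m.get("Source") != DOCKER_SOCK for m in container.get("Mounts", []))

def check_restart_policy(container: dict) -> bool:
    """Restart policy is on-failure with MaximumRetryCount exactly 5."""
    policy = container.get("HostConfig", {}).get("RestartPolicy", {})
    return policy.get("Name") == "on-failure" and policy.get("MaximumRetryCount") == 5

def evaluate(daemon: dict, certs: Dict[str, FileMeta], container: dict) -> Dict[str, bool]:
    return {"cert ownership": check_cert_ownership(certs),
            "cert permissions": check_cert_permissions(certs),
            "no-new-privileges": check_no_new_privileges(daemon, container),
            "daemon TLS auth": check_tls_auth(daemon),
            "docker.sock not mounted": check_socket_not_mounted(container),
            "restart on-failure:5": check_restart_policy(container)}

CERT = "/etc/docker/certs.d/registry.example.com/ca.crt"  # constructed path

# Constructed host that the old checks let through.
WEAK = evaluate(
    {"tlsverify": True, "tlscacert": "/etc/docker/ca.pem",  # tlskey missing
     "tlscert": "/etc/docker/server.pem", "no-new-privileges": False},
    {CERT: (1000, 0, 0o100644)},
    {"Mounts": [{"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK}],
     "HostConfig": {"SecurityOpt": None,
                    "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0}}})
# The same host after remediation.
HARDENED = evaluate(
    {"tlsverify": True, "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server.pem",
     "tlskey": "/etc/docker/server-key.pem", "no-new-privileges": True},
    {CERT: (0, 0, 0o100400)},
    {"Mounts": [],
     "HostConfig": {"SecurityOpt": ["no-new-privileges"],
                    "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5}}})

if __name__ == "__main__":
    for name in WEAK:
        print(name.ljust(24), "weak:", "PASS" if WEAK[name] else "FAIL", " hardened:", "PASS" if HARDENED[name] else "FAIL")
```

On a live host, build the certs dict from os.stat over /etc/docker/certs.d, load daemon.json with json.load, and feed each entry of `docker inspect $(docker ps -aq)` as the container dict; the check functions themselves stay unchanged.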

HIPAA

StackRox version       Benchmark version
2.4.16 and newer       HIPAA 164

NIST

StackRox version       Benchmark version
2.4.16 to 3.0.39       NIST Special Publication 800-190
3.0.40 and newer       NIST Special Publication 800-190 and 800-53 Rev. 4

PCI DSS

StackRox version       Benchmark version
2.4.16 and newer       PCI DSS 3.2.1

© 2021 StackRox Inc. All rights reserved.