Run compliance scans

Run on-demand compliance scans.

This section explains how to run compliance scans across your entire network.

See Manage compliance for an overview of compliance scans and the compliance dashboard.

When you run a compliance scan, the StackRox Kubernetes Security Platform takes a data snapshot of your environment. The data snapshot includes Alerts, Images, Network Policies, Deployments, and related host-based data. StackRox Central collects the host-based data from the Sensors running in your clusters. After that, Central collects more data from the compliance container running in each collector pod. The compliance container collects the following data about your environment:

  • Configurations for Docker Daemon, Docker image, and Docker container.
  • Information about Docker networks.
  • Command-line arguments and processes for Docker and Kubernetes (OpenShift).
  • Permissions of specific file paths.
  • Configuration files for the core Kubernetes services.

After the data collection is complete, Central performs checks on the data to determine results. You can view the results from the Compliance dashboard and also generate compliance reports based on the results.

Scan entire environment

Running this scan checks the compliance state for your entire infrastructure across all compliance standards.

To scan your entire environment:

  1. Open the compliance dashboard by selecting Compliance from the menu.
  2. Click Scan environment.

Scanning the entire environment takes about 2 minutes to complete. This time may vary depending on the number of clusters and nodes in your environment.

Using the Compliance Operator

Starting in version 3.0.62.0, the StackRox Kubernetes Security Platform integrates with the OpenShift Compliance Operator to perform security configuration audits for OpenShift.

To install the OpenShift Compliance Operator, follow these instructions.

If you are installing the OpenShift Compliance Operator for the first time, you must restart Sensor before it begins to receive results. To restart Sensor, run the following command:

kubectl delete po -n stackrox -l app=sensor

If the Compliance Operator was already running on your cluster before you installed the StackRox Kubernetes Security Platform, no action is required.

Evidence collection in CSV format isn’t directly supported. Detailed evidence can be pulled directly from the OpenShift Compliance Operator. To get evidence, follow the instructions here.
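The Sensor restart described above and the evidence pull from the Compliance Operator, as an added shell example that is not StackRox's own tooling or documentation. It assumes kubectl is on PATH and the current context points at the cluster where Sensor runs. The namespace stackrox and the label app=sensor are taken from the page's own command; the Deployment name sensor, the CRD name compliancescans.compliance.openshift.io, the ComplianceCheckResult fields status and severity, and the operator's default namespace openshift-compliance are assumptions about the two products that this page does not state.

```shell
#!/bin/sh
# Added example for this page, not StackRox's own tooling. Assumes kubectl is on
# PATH and points at the cluster where Sensor runs. The namespace "stackrox" and
# label app=sensor come from the page; the Deployment name "sensor", the
# Compliance Operator CRD name and its default namespace "openshift-compliance"
# are assumptions about the two products, not values taken from this page.
STACKROX_NS="${STACKROX_NS:-stackrox}"
CO_NS="${CO_NS:-openshift-compliance}"

# Succeeds when the Compliance Operator's ComplianceScan CRD is present,
# i.e. the operator is installed and Sensor will have results to pull.
compliance_operator_installed() {
  kubectl get crd compliancescans.compliance.openshift.io >/dev/null 2>&1
}

# The page's restart: delete the Sensor pod so its Deployment recreates it,
# then block until the new pod is rolled out so it can start pulling results.
restart_sensor() {
  kubectl delete po -n "$STACKROX_NS" -l app=sensor || return 1
  kubectl rollout status deploy/sensor -n "$STACKROX_NS" --timeout=120s
}

# Restart Sensor only if the operator is actually installed.
# Exit status: 0 restarted, 2 operator not found, 1 restart failed.
restart_sensor_if_operator_present() {
  if ! compliance_operator_installed; then
    echo "Compliance Operator CRD not found; Sensor restart skipped" >&2
    return 2
  fi
  restart_sensor
}

# Evidence pull: emit one CSV row per ComplianceCheckResult as
# name,status,severity. StackRox does not produce this CSV itself, so the rows
# come straight from the operator's objects (field names are assumptions).
compliance_results_csv() {
  echo "name,status,severity"
  kubectl get compliancecheckresults -n "$CO_NS" \
    -o jsonpath='{range .items[*]}{.metadata.name},{.status},{.severity}{"\n"}{end}'
}

# Count FAIL rows in the CSV from compliance_results_csv (reads stdin), a quick
# gate to run before opening the StackRox compliance dashboard.
count_failures() {
  awk -F, 'NR > 1 && $2 == "FAIL" { n++ } END { print n + 0 }'
}

# Usage (from a shell that has sourced this file):
#   restart_sensor_if_operator_present
#   compliance_results_csv > evidence.csv
#   compliance_results_csv | count_failures
```

The restart is skipped when the operator's CRD is absent, which matches the page's note that a restart is only needed when the operator is installed after StackRox; if the operator predates StackRox the page says no action is required, so the function is harmless to run in that case too.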


© 2021 StackRox Inc. All rights reserved.