CIS Logo
tagline: Confidence in the Connected World

CIS Benchmark Release Summary for July 2017

This month in the CIS Benchmark communities, Docker and Kubernetes were our primary focus for developing secure configurations. Here’s the wrap up:

CIS Docker Community Edition Benchmark v1.1.0

We’re excited to announce the release of a newly-updated CIS Docker Benchmark which contains security recommendations through Docker version 17.06. Thanks to our consensus participants for helping to make this update possible! See a list of changes below:

New Recommendations

  • 2.18 Restrict containers from acquiring new privileges
  • 7.8 Rotate node certificates as appropriate
  • 7.9 Rotate root CA certificates as appropriate
  • 7.10 Separate management plane traffic from data plane traffic

 Modified Recommendations

  • 2.1 Restrict network traffic between containers on the default bridge - clarified the intent of the recommendation

Deleted Recommendations

  • 6.1 Perform regular security audits of your host system and containers
  • 6.2 Monitor Docker containers usage, performance, and metering
  • 6.3 Backup container data

Miscellaneous Changes

  • Formatting the entire benchmark
  • Updated several reference URLs
  • New Section - "7 Docker Swarm Configuration"
  • All Swarm related recommendations moved to the Swarm section
  • Added CIS Controls mappings
  • Updated all recommendation titles to conform to CIS Standard.

Special thanks to author Pravin Goyal and editors Thomas Sjögren, Rory McCune and Brian Andrzejewski for their work on this benchmark!

CIS ISC BIND DNS Server 9.9 Benchmark v3.0.1

This CIS Benchmark has been updated to include mappings between configuration settings and the CIS Controls, a prioritized list of cyber defense actions that provide specific guidance to thwart the most pervasive attacks. These mappings will show in the CIS Benchmark documentation and in CIS-CAT Pro assessments.

CIS Kubernetes Benchmark v1.1.0

Also updated for July – the Kubernetes CIS Benchmark. This release contains coverage for Kubernetes 1.7.  Below, you’ll find a summary of release changes:

New Recommendations:

  • 1.32 Ensure that the --authorization-mode argument is set to Node
  • 1.33 Ensure that the admission control policy is set to NodeRestriction
  • 1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate
  • 1.35 Ensure that the encryption provider is set to aescbc
  • 3.7 Ensure that the RotateKubeletServerCertificate argument is set to true
  • 6.8 Configure Network policies as appropriate
  • 1.14 Ensure that the RotateKubeletClientCertificate argument is set to true
  • 1.15 Ensure that the RotateKubeletServerCertificate argument is set to true
  • 2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive
  • 2.8 Ensure that the client certificate authorities file ownership is set to root:root

Deleted Recommendations:

  • 3.3 Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set
  • 6.5 Avoid using Kubernetes Secrets

Special thanks to the Kubernetes Editor team for the quick turnaround getting this update out! Our communities work hard to develop secure configurations for all, and this benchmark is a shining example of those efforts.

Finally, thanks to all of our CIS Benchmark communities for sharing their expertise and feedback. Looking forward to seeing what we accomplish together in August!