CIS Ubuntu Benchmark

This document describes the level of compliance that Google Distributed Cloud has with the CIS Ubuntu Benchmark.

Access the benchmark

The CIS Ubuntu Benchmark is available on the CIS website.

Configuration profile

In the CIS Ubuntu Benchmark document, you can read about configuration profiles. The Ubuntu images used by Google Distributed Cloud are hardened to meet the Level 2 - Server profile.

Evaluation on Google Distributed Cloud

We use the following values to specify the status of Ubuntu recommendations in Google Distributed Cloud.

Status	Description
Pass	Complies with a benchmark recommendation.
Fail	Does not comply with a benchmark recommendation.
Equivalent control	Does not comply with the exact terms in a benchmark recommendation, but other mechanisms in Google Distributed Cloud provide equivalent security controls.
Depends on environment	Google Distributed Cloud does not configure items related to a benchmark recommendation. Your configuration determines whether your environment complies with the recommendation.

Status of Google Distributed Cloud

The Ubuntu images used with Google Distributed Cloud are hardened to meet the CIS Level 2 - Server profile. The following table gives justifications for why Google Distributed Cloud components did not pass certain recommendations. Benchmarks that have a Passed status are not included in the following table.

Configure AIDE cron job

AIDE is a file integrity checking tool that verifies compliance with CIS L1 Server benchmark 1.4 Filesystem Integrity Checking. In Google Distributed Cloud, the AIDE process has been causing high resource usage issues.

The AIDE process on nodes is disabled by default to prevent resource issues. This will affect compliance with CIS L1 Server benchmark 1.4.2: Ensure filesystem integrity is regularly checked.

If you want to opt in to run the AIDE cron job, complete the following steps to re-enable AIDE:

1. Create a DaemonSet.

   Here's a manifest for a DaemonSet:

   apiVersion: apps/v1
   kind: DaemonSet
   metadata:
   name: enable-aide-pool1
   spec:
   selector:
     matchLabels:
       app: enable-aide-pool1
   template:
     metadata:
       labels:
         app: enable-aide-pool1
     spec:
       hostIPC: true
       hostPID: true
       nodeSelector:
         cloud.google.com/gke-nodepool: pool-1
       containers:
       - name: update-audit-rule
         image: ubuntu
         command: ["chroot", "/host", "bash", "-c"]
         args:
         - |
           set -x
           while true; do
             # change daily cronjob schedule
             minute=30;hour=5
             sed -E "s/([0-9]+ [0-9]+)(.*run-parts --report \/etc\/cron.daily.*)/$minute $hour\2/g" -i /etc/crontab
   
             # enable aide
             chmod 755 /etc/cron.daily/aide
   
             sleep 3600
           done
         volumeMounts:
         - name: host
           mountPath: /host
         securityContext:
           privileged: true
       volumes:
       - name: host
         hostPath:
           path: /
   

   In the preceding manifest:

   • The AIDE cron job will only run on node pool pool-1 as specified by the nodeSelector cloud.google.com/gke-nodepool: pool-1. You can configure the AIDE process to run on as many node pools as you want by specifying the pools under the nodeSelector field. To run the same cron job schedule across different node pools, remove the nodeSelector field. However, to avoid host resource congestions, we recommend you maintain separate schedules.

   • The cron job is scheduled to run daily at 5:30am as specified by the configuration minute=30;hour=5. You can configure different schedules for the AIDE cron job as required.

2. Copy the manifest to a file named enable-aide.yaml, and create the DaemonSet:

   kubectl apply --kubeconfig USER_CLUSTER_KUBECONFIG -f enable-aide.yaml
   

   where USER_CLUSTER_KUBECONFIG is the path of the kubeconfig file for your user cluster.