From 4ae6f21a2e4f0625f33558fec24886967eb77d7f Mon Sep 17 00:00:00 2001 From: Davide Iori Date: Thu, 17 Apr 2025 15:46:52 +0200 Subject: [PATCH 1/4] Update README.md changed text to comply with the CIS non-commercial use policy --- .../rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md index 50beab58bac..940fad0b905 100644 --- a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md +++ b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md @@ -1,9 +1,14 @@ # Rancher CIS Benchmark Chart -The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. +The cis-operator enables security scans using profiles aligned with CIS Benchmarks on a kubernetes cluster and generate reports that can be downloaded. # Installation ``` -helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-systemvvv ``` + + + +> [!NOTE] +> Please be aware that commercial use of CIS Benchmarks® or claiming official CIS compliance requires membership or licensing from the Center for Internet Security (CIS®). Users are responsible for adhering to CIS terms of use. From 34950ae404984f1f9caa41ddab1b87a8ae894e48 Mon Sep 17 00:00:00 2001 From: Davide Iori Date: Thu, 17 Apr 2025 16:00:57 +0200 Subject: [PATCH 2/4] Update app-readme.md changed content to comply with the CIS non-commercial use policy --- .../106.1.0+up8.1.0-rc.1/app-readme.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md index 88ca4582418..6f19a60024e 100644 
--- a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md +++ b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md 
@@ -1,17 +1,20 @@ -# Rancher CIS Benchmarks +# Rancher Cluster Compliance Scanner -This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). +This chart enables security scanning of the cluster using security profiles aligned with [CIS (Center for Internet Security) Benchmark®](https://www.cisecurity.org/benchmark/kubernetes/) recommendations. For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). +> [!NOTE] +> This tool facilitates assessing cluster configuration against security recommendations derived from CIS Benchmarks®. Please be aware that the use of CIS Benchmarks® for commercial purposes, or claiming official CIS compliance certification, requires appropriate licensing or membership with the Center for Internet Security (CIS®). Users are responsible for ensuring they comply with all applicable CIS terms of use. + This chart installs the following components: -- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. -- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. -- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. 
-- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. -- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of tests using security profiles aligned with the CIS Benchmarks on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS-aligned scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch the scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines a specific CIS Benchmark publication (e.g., CIS Kubernetes Benchmark v1.23) that scan profiles can reference for alignment to run using kube-bench, as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's scanning application lets you run a cluster scan on a schedule, and send alerts when scans finish. 
- If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. From af655ca3b24d1f15aa8c729bb4c30a53c5c4d85c Mon Sep 17 00:00:00 2001 From: Davide Iori Date: Thu, 17 Apr 2025 16:47:37 +0200 Subject: [PATCH 3/4] Update app-readme.md removed trademark symbol --- .../rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md index 6f19a60024e..b6473782e37 100644 --- a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md +++ b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/app-readme.md 
@@ -1,12 +1,12 @@ # Rancher Cluster Compliance Scanner -This chart enables security scanning of the cluster using security profiles aligned with [CIS (Center for Internet Security) Benchmark®](https://www.cisecurity.org/benchmark/kubernetes/) recommendations. +This chart enables security scanning of the cluster using security profiles aligned with [CIS (Center for Internet Security) Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendations. For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). > [!NOTE] -> This tool facilitates assessing cluster configuration against security recommendations derived from CIS Benchmarks®. Please be aware that the use of CIS Benchmarks® for commercial purposes, or claiming official CIS compliance certification, requires appropriate licensing or membership with the Center for Internet Security (CIS®). Users are responsible for ensuring they comply with all applicable CIS terms of use. +> This tool facilitates assessing cluster configuration against security recommendations derived from CIS Benchmarks. Please be aware that the use of CIS Benchmarks for commercial purposes, or claiming official CIS compliance certification, requires appropriate licensing or membership with the Center for Internet Security (CIS). Users are responsible for ensuring they comply with all applicable CIS terms of use. This chart installs the following components: From 62e500d1ed7f845b6dea31281e9689936a8f094c Mon Sep 17 00:00:00 2001 From: Davide Iori Date: Thu, 17 Apr 2025 16:48:18 +0200 Subject: [PATCH 4/4] Update README.md removed trademark symbol --- charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md index 940fad0b905..046ceea2a06 100644 
--- a/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md +++ b/charts/rancher-cis-benchmark/106.1.0+up8.1.0-rc.1/README.md @@ -11,4 +11,4 @@ helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-systemv > [!NOTE] -> Please be aware that commercial use of CIS Benchmarks® or claiming official CIS compliance requires membership or licensing from the Center for Internet Security (CIS®). Users are responsible for adhering to CIS terms of use. +> Please be aware that commercial use of CIS Benchmarks or claiming official CIS compliance requires membership or licensing from the Center for Internet Security (CIS). Users are responsible for adhering to CIS terms of use.
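Review bot: In [PATCH 1/4], the README.md hunk changes the namespace in the install command from `cis-operator-system` to `cis-operator-systemvvv`, which looks like stray keystrokes; the commit message says nothing about a namespace change. Because the command passes `--create-namespace`, anyone copying it would install the chart into a newly created `cis-operator-systemvvv` namespace instead of the documented one. Please restore `-n cis-operator-system`. The same hunk also adds three blank lines before the `> [!NOTE]` block where one is enough.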
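Review bot: In [PATCH 2/4], the app-readme.md hunk is inconsistent about the word "compliance". The new title is "Rancher Cluster Compliance Scanner" and the cis-operator bullet still says it "generates a compliance report", while the README.md change in 1/4 drops "compliance" from "compliance reports" and the added note cautions against claiming official CIS compliance. Use one wording in both files, for example "generates a report" in the bullet. Separately, the rewritten Benchmark Versions bullet ("that scan profiles can reference for alignment to run using kube-bench") is hard to parse; consider splitting it into one sentence on which benchmark publication the CRD identifies and one on what kube-bench runs.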
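Review bot: [PATCH 3/4] only removes the ® symbols that 2/4 added to the same file earlier in the series, and 4/4 does the same for 1/4, so squashing 3/4 into 2/4 and 4/4 into 1/4 would leave a cleaner history without the add-then-remove churn. In this hunk the link text also reads "CIS (Center for Internet Security) Benchmark" in the singular while the note below it says "CIS Benchmarks"; pick one form.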
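Review bot: In [PATCH 4/4], the README.md notice still differs in wording from the app-readme.md notice: here it reads "claiming official CIS compliance requires membership or licensing", while app-readme.md reads "claiming official CIS compliance certification, requires appropriate licensing or membership". Both are the same licensing statement, so use identical text in the two files to keep them from drifting. The hunk header context (`-n cis-operator-systemv`) also shows that the namespace typo from 1/4 is still present at the end of the series.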