Benchmarks for Compliance Scanner

Note: Pivotal Platform is now part of VMware Tanzu. In v1.2 and later, Pivotal Compliance Scanner is named Compliance Scanner for VMware Tanzu.

Page last updated:

This topic describes the different benchmarks used for scanning in Compliance Scanner for VMware Tanzu.

Overview

When configuring Compliance Scanner, you choose which benchmarks you want. Benchmarks determine which tests are run by the scanner.

Compliance Scanner offers four scanning benchmarks:

Base Xenial

This benchmark is a subset of the full STIG benchmark.

The Base Xenial does not include the STIG tests that fail because of differences between the Xenial stemcells and standard Ubuntu Server image.

Because the removed failed tests do not threaten the security of the system, the remaining tests in the Base Xenial benchmark are a baseline for unaltered stemcells. Use this benchmark to see if the configurations have been further modified.

For information about the STIG benchmark, see STIG for Ubuntu Xenial below.

CIS Ubuntu Linux 16.04 LTS – Level 1

The CIS Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.

CIS Ubuntu Linux 16.04 LTS – Level 2

The CIS Level 2 profile is considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately and with due care.

STIG for Ubuntu Xenial

This benchmark contains tests outlined in the Ubuntu 16.04 (Xenial) Security Technical Implementation Guide (STIG) published by the Defense Information Systems Agency (DISA). This benchmark contains the full Ubuntu 16.04 (Xenial) Security Technical Implementation Guide (STIG) set of tests.

This benchmark targets a standard Ubuntu Server. When it is applied to stemcells, certain tests fail for the following reasons:

  • The file path specified in the tests is different on the stemcell.
  • The failed test is specific to a standard Ubuntu Server image, but is not applicable to a stemcell.
  • The failed test adheres to a lower security standard than what is verified with the stemcell.

To address failures of the first type, the bundled tests have been updated to reflect the paths used by stemcells. These changes do not compromise the integrity of the tests themselves. The remaining failing tests that highlight stemcell differences can help auditors assess their security posture.

For more information about the Canonical Ubuntu 16.04 LTS STIG guide, use the following link to download a ZIP file of the Department of Defense’s documentation.