Kaspersky Container Security

Configuring and generating reports

Kaspersky Container Security can generate reports based on the results of scanning registries, clusters, and images. The list of generated reports is displayed under Administration → Reports.

Reports generated by the solution display the following information:

  • Events related to the operating logic of Kaspersky Container Security, such as the results of scanning images or analyzing nodes.
  • Statistical data, such as a list of images and their identified security issues.

Kaspersky Container Security provides the following report templates:

Depending on the applied report template, reports are created and generated in different sections of the solution.

The report generation process may take several minutes.

A list of generated reports is displayed under Administration → Reports. Reports are available for download in HTML, PDF or CSV format.

In Kaspersky Container Security, reports are generated only in English.

In this Help section

Image reports

Risk acceptance report

Kubernetes benchmarks reports

Generating reports

Downloading and deleting reports


Image reports

In Kaspersky Container Security, you can generate reports on image scan results. Depending on the required level of detail, image reports can be summary reports or detailed reports.

Images summary report

A summary report provides consolidated information on the selected images. This report provides the names of images and the names of the clusters containing these images. A summary report contains data on image compliance with security policy requirements, the names of policies that invoked the image scans, and the scan status. For each image, the report contains data on the number of identified risks related to vulnerabilities, malware, sensitive information, and misconfigurations.

Images detailed report

A detailed report provides more detailed information about selected images, completed scans, and identified security issues. Each report includes the date and time of the last scan, the cluster containing the selected image, a risk assessment, and an assessment of compliance with security policy requirements. Kaspersky Container Security displays the number of objects with different severity levels based on identified vulnerabilities, malware, sensitive data, and misconfigurations.

In the block with the description of the applied image security policies, the application provides a list of image security policies and indicates whether this scan stage was completed successfully or with errors. The report also specifies the action performed by Kaspersky Container Security in accordance with a specific policy. In this case, the report may show that the CI/CD stage was blocked, that images were marked as non-compliant with security requirements, or that both of these actions were performed.

The Vulnerabilities section provides a list of identified vulnerabilities, their severity levels, the resource in which they were detected, and the image version in which the vulnerabilities were fixed.

The Malware and Sensitive data sections display lists of detected malicious objects and objects containing sensitive data. For each object, the severity level and path are indicated.

The Misconfigurations block provides a list indicating the names of files in which misconfigurations were identified, the severity levels of the misconfigurations, and the types of files (for example, a Dockerfile). It also specifies the detected issue and provides recommendations on resolving the issue.

Kaspersky Container Security receives descriptions of misconfiguration-related issues from the internal database for configuration file analysis. This includes modules that scan the following types of configuration files: Kubernetes, Dockerfile, Containerfile, Terraform, CloudFormation, Azure ARM Template, and Helm Chart. The descriptions of misconfigurations and the remediation recommendations are presented in the same language as the specified scan modules. For example, the description of misconfigurations from Kubernetes is provided in English.
This database is updated when a new version of the application is released.


Risk acceptance report

The Risk acceptance report contains data on accepted risks, including the date and time they were accepted. You can generate a report on all accepted risks or a group of accepted risks based on a filter.

For each selected risk that you accepted, its name is specified in the following format:

  • Risk type (vulnerability, malware, sensitive data, or misconfiguration).
  • Risk name or ID.
  • Risk severity.

Kaspersky Container Security provides the image name, name of the resource and repository where the specific risk was detected, and the image version in which the risk was fixed. The report table also displays the following information about risk acceptance:

  • Risk acceptance scope.
  • Time period after which the risk should be considered again when determining image security status.
  • User who accepted the risk.


Kubernetes benchmarks reports

In Kaspersky Container Security, you can generate reports based on the results of checking objects for compliance with the Kubernetes benchmarks.

By default, reports are generated for nodes with all statuses: Passed, Warning, and Failed. If you need to generate a report for nodes with a specific scan status, in the Control status section located above the table, click the appropriate status button. Kaspersky Container Security updates the display of the compliance check results, and a report is generated for nodes with the relevant status.

Depending on the level of detail, the reports can be summary reports or detailed reports.

Kubernetes benchmarks summary report

A summary report provides consolidated information on the selected clusters. It lists the names of nodes with the specified compliance check status, as well as the date and time of the last check of each node. The report for all nodes displays information on the number of Kubernetes benchmarks with selected statuses that were detected during object scanning.

Kubernetes benchmark detailed report

A detailed report provides more detailed information about the nodes of the selected cluster or about a specific node of the cluster. The scope depends on the subsection of the solution from which you generate the report:

  • A detailed report on the nodes of the selected cluster is created from the table with a list of clusters.
  • A report on a node is generated on the page with the detailed description of that node.

For each node in the cluster selected for the report, the report also lists the date and time of the last scan, the number of Kubernetes benchmarks with each assigned scan status, and the benchmarks that were assigned the statuses selected before report generation.

Kubernetes benchmarks provide configuration baselines and recommendations for secure configuration of solutions and applications to improve protection against cyberthreats. Hardening is a process that helps protect against unauthorized access, denial of service, and other security events by eliminating potential risks.

Example of Kubernetes benchmarks

After checking nodes for compliance with the Kubernetes benchmarks, Kaspersky Container Security can display recommendations related to security requirements, for example:

  • Control Plane Components
    • Control Plane Node Configuration Files
      • Ensure that the API server pod specification file permissions are set to 644 or more restrictive.
      • Ensure that the API server pod specification file ownership is set to root:root.
    • API Server
      • Ensure that the --anonymous-auth argument is set to false.
      • Ensure that the --token-auth-file parameter is not set.
    • Controller Manager
      • Ensure that the --terminated-pod-gc-threshold argument is set as appropriate.
      • Ensure that the --profiling argument is set to false.
  • etcd
    • Ensure that the --cert-file and --key-file arguments are set as appropriate.
    • Ensure that the --client-cert-auth argument is set to true.
  • Control Plane Configuration
    • Authentication and Authorization
      • Client certificate authentication should not be used for users.
    • Logging
      • Ensure that a minimal audit policy is created.
      • Ensure that the audit policy covers key security concerns.
  • Worker Nodes
    • Worker Node Configuration Files
      • Ensure that the kubelet service file permissions are set to 644 or more restrictive.
      • Ensure that the kubelet service file ownership is set to root:root.
  • Policies
    • Role-Based Access Control and Accounts
      • Ensure that the cluster-admin role is only used where required.
      • Minimize access to secrets.
    • Pod Security Policies
      • Minimize the admission of privileged containers.
    • Network Policies and CNI
      • Ensure that the CNI in use supports Network Policies.
      • Ensure that all namespaces have Network Policies defined.
    • Secrets Management
      • Prefer using secrets as files over secrets as environment variables.
      • Consider external secret storage.
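
The following added example (not part of Kaspersky Container Security or its documentation) shows how a few of the recommendations listed above can be verified on a node: the component flags and the "644 or more restrictive" and root:root file checks. The rule table, function names, and sample command line are assumptions constructed for illustration.

```python
import shlex
import stat

# Assumed rule table built from the list above; None means "must not be set".
RULES = {
    "kube-apiserver": {"--anonymous-auth": "false", "--token-auth-file": None},
    "kube-controller-manager": {"--profiling": "false"},
    "etcd": {"--client-cert-auth": "true"},
}

# Constructed sample command line, not taken from a real cluster.
SAMPLE_APISERVER_CMD = ("kube-apiserver --anonymous-auth=true "
                        "--token-auth-file=/etc/kubernetes/tokens.csv --secure-port=6443")

def parse_flags(command_line):
    """Map each --flag to its value; a flag without '=' is recorded as 'true',
    which is how Go flag parsers read a bare boolean flag."""
    flags = {}
    for tok in shlex.split(command_line):
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            flags[name] = value if sep else "true"
    return flags

def check_flags(component, command_line):
    """Return (flag, finding) pairs for every rule the command line violates."""
    flags, findings = parse_flags(command_line), []
    for flag, required in RULES.get(component, {}).items():
        actual = flags.get(flag)
        if required is None and actual is not None:
            findings.append((flag, "must not be set"))
        elif required is not None and actual != required:
            # An unset flag is reported as well as a wrong value.
            findings.append((flag, f"expected {required}, found {actual or 'unset'}"))
    return findings

def mode_is_644_or_stricter(st_mode):
    """True when the permission bits grant nothing beyond rw-r--r-- (0644)."""
    return (stat.S_IMODE(st_mode) & ~0o644) == 0

def check_file(st_mode, uid, gid):
    """Check os.stat() fields against the 644 and root:root recommendations."""
    findings = []
    if not mode_is_644_or_stricter(st_mode):
        findings.append(f"mode {stat.S_IMODE(st_mode):o} is broader than 644")
    if (uid, gid) != (0, 0):
        findings.append(f"owner {uid}:{gid} is not root:root")
    return findings
```

The mask comparison is what makes 600 or 640 pass while 664 fails, which a numeric "less than or equal to 644" comparison would get wrong.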


Generating reports

In Kaspersky Container Security, reports are generated in different sections of the application depending on the specific report template that you are using.

The report generation process may take several minutes.

You can view a list of generated reports under Administration → Reports. In this section, generated reports can be downloaded as .HTML, .PDF, or .CSV.


Generating Images reports

To generate an Images summary report:

  1. Go to one of the following sections:
    • Resources → Assets → Registries to generate a report on images from registries integrated with the solution.
    • Resources → CI/CD to generate a report on images that are scanned in CI/CD.

      Under Resources → CI/CD, reports are generated only for objects with the image artifact type (container_image or image). In this section, a report cannot be generated for other types of artifacts.

  2. Depending on the section that you selected, do one of the following:
    • In the Resources → Assets → Registries section, select a repository or one or more images for which you want to generate a report.

      You can select all repositories and images by selecting the check box in the table header.

    • In the Resources → CI/CD section, select one or more images for which you want to generate a report.

      You can specify all images in all repositories by selecting the check box in the table header.

  3. Click the Create report button above the table, and select Images summary report in the drop-down list.
  4. In the window that opens, confirm report generation.

To generate an Images detailed report:

  1. Go to one of the following sections:
    • Resources → Assets → Registries to generate a report on images from registries integrated with the solution.
    • Resources → CI/CD to generate a report on images that are scanned in CI/CD.

      Under Resources → CI/CD, reports are generated only for objects with the image artifact type (container_image or image). In this section, a report cannot be generated for other types of artifacts.

    • Components → Scanners → Scanner tasks to generate a report based on an image scanned as part of a scan task.
  2. Depending on the section that you selected, do one of the following:
    • Under Resources → Assets → Registries, perform the following steps:
      1. Select a repository or one or more images for which you want to generate a report.
      2. Click the Create report button above the table, and select Images detailed report in the drop-down list.
    • Under Resources → CI/CD, complete the following steps:
      1. Select a repository or one or more images for which you want to generate a report.
      2. Click the Create report button above the table, and select Images detailed report in the drop-down list.
    • Under Components → Scanners → Scanner jobs, complete the steps specified below:
      1. In the list of scanner tasks, select the scanned object for which you want to generate a report. You can select only one image from the page with a detailed description of the scan results for this image.
      2. In the window containing the object scan results, click the Create report button located to the right of the description of the object's compliance with security policy requirements.

        A scan results window with a Create report button opens only for scanner jobs that have Finished status.

  3. In the window that opens, confirm report generation.

Generating Risk acceptance reports

To generate a Risk acceptance report:

  1. Go to the Policies → Risk acceptance section.

    By default, a report is generated for all accepted risks, which are displayed in the table. If necessary, you can generate a report for specific objects. To specify the objects for which you want to generate a report, perform one or more of the following actions:

    • In the Search field, enter a risk name, repository name, or image name.
    • Use the Risk type drop-down list above the table to select objects by risk type.
    • Use the Vendor fix drop-down list above the table to select objects by risk type.
  2. Click the Create report button above the table.

    Kaspersky Container Security will start generating a report, and will prompt you to follow a link to a page containing a list of generated reports.


Generating Kubernetes benchmark reports

To generate a Kubernetes benchmarks summary report:

  1. Go to Compliance → Kubernetes benchmarks.
  2. In the Cluster field, select one or more clusters to generate a report for.

    You can generate a report on all clusters by selecting All from the Cluster drop-down list.

  3. Above the table, under Control status, select check statuses for which you want to generate a report: Passed, Warning, or Failed.

    All statuses are selected by default.

  4. Click the Create report button above the table, and select Summary report from the drop-down list.
  5. In the window that opens, confirm report generation. You can download the generated report in .HTML, .PDF, and .CSV formats in the Administration → Reports section.

To generate a Kubernetes benchmarks detailed report:

  1. Go to Compliance → Kubernetes benchmarks.
  2. Above the table, under Control status, select check statuses for which you want to generate a report: Passed, Warning, or Failed.

    All statuses are selected by default.

  3. Do one of the following:
    • In the Cluster field, select the cluster for which you want to generate a report, and complete the following steps:
      1. Click the Create report button above the table.
      2. Select Detailed report from the drop-down list.
    • In the table with the check results, click the cluster name and complete the following steps:
      1. Click the name of a node in the selected cluster.

        Kaspersky Container Security displays the available data on the Kubernetes benchmarks that was obtained for this node during the scan.

      2. Click the Create report button above the table.
  4. In the window that opens, confirm report generation. You can download the generated report in .HTML, .PDF, and .CSV formats in the Administration → Reports section.

A Kubernetes benchmarks detailed report is generated for one cluster only. However, it contains information about all nodes in this cluster.
To get detailed reports for multiple clusters, you must generate a report for each cluster separately.


Downloading and deleting reports

Kaspersky Container Security displays a list of generated reports in the table in the Administration → Reports section.

For each generated report, the table provides the name that the application assigned to the report, the report template, the date and time of report creation, and the report generation status. The table also lets you download a successfully generated report in the desired format, or delete a report.

To download a report:

In the row containing the report, click the button for the relevant format: PDF, HTML, or CSV.

To delete a report:

  1. In the row containing the name of the report that you want to delete, click the delete icon.
  2. In the window that opens, confirm the action.