Kaspersky Container Security
2.0
English

Contents

Configuring and generating reports

Kaspersky Container Security provides the capability to generate reports based on the results of scanning registries, clusters, and images. The list of generated reports is displayed under AdministrationReports.

Reports generated by the solution display the following information:

  • Events related to the operating logic of Kaspersky Container Security, such as the results of scanning images or analyzing nodes.
  • Statistical data, such as a list of images and their identified security issues.

Kaspersky Container Security provides the following report templates:

Depending on the applied report template, reports are created and generated in different sections of the solution.

The report generation process may take several minutes.

The list of generated reports is displayed under AdministrationReports. Reports are available for download in .HTML, .PDF, .CSV, .JSON, or .XML format.

In Kaspersky Container Security, reports are generated only in English.

In this Help section

Image reports

Risk acceptance report

Kubernetes benchmarks reports

Cluster benchmarks report

Generating reports

Downloading and deleting reports
Page top
[Topic 282787]

Image reports

In Kaspersky Container Security, you can generate reports on image scan results. Depending on the required level of detail, image reports can be summary reports or detailed reports.

Images summary report.

A summary report provides consolidated information on the selected images. This report provides the names of images and the names of the clusters containing these images. A summary report contains data on image compliance with security policy requirements, the names of policies that invoked the image scans, and the scan status. For each image, the report contains data on the number of identified risks related to vulnerabilities, malware, sensitive information, and misconfigurations.

Images detailed report

A detailed report provides more detailed information about selected images, completed scans, and identified security issues. Each report includes the date and time of the last scan, the cluster containing the selected image, a risk assessment, and an assessment of compliance with security policy requirements. Kaspersky Container Security displays the number of objects with different severity levels based on identified vulnerabilities, malware, sensitive data, and misconfigurations.

In the block with the description of the applied image security policies, the application provides a list of image security policies and indicates whether this scan stage was completed successfully or with errors. The report also specifies the action performed by Kaspersky Container Security in accordance with a specific policy. In this case, the report may show that the CI/CD stage was blocked, that images were marked as non-compliant with security requirements, or that both of these actions were performed.

The Vulnerabilities section provides a list of identified vulnerabilities, their severity levels, the resource in which they were detected, and the image version in which the vulnerabilities were fixed.

The Malware and Sensitive data sections display lists of detected malicious objects and objects containing sensitive data. For each object, the severity level and path are indicated.

The Misconfigurations block provides a list indicating the names of files in which misconfigurations were identified, the severity levels of the misconfigurations, and the types of files (for example, a Docker file). It also specifies the detected issue and provides recommendations on resolving the issue.

Kaspersky Container Security receives a description of misconfiguration-related issues from the internal database for configuration file analysis. This includes modules that scan configuration files from: Kubernetes, Dockerfile, Containerfile, Terraform, Cloudformation, Azure ARM Template, and Helm Chart. The description of misconfigurations and remediation recommendations are presented in the same language as the specified scan modules. For example, the description of misconfigurations from Kubernetes is provided in English.
This database is updated when a new version of the application is released.

Page top
[Topic 264258]

Risk acceptance report

The Risk acceptance report contains data on accepted risks, including the date and time they were accepted. You can generate a report on all accepted risks or a group of accepted risks based on a filter.

For each selected risk that you accepted, its name is specified in the following format:

  • Risk type (vulnerability, malware, sensitive data, or misconfiguration).
  • Risk name or ID.
  • Risk severity.

Kaspersky Container Security provides the image name, name of the resource and repository where the specific risk was detected, and the image version in which the risk was fixed. The report table also displays the following information about risk acceptance:

  • Risk acceptance scope.
  • Time period after which the risk should be considered again when determining image security status.
  • User who accepted the risk.

Page top
[Topic 264537]

Kubernetes benchmarks reports

In Kaspersky Container Security, you can generate reports based on the results of objects checking for compliance with the Kubernetes benchmarks.

By default, reports are generated for nodes with all statuses - Passed, Warning, and Failed. If you need to generate a report for nodes with a specific scan status, in the Control status section located above the table, click the appropriate status button. Kaspersky Container Security updates the display of the compliance check results, and a report is generated for nodes with the relevant status.

Depending on the level of detail, the reports can be summary reports or detailed reports.

Kubernetes benchmarks summary report

A summary report provides consolidated information on the selected clusters. It lists the names of nodes with the specified compliance check status, as well as the date and time of the last check of each node. The report for all nodes displays information on the number of Kubernetes benchmarks with selected statuses that were detected during object scanning.

Kubernetes benchmark detailed report

A detailed report provides more detailed information about the nodes of the selected cluster or about a specific node of the cluster. It depends on which subsection of the solution you are generating the report from:

  • A detailed report on the nodes of the selected cluster is created from the table with a list of clusters.
  • A report on a node is generated on the page with the detailed description of that node.

For each node in the cluster selected for generating the report, the date and time of the last scan performed, the number of Kubernetes benchmarks with the scan statuses assigned to them, and the benchmarks that were assigned the statuses selected before the report generation are also listed.

Kubernetes benchmarks provide configuration baselines and recommendations for secure configuration of solutions and applications to improve protection against cyberthreats. Hardening is a process that helps protect against unauthorized access, denial of service, and other security events by elimination of potential risks.

Example of Kubernetes benchmarks

After checking nodes for compliance with the Kubernetes benchmarks, Kaspersky Container Security can display recommendations related to security requirements, for example:

  • Control Plane Components.
    • Control Plane Node Configuration Files.
      • Ensure that the API server pod specification file permissions are set to 644 or more restrictive.
      • Ensure that the API server pod specification file ownership is set to root:root.
    • API Server.
      • Ensure that the --anonymous-auth argument is set to false.
      • Ensure that the --token-auth-file parameter is not set.
    • Controller Manager.
      • Ensure that the --terminated-pod-gc-threshold argument is set as appropriate.
      • Ensure that the --profiling argument is set to false.
  • etcd.
    • Ensure that the --cert-file and --key-file arguments are set as appropriate.
    • Ensure that the --client-cert-auth argument is set to true.
  • Control Plane Configuration.
    • Authentication and Authorization.
      • Client certificate authentication should not be used for users.
    • Logging.
      • Ensure that a minimal audit policy is created.
      • Ensure that the audit policy covers key security concerns.
  • Worker Nodes.
    • Worker Node Configuration Files.
      • Ensure that the kubelet service file permissions are set to 644 or more restrictive.
      • Ensure that the kubelet service file ownership is set to root:root.
  • Policies.
    • Role-Based Access Control and Accounts
      • Ensure that the cluster-admin role is only used where required.
      • Minimize access to secrets
    • Pod Security Policies
      • Minimize the admission of privileged containers.
    • Network Policies and CNI
      • Ensure that the CNI in use supports Network Policies.
      • Ensure that all namespaces have Network Policies defined.
    • Secrets Management
      • Prefer using secrets as files over secrets as environment variables.
      • Consider external secret storage.

    .

Page top
[Topic 264538]

Cluster benchmarks report

The report provides information about the compliance of cluster resources with benchmarks. You can generate a report for one or more clusters.

The report includes the following information:

  • Date and time when the report was generated.
  • Name of the checked cluster. If the report is generated for multiple clusters, the report presents information broken down by cluster.
  • Date and time of the scan.
  • The categories and subcategories of controls selected when the report was generated. By default, the report is generated for all categories and subcategories of controls in the cluster. If you need to generate a report for resources in a specific category and subcategory of controls, specify the relevant categories or subcategories.
  • Compliance score as a percentage.
  • The number of controls that could not be checked.
  • The number of resources in the cluster that are not compliant with benchmarks.

The report also includes a table with the following information about the compliance of cluster resources with benchmark controls:

  • ID and name of the control
  • Severity of the control
  • Remediation recommendations
  • Category of the control
  • Compliance score as a percentage
  • Number of non-compliant resources for each control found

Cluster benchmark controls represent the most important cluster configuration parameters that can be exploited by hackers conducting cyber attacks. The controls are based on a systematic description of cybersecurity hardening techniques and tactics in the MITRE and NSA/CISA benchmarks. Analyzing the compliance of cluster resources with benchmark controls allows ensuring an appropriate level of protection and timely identifying risks to the infrastructure.

By default, reports are generated for resources at all severity levels (Critical, High, Medium, and Low) that have been checked for compliance with all benchmarks (MITRE and NSA/CISA). If you need to generate a report for resources with a specific severity and a check for compliance with a specific benchmark, use the filter to select the values that you need. Kaspersky Container Security updates the display of the compliance check results, and a report is generated for resources with the relevant parameters.

Page top
[Topic 286621]

Generating reports

In Kaspersky Container Security, reports are generated in different sections of the application depending on the specific report template that you are using.

The report generation process may take several minutes.

You can view a list of generated reports under AdministrationReports. In this section, generated reports can be downloaded as .HTML, .PDF, .CSV, .JSON, or .XML files.

Page top
[Topic 282788]

Generating Images reports

To generate an Images summary report:

  1. Go to one of the following sections:
    • Resources → Registries to generate a report on images from registries integrated with the solution.
    • ResourcesCI/CD to generate a report on images that are scanned in CI/CD.

      Under ResourcesCI/CD, reports are generated only for objects with the image artifact type (container_image or image). In this section, a report cannot be generated for other types of artifacts.

  2. Depending on the section that you selected, do one of the following:
    • In the Resources → Registries section, select a repository or one or more images for which you want to generate a report.

      You can select all repositories and images by selecting the check box in the table header.

    • In the ResourcesCI/CD section, select one or more images for which you want to generate a report.

      You can specify all images in all repositories by selecting the check box in the table header.

  3. Click the Create report button above the table, and select Images summary report in the drop-down list.
  4. In the window that opens, confirm report generation.

To generate an Images detailed report:

  1. Go to one of the following sections:
    • Resources → Registries to generate a report on images from registries integrated with the solution.
    • ResourcesCI/CD to generate a report on images that are scanned in CI/CD.

      Under ResourcesCI/CD, reports are generated only for objects with the image artifact type (container_image or image). In this section, a report cannot be generated for other types of artifacts.

    • ComponentsScannersScanner tasks to generate a report based on an image scanned as part of a scan task.
  2. Depending on the section that you selected, do one of the following:
    • Under Resources → Registries, perform the following steps:
      1. Select a repository or one or more images for which you want to generate a report.
      2. Click the Create report button above the table, and select Images detailed report in the drop-down list.
    • Under ResourcesCI/CD, complete the following steps:
      1. Select a repository or one or more images for which you want to generate a report.
      2. Click the Create report button above the table, and select Images detailed report in the drop-down list.
    • Under ComponentsScannersScanner jobs, complete the steps specified below:
      1. In the list of scanner tasks, select the scanned object for which you want to generate a report. You can select only one image from the page with a detailed description of the scan results for this image.
      2. In the window containing the object scan results, click the Create report button located to the right of the description of the object's compliance with security policy requirements.

        A scan results window with a Create report button opens only for scanner jobs that have Finished status.

  3. In the window that opens, confirm report generation.
Page top
[Topic 294415]

Generating Risk acceptance reports

To generate a Risk acceptance report:

  1. Go to the PoliciesRisk acceptance section.

    By default, a report is generated for all accepted risks, which are displayed in the table. If necessary, you can generate a report for specific objects. To specify the objects for which you want to generate a report, perform one or more of the following actions:

    • In the Search field, enter a risk name, repository name, or image name.
    • Use the Risk type drop-down list above the table to select objects by risk type.
    • Use the Vendor fix drop-down list above the table to select objects by risk type.
  2. Click the Create report button above the table.

    Kaspersky Container Security will start generating a report, and will prompt you to follow a link to a page containing a list of generated reports.

Page top
[Topic 270332]

Generating Kubernetes benchmark reports

To generate a Kubernetes benchmarks summary report:

  1. Go to ComplianceKubernetes benchmarks.
  2. In the Cluster field, select one or more clusters to generate a report for.

    You can generate a report on all clusters by selecting All from the Cluster drop-down list.

  3. Above the table, under Control status, select check statuses for which you want to generate a report: Passed, Warning, or Failed.

    All statuses are selected by default.

  4. Click the Create report button above the table, and select Summary report from the drop-down list.
  5. In the window that opens, confirm report generation. You can download the generated report in .HTML, .PDF, .CSV, .JSON, and .XML formats in the Administration → Reports section.

To generate a Kubernetes benchmarks summary report:

  1. Go to ComplianceKubernetes benchmarks.
  2. Above the table, under Control status, select check statuses for which you want to generate a report: Passed, Warning, or Failed.

    All statuses are selected by default.

  3. Do one of the following:
    • In the Cluster field, select the cluster for which you want to generate a report, and complete the following steps:
      1. Click the Create report button above the table.
      2. Select Detailed report from the drop-down list.
    • In the table with the check results, click the cluster name and complete the following steps:
      1. Click the name of a node in the selected cluster.

        Kaspersky Container Security displays the available data on the Kubernetes benchmarks that was obtained for this node during the scan.

      2. Click the Create report button above the table.
  4. In the window that opens, confirm report generation. You can download the generated report in .HTML, .PDF, .CSV, .JSON, and .XML formats in the Administration → Reports section.

A Kubernetes benchmarks detailed report is generated for one cluster only. However, it contains information about all nodes in this cluster.
To get detailed reports for multiple clusters, you must generate a report for each cluster separately.

Page top
[Topic 282792]

Generating cluster benchmarks reports

To generate a Cluster benchmarks report for a single cluster:

  1. Go to the ComplianceCluster benchmarks section.
  2. Do one of the following:
    • In the table, select the check box for the cluster for which you want to generate a report.
    • Click the cluster name in the table and go to the window with the cluster resource check results.
  3. Click the Create report button, which is located:
    • Above the table, if you selected the cluster using the check box.
    • Above the check date and time selection field, if you have navigated to the window with the results of the cluster resource check.
  4. In the window that opens, confirm report generation. You can download the generated report in .HTML, .PDF, .CSV, .JSON, and .XML formats in the Administration → Reports section.

To generate a Cluster benchmarks report for multiple clusters:

  1. Go to the ComplianceCluster benchmarks section.
  2. In the table, select the check boxes for the clusters for which you want to generate a report.
  3. Click the Create report button, which is located above the table.
  4. In the window that opens, confirm report generation. You can download the generated report in .HTML, .PDF, .CSV, and .JSON formats in the AdministrationReports section.

Page top
[Topic 286623]

Downloading and deleting reports

Kaspersky Container Security displays a list of generated reports in the table in the AdministrationReports section.

For each generated report, the table provides the name that the application assigned to the report, the report template, the date and time of report creation, and the report generation status. The table also lets you download a successfully generated report in the desired format, or delete a report.

To download a report:

In the row containing the report, click the button for the relevant format: .PDF, .HTML, .CSV, .JSON, or .XML.

To delete a report:

  1. In the row containing the name of the report that you want to delete, click the delete icon ("Delete" icon.).
  2. In the window that opens, confirm the action.
Page top
[Topic 292577]